Effective Date:
04 April, 2016

HITRUST LLC (“HITRUST” or “Licensor”) hereby authorizes limited access to and use of the HITRUST De-Identification Framework to entities that are parties to a HITRUST CSF Framework Subscription Agreement, a HITRUST CSF Qualified Assessor Agreement, or who have agreed to the HITRUST Terms of Use and downloaded a copy of the HITRUST De-Identification Framework (hereinafter collectively referred to as ”Subscriber”) from hitrustalliance.net/de-identification-license-agreement. Subscriber further agrees to the terms of this HITRUST DE-IDENTIFICATION FRAMEWORK License Agreement (“License”).

The Licensee may have access to and use the HTRUST De-Identification Framework as provided in this License, and as a condition to such use and access, the Licensee agrees to the following terms:

1. License Fee. There shall be no fee for the license provided herein.

2. Delivery of De-Identification Framework. During the term of this License, HITRUST shall make the De-Identification Framework available to licensees for delivery by the Internet from the server(s) on which they are hosted.

3. De-Identification Framework Ownership. All title and intellectual property rights and interest in and to the De-Identification Framework, including but not limited to any text, images, photographs, animations, video and audio incorporated into it, and any copies of that a licensee is expressly permitted to make herein, are and continue to be solely owned by HITRUST or its suppliers. The De-Identification Framework includes valuable, proprietary, and confidential information, compilations, methods, techniques, procedures and processes not generally known, which can only be obtained from HITRUST. HITRUST has implemented reasonable protections for the De-Identification Framework, including but not limited to the terms of this License, to prevent their unauthorized disclosure or use.

4. Grant of License. Subject to compliance with the terms and conditions of this License, Licensor hereby grants to Licensee, and Licensee accepts, a non-exclusive, non-transferable, and non-assignable right and license to:

• Make one (1) electronic copy of the De-Identification Framework solely for use by the Licensee.

• Make paper copies of the De-Identification Framework for the sole use of each Licensee subject to this License.

• Use the De-Identification Framework for Licensee’s internal educational and information sharing purposes only, for Licensee and any wholly-owned subsidiaries of Licensee or sister-organizations under the same ownership as Licensee that have been previously identified and approved in writing to HITRUST (“Affiliate”). Licensee agrees that it shall not use, or attempt to use, the De-Identification for any other purpose, including but not limited to any external disclosure or use with any Licensee customers, vendors or partners.

• Use the De-Identification Framework to create Licensee’s internal De-Identification risk, maturity, or readiness assessment reports.

5. Updates. Licensor may, in its sole discretion, provide updates and/or supplements of the De-Identification Framework to the Licensee, in which case such updates shall be deemed to be included in the De-Identification Framework and governed by this License as such, unless HITRUST expressly notifies the Licensee that any such Update(s) are provided under other licensing terms.

6. Prohibited Activities and Uses of De-Identification Framework. Any use of the De-Identification Framework not expressly permitted by this License is strictly prohibited. In particular, and without limitation, the Licensee shall NOT do any of the following:

• Provide or otherwise allow the disclosure of an electronic or paper copy, in whole or part, of the De-Identification Framework, to any individual or entity that is not a duly authorized Licensee.

• Use the De-Identification Framework, in whole or part, to provide analysis, assessments, services or products of any kind to any other person or entity, except a Licensee Affiliate.

• Store or otherwise maintain the De-Identification Framework, in whole or part, on any publically available cloud service, storage provider, or other electronic database.

• Create any derivative work, based in whole or part, on the De-Identification Framework for any purpose not permitted under Section 4 of this License, without Licensor’s express prior written consent.

• These prohibitions shall not apply to: Any information, compilation, method, technique, procedure or process included in the De-Identification Framework that (a) is or has become public knowledge, by publication or other public disclosure, through no action or omission of the Licensee under this License; (b) was verifiably known to the Licensee prior to the date of entry into this License; (c) was independently developed by the Licensee without use of the De-Identification Framework; or (d) was lawfully obtained by the Licensee from a third party who was in lawful possession of it and had the right to provide it to Licensee.

7. Licensee, Authorized Users. A Licensee must be a HITRUST Qualified Organization, which includes organizations employing a function or activity involving the use or disclosure of individually identifiable health information, provided such organization does not provide security products or services of any kind or nature. Unless already a party to a valid and existing HITRUST Qualified De-Identification Framework Assessor Agreement, the following non-exclusive list of persons or entities are not HITRUST Qualified Organizations and shall not be permitted to be a Licensee or Affiliate under any circumstance: IT security service providers, IT security product providers, IT security consultants, IT security vendors and suppliers.

The Licensee may authorize up to the number of individuals authorized per the Licensee’s CSF License Agreement. Each such individual must have a need to use the De-Identification Framework in order to provide internal services or perform internal functions for the Licensee, subject to this License (“Authorized Users”). The Licensee shall maintain a list of all current and past Authorized Users at all times, and promptly make it available to HITRUST upon request. Authorized Users may include both employees of the Licensee or its Affiliates and their non-employed agents, provided that all Authorized Users shall be subject to this License and provide prior written acceptance of its terms. Licensee shall take all reasonable and diligent efforts to prevent disclosure of an electronic or paper copy, in whole or part, of the De-Identification Framework, to any other person or entity.

Upon termination of an Authorized User’s authorization under this License for any reason, the Licensee shall (a) revoke the individual’s electronic access to the De-Identification Framework, (b) remove any such electronic files from the individual’s possession, and (c) remove any paper copies of the De-Identification Framework from the individual’s possession.

8. No Interference with Intellectual Property Protections. Under no circumstances shall any entity or individual subject to this License disable any digital rights protections or remove, modify, interfere with, or obscure any copyright, trademark or other proprietary rights and notices that apply to, appear on, or included in the De-Identification Framework.

9. Compliance. Upon Licensor’s request, an officer of the Licensee shall promptly certify in writing to Licensor that the Licensee and all Affiliates are in full compliance with the terms and conditions of this License.

10. Defense of Infringement and Misappropriation Claims.

10.1. Notice and Cure. In the event that HITRUST receives notice that the De-Identification Framework, or any component of the De-Identification Framework, may infringe any copyright, trademark or patent, or constitute a misappropriation of a trade secret, HITRUST may, at its sole discretion:

a. Procure for the Licensee the right to continue using the potentially or allegedly infringing or misappropriated component;

b. Modify the De-Identification Framework to provide for substitute materially equivalent functioning or a materially functional equivalent which does not infringe and/or is not misappropriated; or

c. If HITRUST elects to provide substitute equivalent functioning or a functional equivalent, and upon written notice, the Licensee shall immediately stop using the allegedly infringing or misappropriated component and shall cooperate with HITRUST in implementing use of the functional substitute.

10.2. Limited Defense. HITRUST will defend the Licensee against any claims by an unaffiliated third party that any component of the De-Identification Framework infringes any copyright, trademark or patent or misappropriates any trade secret, including but not limited to an action for injunctive relief based on such a claim; on the condition precedent that the Licensee gives HITRUST prompt written notice of such claim, gives HITRUST sole control over its defense or settlement (except that HITRUST may not settle any such claim against you unless it unconditionally releases you of all liability), and provides HITRUST with reasonable assistance and cooperation in such defense. Defense to any other claims shall not be provided, and issues relating to defense coverage shall be made at the sole discretion of HITRUST.

10.3. Limitation of Duty to Defend. HITRUST shall have no obligation to defend the Licensee against any claim:

a. That relates to an allegedly infringing use, or use of misappropriated intellectual property, after HITRUST has notified the Licensee of a substitute as provided above;

b. That relates to any use or disclosure of the De-Identification Framework, in whole or in part, in breach of any term of this License; or

c. For any trade secret claim, that arises from the Licensee acquiring the trade secret through improper means, under conditions giving rise to a duty to maintain its secrecy or limit its use, or from a person other than Licensee who owed the party asserting the claim a duty to maintain the secrecy or limit the use of the trade secret.

10.4. Exclusive Remedy. The rights and remedies stated in Section 10 state Licensor’s entire liability and the sole and exclusive remedy of Licensee and its Affiliates with respect to any claim of infringement or misappropriation of the intellectual property rights of any third party, whether arising under statutory or common law or otherwise.

11. DISCLAIMER OF WARRANTIES. THE DE-IDENTIFICATION FRAMEWORK IS DEEMED ACCEPTED BY THE LICENSEE AS OF THE DATE ACCEPTED BY LICENSEE. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HITRUST AND ITS SUPPLIERS PROVIDE THE DE-IDENTIFICATION FRAMEWORK “AS IS” AND WITH ALL FAULTS, AND HITRUST AND ITS SUPPLIERS HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, QUIET POSSESSION, SECURITY, CONFORMITY TO DESCRIPTION, NON-INFRINGEMENT, RELIABILITY, ACCURACY OR COMPLETENESS, AND RESULTS ALL WITH REGARD TO THE DE-IDENTIFICATION FRAMEWORK OR OTHERWISE ARISING OUT OF THE USE OF THE DE-IDENTIFICATION FRAMEWORK THE ENTIRE RISK AS TO THE QUALITY OR ARISING OUT OF THE USE OF THE DE-IDENTIFICATION FRAMEWORK AT ALL TIMES REMAINS WITH THE LICENSEE AND ITS AFFILIATES.

12. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL, EXEMPLARY AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL HITRUST OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER DATA OR INFORMATION, BUSINESS INTERRUPTION, PERSONAL INJURY, LOSS OF PRIVACY, FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, NEGLIGENCE, AND ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE DE-IDENTIFICATION FRAMEWORK , THE PROVISION OF OR FAILURE TO PROVIDE THE DE-IDENTIFICATION FRAMEWORK , OR OTHERWISE ARISING OUT OF THE USE OF THE DE-IDENTIFICATION FRAMEWORK , OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS LICENSE, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), MISREPRESENTATION, STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF LICENSOR OR ANY SUPPLIER AND EVEN IF HITRUST OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

13. LIMITATION OF LIABILITY AND REMEDIES. NOTWITHSTANDING ANY DAMAGES THAT THE LICENSEE OR ANY AFFILIATE MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED HEREIN AND ALL DIRECT OR GENERAL DAMAGES IN CONTRACT OR ANYTHING ELSE), HITRUST’S LIABILITY TO LICENSEE AND ITS AFFILIATES SHALL NOT EXCEED THE TOTAL AMOUNT ACTUALLY RECEIVED BY HITRUST AS LICENSE FEES UNDER THIS LICENSE. THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.

14. Indemnification. The Licensee hereby agrees to defend, indemnify and hold harmless HITRUST, its officers, directors, shareholders, employees and agents at the Licensee’s own expense from and against any and all suits, claims, actions, losses, costs, penalties and damages of whatsoever kind in nature, including reasonable attorney’s fees and costs, arising out of or in connection with or incident to the use by the Licensee or any Affiliate, or any breach of this Agreement by the Licensee or any Affiliate.

15. Injunctive Remedies for License Violations. The Licensee hereby acknowledges that any violation of this License by the Licensee or an Affiliate will cause irreparable injury to HITRUST, and, as a result, HITRUST shall be entitled to seek any injunctive relief or other rights or remedies to which HITRUST is or may be entitled to under law to prevent or mitigate the effects of such violation. This expressly includes but is not limited to any breach by Licensee of the Prohibited Activities and Uses of De-Identification Framework provided in paragraph 6 above.

16. Jurisdiction and Venue. Jurisdiction for any action arising from or pertaining to this License, including but not limited to an action by Licensor for injunctive relief, shall be interpreted and governed under the laws of the State of Texas, and venue shall be in an applicable court of Collin County, Texas. The Licensee hereby waives all defenses of lack of personal jurisdiction and forum non-conveniens.

17. Legal Fees and Costs. In the event of legal proceedings arising from or pertaining to this License the prevailing party shall be awarded its reasonable attorney’s fees and costs of litigation, including any on appeal or in bankruptcy proceedings.

BY CLICKING THE ACCEPTANCE BUTTON BELOW OR BY ACCESSING OR USING THIS INFORMATION, I ACKNOWLEDGE THAT I HAVE READ THE HITRUST DE-IDENTIFICATION FRAMEWORK LICENSE AGREEMENT, UNDERSTAND IT AND AGREE TO BE LEGALLY BOUND BY ITS TERMS AND CONDITIONS.

I have read and agree to the general terms and conditions stated in the above license agreement.

I represent and certify to HITRUST LLC that I am not employed by, and agent of, or otherwise affiliated with any IT security service or product provider, any IT security consultant, or any IT security vendor or supplier, unless already a party to a valid and existing HITRUST Qualified CSF Assessor Agreement. I further represent that I have read the CSF License Agreement and am eligible to be a Subscriber as provided in the CSF License Agreement.