Practice Agreement Terms & Conditions
These Terms & Conditions (“Terms”) to the Practice Agreement (“Agreement”) are entered into by and between Dandy (“Dandy” or “we”) and you and your dental practice or office (“You”) and are effective as of the date the Practice Agreement is entered into (“Effective Date”). If you accept these Terms on behalf of an entity, partnership, corporation, or organization, “you” includes you, that entity, and all entity users, and you hereby represent that you have the authority to bind all such users. Dandy and you will each be referred to as a “Party” and together, the “Parties.” For good and valuable consideration as set forth in the Agreement, the Parties agree to the following:
- Amendment. These Terms and the Agreement cannot be changed unless we both agree in writing. If Dandy makes material changes to either the Terms or the Agreement, Dandy will notify you of such change. Any material change will become effective thirty (30) days after we notify you, unless you notify us in writing that you wish to terminate the Agreement. In that case, the change will not take effect and Dandy will honor the existing Agreement for 60 days or until you return the scanner and any other Dandy equipment that may be in your possession.
- Entire Agreement. The Practice Agreement, these Terms, the Business Associates Agreement, and the IT Policy for Practice-Provided Equipment, if applicable, constitute our entire agreement. Anything communicated in any other method outside of these documents is not binding. This Agreement supersedes any other conflicting agreement we may have made in the past.
- Non-assignability. Dandy is partnering with you, so you may not transfer or assign the Agreement and Terms to a third party unless we both agree in writing.
- Legal Compliance. Both Parties agree to comply with all applicable health laws and regulations in the United States, including HIPAA, among others.
- Indemnity. You will indemnify, defend, and hold harmless Dandy against and from all claims, causes of actions, damages, debts, liabilities, losses, obligations, payments, costs, and expenses (including legal expenses), arising from or relating to: (a) your breach of any term of the Agreement, these Terms and/or the Business Associates Agreement; (b) your breach of any term of any agreement between you and any patient, or any negligent, reckless or willful acts or failures with respect to your care of a patient; (c) your provision of incorrect or incomplete information, scans, documents, or data to Dandy, or any failure to timely provide Dandy with any information it requests from you, your practice, or any of your Dentists; and (d) any and all dealings with federal, state or local administrative agencies, regulators, licensing, or professional bodies.
- Arbitration. Dandy hopes that we never encounter any meaningful disagreements about our Agreement, these Terms, and the Business Associates Agreement, and Dandy very much prefers to resolve any disagreements in the most amicable way possible. Dandy’s goal is to work closely with you and Dandy’s mission is to support your practice. If something does arise that we are unable to resolve through amicable problem solving, we both commit to resolve the issue through arbitration with JAMS in the state of New York, under New York law.
Business Associate Agreement
This HIPAA BUSINESS ASSOCIATE AGREEMENT (“Addendum”), is effective as of the date the Practice Agreement is entered into (“Effective Date”), between the dental practice identified in the Practice Agreement (“Covered Entity”) and Dandy (“BA”). This Addendum, which supersedes any previous business associate agreement between the parties, amends, supplements, and is made a part of the Practice Agreement, by and between Covered Entity and BA, as the same may be amended from time to time (the “Agreement”).
RECITALS
WHEREAS, Covered Entity is a “covered entity” as that term is defined at 45 C.F.R. § 160.103;
WHEREAS, BA may, on behalf of Covered Entity, create, receive, maintain, or transmit certain Protected Health Information (as defined below) in order to provide services to Covered Entity pursuant to the Agreement;
WHEREAS, Covered Entity is subject to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder, including the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164 (collectively “Privacy and Security Regulations”);
WHEREAS, the Privacy and Security Regulations require Covered Entity to enter into a contract with BA in order to mandate certain protections for the privacy and security of Protected Health Information, and those Regulations prohibit the disclosure of Protected Health Information from Covered Entity to BA if such a contract is not in place;
WHEREAS, this Addendum shall be applicable only in the event that BA meets, with respect to Covered Entity, the definition of “business associate” set forth in 45 C.F.R. § 160.103.
In consideration of the foregoing, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the parties agree as follows:
1. Definitions
- “Breach” shall have the meaning given to the term “breach” at 45 C.F.R. § 164.402, as applied to the Unsecured PHI created, received, maintained, or transmitted by BA from or on behalf of Covered Entity.
- “Electronic Protected Health Information” or “ePHI” shall have the meaning given to the term “electronic protected health information” at 45 C.F.R. § 160.103, as applied to the information created, received, maintained, or transmitted by BA from or on behalf of Covered Entity.
- “Protected Health Information” or “PHI” shall have the meaning given to the term “protected health information” at 45 C.F.R. § 160.103, as applied to the information created, received, maintained, or transmitted by BA from or on behalf of Covered Entity.
- “Reportable Event” means any (1) use or disclosure of PHI not provided for by this Addendum; (2) Security Incident; (3) Breach of Unsecured PHI; or (4) any data incident involving PHI for which data breach notification is required under applicable foreign, federal, or state law.
- “Services” mean the services provided by BA to Covered Entity as set forth in the Agreement.
- “Security Incident” shall have the meaning given to the term “security incident” at 45 C.F.R. § 164.304, as applied to the ePHI created, received, maintained, or transmitted by BA from or on behalf of Covered Entity.
Terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in the Privacy and Security Regulations including, but not limited to, 45 C.F.R. Sections 160.103 and 164.501. Any inconsistency in the definition of a term shall be resolved in favor of a meaning that permits compliance with HIPAA.
2. Permitted Uses and Disclosures of PHI
Except as otherwise limited in this Addendum or the Agreement, BA may do any or all of the following:
- Use or Disclosure under the Agreement. Use or disclose PHI to perform functions, activities, or services for, or on behalf of Covered Entity, to the extent permitted in the Agreement, provided that such use or disclosure would not violate the Privacy Rule or any applicable state law if done by Covered Entity. Notwithstanding the above, BA may use and disclose PHI for the purposes identified in paragraphs (2), (3), and (5) of this Section 2, even if Covered Entity could not do so under the Privacy Rule.
- Use for Administration or Legal Responsibilities. Use PHI, but only to the minimum extent necessary, for the proper management and administration of BA, for debt collection practices of BA, or to carry out the legal responsibilities of BA.
- Disclosure for Administration or Legal Responsibilities. Disclose PHI, but only to the minimum extent necessary, for the proper management and administration of BA or to carry out the legal responsibilities of BA, provided that:
- The disclosures are Required by Law; or
- BA obtains reasonable assurances from the third party to whom the PHI is disclosed that such information shall remain confidential and shall be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon BA pursuant to this Addendum), and such person agrees to promptly notify BA of any instance of which it is aware in which the confidentiality of the information has been breached.
- Use for Reporting of Violations. Use PHI to report violations of law to appropriate federal, state, and local authorities, consistent with 45 C.F.R. § 164.502(j).
- Use for Data Aggregation Services. Use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- De-Identified Information. Use PHI to create de-identified information in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)-(c).
3. Obligations of Business Associate
- Limited by Agreement and Law. BA may not use or disclose PHI other than as permitted or required by this Addendum and the Agreement or as Required by Law.
- Compliance with HIPAA. To the extent that BA is responsible for carrying out an obligation of Covered Entity under HIPAA pursuant to this Addendum or the Agreement, BA shall comply with the requirements of HIPAA that apply to Covered Entity in the performance of such obligation.
- Appropriate Safeguards for PHI. BA shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of PHI in any manner other than as permitted by the Agreement and this Addendum.
4. Reportable Events.
- Use of Subcontractors. If BA discloses PHI to a subcontractor or allows a subcontractor to create, receive, maintain, or transmit PHI on its behalf, BA shall require the subcontractor to execute a written agreement obligating the subcontractor to comply with all the terms of this Addendum. If BA becomes aware of a pattern of activity or practice of a subcontractor that would constitute a material breach or violation of the written agreement between BA and subcontractor, BA shall take reasonable steps to cure such breach or end the violation, as applicable, or terminate such written agreement with such subcontractor.
- Availability of Internal Practices, Books and Records to Government Agencies. BA agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI that is received from, or created or received by BA on behalf of, Covered Entity available to the Secretary of the United States Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA. No attorney-client, accountant-client, or other legal privilege shall be deemed to have been waived by BA by virtue of BA’s compliance with this provision.
- Access to and Amendment of PHI. To the extent that BA maintains PHI in a Designated Record Set, BA shall: (a) make the PHI specified by Partner available to the individual(s) identified by Covered Entity as being entitled to access such PHI, and (b) make amendment(s) to such PHI in a Designated Record Set as directed or agreed to by Covered Entity. BA shall provide such access and incorporate such amendments within the time and in the manner specified by Covered Entity that meets the requirements of 45 C.F.R. § 164.524, § 164.526, and applicable state law.
- Accounting of Disclosures. Upon Covered Entity’s request, BA shall provide to Covered Entity an accounting of the disclosures of an Individual’s PHI in a time and manner that meets the requirements of 45 C.F.R. § 164.528 and, as of the applicable effective date, Section 13405(c) of HITECH and any regulations promulgated thereunder.
- Minimum Necessary. BA agrees that it shall comply with HIPAA’s minimum necessary requirements.
- Communication with Other Business Associates. In connection with the performance of its services, activities, and/or functions to or on behalf of Covered Entity, BA may disclose information, including PHI, to other business associates of Covered Entity. Likewise, BA may use and disclose information, including PHI, received from other business associates of Covered Entity, as if this information was received from, or originated with, Covered Entity. The parties agree that it is the responsibility of Covered Entity to secure and maintain business associate agreements with its other business associates.
- BA shall report to Covered Entity any Reportable Event of which it becomes aware. All such reports shall be made without unreasonable delay and in no case later than fifteen (15) business days after BA’s discovery of a Reportable Event.
- BA shall cooperate with Covered Entity in investigating a Reportable Event and assist Covered Entity in determining whether a Reportable Event constitutes a Breach of Unsecured PHI.
- BA shall mitigate, to the extent practicable, any harmful effect that is known to BA of a Reportable Event.
- The parties acknowledge and agree that this section constitutes notice by BA to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that do not result in unauthorized access to, or use, loss, modification, destruction, or disclosure of, PHI, such as pings and other broadcast attacks on BA’s firewall, port scans, unsuccessful log-on attempts, unsuccessful denial of service attacks, or any combination thereof.
5. Obligations of Covered Entity
- Notice of Privacy Practices. Covered Entity shall notify BA in writing of any limitations in its notice of privacy practices, to the extent that such limitations may affect BA’s use or disclosure of PHI.
- Notification of Revocations. Covered Entity shall notify BA in writing of any changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent that such changes or revocation may affect BA’s use or disclosure of PHI.
- Notification of Restrictions. Covered Entity shall notify BA in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect BA’s use or disclosure of PHI.
- Permissible Requests. Covered Entity shall not request that BA use or disclose PHI in any manner that would not be permissible under HIPAA or other applicable federal or state law if done by Covered Entity.
6. Term and Termination
- Term. The term of this Addendum shall be the same as the term of the Agreement, but shall terminate as of the earliest occurrence of any of the following:
- The Agreement expires or is terminated with or without cause;
- This Addendum is terminated for cause as described in Section 5.2 below;
- The parties mutually agree to terminate this Addendum; or
- This Addendum is terminated under applicable federal, state, or local law.
- Termination for Cause.
- Upon Covered Entity’s determination of a breach of any material term of this Addendum by BA, Covered Entity shall provide BA written notice of that breach in sufficient detail to enable BA to understand the specific nature of that breach and afford BA an opportunity to cure the breach; provided, however, that if BA fails to cure the breach within thirty (30) days of receipt of such notice, Covered Entity may terminate this Addendum and the Agreement.
- Upon BA’s determination of a breach of a material term of this Addendum by Covered Entity, BA shall provide Covered Entity written notice of that breach in sufficient detail to enable Covered Entity to understand the specific nature of that breach and afford Covered Entity an opportunity to cure the breach; provided, however, that if Covered Entity fails to cure the breach within thirty (30) days of receipt of such notice, BA may terminate this Addendum and the Agreement.
- Effect of Termination
- Subject to Section 5.3(b) below, upon termination of this Addendum for any reason, BA shall return or destroy all PHI that BA still maintains in any form. BA shall retain no copies of such PHI.
- If return or destruction of any or all PHI is not feasible, BA shall:
- Retain only that PHI for which return or destruction is not feasible;
- Return to Covered Entity or destroy the remaining PHI that BA still maintains in any form;
- Extend the protections of this Addendum to any retained PHI, continue to use appropriate safeguards, and comply with the Security Rule with respect to ePHI, in order to prevent use or disclosure of the retained PHI other than as provided for in this Addendum for as long as BA retains the PHI;
- Not use or disclose the PHI retained by BA other than for the purposes for which such PHI was retained and subject to the same conditions set forth in this Addendum that applied prior to termination; and
- Return to Covered Entity or destroy the PHI retained by BA if and when it becomes feasible to do so.
- These provisions shall apply to PHI that is in the possession of subcontractors or agents of BA.
- This Section 5.3 shall survive termination of this Addendum.
7. Miscellaneous
- Regulatory References. A reference in this Addendum to a section in HIPAA means the section as in effect or as amended at the time this Addendum is executed or amended.
- Amendment; No Waiver. Upon the effective date of any federal statute amending or expanding HIPAA, any guidance or temporary, interim final or final regulations promulgated under HIPAA, or under any federal statute amending or expanding HIPAA (collectively, the “HIPAA Regulations”) that are applicable to this Addendum or any amendments to the HIPAA Regulations, this Addendum shall be automatically amended, such that the obligations imposed on Covered Entity and BA shall remain in compliance with such requirements, unless the parties agree otherwise by mutual consent. The parties shall take all necessary action to expressly reflect such automatic amendments to this Addendum from time to time. Except as provided otherwise in this paragraph (B), no waiver, change, modification, or amendment of any provision of this Addendum shall be made unless it is in writing and is signed by the parties hereto. The failure of either party at any time to insist upon strict performance of any condition, promise, agreement, or understanding set forth herein shall not be construed as a waiver or relinquishment of the right to insist upon strict performance of the same condition, promise, agreement, or understanding at a future time.
- Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits compliance with HIPAA. The titles and headings set forth at the beginning of each section hereof are inserted for convenience of reference only and shall in no way be construed as a part of this Addendum or as a limitation on the scope of the particular provision to which it refers. In the event of an inconsistency between the provisions of this Addendum and the mandatory terms of HIPAA, as may be expressly amended from time-to-time by the Secretary, or as a result of interpretations by the Secretary, a court, or another regulatory agency with authority over the parties, the interpretation of the Secretary, such court, or regulatory agency shall prevail.
- Relationship to Agreement Provisions. In the event that a provision of this Addendum is contrary to a provision of the Agreement, the provision of this Addendum shall control. Otherwise, this Addendum shall be construed under, and in accordance with, the terms of the Agreement.
- Relationship of Parties. The parties to this Addendum are independent contractors. None of the provisions of this Addendum are intended to create, nor shall they be interpreted or construed to create, any relationship between Covered Entity and BA other than that of independent contractors. Except as otherwise expressly set forth herein, neither party, nor any of its representatives, shall be deemed to be the agent, employee, or representative of the other party.
- No Third Party Beneficiaries. This Addendum is between the parties hereto. Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than Covered Entity and BA and any respective successors and assigns.
- Invalid or Unenforceable Provision. The provisions of this Addendum shall be severable. The invalidity or unenforceability of any particular provision or portion of such provision of this Addendum shall be construed, in all respects, as if such invalid or unenforceable provision or portion of such provision had been omitted, and shall not affect the validity and enforceability of the other provisions hereof or portions of that provision.
- Assignment. The parties’ rights and obligations with respect to assignment of this Addendum shall be subject to the assignment provision set forth in the Agreement. In the event that the Agreement does not contain an assignment provision, neither party may assign its rights, or delegate its duties or obligations, under this Addendum without the prior written consent of the other party, which consent shall not be unreasonably withheld. This Addendum shall be binding upon, and shall inure to the benefit of, the parties hereto and their respective successors.
- Applicable Law. This Addendum shall be construed, administered, and governed by the governing law set forth in the Agreement, except to the extent preempted by applicable federal law. In the event that the Agreement does not identify the governing law, this Addendum shall be construed, administered, and governed under the laws of the State of New York, except to the extent preempted by applicable federal law.
- Notices. All notices hereunder shall be in writing, and either delivered by hand, or sent by mail, or delivered in such other manner as the parties may agree upon, to the following:
To Covered Entity: Practice’s Email Address Identified in the Practice Agreement
To BA: Dandy
Attention: Legal Department
10 E 40th St., 15th Floor
New York, New York 10016
Each party reserves the right to change address for receiving notice during the term of this Addendum upon written notice to the other parties.
- Counterparts. This Addendum may be executed in separate counterparts, none of which need contain the signatures of both parties, and each of which, when so executed, shall be deemed to be an original, and such counterparts shall together constitute and be one and the same instrument.
IT Policy for Practice-Provided Equipment
This policy applies only to practices that use their own laptop and scanner as part of their relationship with Dandy.
Standard Systems Policy:
To ensure the quality and consistency of case submission to Dandy Labs, you agree to comply with the following requirements regarding your IT infrastructure:
- You agree to use the 3Shape TRIOS 3 or 3Shape TRIOS 4 intraoral scanner only.
- Dandy is not compatible with the 3Shape TRIOS 3 MOVE nor the 3Shape TRIOS 4 MOVE at this time.
- You agree to provide a consistent Wi-Fi connection of at least 25 Mbps upload and 25 Mbps download in all locations where case submission occurs.
- You agree to use a computer with the 3Shape intraoral scanner that meets the following system requirements:
- PC Minimum:
- Processor: Intel® Core™ i5-12400 or similar
- Memory: 32 GB
- Disk: 512 GB SSD (or more)
- Graphics card: NVIDIA® T1000
- Operating system: Windows 10 Pro or higher
- Has an operational webcam and maintains TeamViewer
- PC Recommended:
- Processor: Intel® Core™ i5-12600HX or better
- Memory: 32 GB
- Disk: 1 TB SSD
- Graphics card: NVIDIA® A3000
- Operating system: Windows 10 Pro or higher
- Has an operational webcam and maintains TeamViewer
- You agree to upgrade the TRIOS software to a minimum version of 1.7.19.0.
- You agree to save and submit all case files to the local storage of the computer.
- You agree to grant EasyAccess to TeamViewer to Dandy’s customer service team with a mutually agreed-upon shared password that will exist for the duration of the relationship.
- You agree to install the DandyUploader to a local user’s profile and you will use this local profile in connection with your use of the TRIOS software.
- You agree to grant permission to the following file paths if you are using antivirus software:
C:\Users\<user>\AppData\Local\orthly-uploader
C:\Users\Dandy\AppData\Roaming\@orthly\enamel
C:\Users\Dandy\AppData\Roaming\@orthly\uploader-medit-backend
C:\Users\Dandy\AppData\Local\orthly-uploader
C:\Users\Dandy\AppData\Local\Programs\orthly-uploader
- You will install the Atera software and ensure it is readily available to maintain the health of the Dandy software.
- Should your practice have a network firewall, either physical or web-based, please allow all traffic on the following domains: