The Small and Medium Business Services Agreement between Catapult and Customer includes, and is subject to, these General Terms and Conditions and HIPAA Business Associate Agreement.

ARTICLE 1: Catapult’s Responsibilities

  1. Equipment and Supplies. Catapult will provide all necessary supplies and equipment to perform the VirtualCheckup®.
  2. Participant Consent. Catapult will obtain consent from each Participant.
  3. Records; Ownership of Data. Except as otherwise provided by law, Catapult will retain all Participant consents and records covered by this Agreement, including, but not limited to, data regarding the extent and cost of health Checkups provided. Catapult shall retain ownership of data collected by Catapult and data analyses generated by Catapult in connection with the Services.

ARTICLE 2: Customer’s Responsibilities

  1. Notification of VirtualCheckup® Offering. Beginning at least 30 days prior to launching the VirtualCheckup® registration portal, Customer shall use best efforts to provide weekly education and awareness messages to eligible Participants regarding the VirtualCheckup®.
  2. Participant Privacy. Customer understands and agrees that Catapult will not share any Participant health information with Customer unless permissible by law and consistent with the Business Associate Agreement.
  3. Compliance with Applicable Wellness Regulations. Customer agrees to comply with applicable laws and regulations governing the design and administration of wellness programs (including applicable notice requirements) for its employees and dependents; including, but not limited to, the requirements of the Patient Protection and Affordable Care Act, the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act.

ARTICLE 3: Additional Terms Regarding Payment

  1. Late Payments. Any payment not received within 30 days after the invoice date will accrue interest at a rate equal to the lesser of 1.5% per month or the highest rate permitted by applicable law.
  2. Provider Agreement. If Catapult’s provider agreement with a health plan is amended and Catapult is filing claims with the health plan for Services rendered, Catapult’s Checkup Fee will be adjusted to match the amended rate for Services provided.
  3. Disputed Amounts. If Customer disputes the accuracy of any portion of an invoice, Customer will notify Catapult of such dispute promptly following its discovery. No dispute will relieve Customer from paying the undisputed portion of the invoice. The parties will work together in good faith to resolve the dispute.

ARTICLE 4: Indemnification and Limitation of Liability

  1. Indemnification by Catapult. Catapult agrees to indemnify, hold harmless, and defend Customer, its officers, directors, employees, agents, successors, and assigns from and against any and all damages, costs, and expenses, including reasonable legal fees and expenses (collectively, “Damages”), incurred in connection with a third party claim or assertion arising from or related to (i) any claim by a Participant due to Catapult’s gross negligence or willful misconduct in the performance of the Services; or (ii) any breach of Catapult’s responsibilities under this Agreement.
  2. Indemnification by Customer. Customer agrees to indemnify, hold harmless, and defend Catapult, its officers, directors, employees, agents, successors, and assigns from and against any and all Damages incurred in connection with a third party claim or assertion arising from or related to (i) any claim by a Participant other than due to Catapult’s gross negligence or willful misconduct in the performance of the Services; or (ii) any breach of Customer’s responsibilities under this Agreement.

ARTICLE 5: Term and Termination

  1. Term and Termination. This Agreement shall continue until terminated or not renewed. This Agreement shall automatically renew for successive one-year terms unless a party shall have given the other party written notice of non-renewal at least 60 days prior to the anniversary of the Effective Date.
  2. Elective Termination. Notwithstanding the foregoing, either party may terminate this Agreement at any time upon 60 days prior written notice to the other party; provided, however, that a termination initiated by Customer shall not relieve it from Catapult’s minimum annual participation requirement, or from paying any fees incurred or to be incurred for VirtualCheckups in progress and before Catapult has received notice of termination.

ARTICLE 6: Confidentiality

  1. Each party shall comply with such party’s respective obligations with respect to the privacy and security of Protected Health Information (as defined at 45 CFR 160.103) under applicable law, including without limitation the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and shall comply with the terms of the Business Associate Agreement between the parties, included as Exhibit A and incorporated herein by reference. The parties also agree that they will preserve the confidentiality of data or information relating to the other party’s business, which is (i) confidential and clearly so designated, or which by nature of the circumstances surrounding the disclosure ought in good faith to be treated as proprietary or confidential; and (ii) submitted to such party by the other party in order to perform Services under this Agreement. Neither party will have an obligation to maintain the confidentiality of any data or information (except to the extent such data or information constitutes Protected Health Information), which (i) was in a party’s lawful possession prior to the submission thereof by the other party; (ii) is later lawfully made available to a party by a third party having no obligation of secrecy to the other party; (iii) is independently developed by a third party; (iv) is or later becomes available to the public through no fault of either party; or (v) is subject to disclosure pursuant to a valid court order or subpoena or similar legal process. Violations may be enjoined through injunctive proceedings in addition to any other rights available at law or equity.

ARTICLE 7: Non-Covered Services, Status of Parties, Independent Medical Judgment

  1. Non-covered Services. The parties acknowledge and agree that this Agreement does not cover any medical services beyond the Services. This Agreement expressly does not cover any of the following:
    1. medical testing other than tests described in the Description of Services on Page 1 of this Agreement;
    2. treatment of Participants for any diseases or conditions;
    3. emergency care or emergency transport; or
    4. prescriptions for medications or pharmaceuticals.
  2. Status of Parties; Independent Medical Judgment. Customer acknowledges and agrees that Catapult healthcare providers are obligated to use their own independent medical judgment in the evaluation and treatment of any Participant. No provision of this Agreement shall be construed to affect the free exercise of independent medical judgment by Catapult healthcare providers, and any provision to the contrary shall be superseded by this paragraph.

ARTICLE 8: General Provisions

  1. Governing Law. This Agreement will be governed by and construed in accordance with the laws of the State of Texas (without regard to any conflict of laws rule or principle that might refer governance or construction of this Agreement to the laws of another jurisdiction). Venue for any action brought hereunder shall be proper only in the federal and state courts having jurisdiction in the county in which the headquarters of the party against which such action is brought are located.
  2. Entire Agreement. This Agreement and any attached exhibits, addenda, or appendices, shall constitute the entire agreement between the parties with respect to the subject matter of this Agreement. There are no understandings or agreements relating to the subject matter of this Agreement that are not fully expressed herein, and no change or waiver is valid unless it is in writing and executed by the party against whom it is sought to be enforced. This Agreement may be amended or modified only by a written instrument that is signed by all parties.
  3. Force Majeure. In the event either party is prevented from performing, or is unable to perform, any of its obligations under this Agreement due to any cause (including but not limited to inclement weather) beyond the reasonable control of the party invoking this provision (each, a “Force Majeure Event”), the affected party’s performance will be excused and the time for performance will be extended for the period of delay or inability to perform due to such occurrence. In the event that a party’s performance is prevented or delayed for more than 30 days, then the other party may terminate this Agreement by delivery of written notice to the non-performing party.
  4. Severability. If a court of competent jurisdiction finds any provision of this Agreement to be unenforceable, the remainder of this Agreement will be enforced, with substitution as necessary to give reasonable overall effect to the terms of this Agreement.
  5. Injunctive Relief. The parties understand and agree that, due to the highly competitive nature of the healthcare industry, the breach of any covenants set out in this Agreement may cause irreparable injury to Catapult or Customer for which no adequate remedy at law will be available. Therefore, either Catapult or Customer, as the case may be, will be entitled, in addition to such other remedies as it may have hereunder, to seek a temporary restraining order and preliminary injunctive relief for any breach or threatened breach of this Agreement.
  6. Business Relationship. The parties agree that Catapult is an independent contractor of Customer. This Agreement will not create any agency, employment, joint venture, partnership, representation, or an attorney-client or fiduciary relationship between the parties. No party has the authority to, nor will a party attempt to, create any obligation on behalf of another party as a result of this Agreement.
  7. Compliance with State and Federal Laws. The parties enter into this Agreement with the intent of conducting their relationship in full compliance with applicable state, local and federal laws and regulations, including, but not limited to, the federal and state privacy and security laws, the applicable provisions of the Patient Protection and Affordable Care Act (Public Law 111-148) and the Health Care and Education Reconciliation Act (Public Law 111-152), and the Texas Occupations Code illegal remuneration law; provided however, Customer shall be responsible for its and its Participants’ compliance with the Employee Retirement Income Security Act of 1974, applicable requirements of the Internal Revenue Service and the Patient Protection and Affordable Care Act of 2010. Notwithstanding any unanticipated effect of any of the provisions herein, the parties agree not to intentionally conduct themselves under the terms of this Agreement in a manner that would constitute a violation of any federal, state or local law, as each such law is amended.
  8. No Government Payor Reimbursement. It is the intent of Catapult and Customer that Customer and Catapult will not be participating in a federal or state healthcare program or seeking reimbursement from any federal or state healthcare program for the services provided to Participants.
  9. Managed Care Contracting. As applicable, the parties agree to participate in and comply with the provisions of any participating provider, managed care and other third party payor contracts entered into by the parties.
  10. Authority. Each individual executing above on behalf of an entity hereby represents and warrants to the other party that such individual is duly authorized to execute, and to deliver, this Agreement on behalf of that entity and that such execution and delivery makes this Agreement a valid and binding obligation of the entity for all purposes.
  11. Notices. All notices to a party pursuant to this Agreement shall be sent by certified mail, return receipt requested, to the officer executing this Agreement at the address set forth on the signature page hereto.


This HIPAA Business Associate Agreement (“BAA”) amends and is made part of the Small and Medium Business Services Agreement (the “Services Agreement”) by and between Customer and Catapult (“Business Associate”).

Customer acknowledges that Catapult functions as the business associate of certain affiliated entities (collectively, “Catapult Affiliates”) that are covered entities and business associates (each as defined at 45 CFR § 160.103) and on whose behalf Catapult may enter into agreements.  Customer and Catapult agree that the parties incorporate this BAA into the Service Agreement in order to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and their implementing regulations set forth at 45 C.F.R. Parts 160 and Part 164 (the “HIPAA Rules”). To the extent Catapult is acting as a business associate of Customer pursuant to the Service Agreement, the provisions of this BAA shall apply, and Catapult shall be subject to the penalty provisions of HIPAA as specified in 45 CFR Part 160.

1. Definitions. Capitalized terms not otherwise defined in this BAA shall have the meaning set forth in the HIPAA Rules. References to “PHI” mean Protected Health Information maintained, created, received or transmitted by Catapult from Customer or on Customer’s behalf.

2. Uses or Disclosures. Catapult will neither use nor disclose PHI except as permitted or required by this BAA or as Required By Law. To the extent Catapult is to carry out an obligation of Customer under 45 CFR Part 164, Subpart E, Catapult shall comply with the requirements of 45 CFR Part 164, Subpart E that apply to Customer in the performance of such obligation. Catapult is permitted to use and disclose PHI:

  1. to perform any and all obligations of Catapult as described in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Customer directly;
  2. as otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA Rules, if done by Customer directly and provided that Customer gives its prior written consent;
  3. to perform Data Aggregation services relating to the health care operations of Customer;
  4. to report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.502(j)(1);
  5. as necessary for Catapult’s proper management and administration and to carry out Catapult’s legal responsibilities (collectively “Catapult’s Operations”), provided that Catapult may only disclose PHI for Catapult’s Operations if the disclosure is Required By Law or Catapult obtains reasonable assurance, evidenced by a written contract, from the recipient that the recipient will: (1) hold such PHI in confidence and use or further disclose it only for the purpose for which Catapult disclosed it to the recipient or as Required By Law; and (2) notify Catapult of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached;
  6. to create de-identified information in accordance with 45 C.F.R. § 164.514(b), provided that such de-identified information may be used and disclosed only consistent with applicable law;
  7. to create a limited data set as defined at 45 CFR §164.514(e)(2), provided that Catapult will only use and disclose such limited data set for purposes of research, public health or health care operations and will comply with the data use agreement requirements of 45 CFR §164.514(e)(4), including that Catapult will not identify the information or contact the individuals.

In the event Customer notifies Catapult of an Individual’s restriction request granted pursuant to 45 CFR §164.522 that would restrict a use or disclosure otherwise permitted by this Section, Catapult shall comply with the terms of the restriction request.   

3. Safeguards. Catapult will use appropriate administrative, technical and physical safeguards to prevent the use or disclosure of PHI other than as permitted by this BAA. Catapult will also comply with the provisions of 45 CFR Part 164, Subpart C with respect to electronic PHI to prevent any use or disclosure of such information other than as provided by this BAA.

4. Subcontractors. In accordance with 45 CFR §§ 164.308(b)(2) and 164.502(e)(1)(ii), Catapult will ensure that all of its Subcontractors that create, receive, maintain or transmit PHI on behalf of Catapult agree by written contract to comply with the same restrictions and conditions that apply to Catapult with respect to such PHI, including but not limited to the obligation to comply with 45 CFR Part 164, Subpart C.

5. Minimum Necessary. Catapult represents that the PHI requested, used or disclosed by Catapult shall be the minimum amount necessary to carry out the purposes of the Service Agreement. Catapult will limit its uses and disclosures of, and requests for, PHI (i) when practical, to the information making up a Limited Data Set; and (ii) in all other cases subject to the requirements of 45 CFR § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.

6. Obligations of Customer. Customer shall notify Catapult of (i) any limitations in its notice of privacy practices, (ii) any changes in, or revocation of, permission by an individual to use or disclose PHI, and (iii) any confidential communication request or restriction on the use or disclosure of PHI that Customer has agreed to or with which Customer is required to comply, to the extent any of the foregoing affect Catapult’s use or disclosure of PHI. Customer shall obtain all consents, permissions or authorizations, if any, required for Customer to disclose PHI to Catapult and for Catapult to use and disclose PHI as permitted herein and only disclose to Catapult the minimum Protected Health Information necessary to allow Catapult to perform its obligations under the Service Agreement.

7. Access and Amendment. In accordance with 45 CFR § 164.524, Catapult shall permit Customer or, at Customer’s request, an individual (or the individual’s designee) to inspect and obtain copies of any PHI about the individual that is in Catapult’s custody or control and that is maintained by Catapult in a Designated Record Set. If the requested PHI is maintained electronically, Catapult shall provide a copy of the PHI in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by Customer and the individual. Catapult will, upon receipt of notice from Customer, promptly amend or permit Customer access to amend PHI held in a Designated Record Set by Catapult so that Customer may meet its amendment obligations under 45 CFR § 164.526.

8. Accounting. Except for disclosures excluded from the accounting obligation by the HIPAA Rules and regulations issued pursuant to HITECH, Catapult will record for each disclosure that Catapult makes of PHI the information necessary for Customer to make an accounting of disclosures pursuant to the HIPAA Rules. In the event the U.S. Department of Health and Human Services (“HHS”) finalizes regulations requiring Covered Entities to provide access reports, Catapult shall also record such information with respect to electronic PHI held by Catapult as would be required under the regulations for Covered Entities beginning on the effective date of such regulations. Catapult will make information required to be recorded pursuant to this Section available to Customer promptly upon Customer’s request for the period requested, but for no longer than required by the HIPAA Rules (except Catapult need not have any information for disclosures occurring before the effective date of this BAA).

9. Inspection of Books and Records. Catapult will make its internal practices, books, and records, relating to its use and disclosure of PHI, available upon request to Customer or HHS to determine compliance with the HIPAA Rules.

10. Reporting. To the extent Catapult becomes aware or discovers any use or disclosure of PHI not permitted by this BAA, any Security Incident involving electronic PHI or any Breach of Unsecured Protected Health Information involving PHI, Catapult shall promptly report such use, disclosure, Security Incident or Breach to Customer. Catapult shall mitigate, to the extent practicable, any harmful effect known to it of a Security Incident, Breach or a non-permitted use or disclosure of PHI that is caused by Catapult or Catapult Affiliates. Notwithstanding the foregoing, the parties acknowledge and agree that this section constitutes notice by Catapult to Customer of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Customer shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Catapult’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of electronic PHI. All reports of Breaches shall be made in compliance with 45 CFR § 164.410.

11. Term and Termination. This BAA shall be effective as of the effective date of the Service Agreement and shall remain in effect until termination of the Service Agreement. Either party may terminate this BAA and the Service Agreement effective immediately if it determines that the other party has breached a material provision of this BAA and failed to cure such breach within thirty (30) days of being notified by the other party of the breach. If the non-breaching party determines that cure is not possible, such party may terminate this BAA and the Service Agreement effective immediately upon written notice to the other party.

Upon termination of this BAA for any reason, Catapult will, if feasible, return to Customer or destroy all PHI maintained by Catapult in any form or medium, including all copies of such PHI. Further, Catapult shall recover any PHI in the possession of Catapult Affiliates and return to Customer or securely destroy all such PHI. In the event that Catapult determines that returning or destroying any PHI is infeasible, Catapult may maintain such PHI but shall continue to abide by the terms and conditions of this BAA with respect to such PHI and shall limit its further use or disclosure of such PHI to those purposes that make return or destruction of the PHI infeasible. Upon termination of this BAA for any reason, all of Catapult’s obligations under this BAA shall survive termination and remain in effect (a) until Catapult has completed the return or destruction of PHI as required by this Section and (b) to the extent Catapult retains any PHI pursuant to this Section.

12. General Provisions. In the event that any final regulation or amendment to final regulations is promulgated by HHS or other government regulatory authority with respect to PHI, the parties shall negotiate in good faith to amend this BAA to remain in compliance with such regulations. Any ambiguity in this BAA shall be resolved to permit Customer and Catapult to comply with the HIPAA Rules. Nothing in this BAA shall be construed to create any rights or remedies in any third parties or any agency relationship between the parties. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. The terms and conditions of this BAA override and control any conflicting term or condition of the Service Agreement and replace and supersede any prior business associate agreements in place between the parties. All non-conflicting terms and conditions of the Service Agreement remain in full force and effect.