local_library Resource

Purchase Order Terms and Conditions

Stanford University Purchase Orders are issued subject to the following terms and conditions. Terms in any acceptance by a Seller which are in addition to, or not identical with the following terms will not become a part of any Stanford University Purchase Contract unless Stanford specifically and expressly agrees in writing that such other terms are accepted.

1.1 “Stanford” means the Board of Trustees of the Leland Stanford Junior University.  

1.2 “Contractor” means the person or entity contracting to supply goods and/or services under this Purchase Order,  and includes all Contractor's sales or other agents, subcontractors, employees and distributors thereof.

1.3 “Purchase Order” and/or “PO” means a valid Stanford University Purchase Order.

The PO is accepted on, subject to, and governed by the terms set forth herein. Any additional Terms will not become a part of any PO unless Stanford specifically and expressly agrees in writing that such additional terms are accepted. By performing under the PO or any part hereof, Contractor agrees to and accepts all the provisions of the PO and agrees to fully perform. 

Stanford shall have a reasonable time (but not less than 30 days) after receipt to inspect goods tendered by Contractor. Stanford at its option may reject all or any portion of such goods which do not in Stanford's sole discretion comply in every respect with each and every term and condition of this PO. Stanford may elect to reject any or all goods tendered even if only a portion thereof is nonconforming.  If Stanford elects to accept nonconforming goods, Stanford, in addition to its other remedies, shall be entitled to deduct a reasonable amount from the price to compensate Stanford for the nonconformity. Any acceptance by Stanford, even if unconditional, shall not be deemed a waiver or settlement of any defect in such goods.

Stanford shall pay Contractor the Fee set forth in Contractor's quotation/proposal referenced herein for services satisfactorily performed by Contractor in accordance with this PO. If Contractor's Fee is stated as an hourly rate, fractional hours shall be compensated for on a prorated basis. Time necessarily spent in local travel shall not be considered working time. Hours expended by Contractor shall be documented by weekly timesheets. Timesheets shall be provided to Stanford, upon request. Hourly rates shall include Contractor's fees, cost of operation, including benefits attributable to payroll, overhead, salaries and other administrative expenses.  Contractor and Stanford agree that the Maximum Cost for Contractor's Fees set forth in this PO shall not be exceeded without prior written approval byStanford and a change order to the PO has been issued. Stanford shall reimburse Contractor on account of expenses paid or incurred by Contractor for travel beyond a 50-mile radius from the Stanford University campus. The amount and extent of reimbursement for travel shall be in accordance with the provisions of Stanford University's Guide Memorandum Number 5-4-2, which can be viewed at https://adminguide.stanford.edu/5-4-2. Stanford will also reimburse Contractor on account of incurred costs for reproduction services as may be required in the performance of this PO, and for such purchased services as may be approvedin advance by Stanford, at Contractor's  cost. The amount for Contractor's reimbursable expenses, if any, shall be included in Contractor's quotation/proposal. The total Not-to-Exceed amount stated on the PO shall constitute the limit of compensation due to Contractor under this Agreement.

Contractor shall include Stanford's eight (8) digit PO number on all invoices and the delivery address for all goods delivered to Stanford.

6.1 GOODS: If this PO is for the provision of goods, following acceptance of an undisputed invoice, Stanford shall transmit payment to Contractor within thirty (30) days.

6.2 SERVICES: If this PO is for the provision of services, Contractor shall submit invoices for services, reimbursable expenses and additional services not more often than once per month to the person and/or office specified in the PO. If Contractor's Fee is stated as an hourly rate, supporting data to be attached to the invoice shall include payroll data identifying each individual, the position, grade or title, number of hours worked, applicable hourly rate and dates worked. Invoices for reimbursable expenses shall be supported by receipts. Each invoice shall contain a summary of the total amount of previous invoices, this invoice amount, and the unbilled balance of this PO and its approved Change Orders. If the Contractor believes that any amount included in a current invoice is outside the scope of this PO, Contractor shall identify the amount and the nature of the work. In addition, the Contractor shall, on a monthly basis, review its progress on the project. If the Contractor, having performed said review, has reason to anticipate a need for additional funding, it shall indicate, on an invoice attachment, the reasons for the anticipated funding increase, its best estimate of the total additional costs and the time impact, if any, on the project completion schedule. Any failure by the Contractor to comply with this section shall be cause for Stanford to refuse compensation. Following acceptance of an undisputed invoice, Stanford shall transmit payment to Contractor within thirty (30) days. Invoices for Contractor's Services are to be made out to Stanford University and submitted for approval, to the address stated on the face of this PO. The PO Number shall be referenced on each invoice.

Contractor understands that time is of the essence with respect to its performance, and that this Agreement may not be modified, supplemented, qualified or interpreted by any usage of trade.

Unless otherwise specified herein, Contractor agrees that the price quoted herein includes all federal, state and local sales, use, excise, transaction, and other taxes, fees and/or assessments.

Until accepted by Stanford as provided above, Contractor shall bear all risk of loss and damage, unless such loss or damage results solely from the gross negligence or intentional misconduct of Stanford.

10.1 GOODS: If this PO is for the provision of goods, Contractor warrants that the goods (a) are of merchantable quality; (b) are fit for the particular needs and purposes of Stanford as may be communicated to Contractor; (c) comply with the highest warranties, representations and options expressed by Contractor orally or in any written advertisement, correspondence or other document provided to or in the possession of Stanford; (d) comply with all applicable laws, codes and regulations as published by any national, state or local association or group; and (e) are not restricted in any way by patents, copyrights, trade secrets, or any other rights of third parties. If any of the foregoing warranties is breached, Contractor agrees to correct all defects and nonconformities, to be liable for all direct, indirect, consequential and other damages suffered by Stanford and any other persons, and to defend, indemnify and hold harmless Stanford from any claim asserted by any person resulting in whole or in part from such breach.

10.2 SERVICES: If this PO is for the provision of services, Contractor warrants that all services hereunder shall be performed by personnel experienced and highly skilled in their profession and in accordance with the highest applicable standards of professionalism for comparable or similar services. Contractor shall be responsible for the professional quality, timeliness, coordination and completeness of the services. Contractor personnel assigned to perform the services shall be as proposed by Contractor and approved by Stanford. No such personnel of Contractor shall be reassigned without the approval of Stanford. Contractor shall use only personnel required for the performance of the services who are qualified by education, training and experience to perform the tasks assigned to them. Contractor agrees to replace any of its employees whose work is considered by Stanford to be unsatisfactory or contrary to the requirements of the services to be performed hereunder. Stanford shall not supervise nor control the details of Contractor's services, but rather shall be interested only in the results of Contractor's services.

If at any time Stanford in good faith determines that it questions Contractor's ability or intent to perform, then Contractor agrees to provide Stanford with written assurance fully satisfactory to Stanford, in Stanford's sole discretion, of Contractor's ability and intent to fully perform. Such assurance shall be provided within the time and in the manner specified by Stanford. Contractor shall immediately notify Stanford of any circumstance which may cause Contractor to fail to fully perform. Upon Stanford's good faith determination that Contractor cannot or will not perform, then Stanford may deem this PO to be breached by Contractor (unless performance is excused as provided below), may cancel this PO, and/or may re-procure from other sources.

Stanford shall be obligated to pay Contractor only for goods and/or services described herein. Any additional goods or services must be approved in writing by Stanford. Stanford, by written notice, may change or terminate all or any part of this PO for Stanford's convenience. If such changes cause an increase or decrease in costs incurred or time required to complete performance an equitable adjustment shall be made in compensation and/or period of performance, and this PO shall be amended accordingly in writing, provided however that Stanford will not compensate Contractor for any goods not shipped or services not performed by the date of such change or termination. If such goods are standard items of Contractor's inventory, Contractor's claim for an equitable adjustment under this paragraph must be submitted to Stanford in writing within 30 days of receipt of notice of change or termination, otherwise all such claims of Contractor shall be deemed to have been waived.

Stanford may, by written notice, terminate this PO, in whole or in part, for failure of Contractor to perform any of the provisions, including failure to deliver as and when specified. If the PO is terminated, Contractor shall be liable for all damages, including without limitation:

a) Any incremental cost of re-procuring the same or similar goods or services,

b) Shipping charges for any items Stanford may, at its sole option, return to Contractor, including items already delivered, but for which Stanford no longer has any use because of Contractor's default, and

c) Amounts paid by Stanford for any items Stanford received but returns to Contractor.

d) Contractor will provide to Stanford a refund of any fees prepaid to Contractor for services not yet rendered, including a prorated refund of any fees for incomplete license periods or other incomplete service period.

In the event of termination, Stanford shall be liable only for payment in accordance with the payment provisions of this PO for services performed prior to the effective date of termination. 

Neither party is responsible for any failure to perform its obligations under this Agreement, if it is prevented or delayed in performing those obligations by an event or circumstance which is reasonably unforeseen and beyond the party’s control; including, but not limited to, riot, war, act of terrorism, rebellion, earthquake, flood, fire, pandemic, or other natural disaster, national labor strike or a shortage of raw materials (Force Majeure).  A party impacted by a Force Majeure event must immediately (a) notify the other party in writing with details of the event and the reasons it is preventing or delaying performance, and (b) use reasonable efforts to mitigate the effects of the event upon its performance.

Contractor agrees to indemnify, defend and hold Stanford harmless from and against, and to waive all claims against Stanford for claims, suits and demands of liability loss or damage whatsoever, including reasonable attorneys' fees, whether direct or consequential,  

  1. on account of any loss, injury, death or damage (including without limitation lost-wage, labor, or employment claims)  to any person or property (including without limitation all agents and employees  of  Contractor and Stanford and all property owned by, leased to or used by either Contractor or Stanford, or both)  or   
  2. on account of any loss or damage to business or reputation or privacy of any person, 

arising in whole or in part in any way from or in any way connected with or in any way related to Contractor's performance, and regardless of whether such loss, injury, death or damage or person or property results in whole or in part from (1) the negligence or omission of Stanford, (2) any product liability of Stanford or any person, or (3) any strict liability of Stanford or any person.  

Any such claims, suits and demands of liability, loss or damage resulting solely from Stanford's gross recklessness or willful intent to injure are excluded from the above indemnity and waiver provisions. As used in this indemnity and waiver provision, and for purposes of Contractor's insurance, “Stanford” shall be deemed to include Stanford University, its Trustees, Directors, officers, employees, faculty, students, agents, affiliated organizations and their insurance carriers, if any.  

Contractor, at its expense, shall defend, indemnify and hold harmless Stanford, its trustees, officers, employees, agents, and students from and against any and all claims and demands which may be made to the extent that it is based on a claim that any Services furnished hereunder infringed a patent, copyright, trademark, service mark, trade secret, or other legally protected proprietary right.  Contractor shall pay all costs, fees, and damages which may be incurred by Stanford for any such claim or action or the settlement thereof.

Contractor agrees not to use Stanford's name or other Stanford trademarks (together referred to herein as the "Marks"), or the name or trademarks of any related organization, or to quote any of Stanford's faculty, staff, students, volunteers or agents ("Quotes"), either in writing or orally, without the prior written consent of Stanford’s Senior Director, University Brand Management.  This prohibition includes, but is not limited to, use of the Marks or Quotes in press releases, advertising, marketing materials, other promotional materials, presentations, photographs for commercial use, case studies, reports, websites, application or software interfaces, and other electronic media.

18.1   Non-Disclosure. Contractor acknowledges that Stanford continually develops confidential information for Stanford and that Contractor may learn of confidential information, including confidential information of third parties, during the term of this Agreement. Contractor will comply with the policies and procedures of Stanford for protecting confidential information set forth below and, in any event, shall not disclose to any person or entity (except as required by applicable law or for the proper performance of Contractor’s duties and responsibilities to Stanford), or use for Contractor’s or any third party’s benefit or gain, any confidential information obtained by Contractor incident to Contractor’s consultancy or other association with Stanford.  Contractor understands that this restriction shall continue to apply after this Agreement terminates, regardless of the reason for such termination.

18.2   Ownership of Data. Ownership of technical data produced by or for Contractor or any of its employees in the course of performing the Services hereunder and of all proprietary rights therein shall vest in and shall be delivered, upon request, to Stanford.  For the purposes hereof, the term "technical data" means technical writing, pictorial reproductions, drawings or other graphical representations, tape recordings, reports, calculations, tables and documents of technical nature, whether copyrightable or copyrighted, which are made in the course of performing the Services as specified. Contractor may, however, use data prepared or produced under this Agreement, where such data is otherwise made publicly available or with the specific approval of Stanford.

18.3   Data Security. Contractor agrees to handle data and other information ("Data") with a standard of care at least as rigorous as that specified in Stanford's Minimum Security Standards and Minimum Privacy Standards, located at https://minsec.stanford.edu and http://minpriv.stanford.edu respectively, which are hereby incorporated by reference into the Agreement. Prior to performing Services which require access to, transmission of, and/or storage of Stanford's Moderate or High Risk Data, Contractor will provide a third party certification verifying its ability to comply with the Guidelines. Contractor will not copy, cause to be copied, use or disclose Data received from or on behalf of Stanford except as permitted or required by the Agreement, as required by law, or as otherwise authorized by Stanford in writing. Contractor will give immediate notice to Stanford of any actual or suspected unauthorized disclosure of, access to or other breach of the Data. In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the Data, Contractor will comply with all state and Federal laws and regulations related to such breach, and will cooperate with Stanford in fulfilling its legal obligations. Contractor will indemnify Stanford for its violation of this paragraph, including but not limited to the cost of providing appropriate notice to all required parties and credit monitoring, credit rehabilitation, or other credit support services to individuals with information impacted by the actual or suspected breach. Upon termination or expiration of the Agreement, Contractor will return or, at Stanford's election, destroy, the Data within 30 days from the conclusion of the Agreement. This paragraph and its indemnity will survive the termination of the Agreement.

18.4   FERPA (Family Educational Rights and Privacy Act). During the course of performing Services under this Contract, Contractor may have access to certain Student educational records. If Contractor accesses Student educational records, Contractor may not permit access to, or the release or transfer of personally identifiable information from a student’s educational record to any party by any means, other than to Stanford officials and/or the student upon written request.

18.5   Protected Health Information. During the course of performing Services under this Contract, Contractor may have access to certain information that may constitute Protected Health Information (PHI). Attached to, and hereby incorporated into, this Agreement is a Business Associate Addendum (BAA) that sets forth the terms and conditions governing the handling of PHI. If Contractor accesses PHI, Contractor agrees to comply with the requirements of the BAA, and acknowledges that failure to comply with the requirements of the BAA may result in the liquidated damages stipulated in the BAA and termination of this Agreement.

18.6   GDPR (General Data Protection Regulation). During the course of performing Services under this Agreement, Contractor may have access to certain information that may constitute Personally Identifiable Information (PII) under the General Data Protection Regulation (GDPR). Attached to and hereby fully incorporated into this Agreement is a Data Processing Addendum that sets forth the terms and conditions governing the handling of Personally Identifiable Information.  If Contractor has access to PII for a particular project, Contractor: (a) will return a copy of the Data Processing Addendum to Stanford, complete with information detailing the specific usage of the applicable data, such information requirements are highlighted in yellow in the Data Processing Addendum; (b) agrees to comply with the requirements and stipulations of said Data Processing Addendum; and (c) acknowledges that failure to comply with such requirements will subject Contractor to the damages stipulated in the GDPR as well as termination of this Agreement.

19.1 Contractor shall, throughout out the term of this Agreement, handle data and other information generated from financial transactions stored, processed and/or transmitted by or for it under this Agreement  ("Cardholder Data") in compliance with the then current Payment Card Industry Data Security Standards (PCI DSS) and all applicable laws and regulations

19.2 Contractor hereby certifies its PCI DSS compliance as of the Effective Date, and shall maintain its certification throughout the term of this Agreement.  Without limiting the foregoing, Contractor hereby acknowledges that it is responsible for (i) the security of Cardholder Data that it possesses or otherwise stores, processes or transmits on behalf of Stanford, or to the extent that it could impact the security of Stanford’s cardholder data environment; and (ii) managing and maintaining all PCI DSS requirements. 

19.3 Contractor will provide a list of payment applications Contractor will use to conduct financial transactions under this Agreement. Payment applications must meet Stanford's published requirements. Contractor will provide 30 days-notice prior to adding or removing any payment applications. 

19.4 Upon execution of this Agreement, Contractor will provide Stanford with documentation signed by a certified PCI Qualified Security Auditor verifying that Contractor, and each of its subcontractors is PCI DSS compliant.  Such documentation will be sent to @email.  Stanford reserves the right, at any time during the term of this Agreement, to request updated documentation of such compliance. 

19.5 If Contractor becomes non-compliant with PCI DSS, it will immediately notify Stanford and provide its plan to remediate the non-compliance. In no event will Contractor’s notification to Stanford be later than seven (7) calendar days after Contractor discovers its non-compliance.  

19.6 Contractor will give immediate notice to Stanford of any actual or suspected unauthorized disclosure of, access to or other breach of Cardholder Data.  

19.7 Notwithstanding the foregoing sections (i.e. Sections 1.5 and Section 1.6), Stanford may terminate the Agreement immediately in the event Contractor fails to maintain compliance with PCI DSS or otherwise fails to maintain confidentiality of any Cardholder Data.

19.8 Contractor acknowledges that the indemnification provisions of this Agreement apply to any failure to maintain PCI DSS compliance or confidentiality of any Cardholder Data.

Contractor shall not commence Services under this Agreement until it has obtained insurance that satisfies the below minimum insurance requirements. The Contractor shall not allow any subcontractor to commence Services under a subcontract until the subcontractor has obtained insurance that satisfies the below minimum insurance requirements, or Contractor has insured the subcontractor under its own insurance policies.  

Insurance required under this Agreement shall be:
20.1 Commercial General Liability (bodily injury, property damage, and personal injury) insurance, with a single limit of not less than $2,000,000 for a single occurrence.

20.2 Automobile Liability insurance (bodily injury, property damage and personal injury), with a combined single limit of not less than $1,000,000 for all owned, non-owned, and hired vehicles.

20.3 Required insurance shall include the following provisions:
20.3.1 For projects at the University: The Board of Trustees of the Leland Stanford Junior University, its officers, agents, representatives, students, employees and volunteers, shall be included as additional insureds, by endorsement.  

20.3.2 For projects at Stanford Health Care: In addition to those listed above, Stanford Health Care, its Board of Directors, its officers, agents, representatives, students, employees, and volunteers shall be included as additional insureds, by endorsement. 

20.3.3 The Contractor’s insurance shall be primary coverage, Stanford University and/or Stanford Health Care insurance or self-insurance shall be excess and noncontributory.  

20.3.4 Thirty (30) days prior written notice of cancellation or material change in the insurance must be given to Stanford. 

20.3.5 Contractor and Contractor’s insurance companies waive their rights to subrogation against the above named insureds, by endorsement.

20.4 Worker's Compensation insurance and employer's liability insurance covering all persons whom the Contractor may employ in carrying out the Services hereunder. Worker's Compensation insurance will be in accordance with the Worker's Compensation Law of the State of California.

20.5 The insurance arranged by the Contractor and subcontractor(s) or subconsultant(s) shall include contractual liability insurance insuring the indemnity terms of this Agreement.

20.6 On each insurance certificate, the Certificate Holder shall read as follows:  
“The Board of Trustees of the Leland Stanford Junior University
485 Broadway, University Hall, Redwood City, CA 94063”

The Contractor shall furnish Stanford the insurance documents for all insurance required in the preceding paragraphs. The failure of Stanford to: a) object to insurance documents that do not comply with the above insurance requirements or b) require performance by the Contractor under these provisions does not constitute a waiver of these provisions. These provisions may only be amended or waived as provided by this Agreement or by a separate writing signed by Stanford.

Additional Insurance Requirements for Specific Services


Design Services or Other Services Requiring a State License or Professional Certification: 
Include additional Professional Errors and Omissions Liability Insurance with limits not less than $1,000,000.

Painting Services:
Include additional Pollution/Environmental Impairment Liability insurance (including cleanup costs) with limits of not less than $1,000,000.00 per claim and $2,000,000 annual aggregate for liability resulting in Bodily Injury or Property damage arising out of the work or services to be performed for Stanford University. Coverage shall be provided for both work performed on site, as well as during the transport of lead-based paint.

Elevator Services:
Commercial General Liability insurance, increased to a single limit of not less than $10,000,000 for a single occurrence.
Employer’s Liability coverage shall be provided with limits not less than:
$2,000,000.00 Bodily Injury by Accident – Each Accident
$2,000,000.00 Bodily Injury by Disease – Policy Limit
$2,000,000.00 Bodily Injury by Disease – Each Employee

Asbestos Abatement and Other Hazardous Waste Handling Services:
The Business Automobile Liability insurance shall be increased to a combined single limit of not less than $2,000,000 per accident for bodily injury and property damage for all owned, non-owned and hired vehicles. The Business Automobile Liability policy shall be endorsed to delete pollution related exclusions (including lead and asbestos). If Agreement requires transporting asbestos or other hazardous materials, an MCS 90 endorsement with limits of not less than $5,000,000 must be provided to Stanford. Without such coverage Contractor MAY NOT transport asbestos or other hazardous materials to and from Stanford.

Include additional Pollution/Environmental Impairment Liability insurance (including coverage for asbestos and cleanup costs) with limits of not less than $2,000,000 per claim and $4,000,000 annual aggregate for liability resulting in bodily injury or property damage arising out of the work or services to be performed under this contract. Coverage shall be provided for both work performed on site, as well as during the transport of hazardous materials.

Include additional Umbrella/Excess Liability insurance with a limit of not less than $5,000,000 per occurrence for bodily injury and property damage liability, listing the required Employer’s Liability, General Liability, and Business Automobile Liability as underlying policies.

Employer’s Liability limits shall be not less than $1,000,000 each accident; $1,000,000 each employee; $1,000,000 each disease including occupational disease.

Large Construction Projects:
The minimum coverage for Commercial General Liability will be increased an appropriate amount based on the overall Construction Project cost.

Automobile Liability insurance is increased to a minimum combined single limit of not less than $2,000,000 for all owned, non-owned, and hired vehicles.

Include additional Umbrella/Excess Liability insurance with a limit of not less than $2,000,000 per occurrence for bodily injury and property damage liability, listing the required employer’s liability, general liability, and automobile liability as underlying policies.

Recycling, Disposal and Transport of Gas Cylinders:
Include additional Pollution/Environmental Impairment Liability insurance (including cleanup costs) with limits of not less than $1,000,000.00 per claim and $2,000,000 annual aggregate for liability resulting in bodily injury or property damage arising out of the work or services to be performed for Stanford University. Coverage shall be provided for both services performed on site, as well as during the transport of the gas cylinders.

Automobile/Bus Charter Services:
Automobile Liability insurance is increased to a minimum combined single limit of not less than $10,000,000 per vehicle for all owned, non-owned, and hired vehicles.

Include additional Umbrella/Excess Liability insurance “follow-form” for the required coverage to supplement any deficiency. The coverage limit is per occurrence for bodily injury and property damage liability, listing the required employer’s liability, general liability, and automobile liability as underlying policies.

Eatery Operators Serving Alcoholic Beverages:
The required Commercial General liability insurance shall include the following coverage:
A. For injury to one person $2,000,000
B. For injuries arising out of any single accident or occurrence $2,000,000
C. For property damage $2,000,000

Include additional Liquor Liability insurance coverage with a limit of not less than $5,000,000. The Liquor Liability coverage shall be either (i) separate liquor liability, or (ii) a liquor liability endorsement to the comprehensive public liability policy.

Include additional Personal Property Insurance covering property and contents (including food and beverage) of Stanford or the Operator.

Whenever an actual or potential labor dispute delays or threatens to delay the performance under this Agreement, Contractor shall immediately notify Stanford in writing, presenting all relevant information concerning the dispute and its background.

Stanford's policy requires avoidance of real or apparent conflict of interests. Contractor affirms, that to the best of its knowledge, there exists no actual or potential conflict between Contractor's family, business or financial interest and the Services under this Agreement, and in the event of change in either private interests or Services under this Agreement, it will raise with Stanford any question regarding possible conflict of interest which may arise as a result of such change.

Stanford shall have access to and the right to examine any directly pertinent books, documents, papers and records of Contractor involving transactions related to this Agreement until the expiration of three (3) years after final payment hereunder. Contractor agrees to keep and maintain such records for such period of time. If this Agreement is for the provision of Services with a value of $10,000.00 or more within a 12 month period, then until the expiration of four (4) years after the furnishing of any Services pursuant to this Agreement, Contractor shall make available, upon written request from the Secretary of the United States Department of Health and Human Services or from the United States Comptroller General, or any of their duly authorized representatives, this Agreement and such books, documents and records of Contractor as are necessary to certify the nature and extent of the reasonable cost of Services to Stanford.  If Contractor enters into an agreement with any related organization to provide Services pursuant to this Agreement with a value of $10,000.00 or more within a 12-month period, such agreement shall contain a clause identical in content to the first sentence of this paragraph. This paragraph shall be of force and effect only to the extent required by P.L. 96 499.

Except for subcontracting specifically approved by Stanford, Contractor shall not assign its rights nor delegate its duties under this Agreement. Notwithstanding any notice of assignment, Stanford's tender of payment to the Contractor named herein or to any person reasonably believed by Stanford to be entitled to payment shall fully satisfy Stanford's obligation to pay, and in no event shall Stanford be obligated to pay additional sums or be liable for any damages due to failure to pay the correct party.

The laws of the State of California govern all matters arising out of or relating to this Agreement. Any dispute arising under this Agreement shall be resolved in the courts of Santa Clara County or in the Federal District Court for the Northern District of California, Northern Branch, and Stanford and Contractor hereby submit themselves to the personal jurisdiction of said courts. All rights and remedies of Stanford and Contractor shall be cumulative.

All Services performed under this Agreement shall conform to all applicable Local, County, State and Federal codes and regulations, and applicable guidelines and policies at Stanford, including, but not limited to, Stanford's Code of Conduct which can be found at: https://adminguide.stanford.edu/1-1-1.
Nothing in this Agreement shall be construed as requiring or permitting Services that are contrary to the above-referenced codes, regulations, policies and guidelines.

If the Contractor is providing websites, web applications, or other electronic content design or development services to Stanford under this agreement, Contractor confirms that such deliverables shall meet the requirements of Stanford’s Accessibility of Electronic Content Policy, the provisions of which are incorporated by reference.

This Agreement is subject to Stanford’s “Living Wage and Benefit Guidelines for Stanford Contractors”, hereinafter “The Guidelines,” which can be found at https://fingate.stanford.edu/purchasing-contracts/policy/policy-and-initiative-information-suppliers#anchor-23986

Contractor represents and warrants that it will comply with The Guidelines as amended by Stanford from time to time. Contractor acknowledges that failure to comply with The Guidelines will be deemed a material breach of this Agreement. Contractor agrees to provide in a timely manner upon Stanford’s written request, but in any event not more than 10 business days, written evidence of compliance satisfactory to Stanford.

In connection with its performance under this Agreement, Contractor will not discriminate against any employee or applicant for employment because of race, religion, color, sex, sexual orientation, gender identity, age, national origin; or because he or she is a special disabled veteran or veteran of the Vietnam era in regard to any position for which the employee or applicant is qualified; or because of physical or mental disability in regard to any position for which the employee or applicant is qualified. Contractor agrees to comply with the following federal regulations which are hereby incorporated herein by reference: 41 CFR 60-1.4; 41 CFR 60-250.5; 41 CFR 60-741.5; and all other applicable regulations of 41 CFR Part 60, Federal Acquisition Regulation (“FAR”) 52.222-26 (Equal Opportunity); FAR 52.222-27 (Affirmative Action Compliance Requirements for Construction) – applicable for construction contracts only; FAR 52.222-35 (Affirmative Action for Disabled Veterans and Veterans of the Vietnam Era); FAR 52.222-36 (Affirmative Action for Workers with Disabilities); and all other applicable provisions of the Federal Acquisition Regulations.

All Federal Grant and/or subcontract purchases are subject to the terms and conditions defined in Public Law 87-653 (Truth in Negotiations) and the Copeland “Anti-Kickback” Act. In addition, the following clauses are incorporated herein by reference according to the amount of this order, and references to Government (or United States) and this PO shall be interpreted as necessary to apply to the U.S. Government or Stanford and Contractor, respectively.
Clauses which are required for the transaction covered by this PO also are incorporated by reference.
FAR Number and Title of Clause, Regardless of Amount:
52.203.11           Certification & Disclosure Re: Payments to Influence Certain Federal Transactions
52.222.4             Contract Work Hours and Safety Standards Act
52.225.13           Restrictions on Certain Foreign Purchases
52.227.10           Filing of Patent Applications-Classified Subject Matter
52.227.11/12/13 Patent Rights
52.247.63           Preference for U.S. Flag Air Carriers
52.247.64           Preference for Privately Owned U.S. Flag Commercial Vessels
252.227.7034     DFAR Patents- Subcontracts DOD only
252.227.7039     DFAR Patents Reporting Subject Inventions DOD only
52.222.21           Prohibition of Non-Segregated Facilities
52.222.26           Equal Opportunity
52.222.35           Affirmative Action for Disabled Veterans of the Vietnam Era
52.222.36           Affirmative Action for Workers with Disabilities
52.222.37           Employment Reports on Disabled Veterans of the Vietnam Era
FAR Number and Title of Clause, Orders over $100,000: all of the above clauses plus:
52.203.6             Restrictions on Subcontractor Sales to the Government
52.203.7             Anti-Kickback Procedures
52.203.12           Limitation on Payments to Influence Certain Federal Transactions
52.215.2             Audit and Records- Negotiation, Alternative II
52.219.8             Utilization of Small Business Concerns
52.227.1             Authorization and Consent Alternative I
52.227.2             Notice and Assistance Regarding Patent and Copyright Infringement
42 U.S.C. 7401, et. seq.     Clean Air Act
33 U.S.C. 1251, et. seq.     Federal Water Pollution Control Act
FAR Number and Title of Clause, Orders over $700,000:  all of the above clauses plus:
52.219.9             Small Business Subcontracting Plan
FAR Number and Title of Clause, Orders over $750,000: all of the above clauses plus:
52.215.12/13      Subcontractor Cost or Pricing Data- Modifications

This section applies to all contractors who supply Stanford University with services that are not related to facilities or grounds maintenance, construction, demolition, installation of equipment (including furnishings) or products that contain regulated hazardous materials (including consumer products).

Asbestos: In accordance with California Health and Safety Code Section 25915 (Connelly Act) and the Cal/OSHA Asbestos Standard, 8 CCR Section 1529, Contractor is hereby notified that in Stanford facilities there are construction materials that are known to contain asbestos. In some areas, asbestos has been identified in one or more of the following construction products: spray-applied fireproofing; pipe, boiler, tank and air duct insulation; air duct seam tape; gaskets; roofing tar, felt and mastic; asbestos-cement pipe, wallboard, and shingles; plaster and acoustical treatments; gypsum board taping compound; vinyl and asphalt floor tile; vinyl sheet flooring; vinyl flooring, basecove, and ceiling tile adhesive; caulking and glazing compound; acoustic ceiling and wall tile; lab fume hood liners, exhaust ducts and counter tops; and fire-rated door core insulation.

Contractor shall not disturb building materials and shall stop work and report any inadvertent disturbance of such materials immediately to Stanford Environmental Health and Safety at 650-725-9999.  Unless specifically qualified to do so, Contractor shall not enter an area that is posted with warning signs or labels indicating the presence or chemical, biohazardous or radioactive materials or equipment or areas that may have residual contamination from such materials.

Proposition 65 Notice: Under California Health and Safety Code Sections 25249.5 through 25249.13, asbestos, lead, mercury and polychlorinated biphenyls have been listed as chemicals known to the State of California to cause cancer or reproductive harm. Contractor will be working in areas in which some or all of these materials may be present. This notice constitutes the warning of the presence of a chemical known to cause cancer or reproductive harm required by Proposition 65. It is Contractor’s duty to follow all requirements of Proposition 65.

Persons who work on Stanford University projects under contract, including supply vendors, must comply with the provisions of Stanford’s Sexual Harassment policy. Stanford defines Sexual Harassment as: “Unwelcome sexual advances, requests for sexual favors, and other visual, verbal or physical conduct of a sexual nature, between persons of the same or different gender, constitute sexual harassment when: (1) It is implicitly or explicitly suggested that submission to or rejection of the conduct will be a factor in academic or employment decisions or evaluations, or permission to participate in a Stanford activity; or (2) The conduct, whether subtle or blatant, has the purpose or effect of interfering with an individual’s academic or work performance by creating an intimidating, hostile or offensive academic, work or student living environment, such as persistent and unwanted communication of a sexual nature (e.g., in person, by phone, text, email, via social media) and applies to one incident if sufficiently severe or repeated behaviors over time.

For information, consultation, advice or to lodge a complaint, contact the Sexual Harassment Policy Office at 556 O’Connor Lane, Griffin Drell House, Room 101 Stanford, CA 94305-8210, (650) 724-2120; email to: @email; website: http://harass.stanford.edu.

If Stanford determines that any Stanford employee, student, agent, representative or associate is being sexually harassed by a Contractor employee or subcontractor, the Contractor will immediately remove the employee or subcontractor from any and all Stanford University projects under contract. Contractor must operate in accordance with all federal, state and local laws and regulations, as well as Stanford's Code of Conduct which can be found at: https://adminguide.stanford.edu/1-1-1.

33.1 In accordance with Stanford policy supporting its fundamental research mission, Stanford suppliers may NOT sell or ship any International Traffic in Arms (ITAR) controlled defense article or technical data, any dual-use “500/600 Series” item or technology, and any Wassenaar Arrangement Munitions List item, without express written preauthorization from Stanford’s Export Control OfficerLearn more about Stanford’s ITAR policy.

33.2 Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment. Section 889 of the FY 2019 National Defense Authorization Act (Public Law 115- 232) prohibits, among other things, the US government from contracting with any entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.  The prohibition in Section 889(a)(1)(B) applies to the use of covered telecommunications equipment or services, regardless of whether that use is in performance of work under a Government contract.  Supplier is therefore prohibited from providing to Stanford University or the US government any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless otherwise permitted by laws.  Supplier hereby represents that it has reviewed the definition of “covered telecommunications equipment or services” set forth in Federal Acquisition Regulation 52.204-25, as amended, and hereby represents and warrants that Supplier has not provided and will not provide any equipment, system, or service that uses covered telecommunications equipment or services to Stanford University in the performance of any contract, supply agreement, purchase order, or other agreement entered into between Stanford University and the Supplier.  Supplier shall ensure that it is in compliance with Section 889 of Public Law 115-232 and is required to monitor the prohibited parties listing, which currently includes, without limitation, the following companies or any of their subsidiaries: Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company.

Supplier is responsible for its access to, use of, and data accuracy within Stanford's approved vendor database, including keeping its login information confidential and secure.  Stanford will treat any information updates associated with a valid login as authentic.  Stanford is not responsible for unauthorized access to Supplier's account, or inaccurate data resulting from a valid login, including, but not limited to, misdirection of funds.

For account access please contact Stanford’s Financial Support Center (FSC).  The FSC will then send Supplier an email with a secure access link.

This PO (including these Terms and Conditions), any specifications or additional terms and conditions attached or referenced, constitute the entire agreement between Stanford and Contractor. Contractor's quotation/proposal is incorporated if specifically stated in the PO. No other terms or conditions are binding on Stanford unless accepted by Stanford in writing. In the event of a conflict between this PO and terms and conditions stated in Contractor's quotation/proposal, the terms of this PO shall take precedence.

This addendum (“Addendum”) is by and between The Board of Trustees of the Leland Stanford Junior University, a body having corporate powers under the laws of the State of California (“Stanford”) and Contractor (“Contractor”). 

This Addendum supplements and amends the Purchase Order Terms and Conditions (“Agreements”) hereto as follows: 
1. Applicability. The requirements of this Addendum apply to non-construction services performed by Contractor on-site at any Stanford location in Santa Clara County and/or San Mateo County (“On-site”). For clarity, if Contractor provides both construction and non-construction services, these requirements will only apply to the non-construction portion of the services. 

2. Requirements. Contractor is responsible for managing the health and safety of its employees for On-site work in the county in which it provides services to Stanford.  In order to promote a safe and healthy environment for Stanford faculty, staff, students and visitors, Stanford requires Contractor to verify that all of its workforce members, including employees, that will be on-site at any Stanford property or facility are fully vaccinated, unless an individual has received a medical or religious accommodation, and such accommodation has been documented by Contractor. Contractor is required to verify compliance with all applicable health orders set forth by the federal government and Santa Clara and San Mateo Counties, including without limitation, verifying vaccination status (e.g., obtaining proof of vaccination), proper masking and weekly testing for all of Contractors workforce members[1].

By executing this Addendum, Contractor is verifying its compliance with the above requirements and all such orders. Contractor further agrees to abide by, and to instruct its employees to abide by, the following as may be amended from time to time: (a) any public health orders set forth by the Counties, (b) any instructions posted at the relevant Stanford jobsite and (c) any additional instructions provided to Contractor by Stanford.  

[1] Cal-OSHA COVID19 Guidance and Resources found at: https://www.dir.ca.gov/dosh/coronavirus
Santa Clara County Public Health Orders at: https://covid19.sccgov.org/public-health-orders
San Mateo County Public Health Order found at: https://www.smchealth.org/health-officer-updates/8221-ho-order-c19-12-face-covering 

3. Audit Rights and Termination. Stanford reserves the right to audit Contractor’s books and records on request to confirm its compliance with this Addendum. Failure to comply with the terms of this Addendum, including failure to cooperate in the implementation of the overall social distancing protocol described above or of any relevant public health orders set forth by the Counties, as may be amended from time to time, including the symptom checking process, shall constitute a material breach of the Addendum by Contractor. Such breach may result in termination of the Agreements without penalty to Stanford and with a refund of any prepaid fees for services not yet rendered by Contractor. 

4. Indemnification. Contractor shall indemnify, defend and hold Stanford harmless from any and all claims arising in whole or in part out of the subject matter of this Addendum, resulting in whole or in part from Contractor’s breach of this Addendum, or the negligence or willful misconduct of Contractor, its employees, contractors, invitees, agents or visitors. 

5. Notice. Any notices under this Agreement will be given as follows: 
Notices will be deemed sufficient if given by (a) registered or certified mail, postage prepaid, return receipt requested (“Mail”); (b) private courier service, with signature provided by the receiving party (“Courier Service”); Purchase Order Terms and Conditions or (c) electronic mail to the Authorized Contacts below, with carbon copies required as shown (“Electronic Mail”). If Contractor opts to provide notice by Mail and/or Courier Service, Contractor must also send a copy by Electronic Mail in order for notice to be deemed sufficient. 

Receipt. Notices sent via mail or courier will be deemed given upon receipt. Notices sent via electronic mail will be deemed given when receipt has been acknowledged by the Authorized Contact, with an automatic “read receipt” constituting acknowledgement, or 3 days after dispatch if the email was sent to the correct address and was not returned as undeliverable. 

For safety issues: 
Please contact the Stanford Representative for the jobsite/Purchase Order 

If to Stanford for a legal matter: 
Stanford University 
Office of General Counsel 
Main Quad, Building 170 
Stanford, CA 94305 M/C 2038 
Attention: Senior University Counsel 

Fax: 650-736-2495 

If to Contractor, to: 
Contractor’s address as noted on the face of the Purchase Order 
Attn: CEO/President 

Each Party may change its address and that of its representative for notice by giving notice thereof in the manner provided above in this section. 

6. Integration Clause. This Addendum constitutes the full and complete agreement of the Parties with respect to the subject matter of this Addendum and cannot be changed or modified except in writing signed by both Parties.

THE FOLLOWING BUSINESS ASSOCIATE ADDENDUM (BAA) IS APPLICABLE IN SITUATIONS WHERE THE CONTRACTOR MIGHT ACCESS, RECEIVE, USE, DISCLOSE, OR MAINTAIN PROTECTED HEALTH INFORMATION TO PERFORM A SERVICE ON STANFORD UNIVERSITY’S BEHALF

This Addendum (the “Addendum”) is entered into as of the Purchase Order date, and supplements and amends the Purchase Order Terms and Conditions that require Business Associate (as defined below) to perform a service, function or activity that may involve the Use or Disclosure of Protected Health Information (defined below), by and between The Board of Trustees of the Leland Stanford Junior University through its HIPAA Covered Entity (“Covered Entity”) and Contractor (“Business Associate”). Covered Entity and Business Associate are sometimes referred to herein individually as a “Party” and collectively as the “Parties.”

Business Associate may perform functions or activities on behalf of, or provide certain services (the “Services”) to Covered Entity that involve access to, or creation, receipt, processing, maintenance, use, or disclosure of certain information, some of which may constitute Protected Health Information (“PHI”). Both Parties are required to comply with the Health Information Technology Economic and Clinical Health (“HITECH”) Act, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the regulations promulgated thereunder, including, but not limited to, the Privacy, Security, Breach Notification, and Enforcement Rules (45 C.F.R. Parts 160, 162 and 164), as may be amended from time to time. This Addendum sets forth the terms and conditions pursuant to which Protected Health Information, including electronic Protected Health Information, will be handled by Business Associate and third parties during the term of the Agreement and after its termination. The Parties agree as follows:

1.    DEFINITIONS
All capitalized terms shall have the meaning set forth in HITECH and regulations issued thereunder, HIPAA and regulations issued thereunder (including but not limited to the HIPAA Privacy and Security Rules), and applicable state privacy laws, including but not limited to the Confidentiality of Medical Information Act (COMIA) and state breach notification laws (including but not limited to California Health and Safety Code § 1280.15 and Civil Code § 1798.82 et seq., as these may be amended from time to time).

The term “Breach” as used herein shall mean (i) breach as defined in the HIPAA Rules and (ii) unlawful or unauthorized access to, or unauthorized use or disclosure of, information pursuant to state law (including but not limited to COMIA, California Health and Safety Code § 1280.15 and California Civil Code § 1798.82).
Terms used but not otherwise defined in this Addendum shall have the same meaning as those terms in HITECH, HIPAA, the HIPAA Privacy Regulation or Security Regulation, or applicable state privacy and breach notification laws, as they are currently drafted and as they are subsequently updated, amended, or revised. 

2.    PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
2.1  Services.  Except as otherwise specified herein, Business Associate may use Protected Health Information directly necessary to perform its obligations under the Agreements, provided that such use does not violate HITECH, HIPAA or the Privacy or Security Regulations and such use is expressly permitted by this Addendum. Moreover, Business Associate may disclose Protected Health Information for the purposes authorized by this Addendum only (i) to its Subcontractors (as defined below) and agents, in accordance with Section 3(f), (ii) as directed by Covered Entity in accordance with this Addendum, (iii) as otherwise permitted by the terms of this Addendum including, but not limited to, Section 2.2 below, or (iv) as required by law, in accordance with Section 3(b) below. Any other use and/or disclosure not permitted or required by this Addendum (“Unauthorized Use and/or Disclosure”) is prohibited.  

In conducting activities under this Agreement that involve the use and/or disclosure of Protected Health Information, Business Associate shall limit the use and/or disclosure of Protected Health Information to the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure. To the extent Business Associate is performing one or more of Covered Entity’s obligations under HIPAA and HITECH, Business Associate agrees to comply with the legal requirements that apply to Covered Entity in the performance of such obligation(s). 

2.2   Business Activities of Business Associate. Business Associate may use and disclose Protected Health Information if necessary for the proper management and administration of Business Associate or to meet its legal responsibilities; provided, however, that such Protected Health Information may be disclosed to third parties for such purposes only if the disclosures are required by law or Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that:
a.    the information will remain confidential;
b.    the information will be used or further disclosed only as required by law or for the purpose for which the information was disclosed to the third party; and 
c.    the third party will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

2.3   Additional Activities of Business Associate. In addition to using the Protected Health Information to perform the Services, Business Associate may use Protected Health Information for Data Aggregation purposes only for the Health Care Operations of Covered Entity if expressly authorized under the Agreement(s). Under no circumstances may Business Associate disclose Covered Entity’s Protected Health Information to a third party pursuant to this Section 2.3 absent Covered Entity’s explicit written authorization.  Business Associate may not de-identify Protected Health Information received from or created on behalf of Covered Entity unless such de-identification and the permitted uses and disclosures of such de-identified information are expressly permitted in writing by the Covered Entity’s Chief Privacy Officer or authorized designee. 

2.4   Prohibition on Sale of Protected Health Information. Business Associate is prohibited from the sale of Protected Health Information without authorization unless an exception under 45 C.F.R §164.508 applies.

3.    OBLIGATIONS AND RESPONSIBILITIES OF BUSINESS ASSOCIATE WITH RESPECT TO PROTECTED HEALTH INFORMATION
Business Associate hereby agrees to do the following:
a.    Business Associate shall use and/or disclose the Protected Health Information only as permitted or required by the Agreement(s), this Addendum or as otherwise Required by Law. 
b.    Business Associate shall immediately, or as soon as practicable, notify Covered Entity if it believes it may disclose Protected Health Information on the basis that such disclosure is Required by Law. Unless immediate disclosure is Required by Law, Business Associate shall not, without the prior written consent of Covered Entity, disclose any Protected Health Information on the basis that such disclosure is Required by Law without first notifying Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief. If Covered Entity objects to such disclosure, Business Associate shall refrain from disclosing the Protected Health Information until Covered Entity has exhausted all alternatives for relief. Business Associate shall require reasonable assurances from third parties receiving Protected Health Information in accordance with Sections 2.1 or 2.2 hereof that such third parties will provide Covered Entity with similar notice and opportunity to object before disclosing Protected Health Information on the basis that such disclosure is Required by Law.

c.    Because Covered Entity’s Protected Health Information is subject to state laws (including those referenced in Section 1 hereof), Business Associate must report to the Covered Entity’s Chief Privacy Officer, in writing, any Breach, Security Incident or any Unauthorized Use and/or Disclosure of which Business Associate becomes aware as soon as possible, and at least within five (5) calendar days of Business Associate’s discovery of such Breach, Security Incident, or Unauthorized Use and/or Disclosure. For purposes of this Section, “discovery” shall have the meaning ascribed to it in 45 CFR § 164.404(a)(2)). In the event of a Breach, Security Incident, or Unauthorized Use or Disclosure that arises from the acts or omissions of Business Associate or its employees, Subcontractors, agents, or representatives, and that requires notification of government agencies and/or individuals, Business Associate will cooperate fully with Covered Entity in Covered Entity’s efforts to carry out any mitigation efforts and notifications.  Business Associate will indemnify and reimburse Covered Entity for all of Covered Entity’s costs of complying with and carrying out such requirements. In the event Covered Entity requests that Business Associate carry out the notification requirements, Business Associate will do so subject to Covered Entity’s prior approval of any written reports or communications.  
d.    Mitigate, to the greatest extent possible, any deleterious effects from any Breach, Security Incident, Unauthorized Use and/or Disclosure of Protected Health Information of which Business Associate becomes aware.
e.    Comply with the Security Rule to maintain the security of the Protected Health Information including electronic Protected Health Information and to prevent Unauthorized Use and/or Disclosure of such Protected Health Information. Business Associate shall maintain and implement a comprehensive written information privacy and security program that complies with HITECH, HIPAA, and the regulations and guidance issued thereunder by the U.S. Department of Health and Human Services (“HHS”). Without limitation, this includes administrative, technical and physical safeguards that are appropriate to the size and complexity of Business Associate’s operations and the nature and scope of its activities to reasonably and appropriately protect the privacy, confidentiality, integrity and availability of Protected Health Information. In addition to any safeguards required by law and as set forth in this Addendum, Business Associate shall use any and all appropriate safeguards to prevent Unauthorized Use or Disclosure of Covered Entity’s Protected Health Information. 
f.    Require any person(s) to whom Business Associate delegates a function, activity, or service, or any person(s) who create, receive, maintain or transmit Protected Health Information (“Subcontractors”) and agents that receive or use, or have access to, Protected Health Information to enter into a business associate agreement that, (i) complies with the HITECH and HIPAA requirements, (ii) includes to the same restrictions, conditions and obligations concerning Protected Health Information that apply to Business Associate pursuant to this Addendum; (iii) not to subcontract or assign its rights and obligations under the Agreement without obtaining Business Associate’s and Covered Entity’s prior written consent; and (iv) ensures that all subcontractors of Business Associate’s Subcontractor enter into Business Associate Agreements. 
g.    Before allowing any Subcontractor or agent that is not organized under the laws of any state within the United States (“Foreign Subcontractor”) to use or disclose, or have access to, Protected Health Information, Business Associate shall obtain the prior written consent of Covered Entity, which consent may be withheld in Covered Entity’s sole discretion. Notwithstanding anything to the contrary in the Agreement, and in addition to any other remedies available to Covered Entity under this Addendum, the Agreement or at law, Business Associate hereby acknowledges that irreparable harm may result from any breach of the terms of this Section 3.g. of this Addendum. 
h.    Make available all records, books, agreements, policies and procedures, and related  materials pertaining to the use and/or disclosure of Protected Health Information to the Secretary of the U.S. 

Department of Health and Human Services (or any officer or employee of HHS to whom the Secretary of HHS has delegated such authority) for purposes of determining Covered Entity’s compliance with the Privacy Regulation and Security Regulation after the compliance dates, respectively, of those regulations, subject to attorney-client and other applicable legal privileges. Business Associate shall immediately notify Covered Entity upon receipt by Business Associate of any complaint or request for access by the Secretary of HHS and shall provide Covered Entity with a copy thereof as well as a copy of all materials disclosed pursuant thereto.
i.    Upon reasonable prior written notice, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies, procedures, and related materials pertaining to the use and/or disclosure of, and security of, Protected Health Information to Covered Entity for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of this Addendum.
j.    Document such disclosures of Protected Health Information as necessary to enable Covered Entity to respond to an individual’s request for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528, as it may be amended to comply with HITECH. Specifically, Business Associate shall maintain a record of all disclosures of Protected Health Information for a period not less than 6 years following any such disclosure, including the date of the disclosure, the name and, if known, the address of the recipient of the Protected Health Information, a brief description of the Protected Health Information disclosed, and the purpose of the disclosure (including an explanation of the basis for such disclosure). This provision shall survive the termination or expiration of the Agreements. 
k.    Within 10 business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's Protected Health Information in accordance with 45 C.F.R. § 164.528, as it may be amended to comply with HITECH. In the event that an individual requests an accounting of disclosures directly from Business Associate or its agents or Subcontractors, Business Associate must notify Covered Entity in writing within 5 business days of the request; Covered Entity shall be responsible for preparing and delivering to the individual any such accounting requested.
l.    Subject to Section 5.3 below, return to Covered Entity or destroy, within 30 calendar days of the termination of this Addendum and/or the Agreements, the Protected Health Information in its possession and retain no copies (which for purposes of this Addendum shall include, without limitation, destruction of all backups).
m.    using or disclosing Protected Health Information, Business Associate agrees to comply with all applicable provisions of the HITECH Act and any implementing regulations adopted thereunder.
n.    Business Associate represents to Covered Entity that all of its employees, agents, representatives, Subcontractors and members of its Workforce, whose services may be used to fulfill obligations under the Agreement or this Addendum are or shall be appropriately informed of the terms of this Addendum.

4.    RESPONSIBILITIES OF BUSINESS ASSOCIATE WITH RESPECT TO HANDLING OF DESIGNATED RECORD SET
In the event that the Protected Health Information received by Business Associate pursuant to the Agreement constitutes a Designated Record Set, Business Associate hereby agrees to do the following:
a.    At the request of, and in the time and manner designated by Covered Entity, provide access to the Protected Health Information to Covered Entity for inspection or copying, to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524. In the event that an individual requests access to Protected Health Information directly from Business Associate or its agents or Subcontractors, Business Associate must notify Covered Entity in writing within 5 business days of the request; Covered Entity shall be responsible for delivering to the individual the information he or she has requested.
b.    At the request of, and in the time and manner designated by Covered Entity, make any amendment(s) to the Protected Health Information that Covered Entity directs pursuant to 45 C.F.R. § 164.526. In the event that any individual requests an amendment of Protected Health Information directly from Business Associate or its agents or Subcontractors, Business Associate must notify Covered Entity in writing within 5 business days of such request; Covered Entity will then direct Business Associate to amend its Protected Health Information, as may be appropriate based on the individual’s request.

5.    TERM AND TERMINATION
5.1   Term. This Addendum shall become effective on the Agreement Effective Date and shall continue in effect until termination or expiration of the Agreement, subject to the provisions of Section 7.1, unless terminated as provided in this Section 5.

5.2   Termination by Covered Entity. As provided under 45 C.F.R. § 164.504(e)(2)(iii), Covered Entity may immediately terminate this Addendum and the Agreements, in whole or in part, if Covered Entity determines that Business Associate has violated any material provision of this Addendum. Alternatively, if Covered Entity has determined that Business Associate has breached a material term of this Addendum and does not immediately terminate the Agreement and this Addendum, then Covered Entity shall: (i) provide Business Associate written notice of the existence of an alleged material breach; and (ii) afford Business Associate an opportunity to cure the alleged material breach within 5 days. In the event that Business Associate does not cure the breach within 5 days, Covered Entity may terminate, the Agreement, if feasible (as determined by Covered Entity), or if termination is not feasible, report the problem to the Secretary of HHS.

5.3   Effect of Termination. Upon termination of the Agreement and this Addendum pursuant to this Section 5, Business Associate shall return or destroy, as directed by Covered Entity, all Protected Health Information that Business Associate and its agents and Subcontractors still maintain in any form. If such return or destruction is not feasible, then Business Associate will so notify Covered Entity in writing, and shall (a) extend any and all protections, obligations, limitations and restrictions contained in this Addendum to Protected Health Information retained by Business Associate, its agents and its Subcontractors after the termination of the Agreement and this Addendum, (b) limit any further uses and/or disclosures to those purposes that make the return or destruction of the Protected Health Information infeasible, and (c) at such time as return or destruction of such retained PHI becomes feasible, return or, if agreed to by Covered Entity, destroy such PHI.  Notwithstanding the foregoing, in the event that one or more of the Agreements is terminated and other Agreements and this Addendum remain in effect, Business Associate shall, in accordance with this Section 5.3 and to the extent it is practicable and feasible to do so, return to Covered Entity or destroy the PHI related to the Services that are the subject of the terminated Agreement(s) concurrent with the termination of such Agreement(s).

6.    INDEMNIFICATION
Business Associate agrees to indemnify, defend and hold harmless Covered Entity and its affiliated corporations and entities and their trustees, officers, agents, employees, representatives, students, and volunteers (collectively, Covered Entity’s “Indemnitees”) against all actual and direct losses, liabilities, damages, claims, costs, fines or expenses (including reasonable attorney’s fees) the Indemnitees may suffer as a result of any claims, demands, actions, investigations, settlements or judgments against the Indemnitees arising from or in connection with any breach of this Addendum or of any representation or warranty hereunder, or from any acts or omissions, including failure to perform its obligations under the Privacy Regulation and Security Regulation, by Business Associate or its employees, directors, officers, Subcontractors, representatives, agents or other members of its Workforce. In addition, and without limiting the foregoing, in the event of a HITECH Breach that requires notification of government agencies and individuals, Business Associate will cover all costs of complying with such legal requirements if the breach arises from actions or omissions of Business Associate or its employees, directors, officers, Subcontractors, representatives, agents, or other members of its Workforce. To the extent that the Agreement contains a provision that limits Business Associate’s liability under the Agreement, Business Associate’s obligation to indemnify Covered Entity and its Indemnitees under this Section 6 shall be excluded from such limitation of liability. Business Associate’s obligation to indemnify Covered Entity and its Indemnitees shall survive the expiration or termination of this Addendum for any reason. 

7.    MISCELLANEOUS
7 .1   Survival. The respective rights and obligations of Business Associate and Covered Entity under the provisions of Sections 3, 5.3, 6, 7.5, 7.8 and 7.10 shall survive termination of this Addendum indefinitely. In addition, Section 4 shall survive termination of this Addendum, provided that Covered Entity determines that the Protected Health Information being retained pursuant to Section 5.3 herein constitutes a Designated Record Set.

7.2   Entire Agreement; Amendments; Waiver. This Addendum constitutes the entire agreement between the Parties pertaining to the Business Associate’s access to, or creation, receipt, processing, maintenance, use, or disclosure of Protected Health Information while performing Services and supersedes any previous agreements between the Parties relating to the same subject matter. This Addendum may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

7.3    No Third Party Beneficiaries. Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

7.4    Notices. Any notices under this Addendum shall be written in English and given as follows:
a.    Notices will be deemed sufficient if given by (a) registered or certified mail, postage prepaid, return receipt requested; (b) private courier service, with signature provided by the receiving party; (c) electronic mail to the Authorized Contacts in this Section 7.4, with carbon copies required as shown. 
b.    Receipt. Notices sent via mail or courier will be deemed given upon receipt.  Notices sent via electronic mail will be deemed given when receipt has been acknowledged by the Authorized Contact, with an automatic “read receipt” constituting acknowledgement, or 3 days after dispatch if the email was sent to the correct address and was not returned as undeliverable.

If to Covered Entity    If to Business Associate
To:    Stanford University 
505 Broadway, 6th Floor | 6212
Redwood City, CA 94063
Attention: Chief Privacy Officer 
Facsimile: 650-725-0073
Or email: privacy@stanford.edu 
Contractor’s address as noted on the face of the Purchase Order
Attn: CEO/President

With a copy to:   Stanford University
Office of General Counsel
Main Quad, Building 170
Stanford, CA 94305 M/C 2038
Attention: Senior University Counsel
Fax: 650-736-2495    

Each Party may change its address and that of its representative for notice by giving notice thereof in the manner provided above in this Section 8.4.
7.5   Counterparts; Facsimiles. This Addendum may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.

7.6   Effect of Agreement. Except as specifically required to implement the purposes of this Addendum, or to the extent inconsistent with this Addendum, all other terms of the Agreement shall remain in full force and effect.

7.7   Interpretation. The provisions of this Addendum shall prevail over any provisions in the Agreement that may conflict or appear inconsistent with any provisions in this Addendum. The Parties agree that any ambiguity in this Addendum shall be resolved in favor of a meaning that complies and is consistent with the Privacy Regulation and Security Regulation. The section headings used in this Addendum are for reference and convenience only and have no legal or contractual effect.

7.8   Governing Law. This Addendum shall be governed by and construed in accordance with the laws of the State of California, without application of principles of conflicts of laws. The Parties hereto agree that any dispute arising under this contract shall be resolved in the California State courts of Santa Clara County, California, or in the Federal District Court for the Northern District of California sitting in San Francisco, California, and the Parties hereby submit themselves to the personal jurisdiction of said courts. 

7.9   Amendment to Comply with Law. The Parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The Parties agree to take such action as is necessary to implement the standards and requirements of HITECH and regulations thereunder, HIPAA, the Privacy Regulation, the Security Regulation, and other applicable laws relating to the security or confidentiality of Protected Health Information. The Parties further agree that if current or future federal or state laws, rules, or regulations adversely impact a Party’s performance under the Agreement or this Addendum, the Parties will negotiate in good faith to amend the Agreement and/or this Addendum, as necessary, to be consistent with the requirements of HITECH and regulations thereunder, HIPAA, the Privacy Regulation, the Security Regulation, or other applicable laws, as the same may be amended from time to time. Covered Entity may terminate the Agreement and this Addendum in the event that the Parties are unable to modify the Agreement and/or Addendum to remain in full compliance with HITECH and regulations thereunder, HIPAA, the Privacy Regulation, the Security Regulation, California laws and regulations, or other applicable law.

7.10   Injunctions. Covered Entity and Business Associate agree that any violation of the provisions of this Addendum may cause irreparable harm to Covered Entity. Accordingly, in addition to any other remedies available to Covered Entity at law, in equity, or under this Addendum, in the event of any violation by Business Associate of any of the provisions of this Addendum, or any explicit threat thereof, Covered Entity shall be entitled to an injunction or other decree of specific performance with respect to such violation or explicit threat thereof, without any bond or other security being required and without the necessity of demonstrating actual damages.

7.11   Individual Authorization. Nothing in this Addendum shall be construed to require or permit Business Associate to use or disclose Protected Health Information without written authorization from an individual who is a subject of the Protected Health Information, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.

7.12    Agency. The Parties agree and acknowledge that Business Associate is not an “agent” of Covered Entity as that term is defined in the federal common law.

Last Updated: Nov 22, 2022

Questions?

arrow_upward
Back to Top