Effective Date: April 21, 2020
Information We Collect
If you are a patient and your physician has entered you into our system, when you use our Site, we may collect the following information from you:
- Your name and contact information (such as email address, phone number and shipping address); and
- Information related to payment for your prescriptions, such as insurance information or credit card information.
Note that we will also collect information from your physician related to your prescription.
If you are a physician, when you use our Site we may collect the following information from you:
- Your name and contact information (such as email address, phone number and mailing address);
- Your NPI number and professional license number;
- Information related to the patients you are treating, including any information you submit related to your patients (such as name, prescription, and other identifying information related to your patient); and
- Any other information necessary under state or federal law for a valid prescription.
For all users, we may also collect the following information related to your use of the Site:
- Information you provide to us if you communicate with us (for example by sending us comments or questions);
- Your device parameters such as the type of device you are using, the date and time of your Site access, your browser type, IP address and other information related to how your device is interacting with our Site; and
- The location of the device you are using to access our Site.
Cookies and Other Tracking Technologies
When you use the Site we automatically collect and store some information about you and your device through cookies, web beacons, and similar technologies. We use these technologies to enhance your experience on our Site. A “cookie” is a small data file sent from a website and stored on your device to identify your device in the future and allow for an enhanced personalized user experience. A “session cookie” disappears after you close your web browser, or may expire after a fixed period of time. A “persistent cookie” remains after you close your web browser and may be accessed every time you use our Site. We may use both session and persistent cookies. You should consult your web browser to modify your cookie settings. Please note that if you delete or choose not to accept cookies from us, you may not be able to use certain features of our Site.
How We Use and Disclose Information
The information you provide will be accessible to any provider engaged by us to provide services through the Site. We may use your contact information, including your email address, to contact you for administrative purposes such as responding to your questions, acknowledging a payment, or providing you with information.
We use the information that we collect to operate, maintain, enhance, and provide all features of the Site.
To the extent permitted by applicable law, we may disclose your information if required to do so by law to comply with state and federal laws, in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.
We also reserve the right to disclose your information that we believe, in good faith, is appropriate or necessary to: (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of the Site, or (v) protect our property or other legal rights (including, but not limited to, enforcement of our agreements), or the rights, property, or safety of others.
Information may be disclosed and otherwise transferred to an acquirer, successor, or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, or in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets, to the extent and in the way as prescribed by applicable law.
Aggregate information is information that describes the habits, usage patterns and/or demographics of users as a group but does not reveal the identity of particular users. We may use aggregate information within Veda Grace to understand the needs of individuals using the Site.
Veda Grace uses appropriate physical, managerial, and technical safeguards that are designed to protect the confidentiality, integrity and security of personal data that we collect and maintain against accidental or unlawful loss, theft and misuse and unauthorized access, disclosure, alteration, destruction, or any other type of unlawful processing. Unfortunately, no web site, server or database is completely secure. Veda Grace cannot guarantee that your information will not be disclosed, misused or lost by accident or by the unauthorized acts of others.
Storage of Information Collected
Information we collect may be stored or processed in locations other than the jurisdiction in which you live or work. In such cases, we will work to ensure that any vendor we use in that location has the appropriate protections in place. By using our Site you consent to the collection, storage, and processing of your information in any country to which we may transfer it in the course of our business operations.
Do Not Track
Our Site does not support Do Not Track requests at this time. Do Not Track (DNT) is a privacy preference that you can set in your web browser to indicate that you do not want certain information about your webpage visits collected across websites when you have not interacted with that service on the page. For all the details, including how to turn on Do Not Track, visit https://www.eff.org/issues/do-not-track.
California Shine the Light Law
California’s “Shine the Light” law permits individuals who are California residents to request and obtain from us a list of Your User Registration Information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year and the names and addresses of those third parties. If you would like to make a request for information under the Shine the Light law, please contact us by email at email@example.com. Requests may be made only once a year and are free of charge.
TERMS OF SERVICE
Effective Date: April 21, 2020
By (a) using the website operated by Veda Grace located at http://www.skinmedicinals.com or other related websites and/or mobile applications operated by Veda Grace (collectively, the “Site”), (b) purchasing and/or using the products and/or services provided by us thereunder (together, the “Products”), and/or (c) providing your personal information to Veda Grace, you signify your acknowledgement and agreement to these Terms of Service, whether or not you register for an account with Veda Grace through the Site (an “Account”). If you do not agree with any provision in these Terms of Service, please do not use the Site, purchase or use the Products, provide your personal information to Veda Grace, or register for an Account. These Terms of Service do not apply to websites or applications that display or link to different terms of service. PLEASE REVIEW THESE TERMS OF SERVICE CAREFULLY.
You may be asked to provide certain personal information to us from time to time. Your personal information will be collected, used and disclosed by us in accordance with Veda Grace’s Privacy Statement, which is available here and is incorporated by this reference into these Terms of Service. The information you provide will be accessible to any provider engaged by Veda Grace to provide services through the Site. In order to have an Account with us, you will be required to provide us with certain personal information. You are responsible for maintaining the confidentiality of the password and username for your Account and are fully responsible for all activities that occur under your password or username.
1. Representations and Warranties of Users
You represent and warrant to Veda Grace that:
- All information you provide to Veda Grace is true, accurate, current and complete, and you agree to maintain and promptly update such information to keep it true, accurate, current and complete as long as you are using the Site. If we have reasonable grounds to suspect that such information is not true, accurate, current or complete, we may deny or terminate your access to the Site (or any portion thereof) in our sole discretion, subject to compliance with any notice or waiting period provided by applicable law.
- You understand that Veda Grace is not itself a healthcare provider.
- You understand that you should never delay seeking advice from your dermatologist, primary care physician, or any other health professionals due to any information provided (or the omission of any such information) by Veda Grace, the Site or the Products.
- If you are a health care provider using our Site, you have obtained any necessary patient consent before providing us with patient information.
2. Rights, Obligations and Conduct of Users
Subject to the terms and conditions of these Terms of Service, we hereby grant to you a limited, non-exclusive, non-transferable, freely revocable license to use the Site as permitted by the features of the Site solely for your personal or, if you are a physician, your professional use, and in all cases only as permitted under these Terms of Service. Veda Grace reserves all rights in the Site, the Intellectual Property (as defined below) and the Marks (as defined below) not expressly granted to you herein. We reserve the right, in our sole discretion, to deny use of the Site to anyone, for any reason, and at any time, subject to applicable law. In consideration of your access to and use of the Site, you covenant and agree that you shall:
- Notify Veda Grace immediately if you become aware of any inaccuracies, errors, omissions or inconsistencies in the information or content provided through the Site, and to comply with any corrective action taken by Veda Grace.
- Refrain from the use of offensive or abusive language when using the Site, including when communicating with us.
- Make all arrangements necessary for you to have access to our Site and ensure the security of the computers and systems you are using to access our Site.
- Not share your Veda Grace Account or any information related thereto, including your password, with any other persons. You are responsible for maintaining the confidentiality of your Account and for all activities that occur under your Account, including any use by others who obtain access to your Account. You agree to immediately notify us upon becoming aware of any unauthorized use of your Account or any other breach of security. You may not use the Account of any other Veda Grace user at any time.
- Be responsible for any act or omission of any users that access the Site under your Account that, if undertaken by you, would be a violation of these Terms of Service. Any such act or omission shall be deemed a violation of these Terms of Service by you.
- Not, and shall not attempt to: (a) infringe the patent, trademark, trade secret, copyright, or other intellectual property or other rights of another person, (b) reproduce, duplicate, copy, sell, resell, or exploit any portion of the Site, (c) reverse engineer, disassemble, decompile, or translate any components of the Site, attempt to derive the source code of any components of the Site, or authorize or assist any third party to do any of the foregoing, (d) modify, copy or make derivative works based on any part of the Site or any underlying software, technology or other information, including any printed materials of the same, (e) use any robot, spider, or other such programmatic or automatic device, including, without limitation, automated dial-in or inquiry devices, to obtain information from the Site or otherwise monitor or copy any portion of the Site, or (f) systematically collect or use any content from the Site, including through the use of any data mining, or similar data gathering and extraction methods.
- Not, and shall not attempt to: (a) disrupt or interfere in any manner with the operation of the Site, or the hardware or network used to operate the Site, or disobey any requirements, procedures, policies or regulations of networks connected to the Site, (b) allow, enable, or otherwise support the transmission of unsolicited or unauthorized advertising, junk or bulk email (SPAM), chain letters, letters relating to a pyramid scheme, or any other unsolicited commercial or non-commercial communication, (c) upload or otherwise spread any software viruses, worms, time bombs, corrupted files, Trojan horses or any other computer code, files, or programs that are designed or intended to disrupt, damage, overburden, impair or limit the functioning of any software, hardware, network, server, or communications systems or equipment, (d) attempt to disable, bypass, modify, defeat, or otherwise circumvent any security related tools incorporated into the Site, (e) use any high volume, automated, or electronic means to access the Site (including, without limitation, robots, spiders or scripts), or (f) create Internet “links” to or from the Site, or “frame” or “mirror” any Veda Grace content which forms part of the Site, place pop-up windows over its pages, or otherwise affect the display of its pages.
- Not, and shall not attempt to: (a) disrupt, interfere with, or inhibit any other person from using the Site or other affiliated or linked websites, material, contents, products and/or services, (b) create a false identity for the purpose of misleading others, (c) prepare, compile, use, download or otherwise copy any user information and/or usage information for any portion thereof, or transmit, provide or otherwise distribute (whether or not for a fee) such information to any third party, or (d) distribute, sell, lease, rent, sublicense, assign, export, or transfer in any other manner any of your rights under these Terms of Service or otherwise use the Site for the benefit of a third party or to operate a service bureau.
- Not use the Site: (a) to violate any local, state, national or international law, rule or regulation, (b) in a manner that is harmful, threatening, harassing, abusive, defamatory, slanderous, vulgar, gratuitously violent, obscene, pornographic, indecent, lewd, libelous, invasive of another’s privacy, or racially, ethnically or otherwise offensive, hateful, or abusive, (c) to collect or store personal data about other users, (d) to impersonate any person or entity, or otherwise misrepresent your affiliation with a person or entity, or (e) in any manner that exceeds the scope and purpose of use granted above.
3. Persons under the Age of 18
Persons under eighteen (18) years of age are not eligible to use the features, services and other aspects of the Site or the Products. Further, persons under eighteen (18) may not use the Site or the Products unless Veda Grace has authorization from the parent or legal guardian of such individual. A parent or legal guardian of a person under the age of eighteen (18) may prohibit such individual’s use of the Site. If you are the parent or legal guardian of an individual under the age of eighteen (18) and believe your child has used the Site without your consent or authorization, please contact us at firstname.lastname@example.org.
4. Fees and Payment
If you elect to use features of the Site and/or purchase Products that involve the payment of any fees, you agree to pay, and will be responsible for payment of, such fees and any and all taxes associated therewith in accordance with the billing terms in effect at the time a fee is due and payable. Unless otherwise stated, all fees are quoted in U.S. Dollars. All payments shall be facilitated through a third-party payment processing service. You hereby authorize Veda Grace to charge you, through its third-party processing vendor, for all fees as they become due, and represent and warrant that you are authorized to use any and all payment information you provide to the third-party payment processing vendor. If your payment method fails or fees associated with your Account are past due, we may collect fees owed using other collection mechanisms, including charging other payment methods on file with the third-party payment processing vendor and/or retaining collection agencies and legal counsel. Subject to compliance with any notice or waiting period provided by applicable law, we may also block your Account pending resolution of any amounts due by you to Veda Grace.
5. Ownership of Intellectual Property
The software, code, proprietary methods, systems and content used to operate the Site (collectively, the “Intellectual Property”) are (1) copyrighted by Veda Grace and/or its licensors under United States and international copyright laws, (2) subject to other intellectual property and proprietary rights and laws, and (3) the exclusive property of Veda Grace or its applicable licensors. The Intellectual Property may not be copied, modified, reproduced, republished, posted, transmitted, sold, offered for sale, or redistributed in any way without our prior written consent or the prior written consent of our licensors, as applicable. You must abide by all copyright notices, information, or restrictions contained in or attached to any of the Intellectual Property and you may not remove or alter any such notice, information or restriction. Your use of the Site and the Intellectual Property must at all times comply with these Terms of Service. Nothing in these Terms of Service, your relationship with Veda Grace, or your use of the Site shall grant you any right to the Intellectual Property except the limited license to use the Site in accordance with these Terms of Service.
Certain of the names, logos, and other materials displayed on the Site may constitute trademarks, trade names, service marks, or logos (collectively, the “Marks”) of Veda Grace or other parties. You are not authorized to use any such Marks. Ownership of all such Marks and the goodwill associated therewith remains with us or those other parties, as applicable.
You may delete your Account at any time, for any reason, by sending an email to email@example.com. You also may deactivate your Account at any time. Veda Grace may terminate your Account and/or the limited license to use the Site granted to you under these Terms of Service, at any time, for any reason or no reason. The provisions of these Terms of Service will survive the expiration or earlier termination of the agreement pursuant to these Terms of Service for any reason. Our (and our licensors’) proprietary rights (including any and all intellectual property rights) in and to the Intellectual Property, the Marks and the Site will survive the expiration or earlier termination of the agreement pursuant to these Terms of Service for any reason.
Without limiting any rights that Veda Grace may otherwise have, Veda Grace reserves the right to take any and all action, as it deems necessary or reasonable, regarding the security of the Site and your Account, including, without limitation, terminating or changing your Account, or requesting additional information to authorize transactions on your Account.
We reserve the right to discontinue the Site with or without notice to you. We will not be liable to you or any third party should we exercise our right to change or discontinue the Site.
Any termination or discontinuance of the Site pursuant to the provisions set forth in this Section 6 shall be subject to compliance with any notice or waiting period provided by applicable law.
7. Disclaimer of Warranties
USE OF THE SITE AND Veda Grace PRODUCTS IS AT YOUR SOLE RISK. THE SITE AND PRODUCTS ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. Veda Grace EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE OR PURPOSE, NON-INFRINGEMENT, TITLE, OPERABILITY, CONDITION, QUIET ENJOYMENT, VALUE, ACCURACY OF DATA, OR SYSTEM INTEGRATION. Veda Grace MAKES NO WARRANTY THAT THE SITE WILL MEET YOUR REQUIREMENTS, OR THAT THE SITE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR FREE; NOR DOES Veda Grace MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SITE, OR THAT DEFECTS IN THE SITE WILL BE CORRECTED. YOU UNDERSTAND AND AGREE THAT ANY INFORMATION, PRODUCTS OR SERVICES OBTAINED THROUGH THE USE OF THE SITE IS DONE AT YOUR OWN DISCRETION AND RISK AND THAT YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE OR LOSS THAT RESULTS FROM THE USE THEREOF. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM Veda Grace OR THE SITE WILL CREATE ANY WARRANTY NOT EXPRESSLY MADE HEREIN.
Veda Grace DOES NOT WARRANT THAT ANY INFORMATION, PICTURES OR GRAPHIC DEPICTIONS, DESCRIPTIONS OR OTHER CONTENT OF THE SITE ARE ACCURATE, COMPLETE, RELIABLE, UPDATED, CURRENT, OR ERROR-FREE. Veda Grace IS NOT RESPONSIBLE FOR THE INTERNET, DATA BANDWIDTH OR SIGNAL OF YOUR COMPUTER OR MOBILE DEVICE. Veda Grace MAKES NO REPRESENTATION OR WARRANTY THAT THE SITE IS APPROPRIATE OR AVAILABLE FOR USE IN LOCATIONS OUTSIDE THE UNITED STATES OR ALL TERRITORIES WITHIN THE UNITED STATES. Veda Grace MAY RELY ON THE AUTHORITY OF ANYONE ACCESSING YOUR ACCOUNT AND IN NO EVENT AND UNDER NO CIRCUMSTANCES SHALL Veda Grace BE HELD LIABLE TO YOU FOR ANY LIABILITY OR DAMAGES RESULTING FROM OR ARISING OUT OF YOUR USE OF THE SITE OR YOUR ACCOUNT.
Veda Grace DOES NOT WARRANT THAT PRODUCT DESCRIPTIONS ARE ACCURATE, COMPLETE, RELIABLE, CURRENT, OR ERROR-FREE, OR THAT PRODUCT PACKAGING DEPICTED ON THE SITE WILL MATCH THE ACTUAL PRODUCT THAT YOU RECEIVE.
8. Limitation of Liability
TO THE EXTENT PERMITTED UNDER APPLICABLE LAW, IN NO EVENT WILL Veda Grace OR ITS OFFICERS, DIRECTORS, EMPLOYEES, CONSULTANTS, REPRESENTATIVES OR AGENTS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF REVENUES, PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF SUCH PARTIES WERE ADVISED OF, KNEW OF OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY), ARISING OUT OF OR RELATED TO YOUR USE OF THE SITE OR PRODUCTS, REGARDLESS OF WHETHER SUCH DAMAGES ARE BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY), WARRANTY, STATUTE OR OTHERWISE. IF YOU ARE DISSATISFIED WITH ANY PORTION OF THE SITE, THE PRODUCTS, OR THESE TERMS OF SERVICE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USE OF THE SITE AND/OR PRODUCTS. THE AGGREGATE LIABILITY OF Veda Grace TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THE SITE AND/OR PRODUCTS IS LIMITED TO THE GREATER OF (I) THE AGGREGATE AMOUNT OF FEES ACTUALLY PAID BY YOU TO Veda Grace OR (II) ONE HUNDRED U.S. DOLLARS (U.S. $100.00).
9. Indemnification and Release
You agree to indemnify, defend and hold harmless Veda Grace and its officers, directors, employees, consultants, representatives and agents, and other users and visitors of the Site, from and against any and all third-party claims, liabilities, damages, losses, costs, expenses, fees (including reasonable attorneys’ fees and court costs) that such parties may incur as a result of or arising out of or related to (a) any information you submit, post or transmit through the Site, (b) your use of the Site and/or Products, (c) your violation of any provision of these Terms of Service, (d) your violation of any rights of any other person or entity, or (e) any viruses, Trojan horses, worms, time bombs, cancelbots or other similar harmful or deleterious programming routines input by you into the Site.
You hereby release Veda Grace, its officers, directors, employees, consultants, representatives and agents from any and all claims, demands, losses, damages, rights, claims, and actions of any kind including, without limitation, personal injury, death, and property damage, that is either directly or indirectly related to or arises from your use of the Site or the Products. If you are a California resident, you hereby waive California Civil Code Section 1542, which provides that: “a general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release which, if known by him must have materially affected his settlement with the debtor.”
10. Governing Law and Dispute Resolution
The validity, interpretation, construction and performance of these Terms of Service will be governed by the laws of the State of Illinois, without giving effect to the principles of conflict of laws. Any dispute arising out of or relating in any way to these Terms of Service will be resolved exclusively by final and binding arbitration in Chicago, Illinois under the rules of the American Arbitration Association, except that either party may bring a claim related to intellectual property rights, or seek temporary and preliminary specific performance and injunctive relief, in any court of competent jurisdiction within Chicago, Illinois, without the posting of bond or other security. The parties agree to the personal and subject matter jurisdiction and venue of the courts located in Chicago, Illinois for any action related to these Terms of Service. The failure of Veda Grace to exercise or enforce any right or provision of these Terms of Service will not constitute a waiver of such right or provision. You agree that irrespective of any statute or law to the contrary, any claim or cause of action arising out of or related to use of the Site or these Terms of Service must be filed within one (1) year after such claim or cause of action arose or be forever barred.
11. Severability and Construction
If any term, provision, covenant or condition of these Terms of Service is found by a court or arbitral body of competent jurisdiction to be invalid, void or unenforceable, the remainder of the provisions hereof shall remain in full force and effect to the fullest extent permissible by applicable law and shall in no way be affected, impaired or invalidated. The headings in these Terms of Service are for convenience only and shall not affect the meaning or interpretation of these Terms of Service or any section thereof.
If Veda Grace or its assets are acquired by another company, or in the event of a merger, consolidation, change in control, transfer of substantial assets, reorganization or liquidation, Veda Grace may transfer, sell or assign to third parties rights related to your relationship with Veda Grace, including, without limitation, your Account and any personal information that you provide or that has been provided on your behalf to Veda Grace. Such third parties will assume (a) responsibility for your relationship with Veda Grace, (b) information collected by Veda Grace in connection with Veda Grace’s business operations or through the Site, and (c) the rights and obligations regarding such information as described in these Terms of Service. These Terms of Service shall be binding upon and inure to the benefit of Veda Grace’s successors or assigns. You may not assign your rights under these Terms of Service without our prior written consent, and any attempted assignment will be null and void.
13. Entire Agreement and Amendments
In order to participate in certain aspects of the Site or receive certain Products, you may be required to agree to additional terms and conditions as posted on the Site (the “Additional Terms”), which are hereby incorporated into these Terms of Service. To the extent there is a conflict between the provisions in these Terms of Service and the Additional Terms, the latter shall have precedence. The current version of these Terms of Service, including, without limitation, the Additional Terms, constitute the entire and exclusive and final agreement between you and Veda Grace with respect to the subject matter hereof, and governs your access and use of the Site, superseding any and all prior or contemporaneous agreements or arrangements between you and Veda Grace with respect to the subject matter hereof, whether written or oral.
We reserve the right to amend, modify, add, delete or update the terms of these Terms of Service, including, without limitation, the Additional Terms, at any time in our sole discretion, as long as such changes are in compliance with applicable law. If we change the terms of these Terms of Service, we will post the new Terms of Service on the Site and you agree that such postings constitute notice of the new Terms of Service to you. We recommend that you read these Terms of Service each time you use the Site. If you object to any changes to these Terms of Service, your sole recourse will be to cease using the Site and/or Products. Your continued access to and usage of the Site and/or Products signifies your acknowledgement and acceptance of any such changes to these Terms of Service and agreement to be bound thereby.
14. Geographic Restrictions
We provide this Site for use only by persons located in the United States. We make no claims that the Site or any of its content is accessible or appropriate outside of the United States. If you access the Site from outside the United States, you do so on your own initiative and are responsible for compliance with local laws.
15. Report Violations
You should report any suspected violations of these Terms of Service to firstname.lastname@example.org.
If you have questions or concerns about these Terms of Service, please contact us at email@example.com.
BUSINESS ASSOCIATE AGREEMENT
This Agreement by and between Veda Grace Inc (“Business Associate”) and the undersigned physician practice (“Covered Entity”), is agreed upon by both the Business Associate and Covered Entity for the purposes of complying with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Public Law 111-005, and the regulations promulgated thereunder; 45 C.F.R. Parts 160 and Part 164, Subparts A, C, D and E (Subpart E, together with the definitions in Subpart A, is known as the “Standards for Privacy of Individually Identifiable Health Information” (the “Privacy Rule”); Subpart C, together with the definitions in Subpart A, is known as the “Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”); and Subpart D, together with the definitions in Subpart A, is known as the “Breach Notification Rule” (“Breach Notification Rule”)) (the Privacy Rule, Breach Notification Rule and the Security Rule are collectively called the “Privacy and Security Rules”). Business Associate and Covered Entity are collectively referred to as the “Parties.”
WHEREAS, the undersigned physician practice is a “Covered Entity” as that term is defined under HIPAA, which requires Covered Entities and certain of their service providers to enter into confidentiality agreements;
WHEREAS, Business Associate may create on behalf of, or receive from, the Covered Entity or the Covered Entity’s other service providers protected health information (“PHI”); and
WHEREAS, upon creation or receipt of such PHI, Business Associate would be a “Business Associate” in relation to the Covered Entity, as that term is defined under HIPAA.
NOW, THEREFORE, in consideration of the premises and the mutual promises contained herein, Covered Entity and Business Associate hereby agree as follows:
- Capitalized Terms. All capitalized terms herein not otherwise defined shall have the meaning ascribed to such terms under HIPAA, the HITECH Act and the Privacy and Security Rules, as may be amended from time to time.
- Business Associate’s Responsibilities with Respect to Use and Disclosure of PHI. Business Associate hereby agrees, with regard to its Use and/or Disclosure of the PHI, to do the following:
- to Use and/or Disclose the PHI only: (i) in conjunction with the services it provides to Covered Entity (“the Services”); (ii) consistent with the manner in which Covered Entity is permitted to Use and Disclose by 45 C.F.R. § 164.502 (as amended from time to time) and/or 45 C.F.R. § 164.512; (iii) for Business Associate’s proper management and administration; (iv) to fulfill any present or future legal responsibilities; (v) as otherwise permitted or required by this Agreement; or (vi) as otherwise permitted or required by law;
- to report to Covered Entity, in writing, any material Use and/or Disclosure of the PHI by Business Associate that is not permitted or required by this Agreement of which Business Associate becomes aware;
- to use commercially reasonable efforts to maintain the security of the PHI and to prevent its Use and/or Disclosures contrary to this Agreement;
- to the extent that Business Associate creates, receives, maintains or transmits Electronic Protected Health Information, as that term is defined by the Security Rule, on behalf of Covered Entity, to report to Covered Entity any Security Incident of which Business Associate becomes aware to the extent such incidents represent successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System that contains or has access to the Electronic Protected Health Information of Covered Entity, and upon request by Covered Entity, report all unsuccessful attempts for which Business Associate has records; and
- to require all of Business Associate’s subcontractors and agents utilized in providing the Services which Use and/or Disclose the PHI, to agree, in writing, to adhere to equivalent restrictions and conditions on the Use and/or Disclosure of the PHI that apply to Business Associate pursuant to this Agreement.
- Safeguards. Business Associate shall employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of Business Associate’s operations, to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this Agreement, including meeting the requirements of 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316, which includes Business Associate’s obligation to have written policies and procedures in place to document its administrative, technical and physical safeguards.
- Access Requests. Business Associate shall process Covered Entity’s requests to access records in the Designated Record Set and identified by Covered Entity so that Covered Entity can comply with 45 C.F.R. § 164.524.
- Amendment Requests. Business Associate shall process Covered Entity’s requests for amendment of the PHI in Business Associate’s possession, solely upon Covered Entity’s request and in a manner that allows Covered Entity to comply with 45 C.F.R. § 164.526 and in a manner that is consistent with the manner in which Covered Entity is amending the PHI in Covered Entity’s possession.
- Accounting of Disclosures. The Parties agree that Business Associate shall track and keep a record of all Disclosures of PHI, and that Business Associate shall provide to Covered Entity the information necessary for Covered Entity to provide an accounting of Disclosures, in a manner compliant with 45 C.F.R. § 164.528, to individuals who request an accounting. In each case Business Associate shall provide at least the following information with respect to each such Disclosure: (a) the date of the Disclosure; (b) the name of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such Disclosure which includes an explanation of the basis for such Disclosure. In the event that Business Associate receives a request for an accounting directly from an individual, Business Associate shall forward such request to Covered Entity in writing.
- De-Identification. Business Associate may de-identify PHI for lawful purposes, so long as such de-identification conforms to the requirements of 45 C.F.R. § 164.514, as may be amended from time to time and may use the PHI to provide data aggregation services relating to Covered Entity’s health care operations.
- Meet Covered Entity Obligations where Appropriate. If Business Associate will perform a service for Covered Entity that is an obligation of Covered Entity under the Privacy Rule, Business Associate shall meet the applicable requirements in the performance of that service.
- Requests from Secretary of Health and Human Services. If Business Associate receives a request, made by or on behalf of the Secretary of the United States Department of Health and Human Services (the “Secretary”), requiring Business Associate to make its internal practices, books, and records relating to the Use and Disclosure of the PHI created or received by Business Associate on behalf of Covered Entity available to the Secretary for the purpose of determining Covered Entity’s and/or Business Associate’s compliance with HIPAA, then Business Associate shall make its internal practices, books and records available to the Secretary or the Secretary’s authorized representative.
- Minimum Necessary. Covered Entity shall provide, and Business Associate shall request, Use and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the definition of “minimum necessary” from time to time, and agree to stay informed of any relevant changes to the definition.
- Reporting of Security Breaches. In the event of a “Breach” of any “Unsecured” PHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall report such Breach to Covered Entity as soon as practicable, but in no event later than ten (10) business days after the date on which the Breach is discovered. “Breach” shall mean the unauthorized acquisition, access, Use, or Disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom the information is disclosed would not reasonably have been able to retain such information. “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). Notice of a Breach shall include, to the extent such information is available: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, and the date of discovery of the Breach, (iii) the scope of the Breach, and (iv) Business Associate’s response to the Breach.
- Responsibilities of Covered Entity. With regard to the Use and/or Disclosure of the PHI by Business Associate, Covered Entity hereby agrees:
- that the Uses and Disclosures of the PHI by Business Associate pursuant to this Agreement are, at the time of execution, and throughout the term of this Agreement will be, consistent with the form of notice of privacy practices (the “Notice”) that Covered Entity provides to individuals pursuant to 45 C.F.R. § 164.520;
- to notify Business Associate, in writing and in a timely manner, of any arrangements permitted or required of Covered Entity under 45 C.F.R. parts 160 and 164 that may impact in any manner the Use and/or Disclosure of the PHI by Business Associate under this Agreement including, but not limited to, restrictions on Use and/or Disclosure of the PHI as provided for in 45 C.F.R. § 164.522 agreed to by Covered Entity, and to hold Business Associate harmless from the financial impact of any such agreement by Covered Entity; and
- to obtain any consent or authorization that may be required under HIPAA or state law prior to furnishing the PHI to Business Associate.
- Term. Unless otherwise terminated as provided in Section 14, this Agreement shall become effective on the Effective Date and shall have a term that shall run concurrently with that of any oral or written agreement by Business Associate to provide Services to Covered Entity and will terminate without any further action of the Parties upon the termination of all such agreements.
- If either Party determines that the other Party has engaged in a pattern of activity that constitutes a material breach of the other Party’s obligations under this Agreement, the non-breaching Party shall, within twenty (20) days of that determination, notify the breaching Party and the breaching Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation. If the breaching Party fails to take reasonable steps to effect such a cure within such a time period, the non-breaching Party may terminate all or part of the service relationship. In no event shall such termination have any effect on sums due from Covered Entity for any services provided by Business Associate under the engagement.
- Where either Party has knowledge of a material breach by the other Party, and cure is not possible, the non-breaching Party shall terminate the portion of the arrangement for Services affected by the breach.
- Effect of Termination. Upon the event of termination of this Agreement, Business Associate agrees, where feasible, to return or destroy the PHI, which Business Associate still maintains in any form. Prior to doing so, Business Associate further agrees, to the extent feasible, to request the destruction of the PHI that is in the possession of its subcontractors or agents. If in Business Associate’s opinion, it is not feasible for Business Associate or any subcontractors to return or destroy portions of the PHI, Business Associate shall, upon Covered Entity’s written request, inform Covered Entity as to the specific reasons that make such return or destruction infeasible and limit any further use or disclosures to the purposes that make the return or destruction of those portions of the PHI infeasible and provide the protections described herein to that PHI.
- Third Party Beneficiaries. Nothing in this Agreement shall be construed to create any third party beneficiary rights in any person.
- Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies thereof shall be deemed to be originals.
- Informal Resolution. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally.
- Limitation on Liability. Neither Party shall be liable to the other party for any incidental, consequential or punitive damages of any kind or nature, whether such liability is asserted on the basis of contract, tort (including negligence or strict liability), or otherwise, even if the other Party has been advised of the possibility of such loss or damages.
- Notices. All notices, requests, approvals, demands and other communications required or permitted to be given under this Agreement shall be in writing and delivered either personally, or by certified mail with postage prepaid and return receipt requested, or by overnight courier to the party to be notified. All communications will be deemed given when received.
- Interpretation. The provisions of this Agreement shall prevail over any provisions in any other agreements between Business Associate and Covered Entity that may conflict or appear inconsistent with any provision of this Agreement. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and the HITECH Act. The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies with and is consistent with HIPAA and the HITECH Act.
- Survival. Sections 4, 6, 15, 19, and 22 shall survive the termination of this Agreement.