Terms of Service Agreement
Last Updated: April 20th, 2023
The following Terms of Service Agreement (the “Agreement”) is entered into by and between you and Nabla Technologies, Inc. (“Nabla”, “Company”, “we”, “us” or “our”). This Agreement governs your access to and use of our platform (“Platform”), our application (“App”), our application programming interfaces (each an “API”) or any other products and services made available by us (collectively, the “Services”).
Please read this Agreement carefully. By accessing or otherwise using the Services or by clicking to accept or agree to the Agreement when this option is made available to you, you:
i. acknowledge that you have read and understood this Agreement,
ii. represent and warrant that you meet all of our eligibility requirements for using the Services as described in this Agreement, and
iii. accept and agree to be bound by this Agreement, including any other terms applicable to the Services that are incorporated herein by reference.
If you are using the Services on behalf of an entity, you are agreeing to this Agreement for that entity and are representing to us that you have the authority to bind that entity to this Agreement (in which case “you” will refer to that entity). If you do not accept this Agreement or do not satisfy the eligibility requirements set forth below, you may not access or use the Services.
The parties acknowledge that acceptance of the Agreement by electronic means between the Parties has the same evidential value as a paper agreement.
2. Changes to this Agreement
We reserve the right to update and revise this Agreement at any time. We’ll make sure to also change the “Last Updated” date at the top of this page so you can tell if this Agreement has changed since your last visit. Any such changes are effective immediately when we post them and apply to all access to and use of the Services thereafter. Please review this Agreement regularly because once we post any changes, your continued use of the Services constitutes your acceptance of the revised Terms. If you do not accept any modification to the Terms, you must stop using the Services. Notwithstanding the foregoing, any change to the Fees and Payment terms as described in Section 5 will enter into force only on the calendar month following the revision of this Agreement.
3. Use of the Services
Your use of the Services is subject to your compliance with this Agreement. By accessing and using the Services, you warrant that:
i. You are legally capable of entering into binding contracts;
ii. All registration information you submit is truthful and accurate; “registration information” is understood to mean your registration information and not those of your patients.
iii. You will maintain the accuracy of such information; and
iv. Your use of the Services does not violate any applicable law or regulation.
3.1 Intended Use
The Services are designed and intended to be used by healthcare providers, telehealth companies and any companies that provide services relating to any of the foregoing. Despite the foregoing, the Services are a tool that enables these constituencies to better serve their patients and customers, and do not, in any circumstance, constitute the provision of medical advice by us.
You can only use or receive the Services to the extent the laws of your jurisdiction or the United States do not bar you from doing so. Please make sure this Agreement is in compliance with all laws, rules and regulations that apply to you. You are solely responsible for ensuring that your use of the Services complies with the laws of your specific jurisdiction.
We hereby grant you a non-exclusive, non-transferable right to access and use the Services during the Term, solely for use by your end users in accordance with this Agreement. In this Agreement, “end users” refers to your staff (e.g. employees, contractors) authorized to use the Services under the conditions defined in the Agreement.
To the extent that your use of the Services involves the use and/or integration of our Platform or any of our APIs or Services, we hereby grant you, during the Term, a non-exclusive, non-transferable license (without the right to sublicense) to use the Platform and/or any API or API components and/or Services to:
i. develop and implement applications to assist you to access and use the Services (the “User Applications”); and
ii. use the Platform, any API and/or any code related to either for the sole purposes of designing, developing, and testing such User Applications, including for the purpose (commercially or otherwise) of distributing any User Application to third parties or allowing any third parties to access or use any User Application.
3.4 Restriction on use
You may only use the Services as explicitly authorized and in compliance with any policies as set forth herein or otherwise made available to you within the Services. No portion of the Services may be reproduced in any form or by any means. Without limiting the foregoing, you may not do any of the following while accessing or using the Services:
Use the Services for any revenue generating endeavor, commercial enterprise, or other purpose other than for the permitted uses under this Agreement without our express written consent;
Express or imply that any statements you make are endorsed by Nabla;
Resell any Services for commercial purposes, except as expressly permitted herein;
Modify, adapt, translate, reverse engineer, decompile, disassemble or convert into human readable form any of the contents of the Services not intended to be so read;
Interfere or attempt to interfere with the proper working of the Services or any activities conducted on the Services;
Bypass, circumvent, or attempt to bypass or circumvent any measures we may use to prevent or restrict access to the Services, including without limitation other accounts, computer systems or networks connected to the Services;
Run any form of auto-responder or “spam” on the Services;
Access or use the Services for any illegal or unauthorized purpose, including to harass, abuse, defame or otherwise infringe or violate the rights of any other party; or
Otherwise take any action in violation of this Agreement.
3.5 Modifications of the Services
We may from time to time in our sole discretion develop and provide updates to the Services, modify the Services, change the Services, restrict access to the Services (including to registered users) or withdraw or terminate the Services entirely, and we reserve the right to do so in our sole discretion without notice to you. Any such updates, modifications or changes will be deemed part of the Services and subject to all terms and conditions of this Agreement. Following such update, modification or change, you may terminate this Agreement without cause upon thirty (30) days written notice. We will not be liable to you or any third party for any modification, suspension, discontinuance or termination of the Services. In the event of modification, suspension, discontinuance or termination, you will still be bound by your obligations under this Agreement, including the warranties made by you, and by the disclaimers and limitations of liability.
3.6 Availability of the Services
Your access to the Services may be occasionally restricted to allow for repairs, maintenance or the introduction of new facilities or Services. We will restore the Services as soon as we reasonably can. We will not be liable to you if the Services are unavailable from time to time.
3.7 Compliance with laws
The Services are intended to assist you in the conduct of your business. We do not make any representations or warranties that your use of the Services will satisfy or ensure your compliance with any legal obligations or applicable laws, rules, or regulations. You are solely responsible for ensuring compliance with all applicable laws and regulations. You acknowledge and agree to use the Services only for purposes that are legal, proper and in accordance with this Agreement and any applicable laws, rules or regulations.
Without limiting the foregoing, you will
3.8 Term and Termination
The term of the Agreement shall commence on the day you sign the Agreement (the “Effective Date”).
Your access to and use of the Services will continue indefinitely until cancelled by you upon sixty (60) days’ written notice to the Company.
We can terminate your access to or use of the Services as a result of your having violated this Agreement or otherwise engaged in conduct that harms or is intended to harm us or the Services. We may also suspend or terminate your use of the Services as a result of your fraud or breach of any obligation under this Agreement. Such termination or suspension may be immediate and without notice. A breach of this Agreement includes, without limitation, the unauthorized copying or download of content from the Services.
We can also terminate this Agreement without cause and in our sole and complete discretion upon sixty (60) days’ written notice to you.
3.9 Effect of termination
If your access to the Services is terminated or suspended for any reason,
i. all rights granted under this Agreement will end,
ii. you agree to immediately terminate and cease use of all Services,
iii. we will not be liable to you or any third party for compensation, reimbursement, or damages for any termination or suspension of the Services, or for deletion of your information or account data. All sections of this Agreement that by their nature are intended to survive such suspension or termination shall so survive.
In addition, upon termination of the Services, we will, at your option, either return all your information, account data and Patient information to you or delete all said information and data.
4. User Accounts
4.1 Account registration
To access and use the Services, you will be required to register with the Site and create a user account (“Account”). Any individual employed by a business that is a healthcare provider, telehealth company and any company that provides services to any of the foregoing who will be using the Services, is required to create their own Account.
In order for us to provide you the best possible service, you agree that, as part of the registration process, you will provide us with complete and accurate information and also agree to keep your Account information up to date at all times. You agree that all information that you submit upon creation of your Account is accurate and truthful and you have the right to post the content on the Service and grant a license to Nabla for purposes of its provision of the Services. If any information on your Account or on the Services is incorrect or outdated, it can lead to errors or delays, for which we will not be responsible.
4.2 Account verification
If you are a healthcare provider or an employee or agent of a healthcare provider, telehealth company or any person or entity who provides services to any of the foregoing, in order to comply with applicable laws, rules and regulations, you may be required to, as necessary, verify your identity and credentials after registering your Account. After you have completed the registration process, we will send you an email providing the steps required to complete the verification process. If you are required to but do not complete the verification process, you may not be permitted to use the Services. We reserve the right to modify the verification process, including but not limited to automating the verification process, at any time in our sole discretion.
4.3 Responsibility for Account
If you create an Account, you are solely responsible for any activity that occurs through your Account.
You, your employees or agents should not share your Account information. You agree to not use another person’s Account or registration information to access or use the Services. You agree not to permit any third party to use your Account or registration information to access or use the Services. You are solely responsible for keeping your Account and Account password secure and for any consequence resulting from your failure to do so. You should never publish, distribute, or post login information for your Account.
4.4 Suspension or termination of Account
We reserve the right to disable any Account, username, password or other identifier, whether chosen by you or provided by us, at any time in our sole discretion for any or no reason, including if, in our opinion, you have violated any provision of this Agreement. You can always delete your Account by emailing us at firstname.lastname@example.org.
The Services may include both paid-for Services, for which you will be charged fees (“Fees”) and free Services for which no fees are charged. The applicable Fees are available on our website or on the subscription portal.
We reserve the right to, at any time and from time to time and upon reasonable advance notice to you, in our sole discretion, change the Fees we charge for the Services, including the right to charge Fees for Services that were previously free of charge. We may also at any time and from time to time, in our sole discretion, change or remove any of the pricing models in place. The new prices shall apply as of the calendar month following the notification.
In case of refusal of the new prices, you remain free to terminate this Agreement by notifying us before the new prices enter into force.
5.2 Invoicing and Payment
Fees are invoiced in advance on a monthly basis and payable upon receipt of the invoice by direct debit, credit card or other payment means notified to you at our sole discretion.
The first invoice will cover the period from the Effective Date to the end of the then-current month.
We may use third party payment service providers to collect any Fees you incur in the course of your use of the Services. Our third party payment service providers may receive and implement updated credit card information from your credit card issuer in order to prevent your payment or subscription from being interrupted by an outdated or invalid card. This disbursement of the updated credit card information is provided to third party payment service providers at the sole election of your credit card issuer. Your credit card issuer may give you the right to opt-out of the update service. Should you desire to do so, please contact your credit card issuer. You agree not to hold us responsible for banking charges incurred due to payments on your account.
5.3 Late payments
You acknowledge that your failure to pay any Fees when due may result in suspension or termination of your use of the Services. If you fail to pay any of the fees or charges due hereunder, the Company reserves the right to, among other things, engage an attorney or a collections agency to collect the delinquent fees and charges. You agree to pay all fees and costs incurred by the Company in connection with the collection of such delinquent amounts, including without limitation, any and all court related costs, attorneys’ and/or collections agencies’ fees plus interest in an amount equal to the lesser of 1.0% per month or the maximum rate permitted by applicable law.
You are responsible for all sales tax, use tax, value added taxes, withholding taxes and any other similar taxes and charges of any kind imposed by a governmental entity on the transactions contemplated by this Agreement. When we have the legal obligation to pay or collect taxes for which you are responsible pursuant to this Section 5.4, the appropriate amount will be invoiced to and paid by you unless you provide us with a valid tax exemption certificate authorized by the appropriate taxing authority.
6. Customer Support.
Although we aim to offer you the best service possible, we make no promise that the Services will meet your requirements and we cannot guarantee that the Services will be fault free. We will use commercially reasonable efforts to provide technical support services to you in the event a fault or other issue with the Services occurs. If a fault or other issue occurs in our Services, please report it to us at email@example.com and we will review your complaint and, where we determine it appropriate to do so, correct the fault.
7. Confidential Information.
“Confidential Information” means all information provided or made available by or on behalf of the disclosing party (whether disclosed orally or disclosed or accessed in written, electronic, or other form of media, and whether or not marked, designated, or otherwise identified as “confidential”).
Neither party shall disclose to any third party any Confidential Information without the other party’s prior written consent, except as otherwise expressly permitted under this Agreement. The foregoing restrictions do not apply to,
i. any information that is in the public domain or already in the receiving party’s possession,
ii. was known to the receiving party prior to the date of disclosure,
iii. becomes known to the receiving party thereafter from a third party having an apparent bona fide right to disclose the information, or
iv. Confidential Information that the receiving party is obligated to produce pursuant to a court order or a valid administrative subpoena, provided the receiving party gives the disclosing party timely notice of such court order or subpoena (unless the receiving party is legally precluded from providing such notice).
This Section 7 will survive termination or expiration of your use of the Services.
8. Data Protection
The parties agree to comply with all applicable privacy, data protection, anti spam and other laws, rules, regulations and guidelines relating to protection, collection, use and distribution of Personal Information (as defined below).
If required by applicable data protection legislation or other law or regulation, you will inform third parties that you are providing their Personal Information to us for processing and will ensure that any required third parties have given their consent to such disclosure and processing.
“Personal Information” means any information that identifies, relates to, describes, or can be reasonably associated with or traced to, directly or indirectly, a particular individual or household, including an individual’s name, address, telephone number, e-mail address, credit card information, social security number or other similar specific factual information, regardless of the media on which such information is stored (e.g., on paper or electronically).
8.1 Patient Information
As part of using the Services, you agree that you will comply with all laws, rules, and regulations applicable to you and/or your business, including the Health Insurance Portability and Accountability Act (“HIPAA”). You represent and warrant that you have all rights necessary to any information covered by HIPAA that you use or provide to us as part of your use of the Services.
If either you or your organization is subject to HIPAA as a Covered Entity or Business Associate (as defined in HIPAA) and intend to use the Services in a manner that will cause us to create, receive, maintain, or transmit Protected Health Information on your behalf, then, at the outset of creating an account to use the Services for yourself or your organization, you will be required to agree to the Business Associate Agreement made available to you at such time, and absent agreeing to such Business Associate Agreement you will not be able to use the Services.
You acknowledge and agree that we may freely use any patient information so long as such information has been fully anonymized and de-identified prior to any such use.
9. Intellectual Property
Except as otherwise expressly granted to you in this Agreement, we reserve and retain all right, title and interest in the Services, including without limitation, all technology and processes, enhancements or modifications thereto, trademarks, service marks, site design, text, video, graphics, logos, images and icons, as well as the arrangement thereof. You acknowledge that the Services contain proprietary content, information and material protected by applicable intellectual property and other laws, including but not limited to copyright and trademark laws, and you agree that, except with our prior written consent or as explicitly provided in this Agreement, using the Services does not,
Any unauthorized use of any content or materials on the Services is strictly prohibited and violates copyright, trademark, and/or other intellectual property laws, and/or the laws of privacy, publicity, and/or communications regulations and statutes.
In particular, audio or video content from Nabla not explicitly indicated as downloadable may not be downloaded or copied from the Services. You may not otherwise download, display, copy, reproduce, distribute, modify, perform, transfer, create derivative works from, sell or otherwise exploit any content, code, data or materials in the Services. If you make other use of the Services, or the content, code, data or materials thereon, except as otherwise provided, you may violate copyright and other laws of the United States, other countries, as well as applicable state laws and may be subject to liability for such unauthorized use.
Other than to operate your business and the business of your affiliates who are authorized to use the Services, you may not access or use for any commercial purposes any part of the Site or any services or materials available through the Site. You acknowledge and agree that you do not acquire any ownership interest in the Services under this Agreement, or any other rights thereto other than to use the Services in accordance with the license granted. Appropriate legal action may be taken for any illegal or unauthorized use of the Services.
To inquire about obtaining authorization to use the materials or content other than as permitted in this Agreement, please contact us at firstname.lastname@example.org.
10. Warranty Disclaimers; Limitation of Liability
THE SERVICES ARE PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND. TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE COMPANY DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, RELATING TO THE SERVICES OR ANY CONTENT ON THE SERVICES, WHETHER PROVIDED OR OWNED BY THE COMPANY OR BY ANY THIRD PARTY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, FREEDOM FROM COMPUTER VIRUS, AND ANY IMPLIED WARRANTIES ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE IN TRADE, ALL OF WHICH ARE EXPRESSLY DISCLAIMED. IN ADDITION, YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE SERVICES AND THE COMPANY DOES NOT MAKE ANY REPRESENTATION OR WARRANTY THAT ANY OF THE SERVICES OR ANY CONTENT AVAILABLE THROUGH ANY OF THE SERVICES IS ACCURATE, COMPLETE, AVAILABLE, CURRENT, FREE FROM ERRORS OR OTHER DEFECTS (TECHNICAL OR OTHERWISE) THAT WILL BE CORRECTED, FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS OR DEFECTS, OR THAT THE SERVICES WILL MEET YOUR REQUIREMENTS. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM COMPANY SHALL CREATE ANY WARRANTY NOT EXPRESSLY MADE HEREIN.
IN NO EVENT WHATSOEVER SHALL THE COMPANY, ITS AFFILIATES, OR SUPPLIERS, OR THEIR RESPECTIVE OFFICERS, EMPLOYEES, SHAREHOLDERS, AGENTS, OR REPRESENTATIVES, BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES, OR FOR ANY LOSS OF PROFITS OR REVENUE, INCLUDING BUT NOT LIMITED TO LOSS OF SALES, PROFIT, REVENUE, GOODWILL, OR DOWNTIME, (ARISING UNDER TORT, CONTRACT, OR OTHER LAW) REGARDLESS OF SUCH PARTY’S NEGLIGENCE OR WHETHER SUCH PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. YOU UNDERSTAND AND AGREE THAT THE DOWNLOAD OF ANY MATERIALS IN CONNECTION WITH THE SERVICES IS DONE AT YOUR DISCRETION AND RISK AND THAT YOU WILL BE SOLELY RESPONSIBLE FOR ANY LOSS OR DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT MAY RESULT FROM THE DOWNLOAD OR UPLOAD OF ANY MATERIAL. COMPANY NEITHER ASSUMES, NOR DOES IT AUTHORIZE ANY OTHER PERSON TO ASSUME ON ITS BEHALF, ANY OTHER LIABILITY IN CONNECTION WITH THE PROVISION OF THE SERVICES. IF, NOTWITHSTANDING THE OTHER PROVISIONS OF THIS AGREEMENT, COMPANY IS FOUND TO BE LIABLE TO YOU FOR ANY DAMAGE OR LOSS WHICH ARISES OUT OF OR IS IN ANY WAY CONNECTED WITH YOUR USE OF ANY SERVICES, COMPANY’S LIABILITY SHALL IN NO EVENT EXCEED THE GREATER OF (1) THE TOTAL OF ANY FEES PAID BY YOU TO COMPANY IN THE SIX (6) MONTHS PRIOR TO THE DATE THE CLAIM IS ASSERTED FOR ANY OF THE SERVICES OR FEATURE RELEVANT TO THE CLAIM, OR (2) US$500.00.
THESE DISCLAIMERS AND LIMITATIONS OF LIABILITY ARE MADE TO THE FULLEST EXTENT PERMITTED BY LAW.
You agree to defend, indemnify and hold harmless the Company, its affiliates, licensors and service providers, and its and their respective officers, directors, employees, contractors, agents, licensors, suppliers, successors and assigns from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses or fees (including reasonable attorneys' fees) arising out of or relating to your violation of this Agreement or your use of the Services or your use of any information obtained through the Services.
Company agrees to defend you and your affiliates, against any third party claim asserted, threatened, or brought against you or your affiliates, and pay damages and reasonable costs assessed against you or your affiliates by a court of competent jurisdiction (or, at Company’s option, that are included in a settlement of such claim or action in accordance herewith), to the extent such claim arises from infringement by the Services of such party’s copyrights, trademarks, trade secrets or patents issued as of the Effective Date.
12. Governing Law
No matter where you’re located, the laws of the state of New York will govern this Agreement and the relationship between you and the Company as if you signed this Agreement in New York, without regard to New York state’s conflicts of laws rules. If any provisions of this Agreement are inconsistent with any applicable law, those provisions will be superseded and/or modified only to the extent such provisions are inconsistent. The parties agree to submit to the federal or state courts in New York for exclusive jurisdiction of any dispute arising out of or related to your use of the Services or your breach of this Agreement.
Except for claims for injunctive or equitable relief, any dispute arising under this Agreement, including disputes arising from or concerning their interpretation, violation, invalidity, non-performance, or termination, is subject to final and binding arbitration under the Rules of Arbitration of the American Arbitration Association of Service. The arbitration shall be seated in New York, New York. Any arbitral decision may be enforced in any court of competent jurisdiction. With respect to all disputes arising in relation to this Agreement, but subject to the preceding arbitration provision, the parties hereto consent to exclusive jurisdiction and venue in the state and Federal courts located in New York, New York.
If it turns out that any part of this Agreement is invalid, void, or for any reason unenforceable, that term will be deemed severable and limited or eliminated to the minimum extent necessary. The limitation or elimination of the term will not affect any other terms.
15. Entire Agreement
This Agreement, together with the Business Associate Agreement, if any, constitutes the entire agreement between you and the Company and supersedes all prior or contemporaneous communications and proposals, whether electronic, oral, or written with respect to these Services. Any rights not expressly granted herein are reserved.
16. Force Majeure
We will not be liable for any failure to perform any of our obligations stated in this Agreement if the failure results from a cause beyond our reasonable control, including—without limitation—mechanical, electronic or communications failure or degradation, strikes or other labor disputes (whether or not relating to our workforce), restraints or delays affecting carriers, or our inability or delay in obtaining supplies of adequate or suitable materials.
You cannot assign, transfer or sublicense your rights, obligations or responsibilities under this Agreement without first obtaining our consent. We may assign, transfer, or delegate any of our rights and obligations without consent. This Agreement does not create any agency, partnership, joint venture, or employment relationship, and neither party has any authority to bind the other in any respect.
No waiver by any party of the other party’s failure to comply with any part of this Agreement shall be binding unless the waiver is in writing signed by the party giving the waiver. No waiver of or failure to exercise any option, right or privilege under the terms of this Agreement by either of the parties hereto on any occasion or occasions shall be construed to be a waiver of the same or of any other option, right or privilege on any other occasion.
You release the Company and our successors from all losses, damages, rights, and demands and actions of any kind, including personal injuries, death, and property damage, that are directly or indirectly related to or arise from your use of the Services (collectively, “Claims”). If you are a California resident, you hereby waive California Civil Code Section 1542, which states, “A general release does not extend to claims that the creditor or releasing party does not know or suspect to exist in his favor at the time of executing the release, which, if known by him would have materially affected his settlement with the debtor.” This release does not apply to any Claims for unconscionable commercial practice by the Company or fraud, deception, false promise, misrepresentation or concealment, or suppression or omission of any material fact in connection with the Services.
20. Comments, Concerns and Complaints
All feedback, comments, requests for technical support and other communications relating to the Services should be directed to: email@example.com.
Annexe I: Business Associates Agreement
This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is made and entered into by and between Nabla Technologies Inc., a company incorporated under the laws of Delaware (“Business Associate”) and a client who has entered a Terms of Service Agreement (the “Agreement”) with the Business Associate (“Covered Entity”), in accordance with the meaning given to those terms at 45 CFR §164.501. This BAA applies to the processing carried out by the Business Associate on behalf of the Covered Entity. In this BAA, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”.
I. Covered Entity is either a “covered entity” or “business associate” of a covered entity as each is defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);
II. The Parties have entered into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the “Agreement”);
III. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;
IV. By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;
V. Both Parties are committed to complying with all federal and state laws and all other applicable regulations and laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”);
VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:
For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or other pertinent law.
A. “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
B. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule or the GDPR which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
C. “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
D. “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
E. “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B.
F. “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
G. “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
H. “Health Care Operations” has the meaning given to that term in 45 CFR §164.501.
I. “HHS” means the U.S. Department of Health and Human Services.
J. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
K. “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
L. “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
M. “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
N. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
O. “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
P. “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).
2. Use and Disclosure of PHI.
A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.
B. Except as otherwise limited by this BAA or federal or state law or other applicable law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. However, due to substantial financial, material and human investments made by Business Associate within the framework of the Agreement for the development and updating of the Solution as defined in the Agreement, Covered Entity authorizes Business Associate to reuse the PHI as long as the latter undertakes to comply with Privacy Rule and other applicable law, for all these PHI, for the uses listed below:
- research and development of the Solution,
- improving performance, models and algorithms developed and trained by Business Associate in the context of the Solution or any other solution published by Business Associate,
without Covered Entity being able to claim any intellectual property right relating to these elements.
Covered Entity declares that he/she has assessed and validated the compatibility of the said uses within the meaning of the Privacy Rule and other applicable law with the initial purposes of the data processing carried out within the scope of the Agreement.
D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession.
E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
3. Safeguards Against Misuse of PHI
Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.
4. Reporting Disclosures of PHI and Security Incidents
Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within five business days of becoming aware of the event.
5. Reporting Breaches of Unsecured PHI
Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach.
6. Mitigation of Disclosures of PHI
Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.
7. Agreements with Agents or Subcontractors
Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity.
8. Audit Report
Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent SOC 2 certification report or other mutually agreed upon independent standards based third party audit report. Covered Entity agrees not to re-disclose Business Associate’s audit report.
9. Access to PHI by Individuals.
A. Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524.
B. In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate within ten business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.
10. Amendment of PHI.
A. Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s request.
B. In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate within ten business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity.
11. Accounting of Disclosures.
A. Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
B. Business Associate will furnish to Covered Entity information collected in accordance with this Section 10, within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
C. In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward such request to Covered Entity.
12. Availability of Books and Records
Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA.
13. Responsibilities of Covered Entity
With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:
A. Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
B. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
D. Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA or other applicable law if done by Covered Entity.
14. Data Ownership. Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.
15. Term and Termination.
A. This BAA will become effective from the date of signature of the Agreement, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA.
B. Covered Entity may terminate immediately this BAA, the Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity’s reasonable satisfaction, within 30 days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.
C. If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with 30 days to cure the breach. Covered Entity’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate. Business Associate may report the breach to HHS.
D. Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate’s agents and subcontractors but will not include the PHI produced by Business Associate within the framework of article 2.C. If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 15.D. will survive any termination of this BAA.
16. Effect of BAA.
A. This BAA is a part of and subject to the terms of the Agreement and as such shall be governed by, and shall be construed in accordance with, the same law as the Agreement. In case of contradiction between the terms of this BAA and any term of the Agreement, the terms of this BAA will prevail if it does not conflict with applicable laws.
B. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
17. Regulatory References.
A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
All notices, requests and demands or other communications to be given under this BAA to a Party will be made via electronic mail to the Party’s address given below:
A. If to Covered Entity, to the e-mail address given when signing the Agreement:
B. If to Business Associate, to: firstname.lastname@example.org
19. Amendments and Waiver
This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.