Terms of Service & BAA
Thank you for using the DeepCura AI website at https://deepcura.com (the “Site”) and using DeepCura's (“Company” or “we” or “our” or “us”) corresponding notes platform available through the Site (“Platform”) that, along with such other functionality as the Company may make available through the Platform from time to time, allows medical providers to learn, organize, and curate medical knowledge (the Platform, collectively with the Site and the “Services”). These Terms of Services (“Agreement”) govern your browsing, viewing and other use of the Services.
Please read this Agreement carefully, as it (among other things) provides: (a) in Section 14 that you and the Company will arbitrate certain claims instead of going to court and that you will not bring class action claims against the Company; (b) in Section 5 that certain terms and conditions apply with respect to recurring subscription charges for certain paid account types. Please only create a Services account or otherwise use the Services if you agree to be legally bound by all terms and conditions herein. Your acceptance of this Agreement creates a legally binding contract between you and the Company. If you do not agree with any aspect of this Agreement, then do not create a Services account or otherwise use the Services.
If you are viewing this on your mobile device, you can also view this Agreement via a web browser on your computer at https://deepcura.com/termsofservice/.
Note for Children. Use of the Services by anyone under the age of 18 is prohibited. By using the Services, you represent and warrant that are you at least 18 years of age.
You understand and agree that the Services are not intended to store personal information and/or protected health information of any patient or other third party (“Protected Information”). Protected Information is subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and other laws, rules and regulations. We clearly stipulate under this agreement that all Protected Health information is not used for training of Artificial Intelligence models or stored in our servers permanently, PHI is only managed by DeepCura while in transit when the logic of our application perform the services that we promise under this agreement.
1. How the Services Work. In addition to other functionality we may make available from time to time through the Services, the Services allow users to aspire and analyze cases over a lifetime to promote clinical mastery. Functionality available through the Services may allow you to deepen and refine your knowledge base and share your notes with other users of the Services to optimize understanding and retention.
2. Representations and Warranties; User Responsibilities.
2.1. You represent, warrant and covenant that, in connection with this Agreement or the Services, you will not and will not attempt to: (i) violate any laws, third party rights or our community guidelines and other policies; (ii) re-join or attempt to use the Services if the Company has banned or suspended you; (iii) defraud the Company or another user; or (iv) use another user's account or allow another person to use your user account. Any illegal activities undertaken in connection with the Services may be referred to the authorities.
2.2. By using the Services, you hereby expressly agree that you are solely responsible for ensuring: (i) the protection and maintenance of the hardware and software on which you use the Services (“Equipment”); (ii) adequate safeguards are in place to protect the Equipment and the physical location in which the Services are used; (iii) that the Equipment is protected from theft, damage, corruption, alteration, unauthorized access, virus, malware etc.; (iv) that the Services are not accessed by any unauthorized individual; (v) compliance with applicable data privacy laws relating to your use of the Services, including HIPAA, the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009, and related regulations.
2.3. The Services and Company Materials (as defined in Section 4), and any information contained or entered therein, in no way replaces or substitutes your professional judgment or skill. You accept all risks arising from, and are solely responsible for, your professional, advisory, analytical and technical services including patient examination, diagnosis, prescription, treatment and personal injury or loss of life. Neither Company nor its third-party service providers assume any responsibility for your actions. Without limiting the foregoing, you acknowledge and agree that any examples of potential diagnoses or other output generated using the artificial intelligence or machine learning functionality available on the Services (such as DeepCura AI) may be incorrect, harmful, or biased, and you will not rely on or substitute such examples or output for your own professional judgment.
2.4 The Services and any Company Materials made available through the Services are a non-device clinical decision support software application within the meaning of Section 520(o)(1)(E) of the federal Food, Drug and Cosmetic Act, 21 U.S.C. Sec. 360j(o)(1), and the regulations and guidance issued by the U.S. Food and Drug Administration to implement that provision. By accessing or using the Services and Company Materials, you agree to only use the Services and Company Materials in this manner and solely for this purpose. The artificial intelligence or machine learning functionality available on the Services (“DeepCura AI”) are intended for use only by healthcare providers and are not intended for use by the general public. If you are not a healthcare provider, you are not authorized to and will not access or use the DeepCura AI functionality. If you access or use DeepCura AI, you attest that you are a healthcare provider and agree that the application is: (1) not intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system; (2) intended for the purpose of displaying, analyzing, or printing medical information about a patient or other medical information; (3) intended for the purpose of supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition; and (4) intended for the purpose of enabling such health care professional to independently review the basis for such recommendations that such software presents so that it is not the intent that such health care professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.
3. Ownership; Proprietary Rights. As between you and the Company, the Company owns all worldwide right, title and interest, including all intellectual property and other proprietary rights, in and to the Services, all content, text, information, data and other content displayed or made available through the Services, and all usage and other data generated or collected in connection with the use thereof (the “Company Materials”). Except for as expressly set forth herein, you agree not to license, distribute, copy, modify, publicly perform or display, transmit, publish, edit, adapt, create derivative works from, or otherwise make any unauthorized use of the Company Materials. You agree not to reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, algorithm or programs underlying the Company Materials. The Company reserves the right to modify or discontinue the Services or any version(s) thereof at any time in its sole discretion, with or without notice.
4. Third Party Sites. The Services may include advertisements or other links that allow you to access web sites or other online services that are owned and operated by third parties. You acknowledge and agree that the Company is not responsible and shall have no liability for the content of such third-party sites and services, products or services made available through them, or your use of or interaction with them.
5.2. Fees for Services Account. By signing up for any paid account and providing your payment information, you agree to pay us (and authorize our Payment Processor to charge you) the recurring and/or nonrecurring fees as displayed to you at the time you create your account and as may be modified from time to time as described in this Agreement, as well as any other fees you expressly choose to incur in connection with your use of the Services. Unless otherwise specified upon enrollment, for subscription products or services, your payment method will be authorized for up to a month for the applicable account type and on a monthly basis thereafter until you cancel the subscription. You acknowledge and agree that the payment method provided by you will be automatically charged the fees you incur in connection with your use of the Services and represent and warrant that you have all necessary rights relating to such payment instrument to authorize Company to make such charges. Your use of the Services may be suspended if we are unable to charge such payment instrument for any reason or if your account is otherwise past due. The fees applicable to your account may be subject to modification from time to time pursuant to notice (which may be given via e-mail) provided by us at least thirty (30) days in advance of the payment date for which the modification would be effective. You may at any time cancel your account as set forth below if you do not agree to any modified fees. All fees must be paid in U.S. dollars (or such other currency(ies) which may be accepted by Company from time to time, as indicated at the time of payment) and are non-refundable.
5.3. Cancellation of Platform Account. YOU MAY CANCEL YOUR SUBSCRIPTION AT ANY TIME BY CONTACTING US BY DOWNGRADING YOUR ACCOUNT IN THE SETTINGS SECTION ON THE SITE. IF YOU CANCEL YOUR SUBSCRIPTION, YOU MAY STILL USE YOUR SUBSCRIPTION UNTIL THE END OF YOUR THEN-CURRENT SUBSCRIPTION MONTH. TO NOT BE CHARGED FOR YOUR SUBSCRIPTION FOR THE FOLLOWING SUBSCRIPTION MONTH, YOU MUST CANCEL YOUR SUBSCRIPTION AT LEAST THIRTY (30) DAYS PRIOR TO THAT MONTH, OR YOU WILL OTHERWISE BE CHARGED FOR THAT MONTH'S SUBSCRIPTION. ALL CANCELLATION REQUESTS RECEIVED LESS THAN THIRTY (30) DAYS BEFORE THE FOLLOWING SUBSCRIPTION MONTH WILL APPLY TO THE FOLLOWING CYCLE.
6. Your Content
6.1. You understand that all of Your Content is provided to you through the Services only on an “as-available” basis and the Company does not guarantee that the availability of Your Content will be uninterrupted or bug free. You agree you are responsible for all of Your Content and all activities that occur under your user account. As stated at the top of this Agreement, you are not permitted to include Protected Information in Your Content on the Services.
6.3. In connection with Your Content, you further agree that you will not: (i) use material that is subject to third party intellectual property or proprietary rights, including privacy and publicity rights, unless you are the owner of such rights or have permission from their rightful owner to post the material and to grant the Company all of the license rights granted herein; (ii) use Protected Information; (iii) use material that is unlawful, defamatory, libelous, threatening, pornographic, obscene, harassing, hateful, racially or ethnically offensive or encourages conduct that would be considered a criminal offense, violate any law or is otherwise inappropriate; or (iii) include advertisements or marketing content or solicitations of business, or any content of a commercial nature. The Company may investigate an allegation that any of Your Content does not conform this to Agreement and may determine in good faith and in its sole discretion whether to remove such of Your Content, which it reserves the right to do at any time. If you are a copyright holder and believe in good faith that your content has been made available through the Platform without your authorization, you may follow the process outlined at email@example.com to notify the Company's designated agent (pursuant to 17 U.S.C. § 512(c)) and request that the Company remove such content.
6.4. You hereby acknowledge that you may be exposed to content from other users that is inaccurate, offensive, obscene, indecent, or objectionable when using the Services, and further acknowledge that the Company does not control the content shared by users and does not have any obligation to monitor such content for any purpose.
7. Prohibited Uses. As a condition of your use of the Services, you will not use the Services for any purpose that is unlawful or prohibited by this Agreement. You may not use the Services in any manner that in our sole discretion could damage, disable, overburden, impair or interfere with any other party's use of it. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the Services. You agree not to scrape or otherwise use automated means to access or gather information from the Services and agree not to bypass any robot exclusion measures we may put into place. In addition, you agree not to use false or misleading information in connection with your user account and acknowledge that we reserve the right to disable any user account with a profile which we believe (in our sole discretion) is false or misleading (including a profile that impersonates a third party).
8. Additional Terms. When you use certain features or materials on the Services, or participate in a particular promotion, event or contest through the Services, such use or participation may be subject to additional terms and conditions posted on the Services. Such additional terms and conditions are hereby incorporated within this Agreement, and you agree to comply with such additional terms and conditions with respect to such use or participation.
9. Termination. You may terminate this Agreement at any time, for any reason or for no reason, by deleting your Services account by contacting us at firstname.lastname@example.org. Note that deleting the App from your device will not terminate your Services account. You agree that the Company, in its sole discretion and for any or no reason, may terminate this Agreement, your account or your use of the Services, at any time and without notice. The Company may also in its sole discretion and at any time discontinue providing the Services, or any part thereof, with or without notice. You agree that the Company shall not be liable to you or any third-party for any such termination. Sections 2, 4, 5, 6.3, 6.4, and 7 through 16 will survive any termination of this Agreement.
10. Apple. You hereby acknowledge and agree that Apple, Inc.: (i) is not a party to this Agreement; (ii) has no obligation whatsoever to furnish any maintenance or support services with respect to the App; (iii) is not responsible for addressing claims by you or any third party relating to the App, including any product liability claims, claims under consumer protection laws or claims under any other law, rule or regulation; (iv) has no responsibility to investigate, defend, settle or discharge any claim that the App or use thereof infringes any third party intellectual property rights; and (v) is a third party beneficiary of this Agreement with the right to enforce its terms against you directly.
11. Disclaimers; No Warranties. THE SERVICES AND ANY CONTENT, INFORMATION OR OTHER MATERIALS MADE AVAILABLE IN CONJUNCTION WITH OR THROUGH THE SERVICES ARE PROVIDED “AS IS” AND WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT PERMISSIBLE PURSUANT TO APPLICABLE LAW, THE COMPANY AND ITS LICENSORS, SERVICE PROVIDERS AND PARTNERS DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY RIGHTS. THE COMPANY AND ITS LICENSORS, SERVICE PROVIDERS AND PARTNERS DO NOT WARRANT THAT THE FEATURES AND FUNCTIONALITY OF THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, THAT DEFECTS WILL BE CORRECTED, OR THAT THE SERVICES OR THE SERVERS THAT MAKE AVAILABLE THE FEATURES AND FUNCTIONALITY THEREOF ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. CERTAIN STATE LAWS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES. IF THESE LAWS APPLY TO YOU, SOME OR ALL OF THE FOREGOING DISCLAIMERS, EXCLUSIONS, OR LIMITATIONS MAY NOT APPLY TO YOU, AND YOU MIGHT HAVE ADDITIONAL RIGHTS.
12. Indemnification. You agree to indemnify and hold the Company and its affiliated companies, and each of their officers, directors and employees, harmless from any claims, losses, damages, liabilities, costs and expenses, including reasonable attorney's fees, (any of the foregoing, a “Claim”) arising out of or relating to your use or misuse of the Services, including without limitation any use of examples of diagnoses or other output generated using the artificial intelligence or machine learning functionality available on the Services (such as DeepCura), your provision of professional, advisory, analytical and technical services including patient examination, diagnosis, prescription, treatment and personal injury or loss of life, breach of this Agreement, or infringement, misappropriation or violation of the intellectual property or other rights of any other person or entity, provided that the foregoing does not obligate you to the extent the Claim arises out of the Company's willful misconduct or gross negligence. The Company reserves the right, at our own expense, to assume the exclusive defense and control of any matter for which you are required to indemnify us, and you agree to cooperate with our defense of these claims.
13. Limitation of Liability and Damages. UNDER NO CIRCUMSTANCES, INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE, SHALL THE COMPANY OR ITS AFFILIATES, CONTRACTORS, EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR THIRD PARTY PARTNERS, LICENSORS OR SERVICE PROVIDERS, BE LIABLE TO YOU FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES THAT ARISE OUT OF OR RELATE TO THE SERVICES, INCLUDING YOUR USE THEREOF, OR ANY OTHER INTERACTIONS WITH THE COMPANY, EVEN IF THE COMPANY OR A COMPANY AUTHORIZED REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. APPLICABLE LAW MAY NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY OR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU, IN WHICH CASE THE COMPANY'S LIABILITY WILL BE LIMITED TO THE EXTENT PERMITTED BY LAW. IN NO EVENT SHALL THE TOTAL LIABILITY OF COMPANY OR ITS AFFILIATES, CONTRACTORS, EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR THIRD-PARTY PARTNERS, LICENSORS OR SERVICE PROVIDERS TO YOU FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION ARISING OUT OF OR RELATING TO THIS AGREEMENT OR YOUR USE OF THE SERVICES EXCEED ONE HUNDRED U.S. DOLLARS.
14.1. Agreement to Arbitrate. This Section 14 is referred to herein as the “Arbitration Agreement.” The parties agree that any and all controversies, claims, or disputes between you and Company arising out of, relating to, or resulting from this Agreement, shall be subject to binding arbitration pursuant to the terms and conditions of this Arbitration Agreement, and not any court action (other than a small claims court action to the extent the claim qualifies). The Federal Arbitration Act governs the interpretation and enforcement of this Arbitration Agreement.
14.2. Class Action Waiver. THE PARTIES AGREE THAT EACH PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY ON AN INDIVIDUAL BASIS AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE ACTION OR PROCEEDING. UNLESS BOTH PARTIES AGREE OTHERWISE, THE ARBITRATOR MAY NOT CONSOLIDATE OR JOIN MORE THAN ONE PERSON'S OR PARTY'S CLAIMS AND MAY NOT OTHERWISE PRESIDE OVER ANY FORM OF A CONSOLIDATED, REPRESENTATIVE, OR CLASS PROCEEDING. ALSO, THE ARBITRATOR MAY AWARD RELIEF (INCLUDING MONETARY, INJUNCTIVE, AND DECLARATORY RELIEF) ONLY IN FAVOR OF THE INDIVIDUAL PARTY SEEKING RELIEF AND ONLY TO THE EXTENT NECESSARY TO PROVIDE RELIEF NECESSITATED BY THAT PARTY'S INDIVIDUAL CLAIM(S).
14.3. Procedures. Arbitration will be conducted by a neutral arbitrator in accordance with the American Arbitration Association's (“AAA”) rules and procedures (the “AAA Rules”), as modified by this Arbitration Agreement. If there is any inconsistency between the AAA Rules and this Arbitration Agreement, the terms of this Arbitration Agreement will control unless the arbitrator determines that the application of the inconsistent Arbitration Agreement terms would not result in a fundamentally fair arbitration. The arbitrator must also follow the provisions of this Agreement as a court would, including without limitation, the limitation of liability provisions in Section 13. You may visit http://www.adr.org for information on the AAA and http://www.adr.org/fileacase for information on how to file a claim against the Company.
14.4. Venue. The arbitration shall be held in the county in which you reside or at another mutually agreed location. If the value of the relief sought is $10,000 or less, you or Company may elect to have the arbitration conducted by telephone or based solely on written submissions, which election shall be binding on each party, but subject to the arbitrator's discretion to require an in-person hearing if the circumstances warrant. Attendance at any in-person hearing may be made by telephone by either or both parties unless the arbitrator requires otherwise.
14.5. Governing Law. The arbitrator will decide the substance of all claims in accordance with the laws of the State of California, without regard to its conflicts of laws rules, and will honor all claims of privilege recognized by law. The arbitrator shall not be bound by rulings in prior arbitrations involving different users of the Services but is bound by rulings in prior arbitrations involving you to the extent required by applicable law.
14.6. Costs of Arbitration. Payment of all filing, administration, and arbitrator fees (collectively, the “Arbitration Fees“) will be governed by the AAA's Rules. Each party will be responsible for all other fees it incurs in connection with the arbitration, including without limitation, all attorney fees.
14.7. Confidentiality. All aspects of the arbitration proceeding, and any ruling, decision or award by the arbitrator, will be strictly confidential for the benefit of all parties.
14.8. Severability. If a court decides that any term or provision of this Arbitration Agreement other than Section 14.2 is invalid or unenforceable, the parties agree to replace such term or provision with a term or provision that is valid and enforceable and that comes closest to expressing the intention of the invalid or unenforceable term or provision, and this Arbitration Agreement shall be enforceable as so modified. If a court decides that any of the provisions of Section 16.2 is invalid or unenforceable, then the entirety of this Arbitration Agreement shall be null and void. The remainder of this Agreement will continue to apply.
15. Miscellaneous. The Company may make modifications, deletions and/or additions to this Agreement (“Changes”) at any time. Changes will be effective: (i) thirty (30) days after the Company provides notice of the Changes, whether such notice is provided through the Services user interface, is sent to the e-mail address associated with your account or otherwise; or (ii) when you opt-in or otherwise expressly agree to the Changes or a version of this Agreement incorporating the Changes, whichever comes first. Under this Agreement, you consent to receive communications from the Company electronically. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without giving effect to any principles of conflicts of law. You agree that any action at law or in equity arising out of or relating to this Agreement or the Services that is not subject to arbitration under Section 16 shall be filed only in the state or federal courts in California (or a small claims court of competent jurisdiction) and you hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. The failure of any party at any time to require performance of any provision of this Agreement shall in no manner affect such party's right at a later time to enforce the same. A waiver of any breach of any provision of this Agreement shall not be construed as a continuing waiver of other breaches of the same or other provisions of this Agreement. If any provision of this Agreement shall be unlawful, void, or for any reason unenforceable, then that provision shall be deemed severable from this Agreement and shall not affect the validity and enforceability of any remaining provisions. This Agreement, and any rights and licenses granted hereunder, may not be transferred or assigned by you, but may be assigned by the Company without restriction. This is the entire agreement between us relating to the subject matter herein and shall not be modified except in a writing, signed by both parties, or by a change to this Agreement made by the Company as set forth herein.
16. More Information; Complaints. The services hereunder are offered by DeepCura, which can be contacted via email@example.com.
Annexe I: Business Associates Agreement
This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is made and entered into by and between DeepCura Inc., a company incorporated under the laws of Delaware (“Business Associate”) and a client who has entered a Terms of Service Agreement (the “Agreement”) with the Business Associate (“Covered Entity”), in accordance with the meaning given to those terms at 45 CFR §164.501. This BAA applies to the processing carried out by the Business Associate on behalf of the Covered Entity. In this BAA, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”.
I. Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are
defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);
II. The Parties have entered into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the “Agreement”);
III. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;
IV. By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;
V. Both Parties are committed to complying with all federal and state laws and all other applicable regulations and laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”);
VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:
For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or other pertinent law.
A. “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
B. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
C. “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
D. “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
E. “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B.
F. “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
G. “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
H. “Health Care Operations” has the meaning given to that term in 45 CFR §164.501.
I. “HHS” means the U.S. Department of Health and Human Services.
J. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
K. “Individual” has the same meaning given to that term i in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
L. “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
M. “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
N. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
O. “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
P. “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).
2.Use and Disclosure of PHI.
A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.
B. Except as otherwise limited by this BAA or federal or state law or other applicable law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession.
E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
F. Notwithstanding the foregoing, Business Associate may use or disclose, without limitation, any Protected Health Information that has been fully anonymized and de-identified prior to such use or disclosure.
3.Safeguards Against Misuse of PHI
Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.
4.Reporting Disclosures of PHI and Security Incidents
Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within five business days of becoming aware of the event.
5.Reporting Breaches of Unsecured PHI
Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach.
6.Mitigation of Disclosures of PHI
Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.
7. Agreements with Agents or Subcontractors
Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity.
8. Audit Report
Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent SOC 2 certification report or other mutually agreed upon independent standards based third party audit report. Covered Entity agrees not to re-disclose Business Associate’s audit report.
9.Access to PHI by Individuals.
A. Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524.
B. In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate within ten business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.
10.Amendment of PHI.
A. Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s request.
B. In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate within ten business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity.
11.Accounting of Disclosures.
A. Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
B. Business Associate will furnish to Covered Entity information collected in accordance with this Section 10, within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
C. In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward such request to Covered Entity.
12.Availability of Books and Records
Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA.
13.Responsibilities of Covered Entity
With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:
A. Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
B. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
D. Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA or other applicable law if done by Covered Entity.
Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.
15.Term and Termination.
A. This BAA will become effective from the date of signature of the Agreement, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA.
B. Covered Entity may terminate immediately this BAA, the Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity’s reasonable satisfaction, within 30 days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.
C. If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with 30 days to cure the breach. Covered Entity’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate. Business Associate may report the breach to HHS.
D. Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate’s agents and subcontractors but will not include the PHI produced by Business Associate within the framework of article 2.C.. If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 15.D. will survive any termination of this BAA.
16.Effect of BAA.
A. This BAA is a part of and subject to the terms of the Agreement and as such shall be governed by, and shall be construed in accordance with, the same law as the Agreement. In case of contradiction between the terms of this BAA and any term of the Agreement, the terms of this BAA will prevail if it does not conflict with applicable laws.
B. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
17. Regulatory References.
A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
All notices, requests and demands or other communications to be given under this BAA to a Party will be made via electronic mail to the Party’s address given below:
A. If to Covered Entity, to the e-mail address given when signing the Agreement:
B. If to Business Associate, to: firstname.lastname@example.org
19. Amendments and Waiver
This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
© 2023 by DeepCura Inc.
Engineered by DeepCura in San Francisco.
A Well-equipped Samurai beats 10 traditionally trained warriors.