Last Modified: 21 April 2020
SPRUCE DOES NOT PROVIDE MEDICAL SERVICES OR ADVICE, INCLUDING VIA THE PLATFORM. IF YOU ARE (OR SOMEONE ELSE IS) EXPERIENCING A MEDICAL EMERGENCY, CALL 911 IMMEDIATELY.
YOU ACKNOWLEDGE AND AGREE THAT:
PLEASE READ THESE TERMS OF SERVICE CAREFULLY BEFORE USING OUR SERVICES OR OUR PLATFORM.
In these Terms, the terms "you" and "yours" refer to the entity, including any medical practice group or other health care provider organization, on whose behalf these Terms are entered into. The terms "we", "our", "us", and "Spruce" collectively refer to Spruce Health, Inc. Even though you may have arrived to the Platform through a website or mobile application operated or controlled by a third party, including by an affiliate of Spruce, you understand and agree that these Terms are entered into between you and Spruce. You also understand and agree that the Platform and any services provided through these Terms are provided solely by Spruce, and no other parent, subsidiary, or affiliate of Spruce. Any person using or accessing the Platform for or on behalf of you represents and warrants that they have the authority to download the App or use the Website and agree to these Terms on your behalf.
If you downloaded the App from the Apple App Store: These Terms incorporate by reference Apple's Licensed Application End User License Agreement (https://www.apple.com/legal/internet-services/itunes/dev/stdeula/), for purposes of which you are the "end user".
If you downloaded the App from the Google Play Store: These Terms incorporate by reference Google's Android Market Terms of Service (https://www.google.com/intl/en_gb/mobile/android/market-tos.html).
If you accessed the Platform through the Website: These Terms apply.
Conditioned upon your continued compliance with these Terms, Spruce grants you, and other members of your organization, the right to access and use the Platform. To access and use all or part of the Platform, you are required to register and create an account. Any registration information you provide to Spruce must be accurate, current, and complete. Your access credentials, such as your username and password, cannot be shared with or used by any person or entity except for you. You will be responsible for keeping your account, including access credentials, secure from unauthorized third-party access or use, and you must promptly notify Spruce of any suspected or actual breach or unauthorized use thereof. You are responsible for all access to and use of the Platform using your credentials, including all acts and omissions. Spruce may immediately suspend your account and access to the Platform if you violate, or Spruce reasonably suspects that you have violated, these Terms. Upon termination of your account, your access to the Platform will be terminated with immediate effect.
We reserve the right, in our sole discretion, to amend these Terms, in whole or in part, at any time and for any reason, without penalty or liability to you or any third party. If we determine our changes to these Terms are material, we will make reasonable efforts to notify you of such changes. However, you should check the Terms regularly to determine if any changes have been made. You can determine when the Terms were last revised by referring to the "Last Modified" notation above. If you use the Platform after the amended Terms have been posted, you will be deemed to have agreed to the amended Terms. If any of the provisions of these Terms are not acceptable to you, your sole and exclusive remedy is to discontinue your use of the Platform.
You understand and agree that Spruce makes the Platform available to facilitate communication between you, your patients, and other entities. Such communications may include, but are not limited to, secure messaging, voicemail, file sharing, and video calls. The Platform enables you, your patients, and other entities to communicate information, including health information (such as past or present health conditions, medications, ailments, and images) and personal information (such as names, locations, and demographic information). The Platform does not provide for emergency calling services (e.g., 911); however, Spruce VoIP phone services support emergency service calling in accordance with the terms available at https://www.sprucehealth.com/e911.
You understand and agree that the Platform enables communications and other data transmissions across multiple channels and to multiple endpoints, a number of which involve transmission that does not occur exclusively through and on the Platform ("Unsecure Communications"). Unsecure Communications include, but are not limited to, email, Short Message Service (SMS) text messages, e-faxing, and voice communications, which may include transmission and/or storage via unsecured networks, devices, or channels. Unsecure Communications may not be encrypted or otherwise protected by Spruce or third parties and could be intercepted or otherwise accessed by unauthorized third parties. You assume all responsibility for any unauthorized access to PHI, as that term is defined in HIPAA (as defined below), or other information of your patients, you, or any other person or entity resulting from any such Unsecure Communications. In no event will Spruce have any liability to you, your patients, or any other person or entity for any such unauthorized access.
As a condition of your use of the Platform, you agree to the following:
You must have a compatible mobile device or computer, access to the Internet, and certain necessary software and hardware, as we may stipulate from time to time in our sole discretion, in order to use the Platform. Fees and charges may apply to your use of the mobile services and to the Internet. Spruce is not responsible for those or any other fees.
You will not use, or encourage or permit others to use, our Platform except as expressly permitted in these Terms. You will not, and will not encourage or permit others to:
To the extent applicable, you understand and agree that Spruce will be a "business associate" of yours (as defined in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and its related regulations and amendments from time to time (collectively, "HIPAA")) for purposes of HIPAA, pursuant to our Business Associate Agreement (Attachment A).
As between Spruce and you, Spruce is the sole and exclusive owner of all right, title, and interest in and to the Platform and its general content, features, and functionality (including, without limitation, all information, software, text, displays, images, video, audio, selection, arrangement, and look and feel), and all intellectual property rights therein, and any suggestions, ideas, or other feedback provided by you which relates to the Platform. Any copy, modification, revision, enhancement, adaptation, translation, or derivative work of the Platform shall be owned solely and exclusively by Spruce or its licensors, including all intellectual property rights therein. Subject to your compliance with these Terms, Spruce grants you an internal, limited, revocable, nonexclusive, and nontransferable license to view, download, access, and use the Platform and its content, solely for your internal use. You are not permitted to reproduce, publish, transmit, distribute, display, modify, create derivative works from, sell or participate in any sale of, or exploit in any way, in whole or in part, any such content for commercial use. No other right, title, or interest in or to the Platform is transferred to you, and all rights not expressly granted are reserved by us, our affiliates, or our licensors. Notwithstanding the foregoing and except as set forth in Section IX.B, Spruce will not have any right, title, or interest in or to any Health Data (as defined below) or User Data (as defined below).
Certain names, logos, and other materials displayed in and through the Platform may constitute trademarks, trade names, service marks, or logos ("Trademarks") of Spruce or its affiliates. You are not authorized to use any such Trademarks without the express written permission of Spruce or its affiliates. Ownership of all such Trademarks and the goodwill associated therewith remains with us or our affiliates.
The Platform may allow you, your patients, or other entities (collectively, "These Entities") to enter, submit, or otherwise transmit to Spruce information or other data related to any of These Entities. The Platform may also contain information or other data, related to any of These Entities, that was created on the Platform by any of These Entities. All such data is "Health Data" when it would qualify, in context, as PHI were it the property of a Covered Entity, as those terms are defined in HIPAA. All such data that is not Health Data is "User Data".
To the extent that any User Data is not the property of Spruce, you hereby grant and agree to grant to Spruce, our service providers, and our successors and assigns a fully transferable and sublicensable right and license to use, copy, reproduce, modify, create derivative works of, analyze, perform, display, distribute, and otherwise disclose to third parties any such User Data for the purposes of: (i) providing services to you; (ii) conducting research or analyses of such data; and (iii) designing, developing, implementing, modifying, and/or improving new, current, or future features, products, and services of Spruce using such data.
You hereby grant and agree to grant to Spruce, our service providers, and our successors and assigns the fully transferable and sublicensable right and license to use, copy, produce, reproduce, modify, create derivative works of, analyze, perform, display, distribute, and otherwise disclose to third parties any de-identified Health Data for the purposes of: (i) providing services to you; (ii) conducting research or analyses of such data; and (iii) designing, developing, implementing, modifying, and/or improving new, current, or future features, products, and services of Spruce using such data. For the avoidance of doubt, the terms of the Business Associate Agreement (Attachment A) will control, when applicable, with regard to Health Data.
Your use of the Platform may begin with a free trial. If we offer you a free trial, these Terms will govern your use of the Platform. Spruce reserves the right, in its sole discretion, to determine eligibility for free trials. As your free trial period ends, Spruce may contact you, including, without limitation, via email, telephone call, SMS text messaging, or through the Platform, to discuss potential subscription plans and features. If you choose to subscribe to the Platform, payment for any such subscription may take place through a separate website or service provider and not through the Platform. If you do not enter into a subscription plan, Spruce may immediately terminate your account and/or your access to the Platform.
Spruce does not provide any recommendation, advice, certification, approval, endorsement, or other specific knowledge or statement related to the fitness, quality, or any other aspect of any third-party organization or other entity, or of the goods or services of any such organization or entity, with regard to any health care purpose, regardless of whether the organization or entity may use the Platform or have any other association with Spruce. Any references or materials related to such a third party that may be present on the Platform are solely for your convenience and are used at your own risk. We are not liable to you in any way, either directly or indirectly, for any content, errors, damage, or loss caused by or in connection with the use of or reliance on third parties or their goods or services.
The Platform may also contain hyperlinks or references to other websites or other services ("Linked Sites") operated by third parties. The Linked Sites may not be under our control; therefore, we are not responsible for the information, products, or services described thereon, or for the content of any Linked Site, including, without limitation, any link contained in a Linked Site, or any changes or updates to a Linked Site. We are providing these Linked Sites to you only as a convenience, and the inclusion of any link does not necessarily imply endorsement of the Linked Site or any association with its operators. Your use of these Linked Sites is at your own risk, and we are not liable to you in any way, either directly or indirectly, for any content, errors, damage, or loss caused by or in connection with use of or reliance on information contained in or provided to Linked Sites.
You may have arrived to the Platform through a Linked Site, including a Linked Site controlled by a parent, subsidiary, or affiliate of Spruce. You understand and agree that we are not responsible for the information, products, or services described on those Linked Sites and that only these Terms will apply to your use of or access to the Platform.
YOU ACKNOWLEDGE AND AGREE THAT THE PLATFORM IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. YOUR USE OF THE PLATFORM IS AT YOUR SOLE RISK. SPRUCE AND ITS AFFILIATES AND THEIR RESPECTIVE OFFICERS, DIRECTORS, MANAGERS, PARTNERS, MEMBERS, EMPLOYEES, AND AGENTS (COLLECTIVELY "RELATED PERSONS") DISCLAIM ALL REPRESENTATIONS AND WARRANTIES OF ANY KIND WITH RESPECT TO THE PLATFORM, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AVAILABILITY, SECURITY, ACCURACY, FREEDOM FROM VIRUSES OR MALWARE, COMPLETENESS, TIMELINESS, FUNCTIONALITY, RELIABILITY, SEQUENCING, SPEED OF DELIVERY, OR ARISING FROM THE COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE.
YOU FURTHER ACKNOWLEDGE AND AGREE THAT THE PLATFORM IS NOT INTENDED TO SUPPORT OR CARRY EMERGENCY CALLS (E.G., 911) BY VOICE OR SMS TO ANY EMERGENCY SERVICES. NEITHER SPRUCE NOR ITS RELATED PERSONS WILL BE LIABLE UNDER ANY LEGAL OR EQUITABLE THEORY FOR ANY CLAIM, DAMAGE, OR LOSS (AND YOU WILL HOLD SPRUCE AND ITS RELATED PERSONS HARMLESS AGAINST ANY AND ALL SUCH CLAIMS) ARISING FROM OR RELATING TO THE INABILITY TO USE THE PLATFORM TO CONTACT EMERGENCY SERVICES.
WITH RESPECT TO OUR VOIP PHONE SERVICES, YOU ACKNOWLEDGE AND AGREE THAT WE DO NOT HAVE ANY CONTROL OVER WHETHER, OR THE MANNER IN WHICH, CALLS USING OUR 911 DIALING SERVICE ARE ANSWERED OR ADDRESSED BY ANY LOCAL EMERGENCY RESPONSE CENTER. WE EXPRESSLY DISCLAIM ANY AND ALL RESPONSIBILITY FOR THE CONDUCT OF SUCH LOCAL EMERGENCY RESPONSE CENTERS AND THE NATIONAL EMERGENCY CALLING CENTER. WE RELY ON THIRD PARTIES TO ASSIST US IN ROUTING 911 DIALING CALLS TO LOCAL EMERGENCY RESPONSE CENTERS AND TO A NATIONAL EMERGENCY CALLING CENTER. WE DISCLAIM ANY AND ALL LIABILITY OR RESPONSIBILITY IN THE EVENT SUCH THIRD PARTY DATA USED TO ROUTE CALLS IS INCORRECT OR YIELDS AN ERRONEOUS RESULT. YOU AGREE THAT WE MAY NOT BE HELD LIABLE FOR ANY CLAIM, DAMAGE, OR LOSS, AND YOU HEREBY WAIVE ANY AND ALL SUCH CLAIMS OR CAUSES OF ACTION, ARISING FROM OR RELATING TO OUR 911 DIALING SERVICE, UNLESS SUCH CLAIMS OR CAUSES OF ACTION ARISE FROM OUR GROSS NEGLIGENCE, RECKLESSNESS, OR WILLFUL MISCONDUCT.
NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT AND TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, NEITHER SPRUCE NOR ITS RELATED PERSONS WILL BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY YOUR RELIANCE ON INFORMATION OBTAINED THROUGH THE PLATFORM. IT IS YOUR RESPONSIBILITY TO EVALUATE THE ACCURACY, COMPLETENESS, TIMELINESS, RELIABILITY, OR USEFULNESS OF THE PLATFORM. FURTHERMORE, SPRUCE DOES NOT WARRANT THAT THE PLATFORM WILL BE UNINTERRUPTED, OR FREE FROM ERROR, DEFECT, LOSS, DELAY IN OPERATION, CORRUPTION, CYBER ATTACK, VIRUSES, INTERFERENCE, HACKING, MALWARE, OR OTHER SECURITY INTRUSION, OR THAT THE USE OF THE PLATFORM AND/OR INFORMATION OBTAINED THROUGH THE PLATFORM WILL NOT CAUSE ANY DAMAGE TO YOUR MOBILE PHONE OR COMPUTER OR LOSS OF DATA.
To the fullest extent permitted by applicable law and except as set forth in this Section, Spruce, its Related Persons, and licensors will not be liable to you or to any party under any legal or equitable theory, whether in tort (including negligence), contract, strict liability, or otherwise, for any indirect, punitive, special, incidental, or consequential loss or damage, including lost profits, loss of data or loss of goodwill, service interruption, mobile phone damage, or system failure, or the cost of substitute products or services, or for any damages for personal or bodily injury or emotional distress, including death, arising out of or in connection with any access or use of (or inability to use) the Platform. This is true even if Spruce or its Related Persons have been advised of the possibility of such damages or losses. To the fullest extent permitted by applicable law and subject to this Section, in no event shall the total liability of Spruce and its Related Persons for any damages, claims, or losses arising under these Terms exceed the total amount of payments actually paid by you to us, if any, in the preceding twelve (12) months prior to the date the liability first arose.
You agree to indemnify, defend, and hold Spruce and any of its Related Persons, licensors, and suppliers harmless from and against any and all third-party claims, demands, liabilities, costs, or expenses, including attorneys' fees and costs, arising from or related to: (i) any breach by you of these Terms, (ii) your use of any aspect of the Platform in an unauthorized manner, (iii) communications or other information or data that you failed to view, listen to, or otherwise receive and/or react to in a timely manner, regardless of whether or not it was caused in part by us or any of our affiliates, officers, directors, agents, representatives, employees, successors, or assigns, (iv) your use of Call Recording for any purpose or in any capacity, whether intentional or unintentional, or whether authorized or unauthorized, and/or (v) a violation by you of any and all applicable laws, rules, or regulations.
Spruce reserves the right at any time and for any reason to modify, or temporarily or permanently discontinue, the Platform, or any portion thereof, with or without notice. You agree that Spruce shall not be liable to you or to any third party for any modification, suspension, or discontinuance of the Platform. Without limiting the foregoing, we will make reasonable efforts to notify you in advance of any discontinuation of the Platform in its entirety.
The Terms will remain in full force and effect as long as you continue to access or use the Platform. You may terminate the Terms by discontinuing use of the Platform and notifying us; such termination will be deemed to take effect on the last day of the current billing cycle for your account and Spruce will not provide you with a refund for any such termination. Your permission to use the Platform automatically terminates if you violate these Terms.
Except for termination or suspension by us subject to Sections II or X, we may terminate or suspend any of the rights granted by these Terms and your access to our Platform for any reason upon thirty (30) days written notice to you. Notwithstanding the foregoing, we may immediately terminate these Terms and your access to our Platform if required by applicable regulatory authorities or if we determine that any change in any applicable federal, state, or local government laws, rules, or regulations would render unlawful the conduct under these Terms of you or us. If we terminate these Terms in the absence of a threatened or actual violation or breach of these Terms by you, we will refund to you any unused portion of prepaid payments made by you, if any, for subscription time past the later of: a) your last actual date of usage of the Platform, or b) thirty (30) days after our written notice of termination to you. The amount of any such refund will be calculated pro rata, based on the fees paid, the actual time length of the services, and the originally contemplated time length of the services, in days. We will issue such refund within ninety (90) days of our notice of termination.
The following Sections survive the expiration or termination of these Terms for any reason whatsoever: VII (Restrictions on Use), XIII (Disclaimer), XIV (Limitation of Liability), XV (Indemnification), XVIII (Governing Law; Dispute Resolution; Arbitration; Class Action Waiver), and XX (Miscellaneous).
Subject to applicable law, Spruce reserves the right to maintain, delete, or destroy all communications and materials posted or uploaded to the Platform in its sole discretion.
PLEASE READ THIS SECTION CAREFULLY BECAUSE IT REQUIRES YOU AND SPRUCE TO RESOLVE ALL DISPUTES BETWEEN US THROUGH BINDING INDIVIDUAL ARBITRATION AND LIMITS THE MANNER IN WHICH YOU CAN SEEK RELIEF FROM SPRUCE.
The Platform is controlled and operated by us from the United States, and is not intended to subject us to the laws or jurisdiction of any state, country, or territory other than that of the United States. These Terms will be governed by the laws of the State of California without regard to conflicts of law principles.
You and Spruce agree that all claims and disputes relating in any way to your use of our Platform, or arising out of or in connection with these Terms, shall be resolved by binding arbitration, to the fullest extent permitted by applicable law, on an individual basis, except for any dispute in which either party seeks equitable relief for the alleged unlawful use of copyrights, trademarks, trade names, logos, trade secrets, or patents, or any dispute already pending at the time you first agree to these Terms. You also agree that any arbitration will take place in San Francisco, California.
IN THE EVENT ARBITRATION IS CONTRARY TO APPLICABLE LAW, YOU AND SPRUCE WAIVE ANY CONSTITUTIONAL OR STATUTORY RIGHT TO GO TO COURT AND HAVE A TRIAL IN FRONT OF A JUDGE OR A JURY. You and Spruce are instead electing to have claims and disputes resolved by arbitration. Arbitration is the referral of a claim or dispute to one or more persons charged with reviewing the claim or dispute and making a final binding determination to resolve it instead of having it decided by a judge or jury in court. Arbitration procedures are typically more limited, more efficient, and less costly than rules applicable in court and are subject to very limited review by a court. The arbitrator's award shall be binding and may be entered as a judgment in any court of competent jurisdiction.
YOU AND SPRUCE AGREE THAT ALL CLAIMS AND DISPUTES WITHIN THE SCOPE OF THIS ARBITRATION AGREEMENT MUST BE ARBITRATED OR LITIGATED ON AN INDIVIDUAL BASIS AND NOT ON A CLASS BASIS. CLAIMS AND DISPUTES OF MORE THAN ONE CUSTOMER OR USER CANNOT BE BROUGHT AS A CLASS OR OTHER TYPE OF REPRESENTATIVE ACTION, WHETHER WITHIN OR OUTSIDE OF ARBITRATION, OR ON BEHALF OF ANY INDIVIDUAL OR OTHER GROUP. UNLESS BOTH YOU AND SPRUCE AGREE OTHERWISE, THE ARBITRATOR MAY NOT CONSOLIDATE OR JOIN MORE THAN ONE PERSON'S OR PARTY'S CLAIMS AND MAY NOT OTHERWISE PRESIDE OVER ANY FORM OF A CONSOLIDATED, REPRESENTATIVE, OR CLASS PROCEEDING. ALSO, THE ARBITRATOR MAY AWARD RELIEF (INCLUDING MONETARY, INJUNCTIVE, AND DECLARATORY RELIEF) ONLY IN FAVOR OF THE INDIVIDUAL PARTY SEEKING RELIEF AND ONLY TO THE EXTENT NECESSARY TO PROVIDE RELIEF NECESSITATED BY THAT PARTY'S INDIVIDUAL CLAIM(S) OR DISPUTE. ANY RELIEF AWARDED CANNOT AFFECT OTHER SPRUCE USERS OR CUSTOMERS.
The Federal Arbitration Act governs the interpretation and enforcement of this dispute resolution provision. Any arbitration between you and Spruce will be initiated through the American Arbitration Association ("AAA") and will be governed by the AAA Consumer Arbitration Rules. The AAA Rules and filing forms are available at www.adr.org.
You agree that your use of the Platform or Spruce will comply with the federal CAN-SPAM Act, HIPAA, the Telephone Consumer Protection Act, and other federal, state, or local laws and regulations that affect your utilization of the Platform or Spruce.
The Terms set forth the entire understanding and agreement between you and us with respect to the subject matter hereof. If any provision of the Terms is found by a court of competent jurisdiction to be invalid, the parties nevertheless agree that the court should endeavor to give effect to the parties' intentions as reflected in the provision, and the other provisions of the Terms shall remain in full force and effect. Headings are for reference only and in no way define, limit, construe, or describe the scope or extent of such section. Our failure to act with respect to any failure by you or others to comply with these Terms does not waive our right to act with respect to subsequent or similar failures. You may not assign or transfer your rights or obligations under these Terms without our prior written consent, and any assignment or transfer in violation of this provision shall be null and void. Except as otherwise set forth in these Terms: (a) any notice given by us to you will be provided via email to the email address used to register your account and/or, in our sole discretion, to the email address of the person listed as your organization's administrator on the Platform, and will be deemed to be both written and fully given on the date of sending; and (b) any notice given by you to us will be provided as set forth in Section XXII.
Spruce reserves the right to remove any content or any other material or information available on or through our Platform, at any time, for any reason. Spruce otherwise complies with the provisions of the Digital Millennium Copyright Act ("DMCA") applicable to Internet service providers (17 U.S.C. § 512, as amended), and responds to clear notices of alleged copyright infringement. This Section describes the procedure that should be followed to file a notification of alleged copyright infringement with Spruce.
If you have objections to copyrighted content or material made available on or through our Platform, you may submit a notification to us as set forth in Section XXII, with such notification marked with attention to our Designated Agent, the Spruce Compliance Officer.
Any notification to Spruce under 17 U.S.C. § 512(c) alleging copyright infringement must include the following information:
If you have any questions or concerns, or if you wish to provide notice to us under these Terms, please contact us by one of the following means:
Any notice required or permitted to be given by you to us under these Terms will be given in writing by certified mail with return receipt requested, overnight delivery by a nationally recognized carrier, or by email upon our confirmation of receipt, and will be deemed fully given on the date of actual delivery.
This "Attachment A – Business Associate Agreement" (the "Agreement") is incorporated into and a part of the "Spruce Care Messenger – Terms of Service for Organizations" ("Terms of Service"), where applicable. The term "Covered Entity" shall refer to you and "Business Associate" to Spruce as such terms are defined in the Terms of Service. In the event that you are a Business Associate and we are your subcontractor Business Associate under HIPAA, "Covered Entity" shall refer to you in your capacity as a Business Associate of one or more Covered Entities, and "Business Associate" shall refer to us as your subcontractor Business Associate. In the event that you are neither a Covered Entity nor a Business Associate under HIPAA, this Agreement shall not apply.
A. Whereas, the U.S. Department of Health and Human Services issued regulations on "Standards for Privacy of Individually Identifiable Health Information" comprising 45 C.F.R. Parts 160 and 164, Subparts A and E (the "Privacy Standards"), "Security Standards for the Protection of Electronic Protected Health Information" comprising 45 C.F.R. Parts 160 and 164, Subpart C (the "Security Standards"), "Standards for Notification in the Case of Breach of Unsecured Protected Health Information" comprising 45 C.F.R. Parts 160 and 164, Subpart D (the "Breach Notification Standards"), and "Rules for Compliance and Investigations, Impositions of Civil Monetary Penalties, and Procedures for Hearings" comprising 45 C.F.R. Part 160, Subparts C, D, and E (the "Enforcement Rule"), promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") (the Privacy Standards, the Security Standards, the Breach Notification Standards, and the Enforcement Rule are collectively referred to herein as the "HIPAA Standards").
B. Whereas, in conformity with the HIPAA Standards, Business Associate has, and/or will create, receive, maintain, or transmit certain Protected Health Information ("PHI") of Covered Entity pursuant to the services provided under the Terms of Service.
C. Whereas, Covered Entity is required by the HIPAA Standards to obtain satisfactory assurances that Business Associate will appropriately safeguard all PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
D. Whereas, the parties hereto desire to enter into this Agreement to memorialize their obligations with respect to PHI pursuant to the requirements of the HIPAA Standards.
Now, therefore, Covered Entity and Business Associate agree as follows:
This Agreement supplements, modifies, and amends the Terms of Service, whether oral or written, between the parties involving the disclosure of PHI by Covered Entity to Business Associate, or the creation, receipt, maintenance, or transmission of PHI by Business Associate on behalf of Covered Entity. The terms and provisions of this Agreement shall supersede any other conflicting or inconsistent terms and provisions in the Terms of Service between the parties, including all exhibits or other attachments thereto and all documents incorporated therein by reference.
Business Associate and Covered Entity agree to amend this Agreement to the extent necessary to allow either Business Associate or Covered Entity to comply with the HIPAA Standards promulgated or to be promulgated by the Secretary of the Department of Health and Human Services ("Secretary") or other related regulations or statutes.
Except as otherwise specified herein, capitalized terms used but not defined in this Agreement will have the same meaning as those terms in the HIPAA Standards.
Except as otherwise limited by the Terms of Service or this Agreement, Business Associate may:
(a) Use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the Privacy Standards if done by Covered Entity;
(b) Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;
(c) Use PHI to de-identify PHI in accordance with 45 C.F.R. § 164.502(d), including for reporting and process improvement purposes;
(d) Provide Data Aggregation services relating to the Health Care Operations of Covered Entity if required under the Terms of Service; and
(e) Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that (i) the disclosure is Required by Law or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate will also comply with any further limitations on uses and disclosures of PHI by Covered Entity in accordance with 45 C.F.R. § 164.522, provided that Covered Entity communicates such limitations to Business Associate.
Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate agrees to comply with applicable provisions of 45 C.F.R. Part 164, Subpart C with respect to electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware. Additionally, Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware. At the request of Covered Entity, Business Associate will identify the date and nature and scope of the Security Incident, Business Associate's response to the Security Incident, and the identification of the party responsible for causing the Security Incident, if known. Notwithstanding the foregoing, the parties acknowledge and agree that this Section II(4) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. Unsuccessful Security Incidents means, without limitation, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of Covered Entity's electronic PHI.
Business Associate agrees to notify Covered Entity of any Breach of Unsecured Protected Health Information without undue delay and within no more than sixty (60) calendar days of the date Business Associate discovers the Breach. Business Associate will provide such information to Covered Entity as required by Covered Entity and the Breach Notification Standards.
Business Associate shall obtain and maintain a written agreement with each agent or subcontractor that creates, receives, maintains, or transmits Covered Entity's PHI on behalf of Business Associate. Under the agreement, such agent or subcontractor shall agree to the same restrictions and conditions that apply to Business Associate pursuant to this Agreement with respect to such PHI.
Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement or the HIPAA Standards.
If Business Associate maintains PHI in a Designated Record Set, as defined in 45 C.F.R. § 164.501, and upon request of Covered Entity, Business Associate agrees to provide access to such PHI in a Designated Record Set to Covered Entity in order for Covered Entity to comply with the requirements under 45 C.F.R. § 164.524. If Business Associate receives a direct request from an Individual for access to PHI, it will promptly forward the request to Covered Entity to fulfill. Further, if the PHI that is the subject of a request for access is maintained in one or more Designated Record Sets electronically and if the Individual requests an electronic copy of such information, the Business Associate shall promptly provide access to the PHI in the electronic form and format requested, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by Covered Entity and the Individual.
If Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set, in order for Covered Entity to comply with 45 C.F.R. § 164.526. If Business Associate receives a direct request from an Individual for amendment to PHI, it will promptly forward the request to Covered Entity to fulfill.
Business Associate will promptly make its internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity, or at the request of the Secretary of the U.S. Department of Health and Human Services, for purposes of determining Covered Entity's compliance with the Privacy Standards.
Business Associate agrees to document and make available promptly information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and the HITECH Act. Business Associate further agrees to promptly provide Covered Entity such information upon request to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI, in accordance with 45 C.F.R. § 164.528 and the HITECH Act.
Business Associate acknowledges that it will limit the use, disclosure, or request of PHI to perform or fulfill a function required or permitted under this Agreement to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, as specified by the HIPAA Standards and any relevant guidance issued by the U.S. Department of Health and Human Services.
Except for the purposes set forth in the Terms of Service and as otherwise provided by law, Business Associate agrees not to directly or indirectly receive remuneration in exchange for any PHI of an Individual.
If Business Associate agrees to carry out an obligation of Covered Entity under 45 C.F.R. Part 164, Subpart E, Business Associate agrees to comply with the requirements of 45 C.F.R. Part 164, Subpart E that apply to Covered Entity in the performance of such obligations.
If Business Associate conducts any Standard Transactions on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of 45 C.F.R. Part 162.
For the avoidance of doubt, the terms of Section IV(B), "Unsecure Communications", of the Terms of Service shall apply without restriction to all matters contemplated in or otherwise within the scope of this Agreement, including without limitation PHI.
This Agreement shall become effective upon Covered Entity's acceptance of the Terms of Service and, unless otherwise terminated as provided herein, shall have a term that shall run concurrently with that of the last expiration date or termination of the Terms of Service.
Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity may terminate this Agreement by terminating the Terms of Service pursuant to the terms thereof.
Upon termination of this Agreement, Business Associate shall either return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity and which Business Associate still maintains in any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the foregoing, to the extent that Business Associate determines that it is not feasible to return or destroy such PHI, the terms and provisions of this Agreement shall survive termination and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.
Any notices or communications to be given pursuant to this Agreement will be made pursuant to the terms of the Terms of Service.
A reference in this Agreement to a section in the HIPAA Standards means the section then in effect.
The parties agree to take such action as may be necessary to amend this Agreement from time to time to ensure the parties comply with the requirements of the HIPAA Standards and any other applicable law or regulation. Any amendment to this Agreement proposed by either party will not be effective unless mutually agreed to in writing by both parties.
Nothing express or implied in this Agreement is intended to confer, nor will anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HIPAA Standards. In the event of any inconsistency or conflict between this Agreement and the Terms of Service, the terms and conditions of this Agreement shall govern and control.
This Agreement shall be governed by and construed in accordance with the same internal laws as that of the Terms of Service.