This Application Privacy Policy describes WoundAlly’s practices with regard to data we collect in connection with woundally.com and our business-to-Application offered via our Medical Practices Suite Application, or such other names for these services as we may apply, and any other service operated by WoundAlly that posts a link to or otherwise incorporates this Application Privacy Policy (collectively, the “Application”). If the individual accessing or using the Application (“You”) is doing so as the authorized user of a company to which we are providing the Application under a contract, Your use may be subject to the terms of that contract, and Your use of the Application should be done in a manner consistent with the terms of that contract. This Application Privacy Policy does not cover or affect the confidentiality, or our use, of our customers’ business content, data, or other proprietary information as defined in and governed by an applicable contract.

The Information We Collect

The Application collects information from You when You use it. Some of this information may be considered “personal information” under various applicable laws. We consider information that identifies You as a specific, identified individual to be personal information (such as Your name and email address), and we treat additional information, including IP addresses and cookie identifiers, as “personal information” where required by applicable law. Note that we may de-identify personal information so that it is non-personal, such as by aggregating it or converting it to a code (“hash”). We will treat de-identified information as non-personal to the fullest extent allowed by applicable law.

We collect information in the ways described below. Please also see the service-specific sections for woundally.com for additional information on information that is collected by those services.

Information You Submit. The Application is account-based, and in order to create an account, You or Your employer will need to provide information such as Your contact information (Your name and e-mail address), a password, and Your employer.

Information We Collect Automatically. The Application collects certain information whenever You visit it or otherwise interact with it ("Usage Information"). Usage Information may include the hardware model, browser, and operating system You are using, the URL or advertisement that referred You to the webpage You are visiting, all of the areas within the Application that You visit, Your time zone, and mobile network (if applicable), among other information. In addition, we automatically collect Your IP address or other unique identifier ("Device Identifier") for any computer, mobile phone or other device You use to access our Application. We may be able to collect or infer Your approximate location based on Your IP address or similar information we collect. As You use the Application, we may also track how You interact with the Application.

The methods that may be used to collect Usage Information include the following:

Cookies and Local Storage are small text files stored locally on Your device that help store user preferences. These technologies are able to store a unique identifier for a device to allow us to recognize the device whenever the device is used to visit the Application. These technologies may be used for many purposes by us, our service providers, and our third-party business partners, such as automatically collecting Usage Information, enabling features, serving advertisements to You online (in the case of woundally.com), and remembering Your preferences. We may use cookies and other technologies to study traffic patterns on the Application, to study the effectiveness of our customer communications, and to personalize Your experience through the Application, such as to recognize You when You return to it. The information we store includes internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. If You do not want to accept cookies, You can block them by adjusting the settings on Your Internet browser. You can find more information about cookies and how they work at www.allaboutcookies.org.

Web beacons (also known as clear GIFs and pixel tags) are small pieces of code used to collect usage analytics. They help us to determine, for instance, whether a page has been viewed or not and, if so, how many times. When You ask us to send You information or a promotion or a newsletter, we will use web beacons to establish how many of the emails are actually opened. In general, any electronic image viewed as part of a web page, including an ad banner, can act as a web beacon.

We use similar tools to collect such information from mobile devices. In addition, we may use a variety of other technologies that collect similar information for security and fraud detection purposes.

How We Use Your Information

We may use non-personal information for any purpose. We also use information that we collect, including personal information and Usage Information: (1) to provide the services You request and allow You to participate in features we offer, or to provide related customer service; (2) to recognize You across our sites and services; (3) to process Your requests, questions, or feedback, including to provide You with technical support; (4) to provide You with information, products, materials, or services that You have requested or that we think may interest You, including updates and information concerning the Application, WoundAlly, and its business partners; (5) to investigate and prevent fraudulent transactions and other illegal activities or activities that violate our policies, which may include sharing information with other companies, lawyers, courts, or other government entities; (6) to process Your account registration, including verifying Your information is active and valid; (7) to improve the Application and for internal business purposes; (8) to contact You with regard to Your use of the Application and, in our discretion, changes to our policies; (9) for internal research; (10) for marketing and data analysis; and (11) for purposes disclosed at the time You provide Your personal information or otherwise with Your consent.

Please also see the service-specific sections for woundally.com for additional information on how we use Your information in connection with those services.

How We Share Your Information

We may share non-personal information, such as aggregated statistics or de-identified data, for any purpose in our discretion. (For clarity, however, and as noted above, this Application Privacy Policy does not cover or affect our customers’ business content, data, or other proprietary information, and such information will be used only as set forth in the applicable contract.) In addition, we may share the information we have collected about You, including personal information and Usage Information, as disclosed at the time You provide us with Your information or with Your consent, and as described in this Application Privacy Policy, including as set forth below.

Please also see the service-specific sections for woundally.com for additional information on how we share Your information in connection with those services.

Your Employer. If You are accessing the Application as an authorized representative of a company, all Your activities are considered to be on behalf of that company, and the company will have access to information about Your activities and the information in Your account, if applicable.

Affiliated Third Parties for Their Business Purposes. We may share information with our subsidiaries, divisions, partners, and affiliated companies for business, analytical, and operational purposes.

Service Providers. We contract with certain companies to perform services on our behalf, including advertising, marketing assistance, e-mail delivery, hosting services, site maintenance and repair, security, quality assurance, customer service, surveys, and data research and analysis, and provide Your information to them in furtherance of such services.

In Connection with Business Transitions. In the event WoundAlly undergoes a business transition, such as a merger with or acquisition by another company, or sale of all or a portion of its assets, we may transfer Your personal information and other information to the successor organization in connection with such transaction, including during the course of any due diligence. By providing Your personal information, You agree that we may transfer such information to the other entity in such a transaction without Your further consent.

For Administrative and Legal Reasons. We reserve the right to use or disclose any information as needed to satisfy any law, regulation, or legal request; to protect the integrity of the Application; to fulfill Your requests; to cooperate in a law enforcement investigation, an investigation on a public safety matter, or an investigation into claims of intellectual property infringement; to protect and defend the legal rights and/or property of WoundAlly and any of our subsidiaries, affiliates, and shareholders, or the Application, any of their users, or any other party; or, in an emergency, to protect the health and safety of users or the general public.

Third Party Analytics Providers

We work with third party analytics providers to provide us with information regarding the use of the Application. We allow these companies to place tracking technologies like cookies and web tags on the Application, and they may otherwise collect or have access to Usage Information and other information about You. We may share information, typically information that has been aggregated or de-identified, Usage Information, and location information with analytics providers. Some of these parties may collect personal information over time when You visit the Application or other online websites and services.

We use Google Analytics, which uses cookies and similar technologies to collect and analyze information about the use of the Application and report on activities and trends. This service may also collect information about the use of other websites, apps, and online services. You can learn about Google’s practices by going to https://policies.google.com/technologies/partner-sites, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

If You are a California resident, please see our Notice to California Residents regarding additional rights You have, including how to exercise Your “Do Not Sell” right.

How We Respond to "Do Not Track" Signals

Do Not Track (“DNT”) signals offered by some web browsers are settings that request that a web application disable its tracking of an individual user. When You choose to turn on the DNT setting in Your browser, Your browser sends a special signal to websites, analytics companies, ad networks, plug in providers, and/or other web services You encounter while browsing to stop tracking Your activity. There is no consensus among industry participants as to what “Do Not Track” means in this context. Like many websites and online services, we may not alter our practices when our systems receive a “Do Not Track” signal from a visitor’s browser, except as specifically required by law. You can learn more about Do Not Track at www.allaboutdnt.com.

Third Party Content and Links

The Application may contain links to third party websites, services, applications, or content that You elect to access through our Application. When You navigate away from the Application to such third party sites or content, this Application Privacy Policy does not apply, and we are not responsible for the privacy practices of any third party.

Your Choices About the Information We Collect

You are responsible for maintaining the accuracy of the information You submit to us, such as Your contact information associated with Your account. If You have an account within the Application, You will have a profile section within Your account that allows You to update certain personal information You have provided. You may also contact us at if You have questions about or wish to modify certain information that we have collected from or about You. Note that some information may be controlled by Your employer and may not be able to be changed. In addition, when You modify Your personal information or change Your preferences, information that You remove may persist internally for our administrative purposes or within backup media.

If we send You marketing email communications, You will have the ability to opt-out using the mechanism provided in the emails. Please note that we reserve the right to send You certain non-marketing communications relating to Your account or use of the Application, such as administrative communications, service announcements, and other transactional emails.

If You are a California resident, please see our Notice to California Residents regarding additional rights You have, including how to exercise Your “Do Not Sell” right.

Security of Your Information

We implement commercially reasonable measures to protect the security of Your information. However, no website or Internet transmission is completely secure, and we cannot guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. We urge You to take steps to keep Your personal information (including Your account password) safe and to log out of Your account after use.

General Audience Application

The Application is not intended for children younger than the age of 18. We do not knowingly collect or solicit personal information from children younger than the age of 18.

Changes to this Application Privacy Policy

It may be necessary from time to time for us to modify this Application Privacy Policy to reflect changes in the way we collect and use information or changes in privacy-related laws, regulations and industry standards. Accordingly, to the extent allowed by applicable law, we reserve the right to change this Application Privacy Policy at any time. We will inform You by posting a notice on the Application and/or woundally.com. We may also provide notice to You in other ways, such as through contact information You have provided. Your continued use of the Application after the effective date of the revised Application Privacy Policy will constitute Your consent to those changes to the fullest extent allowed by applicable law.

Consent to International Transfer of Your Information

We are a US-based company so if You are located outside of the United States, please be aware that the information that we collect from You will be transferred to, and stored at, a destination outside of Your country. By using the Application or providing us with any information, You fully understand and unambiguously consent to this transfer to, and processing, usage, sharing, and storage of Your information in the United States and other jurisdictions, which may have different or less protective privacy laws than those in Your country. As a result, this information may be subject to access requests from governments, courts, or law enforcement in the United States and other countries according to the laws in those jurisdictions. Your information will also be disclosed to third parties as described in the “How We Share Your Information” section above.

How Long We Retain Your Information

We will retain Your information for so long as we are required in order to provide the Application to You, in accordance with our agreement with Your employer, or as required to fulfill our legal requirements and defend legal claims. After You (or Your employer) have terminated Your use of the Application, we will store Your information in an aggregated and anonymized format.

Contact Us

If You have any questions, comments, or concerns regarding this Application Privacy Policy and/or our practices, please contact us at WoundAlly, 25044 Peachland Ave Ste 110 Newhall, CA 91321, or at . When writing to us, please specify that You are writing about WoundAlly’s Application Privacy Policy and practices.

Notice to California Residents

This California Notice is effective as of February 28, 2024

This notice supplements our Business Privacy Policy and applies only to California consumers who are users of the Application. Terms (including defined capitalized terms) used in this California Privacy Notice have the same meanings given in the California Consumer Privacy Act, the California Privacy Rights Act of 2023, and any implementing regulations adopted thereunder (collectively, the “CCPA”), unless otherwise defined.

Exercising Your Rights

The CCPA provides California users with the right to request (1) that we disclose to you what Personal Information we collect, use, disclose, and sell, including the right to request that we provide to you the categories and specific pieces of Personal Information we have collected about you ("Right to Know"); (2) that we delete the Personal Information we collected about you ("Right to Delete"); (3) that we correct inaccurate Personal Information we hold about you (“Right to Correct”); (4) to opt out from the sharing of your Personal Information to a third party for cross-context behavioral advertising (i.e., targeted advertising) (“Right to Opt-Out of Sharing”); (5) to opt out from the sale of your Personal Information (“Right to Opt-Out of Sale”); and (6) that we limit the use or disclosure of your Sensitive Personal Information (SPI) to purposes set forth under the CCPA, including what is necessary and anticipated to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services (“Right to Limit Use and Disclosure of SPI”), all subject to meanings and exceptions set forth in the CCPA. More information on how to exercise these rights is below.

Please note that our business activities do not use personal information in a manner that triggers the Right to Limit Use and Disclosure of SPI.

California users have the right to not receive discriminatory treatment for exercising CCPA rights. We will not discriminate against you for exercising your CCPA rights.

Verifying Requests: Please note that we will take reasonable steps to verify your identity in order to fulfill your request. In addition to your username and email address, we may ask for additional information, such as your transactions with us (e.g., a series or movie you have marked as a favorite). In your request, you must provide enough information to allow us to verify you are the person about whom we collected personal information, or their authorized representative. If we are unable to verify that the individual submitting the request is the same individual about whom we have collected information (or someone authorized by that individual to act on their behalf), we will not be able to process the request. When you exercise your Right to Know, Right to Delete, and/or Right to Correct, we may ask that you provide us with information, beyond the above, in order to verify your identity and fulfill your request.

Agents: If you are an authorized representative submitting a request on a user’s behalf, please submit the request per the instructions below. We will follow up to request a written permission signed by the individual who is the subject of the request authorizing you to make the request on their behalf. The written permission must state your full legal name and the full legal name of the individual who is the subject of the request, and needs to be clear about the permission granted. Alternatively, You may submit a copy of a power of attorney under Probate Code sections 4000-4465. In either case, please also indicate in your email the nature of your request. The consumer’s identity, in addition to your own, will need to be independently verified in order for us to be able to fulfill the request. We may also ask the consumer to directly confirm with us that they provided you permission to submit a request. Please keep in mind that if we do not receive adequate proof that you are authorized to act on the consumer’s behalf, we may deny the request. If you have questions about any of these rights, please contact us at .

Submitting Your Requests

If you are a California Consumer and would like to exercise your rights please email us at or mail us your request at WoundAlly, 25044 Peachland Ave Ste 110 Newhall, CA 91321. Your request must include your username (if you have one) and email address; please also include any additional information that you have submitted to us that may help us verify you as set forth below.

Other Important Information

Requests to Know: In order to have us provide specific pieces of information, we will require a signed declaration under penalty of perjury that You are the consumer whose Personal Information is the subject of the request.

Requests to Delete: To ensure that we do not delete Your personal information in response to a fraudulent request, once You submit the request, we may follow up to confirm that You want Your information to be deleted.

Do Not Sell or Share for Cross-Context Behavioral Advertising: As required under CCPA, WoundAlly provides a right to users of this Application who are California consumers to request to opt-out of the sale of Personal Information, where applicable. WoundAlly does not sell personal information for monetary compensation, but as described above, certain third-party advertising partners and analytics companies may collect data from visitors to the Application, and these may be considered “sales” or “sharing” under the CCPA. In these cases, there will be a “do not sell or share my personal information” link available within the Business Service; click that link to access the service’s cookie manager and set Your preferences.

Note that these are cookie-based opt-outs. You will need to indicate Your opt-out choices at the Application separately, and if You disable Your cookies or upgrade Your browser after opting out, or if You use different computers or browsers, You will need to indicate Your opt-out choices across those other computers and browsers.

Do Not Track

Some browsers incorporate a 'Do Not Track' (DNT) feature that, when turned on, signals to websites and online services that you do not wish to be tracked. Because there is not yet an accepted standard for how to respond to browser DNT signals, we do not currently respond to them.

Users Younger than Age 16. WoundAlly does not knowingly sell Personal Information of minors younger than 16 years of age.

Data Retention

We collect certain types of information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“Personal Information”). The Personal Information we collect about You will depend on how You use the Application or otherwise interact with us. Accordingly, we may not collect all of the below information about You.

In addition to the below, we may collect and/or use additional types of information, and will do so after providing notice to You and obtaining Your consent to the extent such notice and consent is required by the CCPA.

Category of Personal Information Collected

  • Identifiers

    Examples: name, email address, and device identifiers

    Business or Commercial Purpose(s) for which Information is Collected
    • To provide the Application to You and allow You to participate in the features the Application offers
    • To help us to improve the Application and to serve You better
    • To send you communications
    • For legal, regulatory, administrative, and internal business purposes
    • To protect against misuse of the Application, fraud, or criminal activity
    • To detect and troubleshoot problems, resolve disputes, and enforce applicable agreements and policies for the Application
    • For other purposes described to You at the time of collection or otherwise consistent with this Privacy Policy
    Categories of Sources from Which Collected
    • You
    • Third party service providers and business partners
    • Cookies and other tracking technologies
    Categories of Third Parties with whom Information is Shared/Disclosed for Business Purpose
    • Other Users
    • Service Providers
    • Third parties whose features are integrated with the Application, such as social media companies
    • Third party advertising and analytics companies
    • Third parties who may acquire Your information in connection with a merger, acquisition or other ownership transition
    • Third parties or affiliated companies when You request that we share Your information with them
    • Other third parties (including government entities) to comply with laws, regulations, or legal requests or to protect or defend our rights or the rights of any third party
    • Third parties when You agree to or request that we share Your information with them.
    Categories of Third Parties to Whom This Type of Personal Information Is Sold or Shared
    • Third party advertising, analytics, and similar marketing partners may have access to this data, including in order to better serve you relevant advertisements, and this may be considered a “sale” or “share” under the CCPA in certain circumstances.
  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))

    Examples: name, email address, phone number

    Business or Commercial Purpose(s) for which Information is Collected
    • To provide the Application to You and allow You to participate in the features the Application offers
    • To help us to improve the Application and to serve You better
    • To send you communications
    • For legal, regulatory, administrative, and internal business purposes
    • To protect against misuse of the Application, fraud, or criminal activity
    • To detect and troubleshoot problems, resolve disputes, and enforce applicable agreements and policies for the Application
    • For other purposes described to You at the time of collection or otherwise consistent with this Privacy Policy
    Categories of Sources from Which Collected
    • You
    • Other Users
    • Third party service providers and business partners
    • Cookies and other tracking technologies
    Categories of Third Parties with whom Information is Shared/Disclosed for Business Purpose
    • Other Users
    • Service Providers
    • Third parties whose features are integrated with the Application, such as social media companies
    • Third party advertising and analytics companies
    • Third parties who may acquire Your information in connection with a merger, acquisition or other ownership transition
    • Third parties or affiliated companies when You request that we share Your information with them
    • Other third parties (including government entities) to comply with laws, regulations, or legal requests or to protect or defend our rights or the rights of any third party
    • Third parties when You agree to or request that we share Your information with them.
    Categories of Third Parties to Whom This Type of Personal Information Is Sold or Shared
    • Third party advertising, analytics, and similar marketing partners may have access to this data, including in order to better serve you relevant advertisements, and this may be considered a “sale” or “share” under the CCPA in certain circumstances.
  • Commercial information

    Examples: products or services obtained or considered; purchasing or consuming history or tendency

    Business or Commercial Purpose(s) for which Information is Collected
    • To provide the Application to You and allow You to participate in the features the Application offers
    • To help us improve the Application and to serve You better
    • For legal, regulatory, administrative, and internal business purposes
    • To protect against misuse of the Application, fraud, or criminal activity
    • To detect and troubleshoot problems, resolve disputes, and enforce applicable agreements and policies for the Application
    • For other purposes described to You at the time of collection or otherwise consistent with this Privacy Policy
    Categories of Sources from Which Collected
    • You
    • Third party service providers and business partners
    Categories of Third Parties with whom Information is Shared/Disclosed for Business Purpose
    • Other Users
    • Service Providers
    • Third parties whose features are integrated with the Application, such as social media companies
    • Third party advertising and analytics companies
    • Third parties who may acquire Your information in connection with a merger, acquisition or other ownership transition
    • Third parties or affiliated companies when You request that we share Your information with them
    • Other third parties (including government entities) to comply with laws, regulations, or legal requests or to protect or defend our rights or the rights of any third party
    • Third parties when You agree to or request that we share Your information with them.
    Categories of Third Parties to Whom This Type of Personal Information Is Sold or Shared
    • Third party advertising, analytics, and similar marketing partners may have access to this data, including in order to better serve you relevant advertisements, and this may be considered a “sale” or “share” under the CCPA in certain circumstances.
  • Internet or other similar network activity

    Examples: login information, areas of the Application You visit, and devices used to access the Application

    Business or Commercial Purpose(s) for which Information is Collected
    • To provide the Application to You and allow You to participate in the features the Application offers
    • To communicate with you
    • To help us improve the Application and to serve You better
    • For legal, regulatory, administrative, and internal business purposes
    • To protect against misuse of the Application, fraud, or criminal activity
    • To detect and troubleshoot problems, resolve disputes, and enforce applicable agreements and policies for the Application
    • For other purposes described to You at the time of collection or otherwise consistent with this Privacy Policy
    Categories of Sources from Which Collected
    • Cookies and other tracking technologies
    • Third party service providers and business partners
    Categories of Third Parties with whom Information is Shared/Disclosed for Business Purpose
    • Other Users
    • Service Providers
    • Third parties whose features are integrated with the Application, such as social media companies
    • Third party advertising and analytics companies
    • Third parties who may acquire Your information in connection with a merger, acquisition or other ownership transition
    • Third parties or affiliated companies when You request that we share Your information with them
    • Other third parties (including government entities) to comply with laws, regulations, or legal requests or to protect or defend our rights or the rights of any third party
    • Third parties when You agree to or request that we share Your information with them.
    Categories of Third Parties to Whom This Type of Personal Information Is Sold or Shared
    • Third party advertising, analytics, and similar marketing partners may have access to this data, including in order to better serve you relevant advertisements, and this may be considered a “sale” or “share” under the CCPA in certain circumstances.
  • Inferences drawn from other personal information

    Examples: Preferences, characteristics, predispositions, behaviors

    Business or Commercial Purpose(s) for which Information is Collected
    • To provide the Application to You and allow You to participate in the features the Application offers
    • To help us improve the Application and to serve You better
    • To send you communications
    • For legal, regulatory, administrative, and internal business purposes
    • To protect against misuse of the Application, fraud, or criminal activity
    • To detect and troubleshoot problems, resolve disputes, and enforce applicable agreements and policies for the Application
    • For other purposes described to You at the time of collection or otherwise consistent with this Privacy Policy
    Categories of Sources from Which Collected
    • You
    • Third party service providers
    • Cookies and tracking technologies
    • Third party social media companies
    • Third party business partners such as data analytics providers, data brokers, advertising networks, or joint marketing partners
    Categories of Third Parties with whom Information is Shared/Disclosed for Business Purpose
    • Other Users
    • Service Providers
    • Third parties whose features are integrated with the Application, such as social media companies
    • Third party advertising and analytics companies
    • Third parties who may acquire Your information in connection with a merger, acquisition or other ownership transition
    • Third parties or affiliated companies when You request that we share Your information with them
    • Other third parties (including government entities) to comply with laws, regulations, or legal requests or to protect or defend our rights or the rights of any third party
    • Third parties when You agree to or request that we share Your information with them.
    Categories of Third Parties to Whom This Type of Personal Information Is Sold or Shared
    • Third party advertising, analytics, and similar marketing partners may have access to this data, including in order to better serve you relevant advertisements, and this may be considered a “sale” or “share” under the CCPA in certain circumstances.

If you feel that we are not abiding by this privacy policy, you should contact us immediately via .

Last updated 03/07/2024

This Business Associate Agreement (“Agreement”) by and between (hereinafter known as “Covered Entity”) and WoundAlly, a Covered Entity (a Health Care Clearinghouse) under HIPAA, providing Business Associate services (hereinafter known as “Business Associate”), comes into force from the moment of agreement with it by the user. Covered Entity and Business Associate shall collectively be known herein as “the Parties.”

WHEREAS, Covered Entity wishes to commence a business relationship with Business Associate whereby Business Associate will create, receive, maintain, or transmit PHI in order to provide products and services to Covered Entity pursuant to the Authorization Sheet and any underlying service agreement(s);

WHEREAS, the nature of the prospective contractual relationship between Covered Entity and Business Associate may involve the exchange of Protected Health Information (“PHI”) as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including all pertinent regulations issued by the Department of Health and Human Services (“HHS”);

WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI that Business Associate creates, receives, maintains, or transmits on Covered Entity’s behalf, in compliance with the Privacy and Security Rules.

NOW THEREFORE, in consideration of the mutual recitals above, and the exchange of information pursuant to this Agreement, the Parties agree as follows:

Definitions

Catch-all Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: “Breach,” “Business Associate,” “Covered Entity,” “Data Aggregation,” “Designated Record Set,” “Disclosure,” “Health Care Clearinghouse,” “Health Care Operations,” “Minimum Necessary,” “Notice of Privacy Practices,” “Public Health Authority,” “Required By Law,” “Research,” “Secretary,” “Security Incident,” “Subcontractor,” “Unsecured Protected Health Information,” and “Use.”

“Discovery” shall mean the first day on which a Breach is known to Business Associate (including any person, other than the individual committing the Breach, that is an employee, officer, or other agent of Business Associate), or should reasonably have been known to Business Associate (or person), to have occurred.

“HIPAA” or “Health Insurance Portability and Accountability Act of 1996” is Public Law 104-191, as codified at 42 U.S.C. §§ 1320d to 1320d-9 and amended, under which the Privacy and Security Rules were promulgated.

“HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules in 45 CFR Part 160 and 164.

“HITECH Act” or “Health Information Technology for Economic and Clinical Health Act” are those provisions set forth in Title XIII of Public Law 111-5 as enacted on February 17, 2009.

“Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103, and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

“Privacy Rule” is the regulation entitled “Standards for Privacy of Individually Identifiable Health Information,” promulgated under HIPAA and/or the HITECH Act that is codified at 45 CFR Part 160 and 164, Subparts A and E.

“Protected Health Information” (“PHI”) and “Electronic Protected Health Information” (“ePHI”) shall have the meaning given to such terms in 45 CFR § 160.103, limited to the information created or received by Business Associate from, or on behalf of, Covered Entity.

“Security Rule” is the regulation entitled “Security Standards for the Protection of Electronic Protected Health Information,” promulgated under HIPAA and/or the HITECH Act that is codified at 45 CFR, Part 160 and 164, Subparts A and C.

Obligations of Business Associate

Limitation(s) on Uses and Disclosures. Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement, or as Required by Law.

Permitted Uses and Disclosures. Business Associate may use and disclose PHI created or received pursuant to the Authorization Sheet and any underlying service agreement(s) as follows:

  • To carry out the purposes of the Authorization Sheet and any underlying service agreement(s). Business Associate may use and disclose PHI to perform its obligations pursuant to the Authorization Sheet and any underlying service agreement(s), provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
  • Use for Management and Administration. Business Associate may use PHI if such use is necessary (i) for the proper management and administration of Business Associate or (ii) to carry out the legal responsibilities of Business Associate.
  • Disclosure for Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate if (i) the disclosure is Required by Law or (ii) Business Associate (a) obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required by Law, or for the purpose for which it was disclosed to the person and (b) the person agrees to notify Business Associate of any instances in which it becomes aware the confidentiality and security of the PHI has been breached.
  • Data Aggregation Services. Business Associate may use PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity.
  • De-Identification of PHI. Business Associate may use PHI to create de-identified information in accordance with 45 CFR § 164.514(b).
  • Treatment, Payment, and Health Care Operations of Other Covered Entities. Business Associate may use and disclose PHI for the treatment, payment, and health care operations of other covered entities, subject to the limitations in 45 CFR § 164.506(c), the Minimum Necessary requirements, where applicable, and other applicable restrictions of federal and state laws and regulations.
  • Public Health. Business Associate may use and disclose PHI for public health purposes in accordance with the requirements of 45 CFR §§ 164.512(b) and 164.514(e) and other applicable restrictions of federal and state laws and regulations.
  • Health Oversight. Business Associate may disclose PHI to a health oversight agency for oversight activities authorized by law in accordance with the requirements of 45 CFR § 164.512(d) and other applicable restrictions of federal and state laws and regulations.
  • Disclosures for Judicial and Administrative Proceedings and for Law Enforcement Purposes. Business Associate may disclose PHI in response to an order of a court or administrative tribunal, court-ordered warrant, subpoena, discovery request, or other lawful process, in accordance with the requirements of 45 CFR § 164.512(a), (e), and (f) and other applicable restrictions of federal and state laws and regulations.
  • Limited Data Sets. Business Associate may use PHI to create limited data set(s) in accordance with 45 CFR § 164.514(e), and may use or disclose such limited data sets for Health Care Operations, Research, or public health purposes pursuant to a data use agreement and in accordance with 45 CFR § 164.514(e) and other applicable restrictions of federal and state laws and regulations.
  • Authorization. Business Associate may use and disclose PHI as authorized by an Individual using an authorization that complies with the requirements of 45 CFR § 164.508.

Safeguards. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.

Security Rule. With respect to ePHI, Business Associate shall comply with the applicable requirements of the Security Rule.

Reporting of Impermissible Uses and Disclosures, Security Incidents, and Breaches. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement or any Security Incident of which Business Associate becomes aware, except that this section shall hereby serve as notice, and no additional reporting shall be required, of the regular occurrence of unsuccessful attempts at unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with system operations in an information system containing ePHI. After discovery of an impermissible Use, Disclosure or Security Incident, Business Associate shall report such incident to the Covered Entity promptly without unreasonable delay. In the event that such use or disclosure or Security Incident constitutes a Breach of Unsecured Protected Health Information, such notice shall include the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, used, or disclosed in connection with such Breach and any additional information set forth at 45 CFR § 164.410, to the extent possible. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for the purpose of investigating and responding to the Breach. Notification of Breach, or potential Breach, under this Agreement shall be made to Covered Entity as indicated in Section (X)(c) below.

Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that becomes known to Business Associate as a result of a Breach, or use or disclosure of PHI, by Business Associate in violation of the requirements of this Agreement.

Use of Subcontractors. Business Associate shall ensure that any Subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same or more stringent restrictions, conditions, and requirements that apply to the Business Associate with respect to such information, including compliance with the applicable requirements of the Security Rule.

Availability of Information to Covered Entity. Within five (5) business days of receipt of a request from Covered Entity, Business Associate shall make available to Covered Entity PHI in a Designated Record Set as necessary to allow Covered Entity to satisfy its obligations under 45 CFR § 164.524. If an Individual requests such information directly from Business Associate, Business Associate must notify Covered Entity in writing within five (5) business days. Business Associate shall not give the Individual access to the information unless access is approved by Covered Entity. Covered Entity shall have full discretion to determine whether the Individual shall be given access.

Amendment of PHI. Within five (5) business days of receipt of a request from Covered Entity, Business Associate shall make Covered Entity’s PHI available to Covered Entity so that Covered Entity may fulfill its obligations to amend such PHI pursuant to the Privacy Rule, including but not limited to, 45 CFR § 164.526. If an Individual requests that Business Associate amend the Individual’s PHI, Business Associate must notify Covered Entity in writing within five (5) business days and the Covered Entity may then amend the PHI through the use of the services. Covered Entity shall have full discretion to determine whether to accept an Individual’s request for amendment.

Accounting of Disclosures of PHI. Within five (5) business days of receipt of a request from Covered Entity, Business Associate shall make available to Covered Entity a list of disclosures of PHI as required for Covered Entity to fulfill its obligations to provide an accounting pursuant to the Privacy Rule, including but not limited to, 45 CFR § 164.528. Business Associate shall implement a process that allows for such an accounting. If an Individual requests such an accounting directly from Business Associate, Business Associate must notify Covered Entity in writing within five (5) business days.

Availability of Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI, created or received pursuant to this Agreement, available to the Secretary of the United States Department of Health and Human Services, for the purpose of determining Covered Entity’s compliance with the Privacy and Security Rules as set forth in 45 CFR § 160.310.

Minimum Necessary Amount of PHI. Business Associate acknowledges that it shall make reasonable efforts to request from Covered Entity and disclose to its affiliates and Subcontractors, or other authorized third parties, only the minimum necessary PHI to accomplish the intended purpose of such requests or disclosures.

Standard Transactions. If Business Associate conducts any Standard Transactions on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of 45 CFR Parts 160-162.

Data Ownership. Business Associate acknowledges that Covered Entity is the owner of all the PHI obtained from or on behalf of the Covered Entity.

Privacy Rule Obligations. To the extent Business Associate is to carry out Covered Entity’s obligation under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.

Furthermore, any specific listing of duties or functions to be performed by Business Associate for Covered Entity contained in a separate contract (or addendum thereto) between the Parties is hereby incorporated by reference into this Agreement for the sole purpose of further elaborating duties and functions that Business Associate is contractually undertaking on behalf of the Covered Entity.

Obligations of Covered Entity

Notice of Privacy Practices. Covered Entity shall not include in its notice of privacy practices under 45 CFR § 164.520 any limitation(s) that further limits Business Associate’s use or disclosure of PHI under this Agreement unless such a limitation(s) is required by law or Covered Entity receives Business Associate’s prior approval so that Business Associate can confirm that it can operationalize the limitation(s). In the event that Covered Entity is required to include such a limitation in its notice of privacy practices, Covered Entity shall promptly notify Business Associate of such limitation(s).

Revocation of Authorization. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes affect Business Associate’s use or disclosure of PHI.

Restrictions. Covered Entity shall not agree to any request for a restriction under 45 CFR § 164.522 that further limits Business Associate’s use or disclosure of PHI under this Agreement unless Covered Entity is required by law to agree to such a restriction or Covered Entity receives Business Associate’s prior approval so that Business Associate can confirm that it can operationalize the restriction. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

Requests to Use or Disclose PHI. Covered Entity shall not request or cause Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity or that is not otherwise expressly permitted under Section (II)(b) hereof.

Term and Termination

Term. The Term of this Agreement shall be effective as of the Effective Date and shall terminate when all underlying service agreement(s) involving PHI have terminated.

Termination for Cause. Upon Covered Entity’s knowledge of a material Breach by Business Associate, Covered Entity shall either:

  • Provide an opportunity for Business Associate to cure the Breach or end the violation, and terminate this Agreement and any underlying service agreement(s) if Business Associate does not cure the Breach or end the violation within the time specified by Covered Entity;
  • Immediately terminate this Agreement and any underlying service agreement(s) if Business Associate has breached a material term of this Agreement, and a cure is not possible.

Effect of Termination.

  • Except as provided in paragraph (c)(ii) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of the Covered Entity. Business Associate shall make reasonable efforts to apply and enforce this provision with respect to PHI that is in the possession of Subcontractors of Business Associate. Business Associate shall retain no copies of the PHI.
  • In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI, and limit further uses and disclosure of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

Disclaimer

Business Associate makes no warranty or representation that Covered Entity’s execution of this Agreement will satisfy all of Covered Entity’s applicable legal requirements. Covered Entity is solely responsible for all decisions made by Covered Entity regarding the safeguards of PHI.

No Third Party Beneficiaries

Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

Change in Applicable Laws or Regulations

In the event the laws or regulations of the United States or the State in which the majority of services are rendered are modified or amended in any material way with respect to this Agreement, this Agreement shall not be terminated but rather, to the extent feasible, shall be promptly amended by the Parties to operate in compliance with the existing law. To the extent any amendments to this Agreement shall be necessary to effectuate or clarify the obligations of the Parties pursuant to such changes to the HIPAA Rules, the Parties hereby agree to negotiate such amendments in good faith, subject to the right of either Party to terminate this Agreement in accordance with its terms.

Modification

This Agreement may only be modified through a written notice signed by the Parties and, thus, no oral modification hereof shall be permitted.

Interpretation

Should there be any conflict between the language of this contract and any other contract entered into between the Parties (either previous or subsequent to the date of this Agreement), the language and provisions of this Agreement shall control and prevail, unless in a subsequent written agreement the Parties specifically refer to this Agreement by its title and date, and, also, specifically state that the provisions of the later written agreement shall control over this Agreement. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA, the HITECH Act, and the HIPAA Rules.

Miscellaneous

A reference in this Agreement to a section in the Privacy Rule means the section as in effect or amended.

Nothing in this Agreement is intended to create an agency relationship between the Parties.

Any notice required under this Agreement to be given to Covered Entity or Business Associate shall be made in writing to: 25044 Peachland Ave Ste 110 Newhall, CA 91321

Last updated 03/07/2024