Updated: November 8th, 2021
eMurmur ("CSD Labs International Inc.", "we", "us", or "our") provides and makes available the eMurmur application (the "Application"), related websites (the "Sites") and related services (the "Services"). All uses of these Sites, the Application, and the Services are subject to the terms and conditions contained in this Terms of Use agreement (the "Terms"). Please read these Terms carefully. Each time that you access, use, or browse the Sites and use the Application and/or the Services, you acknowledge that you are the age of majority in your jurisdiction of residence and that you have read, understand, and are fully accepting and agreeing to be bound by the terms, conditions and disclaimers contained in these Terms. If you do not agree to be bound by these Terms and to abide by all applicable laws, you must not use the Sites, the Application, and/or the Services.
References to "you" and "your" refer to all users of the Services, Application and Sites. This includes health care providers who use the Application, Sites or Services to provide health care services, patients who receive health care services who use the patient-facing elements of the Application, Sites or Services, and any other individual who visits the Sites, downloads or uses the Application or otherwise accesses or uses the Services.
If you are an individual using the Site, or are an individual who is a health care provider, or authorized user of a health care provider, using the Services, eMurmur will collect, use, and disclose your personal information in accordance with the Privacy Policy (found here). If you are a controller of personal information and provide it to eMurmur as permitted by this Agreement, eMurmur will process it in accordance with this Agreement and applicable law.
To the extent providing the Application to you requires us to process personal information (or personal data) on your behalf and such personal information/data is subject to the General Data Protection Regulation of the European Union or of the United Kingdom, our Data Protection Addendum included at Appendix A will also apply and form a part of these Terms.
To the extent you are a covered entity under the Health Insurance Portability and Accountability Act ("HIPAA") and us providing the Application requires you to disclose Protected Health Information to us (as Protected Health Information is defined in HIPAA) or that requires us to create, receive, transmit, or maintain PHI for or on behalf of you, our Business Associate Agreement included at Appendix B will also apply and form a part of these Terms.
eMurmur may modify these Terms, in whole or in part, from time to time in its sole discretion, effective immediately upon posting modified Terms to the Sites or the Application and, if you possess an eMurmur account, by directly communicating them to you when you log in to the Site or the Application; provided, however, that any modification to the Dispute Resolution section shall not apply to any disputes initiated prior to the applicable modification. By not terminating your user account within seven days after receiving a notice of modifications to these Terms as described above or by continuing to use or access the Sites, the Application, and/or the Services after revised Terms are posted to the Sites or the Application, you agree to comply with, and be bound by, such revised Terms. Unless explicitly stated otherwise, any future offers made available to you on the Sites or the Application that augment or otherwise enhance the current features of the Sites or the Application shall be subject to the latest Terms of Use.
eMurmur may also make improvements and changes in products or services described on the Sites, the Services, the Application or add new features at any time without notice to you.
We grant you permission to use the Sites, Application, and the Services subject to the restrictions in these Terms. Your use of the Sites, Application, and the Services is at your own risk.
Except as expressly permitted under the Terms, you agree that you may not use the Sites, the Application, and the Services to engage in any unlawful activity or to infringe the rights of any party. You further agree that you will not allow your employees or agents to do any of the following:
All text, graphics, user interfaces, visual interfaces, photos, trademarks, logos, sounds, music, artwork, and software (collectively, "Content"), including but not limited to the design, structure, selection, coordination, expression, and arrangement of such Content, contained on the Sites, the Application, and the Services is owned, controlled, or licensed by or to eMurmur, and is protected by trade dress, copyright, and other intellectual property laws.
Except as expressly provided in these Terms, no part of the Sites, the Application, and the Services and no Content may be copied, reproduced, republished, uploaded, modified, catalogued, posted, publicly displayed, encoded, translated, transmitted, or distributed in any way (including "mirroring") to any other computer, server, website, or other medium for publication or distribution or for any commercial enterprise, without eMurmur’s express prior written consent.
Upon your registration of an eMurmur account to access and use the Application and the Services, eMurmur hereby grants to you a non-exclusive, revocable, non-transferable, non-sublicensable, right to access and use the Application and the Services in accordance with the terms and conditions of these Terms.
You may use information on eMurmur products and services (such as data sheets, knowledge base articles, and similar materials) purposely made available by eMurmur for downloading from the Sites, the Application, and the Services, provided that you (1) do not remove any proprietary notice language in any copies of such documents, (2) use such information only for informational purposes and do not copy or post such information on any networked computer or broadcast it in any media, (3) do not make modifications to any such information, and (4) do not make any additional representations or warranties to third parties relating to such information.
eMurmur does not give medical advice. The Sites, the Application, and the Services may provide helpful health-related information and materials, but such information and materials are for informational and educational purposes only and are not intended to constitute professional advice, diagnosis or treatment, or to substitute for professional judgment. You assume full risk and responsibility for the use of information you obtain from or through the Sites, the Application, and the Services. In addition, we do not recommend or endorse any provider of health care or any third-party health-related products, items, or services.
The Application and the Services are intended to be used as part of physical assessment of a patient by healthcare professionals for supporting diagnosis decisions.
The Application is designed to allow automatic transmission of a patient’s lung sounds, heart sounds, bowel sounds, related auscultation data, and data analysis to the patient’s health care provider, and allow such health care providers to access the transmitted data via eMurmur’s Services.
The Application and the Services are not designed, intended for, or appropriate to replace the patient-healthcare provider relationship or to address emergency or life-threatening medical conditions and the Application and the Service should not be used in such circumstances.
In no event will eMurmur be liable or be responsible for any acts or omissions by a healthcare provider, including any medical malpractice.
Any content provided or accessed through the Application and the Services is for informational purposes only, and is not intended to cover all possible uses, directions, precautions, drug interactions, or adverse effects. You should consult with your healthcare provider regarding any medical conditions or before taking any drug, changing your diet, or commencing or discontinuing any course of treatment. By using the Application and the Services, you consent to engage in telehealth (e.g. internet, e-mail, or telephone-based interactions) with your healthcare provider. Your healthcare provider may provide you with an authorization form to allow information to be released/exchanged between different healthcare providers. Within telehealth practice, your medical information will remain confidential except as otherwise authorized in the Privacy Policy and in cases where you authorize disclosure or otherwise permitted under applicable law.
Telehealth through the Application and Services has potential risks, including services disruption or technical difficulties.
By agreeing to these Terms, you agree that eMurmur will not be liable for any breach of confidentiality if you communicate confidential or private information to eMurmur via unencrypted email, text, or phone messages.
You acknowledge and agree that all anonymized information collected from all users of the Application and the Services does not constitute your confidential information. eMurmur’s use of any anonymized and de-identified information will be in accordance with the terms and conditions of the privacy policy.
If you are concerned about your care or treatment or you believe or are advised that you have a serious or life-threatening condition, you should call the emergency number (such as 9-1-1 or 1-1-2) or go to the nearest open clinic or emergency room.
The Sites, the Application, and the Services may include links to third party websites that are controlled and maintained by others. Any link to other websites is not an endorsement of such websites and you acknowledge and agree that we are not responsible for the content or availability of any such sites.
The Sites, the Application, and the Services may provide you with the ability to create, upload, transmit, or share content ("User Content"). User Content may include the personal information of patients or, if you are a patient, your personal information.
By creating, posting, or sharing your User Content on or through the Sites, and subject to eMurmur’s Privacy Policy, you grant eMurmur a world-wide, non-exclusive, fully sub-licensable (through multiple tiers of distribution), royalty-free, transferable license to use, modify, remove, publish, transmit, or display your User Content for any purpose without compensation to you, including for operation of the Sites, the Application, and the Services and for promoting eMurmur and its products or services. You waive any rights, including all moral rights, you may have regarding your User Content being altered or manipulated in any way that may be objectionable to you. eMurmur reserves the right to refuse to accept, post, display, or transmit any User Content in its sole discretion.
You further acknowledge, agree, and consent to eMurmur de-identifying and anonymizing your User Content, including without limitation, your personal information (where you are a patient) and the personal information of your patients (where you are a health care provider). eMurmur will own all right, title and interest in and to all anonymized and de-identified information (except where not permitted by law) and all knowledge and insights derived from such information. For clarity, where consent of the individual subject of personal information is required under applicable law in order to allow eMurmur to de-identify and anonymize your User Content, you represent that you have obtained such consent.
You represent and warrant that (i) you own the User Content you post or provide on or through the Sites, the Application, or the Services or otherwise have the right to grant the license set forth above in these Terms, (ii) the uploading and use of your User Content on or through the Sites, the Application, or the Services does not violate any applicable law, statute, ordinance, or regulation, or the privacy rights, publicity rights, copyrights, trademarks, contract rights, intellectual property rights, or any other rights of any person, and (iii) the posting or submission of your User Content on the Sites, the Application, or the Services does not result in a breach of contract between you and a third party. You agree not to upload, submit, or provide incomplete, false, or misleading information, impersonate another person, or misrepresent your affiliation with a person or entity in the User Content you provide via the Sites, the Application, and the Services. You also agree that you will not harass, threaten, stalk, or abuse other Users of the Sites, the Application, or the Services or post or provide objectionable User Content. You may not post advertising or marketing links or content, except as specifically permitted by these Terms or with eMurmur’s express written consent. You agree that your User Content will not contain software viruses or any other computer code, files, or programs designed to interrupt, destroy, or limit the functionality of the Sites, the Application, or the Services, or eMurmur’s technical infrastructure.
You assume all risks associated with the User Content you post, including anyone’s reliance on its quality, accuracy, or reliability. You agree to pay for all royalties, fees, and any other monies owed to any person by reason of User Content. You understand and agree that you will not obtain, as a result of your use of the Sites, the Application, and the Services, any right, title, or interest in or to others’ User Content delivered via the Sites. Except as provided within these Terms, you may not copy, reproduce, republish, upload, post, publicly display, encode, translate, transmit, or distribute in any way any other person’s User Content appearing on or through the Sites, the Application, or the Services. We do not represent or guarantee the truthfulness, accuracy, or reliability of User Content. You accept that any reliance on User Content will be at your own risk, and you accept the risk that you might be exposed to User Content that may be offensive, indecent, inaccurate, objectionable, or otherwise inappropriate. We are not responsible for the User Content, including for storing, protecting and retaining it. While the Service may include a feature that enables you to export User Content, we may alter or remove that feature. We may also delete or alter User Content at any time for any reason without notice to you. You may have obligations with respect to User Content, such as privacy and data protection laws, to modify, provide or delete your User Content that contains personal information. You will comply with such laws.
We reserve the right, in our sole discretion, to terminate or block your access to all or part of the Sites, the Application, or the Services or terminate your user account, with or without notice, on the basis of your violation of these Terms.
Upon termination of your subscription to the Application or the Services or your cancellation of your eMurmur account, your license to use and access the Application or the Services will be terminated.
Upon any termination of these Terms or your user account by either you or eMurmur, you must promptly destroy all materials downloaded or otherwise obtained from the Sites, the Application, or the Services as well as all copies of such materials, whether made in compliance with these Terms or otherwise, excluding User Content.
Although the Sites, the Application, or the Services may be accessible worldwide, not all features, products or services discussed, referenced, provided or offered through or on the Sites, the Application, or the Services are available to all persons or in all geographic locations. eMurmur reserves the right to limit, in its sole discretion, the provision and quantity of any feature, product or service to any person or geographic area. Any offer for any feature, product or service made on the Sites is void where prohibited. If you choose to access the Sites, the Application, or the Services, you do so on your own initiative and are solely responsible for complying with applicable local laws.
THE SITES, THE APPLICATION, OR THE SERVICES AND ALL MATERIALS, INFORMATION, SOFTWARE, AND PRODUCTS INCLUDED IN OR AVAILABLE THERETHROUGH ARE PROVIDED "AS IS" AND "AS AVAILABLE" FOR YOUR USE AND ARE PROVIDED WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, MERCHANTABLE QUALITY, DURABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. eMURMUR AND OUR AFFILIATES DO NOT WARRANT THAT THE SITES, THE APPLICATION, AND THE SERVICES, AND ANY MATERIALS, INFORMATION, SOFTWARE, AND PRODUCTS INCLUDED IN OR AVAILABLE THERETHROUGH ARE ACCURATE, RELIABLE, TIMELY, OR CORRECT; THAT THE SITES, THE APPLICATION, OR THE SERVICES WILL BE AVAILABLE AT ANY PARTICULAR TIME OR LOCATION; THAT ANY DEFECTS OR ERRORS WILL BE CORRECTED; OR THAT THE SITES, THE APPLICATION, OR THE SERVICES ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. YOUR USE OF THE SITES AND CONTENT IS AT YOUR SOLE RISK. BECAUSE SOME JURISDICTIONS DO NOT PERMIT THE EXCLUSION OF CERTAIN WARRANTIES, THESE EXCLUSIONS MAY NOT APPLY TO YOU.
Nothing in these Terms shall be construed so as to exclude or limit the liability of eMurmur for death or personal injury as a result of the negligence of eMurmur or that of its employees or agents.
eMurmur reserves the right to do any of the following, at any time, without notice: (1) modify, suspend or terminate operation of or access to the Sites, the Application, or the Services or any portions thereof for any reason; and (2) interrupt the operation of the Sites, the Application, or the Services or any portion thereof, as necessary to perform routine or non-routine maintenance, error correction, or other changes.
UNDER NO CIRCUMSTANCES SHALL eMURMUR OR OUR AFFILIATES, SUBSIDIARIES, JOINT VENTURES, THIRD-PARTY SERVICE PROVIDERS, AND OUR RESPECTIVE EMPLOYEES, CONTRACTORS, AGENTS, OFFICERS, AND DIRECTORS (the "Released Parties") BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF, OR INABILITY TO USE, THE SITES, THE APPLICATION, OR THE SERVICES. THIS LIMITATION APPLIES WHETHER THE ALLEGED LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHER LEGAL THEORY, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN THE EVENT SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF DAMAGES TO THE EXTENT INDICATED HERE, OUR LIABILITY IN SUCH JURISDICTIONS SHALL BE LIMITED TO THE FULLEST EXTENT PERMITTED BY LAW.
You agree to defend, indemnify, and hold the Released Parties harmless from and against all liabilities, damages, losses, costs and other expenses (including reasonable attorneys’ fees) that arise out of or related to any claims or actions brought against the Released Parties arising out of your violation of these Terms, your misuse of the Sites, the Application, or the Services, or your violation of any third-party rights, or any User Content you submit, post, transmit, or make available through the Sites, the Application, or the Services.
The materials appearing on eMurmur’s web site could include technical, typographical, or photographic errors. eMurmur does not warrant that any of the materials on the Sites, the Application, or the Services are accurate, complete, or current. eMurmur may make changes to the materials contained on its web site at any time without notice. eMurmur does not, however, make any commitment to update the materials.
These Terms constitute the entire agreement between you and eMurmur concerning your use of the Sites, the Application, or the Services. The failure of eMurmur to exercise or enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. If any provision of these Terms should be determined to be invalid, illegal or unenforceable for any reason by any court of competent jurisdiction then such provision shall be severed and the remaining Terms shall survive and remain in full force and effect and continue to be binding and enforceable. The section titles in these Terms are for convenience only and have no legal or contractual effect.
These Terms and the relationship between you and eMurmur in connection with your use of the Sites, the Application, or the Services shall be governed by and construed in accordance with the laws of the province of Ontario, and the applicable laws of Canada, without regard to its conflict of law provisions. You will bring any claim related to the Site, Services and Application in a court in Toronto, Ontario only.
For the avoidance of doubt, you acknowledge and understand that, with respect to any dispute with the Released Parties arising out of or relating to your use of the Sites or these Terms:
YOU ARE GIVING UP YOUR RIGHT TO HAVE A TRIAL BY JURY;
YOU ARE GIVING UP YOUR RIGHT TO SERVE AS A REPRESENTATIVE, AS A PRIVATE ATTORNEY GENERAL, OR IN ANY OTHER REPRESENTATIVE CAPACITY, OR TO PARTICIPATE AS A MEMBER OF A CLASS OF CLAIMANTS, IN ANY LAWSUIT INVOLVING ANY SUCH DISPUTE; AND
YOU MUST FILE ANY CLAIM WITHIN ONE (1) YEAR AFTER SUCH CLAIM AROSE OR IT IS FOREVER BARRED.
For any further information or if you have questions, please contact us at office@emurmur.com, or at the following address:
CSD Labs International Inc.
78 George St, Suite 204
Ottawa, Ontario, K1N 5W1
Canada
Data Processing Addendum
This Data Processing Agreement, including its schedules, ("DPA") is incorporated into and forms part of the agreement that incorporates this DPA by reference ("Agreement") between CSD Labs International Inc. ("eMurmur") and the customer / user identified in the Agreement ("Controller").
1.1 This DPA applies exclusively to the processing of Controller Data that is subject to Applicable Privacy Laws and done in connection with the Services. "Applicable Privacy Laws" means EU General Data Protection Regulation 2016/679 ("GDPR"), United Kingdom General Data Protection Regulation ("UK-GDPR") and laws implementing or supplementing the foregoing. "Controller Data" means any personal data that eMurmur processes on behalf of Controller under the Agreement. "Service" has the meaning provided in the Agreement.
1.2 The terms "controller", "data concerning health", "data subject", "personal data", "personal data breach", "processing", "processor" and "special category data" have the meaning provided in the GDPR.
1.3 The provisions of the Agreement that state how the Agreement is to be interpreted apply to the interpretation of this DPA.
1.4 This DPA forms a part of the Agreement. For clarity, the exclusions and limitations of liability set out in the Agreement apply to this DPA.
2.1 Details of Processing: eMurmur may process Controller Data on behalf of Controller. Schedule A sets out: (a) the subject matter and duration of the processing; (b) the nature and purpose of the processing; (c) the type of personal data being processed; and (d) the categories of data subject. Controller is the controller of all Controller Data and eMurmur, or its Sub-processor, is the processor.
2.2 Processing by eMurmur: eMurmur will, in respect of its processing of Controller Data: (a) process Controller Data only to the extent, and in such a manner, as is necessary for the purposes of the Agreement and in accordance with Controller’s documented instructions set out in this DPA (provided the instructions comply with Applicable Privacy Laws); and (b) process Controller Data as required by Applicable Privacy Laws, in which case eMurmur will inform Controller of the requirement prior to processing, unless prohibited by such Applicable Privacy Law on important grounds of public interest.
2.3 Controller’s Instructions/Processing: Controller will ensure the following comply with all applicable laws, Applicable Privacy Laws: (a) all instructions it provides to eMurmur with respect to the Services; and (b) its use of the Services, including its processing of personal data directly. Controller is solely responsible for the accuracy, quality, legality and means of acquisition of all Controller Data.
2.4 Unlawful Instructions: eMurmur will notify Controller where eMurmur learns that Controller has provided eMurmur with written instructions to process Controller Data that, in eMurmur’s reasonable opinion, would be in violation of Applicable Privacy Laws.
2.5 Special Categories of Personal Data: Excluding the data concerning health set out in Schedule A, the Services are not designed to process special category data and, therefore, Controller is prohibited from using the Services to process special category data (as described in Article 9 of GDPR).
2.6 Auscultation Data: As described in eMurmur’s Privacy Policy, available on its website, auscultation data is not personal data. Nothing in this DPA prohibits eMurmur from collecting or otherwise processing auscultation data for its own purposes or otherwise limits eMurmur’s rights in and to auscultation data and derivatives thereof.
3.1 Reasonable Assistance: Before relying on this section, Controller must first use all of the self-serve features available in the Services that allow it to fulfil the request directly. Taking into account the nature of the processing, eMurmur will assist Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Controller’s obligation to respond to requests for exercising the data subject’s rights set out in Applicable Privacy Laws.
3.2 Direct Request: If a data subject that is the subject of Controller Data makes a request to exercise their rights under Applicable Privacy Laws directly to eMurmur, eMurmur will redirect the request to Controller where permitted by applicable law. If eMurmur is required by applicable law to respond to the request, eMurmur will do so and notify Controller, where permitted by applicable law.
4.1 Security: eMurmur will: (a) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and assist Controller in ensuring compliance with its obligations to secure Controller Data under Applicable Privacy Laws; (b) ensure that any person authorized to process Controller Data on behalf of eMurmur in connection with the Agreement is subject to a duty of confidentiality; and (c) provide Controller with all information and assistance necessary to investigate personal data breaches and, where required by Applicable Privacy Law, notify the relevant regulator and affected data subject of each applicable personal data breach.
4.2 Incident Notice: eMurmur will notify Controller without undue delay if eMurmur becomes aware of any personal data breach using the registration information provided by Controller. On Controller’s request, eMurmur will provide reasonable assistance to Controller in meeting Controller’s obligations under Applicable Privacy Laws with respect to such personal data breach.
5.1 Information: eMurmur will make available to Controller all information necessary to demonstrate compliance with the obligations set out in this DPA, which information may be made available through eMurmur’s website or through on-site document reviews or such other means as eMurmur deems appropriate.
5.2 Audit: With respect to audit rights, eMurmur will answer any reasonable questions regarding eMurmur’s compliance with this DPA sent to office@emurmur.com by Controller. eMurmur will assist with any other reasonable audit requests, provided that Controller provides eMurmur with a legal opinion from a duly qualified lawyer opining that such audit is required by Applicable Privacy Laws.
6.1 Transfers where Adequacy Finding: eMurmur may transfer Controller Data to a territory outside of the EEA or UK where that territory has a finding of adequacy or outside of the UK.
6.2 Transfers where No Adequacy Finding: eMurmur may transfer Controller Data to a territory outside of the EEA or UK where that territory does not have a finding of adequacy where such transfer is in accordance with another legal transfer mechanism as may be available for the lawful transfer of Controller Data.
7.1 Sub-processor Agreements: eMurmur may engage Sub-processors to process Controller Data (or otherwise subcontract or outsource the processing of any Controller Data to a third party), provided that it enters into a written contract with any Sub-processor that:
7.2 List of Sub-processors: eMurmur uses the Sub-processors set out in Schedule A for the activities set out in Schedule A in connection with the provision of the Services.
7.3 Changes to Sub-processors: A list of eMurmur’s Sub-processors is set out in Schedule B. eMurmur will notify Controller of any new or replacement Sub-processors by updating the list of Sub-processors published on its website. If Controller objects to the appointment of a new or replacement Sub-processor, it may notify eMurmur by contacting office@emurmur.com. Controller will be deemed to have accepted the Sub-processor if eMurmur does not receive an objection within 30 days of updating the list of Sub-processors. If an objection cannot be resolved by the parties within 30 days of receipt by eMurmur of the written objection, Controller may, on written notice to eMurmur in accordance with the Agreement, terminate the Agreement without further liability and with a refund for any prepaid, unused Fees.
7.4 Liability: eMurmur remains liable for the performance of its obligations under Applicable Privacy Law that it delegates to a Sub-processor (except to the extent caused or exacerbated by Controller).
8.1 Term: This DPA will remain in force until eMurmur returns or destroys the Controller Data in accordance with the following section.
8.2 Return/Destruction: Controller directs eMurmur to destroy Controller Data that is in the custody of eMurmur or a Sub-processor within 180 days of the termination of the Agreement (except for archival backup copies, which eMurmur will delete in accordance with its records retention schedule), except to the extent applicable law requires storage of the Controller Data for an additional period.
Subprocessor | Role | Location |
---|---|---|
Microsoft Corporation | Hosting our Services and content delivery; infrastructure monitoring; authentication | The Netherlands (Data location EU); USA (Data location US); Toronto, Canada (LML, LMU) |
Mobile app crash reporting and analytics | USA |
Twilio Inc. (SendGrid) | Email services | USA |
Stripe Payments Canada, Ltd. | Payment processing | USA |
Mailchimp (The Rocket Science Group LLC) | Newsletter and email management | USA |
Business Associate Addendum
This Business Associate Addendum (the "BAA") is incorporated into and forms part of the agreement (the "Agreement") that incorporates this BAA by reference between you ("Covered Entity") and CSD Labs International Inc. ("Business Associate") and is effective as of the date the Agreement is executed. Business Associate and Covered Entity are sometimes referred to individually as a "Party" and collectively as the "Parties."
WHEREAS, the Parties have executed an Agreement pursuant to which Business Associate will be performing certain Services to Covered Entity that require Covered Entity to disclose certain Protected Health Information ("PHI") to Business Associate or that require Business Associate to create, receive, transmit, or maintain PHI for or on behalf of Covered Entity (the "Services"); and
WHEREAS, the Parties wish to enter into this BAA in order to comply with the Health Insurance Portability and Accountability Act of 1996, ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and the final regulations to such Acts that the U.S. Department of Health and Human Services ("HHS") has promulgated and set forth in 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules").
NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter contained, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, and intending to be legally bound hereby, the Parties hereto agree as follows:
Capitalized terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the Agreement or in the HIPAA Rules. A regulatory reference in this BAA means the section as in effect or as amended, and for which compliance is required.
2.1 Permitted Uses and Disclosures. Business Associate agrees to not use and/or disclose PHI other than as permitted or required by this BAA or as Required by Law. To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under the HIPAA Rules, Business Associate shall comply with the provisions in the HIPAA Rules that would apply to Covered Entity in the performance of such obligation(s). Business Associate may use and disclose PHI created or received pursuant to this BAA as follows:
2.1.1 To perform the Services, as further described in the Agreement and which include functions, activities, and services to assist with Covered Entity’s Treatment, Payment, or Health Care Operations functions, including but not limited to: hosting a data management system (and functions related thereto, such as storing PHI, securing PHI, making PHI remotely accessible to Covered Entity and third parties designated by Covered Entity, IT assistance (e.g., troubleshooting, incident response, etc.), and other functionality), software integration and connectivity between Covered Entity and other third parties, and other services that Covered Entity may request from time to time; provided that such use or disclosure would not violate 45 C.F.R. Part 164, Subpart E if done by Covered Entity;
2.1.2 For the Business Associate’s proper management and administration or to carry out the Business Associate’s legal responsibilities, provided that, with respect to disclosure of the Covered Entity’s PHI, either:
2.1.3 To provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B), to the extent requested by Covered Entity.
2.1.4 To report violations of law to appropriate Federal authorities consistent with 45 C.F.R 164.502(j)(1), or as otherwise Required By Law.
2.1.5 To create de-identified data consistent with 45 C.F.R 164.514.
2.2 Minimum Necessary. Each party will make reasonable efforts to use, disclose, or request only the minimum necessary PHI to accomplish the intended purpose.
2.3 Safeguards. Business Associate will use reasonable and appropriate safeguards (and, if applicable, comply with 45 CFR subpart C with respect to Electronic Protected Health Information) to prevent the unauthorized use or disclosure of PHI.
2.4 Reporting Requirements. Business Associate shall, without unreasonable delay but in no event later than sixty (60) days, notify Covered Entity of any Breach of Unsecured Protected Health Information, or other use or disclosure not permitted under this BAA, of which Business Associate becomes aware. Business Associate shall report Security Incidents that do not constitute a Breach of Unsecured Protected Health Information to Covered Entity in the form of an aggregate report on an annual basis or such other frequency that is reasonable under the circumstances. Business Associate further agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate resulting from a Breach or other unauthorized use or disclosure of PHI.
2.5 Agents and Subcontractors. Business Associate will ensure that any agent or Subcontractor to whom it provides PHI agrees in writing to substantially similar restrictions and conditions that apply to Business Associate through this BAA.
2.6 Inspection of Books and Records. Business Associate will make its internal books and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for the purpose of determining Covered Entity’s compliance with the HIPAA Rules.
2.7 Access. In the event that Business Associate maintains PHI in a Designated Record Set, Business Associate will provide access to PHI to Covered Entity in order to allow Covered Entity to satisfy its obligations under 45 C.F.R. § 164.524.
2.8 Amendment. In the event that Business Associate maintains PHI in a Designated Record Set, Business Associate will make amendments to PHI as directed by Covered Entity in order to allow Covered Entity to satisfy its obligations under 45 CFR § 164.526.
2.9 Accounting of Disclosures. Business Associate will make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
3.1 Privacy Notice. Covered Entity will notify Business Associate of any limitations in its Notice of Privacy Practices or other limitations Covered Entity has agreed to, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI.
3.2 Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
3.3 Restrictions. Covered Entity shall notify Business Associate of any restrictions in the use or disclosure of PHI from an Individual that Covered Entity has agreed to in accordance with 45 C.F.R 164.522.
4.1 Term. Upon termination of the BAA, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that the Business Associate still maintains in any form and retain no copies of such information. If return or destruction of the PHI is not feasible, Business Associate will extend the protections of this BAA to the PHI for so long as Business Associate maintains the PHI and will limit further uses and disclosures of such PHI to the purpose that renders return or destruction infeasible.
4.2 Termination for Cause. In the event that either Party violates a material term of this BAA, the other Party may terminate the BAA provided that the non-breaching Party notifies the breaching Party of such breach and provides the breaching Party with an opportunity to cure the breach or end the violation. If such violation is not cured within thirty (30) days, the non-breaching Party may terminate this BAA.
The Parties agree to take reasonable actions to amend this BAA if amendment is necessary to comply with the HIPAA Rules.
Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules. This BAA shall supersede any previous BAA between the Parties that was entered into for the purpose of protecting PHI.