Metadvice has prepared these Terms of Use to help you understand the terms governing your use of our Services. We urge you to read these Terms of Use carefully because by registering and using our Services you are concluding a legally binding agreement. If you do not agree to these Terms of Use, please do not use our Services.
Metadvice’s mission is to save lives and improve the quality of life of patients with rare and difficult-to-diagnose diseases. By making our innovative technology and tools available through our websites, web applications and mobile applications (“our Applications”), we intend to support healthcare professionals in their activities related to search and reference of precision medicine, capture and maintain clinical data archives, facilitate easy peer communication, access relevant medical content, share clinical data with relevant stakeholders, support research activities and continue their medical training and education.
You agree that by registering for an account (“User Account”) and/or purchasing a subscription (“Subscription”) to access our website, online services provided through our applications, technology, tools and other information provided to you by us or through our applications, platforms and systems (collectively, the “Services”), you are entering (or if you have filled in the registration page that you are registering a company, organization, medical practice or other entity (a “Registrant”), then such Registrant is entering) into a legally binding agreement with Metadvice Ltd (“we,” “us,” “our,” and “Metadvice”) based on the terms of this User Agreement and our Privacy Policy, and to the extent applicable, our Research Terms and Conditions, which is hereby incorporated by reference (collectively referred to as the “Agreement”) and become a user of Metadvice (“User”).
If you are agreeing on behalf of a Registrant to these Terms of Use (i.e., you have filled in the name of a company, organization, medical practice or other entity as the owner of the account), then (a) you represent and warrant that you have authority to agree to these terms on behalf of the Registrant, (b) the term “you” and “User” in this Agreement shall hereafter refer to Registrant (unless expressly stated it applies to you “personally”), and (c) you personally are nevertheless individually bound to comply with the terms of this Agreement even if the Registrant has a separate agreement with us. If you do not want to become a User or do not agree to abide by this Agreement, do not register for a User Account or purchase a Subscription and do not access, view, download or otherwise use any of the Services. By registering for a User Account and/or purchasing a Subscription, you acknowledge that you have read and understood the terms and conditions of this Agreement and that you agree to be bound by all of its provisions. By registering for a User Account and/or purchasing a Subscription, you also consent to use electronic signatures and acknowledge your registration as one. Please note that this User Agreement is also referred to as Metadvice’s “Terms of Use.”
Subscriptions:
Metadvice offers unpaid Subscriptions for limited Services (each an “Unpaid Subscription”) and paid Subscriptions providing additional Services provided by Metadvice directly or through third party vendors. A Registrant with a registered domain name may purchase a Subscription that enables individuals affiliated with such Registrant to register for a User Account using an email address at such domain name at no additional cost to the individual (a “Network Subscription”). Alternatively, a Subscription may have been purchased for a single registered account (an “Individual Subscription”). For purposes of clarity, all references to “Subscription(s)” hereunder shall apply to Unpaid Subscriptions, Network Subscriptions and Individual Subscriptions.
Your Obligations:
License and warranty for your submissions to Metadvice
You must comply with all applicable laws, the Agreement, as may be amended from time to time with or without advance notice, and the policies and processes explained below:
Service Eligibility
To be eligible to use the Services, you must meet the following criteria and represent and warrant that: (1) you personally are (a) 18 years of age or older, and (b) a certified physician, medical student, other health care professional or one of their patients; and (2) you personally and, if applicable, you the Registrant (a) are not currently restricted from the Services, or not otherwise prohibited from having a User Account, (b) are not a competitor of Metadvice or are not using the Services for reasons that are in competition with Metadvice, (c) have full power and authority to enter into this Agreement and doing so will not violate any other agreement to which you are a party, (d) will not violate any rights of Metadvice, including intellectual property rights such as copyright or trademark rights, and (e) agree to provide at your cost all equipment, software, and internet access necessary to use the Services.
Sign-In Credentials
You agree to: (1) Keep your password secure and confidential; (2) not permit others to use your login credentials to access your User Account; (3) refrain from using other Users’ User Accounts; (4) refrain from selling, trading, or otherwise transferring your User Account or any information and content of another Metadvice user to another party; and (5) refrain from charging anyone for access to any portion of the Services, or any information therein. Further, you are responsible for anything that happens through your User Account until you close down your User Account or prove that your User Account security was compromised due to no fault of your own.
Indemnification
You agree to indemnify and hold harmless Metadvice, its officers, employees, agents, subsidiaries, affiliates and other partners, from and against any claims, actions or demands, liabilities and settlements including without limitation, reasonable legal and accounting fees, resulting from, or alleged to result from your use of the Services, your violation of this Agreement, or your posting of content, except in each case due to Metadvice or the Services infringing the intellectual property rights of third parties or violating applicable law (other than due to content you provided).
Notifications and Service Messages
For purposes of service messages and notices about the Services to you, Metadvice may place a banner notice across its pages to alert you to certain changes such as modifications to this Agreement. Alternatively, notice may consist of an email from Metadvice to an email address associated with your User Account, even if we have other contact information. You also agree that Metadvice may communicate with you through your User Account or through other means including email, mobile number, telephone, or delivery services including the postal service about your User Account or services associated with Metadvice. You acknowledge and agree that we shall have no liability associated with or arising from your failure to maintain accurate contact or other information, including, but not limited to, your failure to receive critical information about the Services.
User-To-User Communication and Sharing
Metadvice offers various message boards and tools that facilitate peer communication. These message boards are designed to be used only by healthcare professionals and we do our best to grant access only to Users who are validated as such. However, we cannot guarantee that all users are indeed healthcare professionals.
We may decide to remove content from these channels, if we believe that the content violates this Agreement or others’ intellectual property rights. We can also decide to restrict access to Users who we suspect or believe are not healthcare professionals, at our sole discretion.
Please note that ideas you post and information you share may be seen and used by other Users, and Metadvice cannot guarantee that other Users will not use the ideas and information that you share on Metadvice. Therefore, if you have an idea or information that you would like to keep confidential and/or don’t want others to use, or that is subject to third party rights that may be infringed by your sharing it, do not share it on Metadvice. Metadvice IS NOT RESPONSIBLE FOR A USER’S MISUSE OR MISAPPROPRIATION OF ANY CONTENT OR INFORMATION YOU POST, UPLOAD, OR TRANSMIT WITHIN Metadvice.
Privacy
Our Privacy Policy, including our Data Sharing and Protection Policy, governing treatment of PHI is hereby incorporated into this Agreement by reference, and governs our treatment of any information, including personally identifiable information you submit to us. Please note that certain information, statements, data, and content which you may submit to Metadvice, might, or are likely to, reveal gender, ethnic origin, nationality, age, and/or other personal information. You acknowledge that your submission of any information, statements, data, and content to us is voluntary on your part.
Contributions to Metadvice
By submitting ideas, suggestions, documents, and/or proposals (“Contributions”) to Metadvice through its suggestion or feedback webpages, you acknowledge and agree that: (a) your Contributions do not contain confidential or proprietary information; (b) Metadvice is not under any obligation of confidentiality, express or implied, with respect to the Contributions; (c) Metadvice shall be entitled to use or disclose (or choose not to use or disclose) such Contributions for any purpose, in any way, in any media worldwide; (d) Metadvice may have something similar to the Contributions already under consideration or in development; (e) you irrevocably assign to Metadvice all rights to your Contributions; and (f) you are not entitled to any compensation or reimbursement of any kind from Metadvice under any circumstances.
Posted Data
Certain information and content made available by Metadvice through the Services is gathered from publicly available data or submitted by other Users, and Metadvice cannot guarantee the accuracy of such information. Use of the Services by you is conditioned upon your agreement that all of the information and content is for informational and educational purposes only and should not be relied upon, and that as a User, you agree to hold harmless Metadvice and other Users and data suppliers for your use or reliance on such information.
Code of Conduct
You hereby undertake to always take the following actions:
You hereby undertake never to take the following actions:
Your Rights:
Subject to your compliance with all your obligations under this Agreement, we grant you a limited, revocable, nonexclusive, nonassignable, nonsublicenseable license and right to access the Services, through a generally available web browser, mobile device or application (but not through scraping, spidering, crawling or other technology or software used to access data without the express written consent of Metadvice or its Users), view information and use the Services that we provide in accordance with this Agreement. Any other use is strictly prohibited and a violation of this Agreement. We reserve all rights not expressly granted in this Agreement, including, without limitation, title, ownership, intellectual property rights, and all other rights and interest in Metadvice and all related items.
Our Rights and Obligations:
Services Availability
For as long as Metadvice continues to offer the Services, Metadvice shall provide and seek to update, improve and expand the Services. As a result, we allow you to access Metadvice as it may exist and be available on any given day and have no other obligations, except as expressly stated in this Agreement. We may modify, replace, refuse access to, suspend or discontinue the Services, partially or entirely, or change and modify prices for all or part of the Services for you or for all our users in our sole discretion. All of these changes shall be effective upon their posting on our site or by direct communication to you unless otherwise noted. Metadvice further reserves the right to withhold, remove and/or discard any content available as part of your User Account, with or without notice if deemed by Metadvice to be contrary to this Agreement. For avoidance of doubt, Metadvice has no obligation to store, maintain or provide you a copy of any content that you or other Users provide when using the Services.
Third Party Sites and Content
Metadvice may include links to third party web sites or content from third party providers (“Third Party Sites”) on our websites or through our Applications. You are responsible for evaluating whether you want to access or use a Third Party Site. You should review any applicable terms and/or privacy policy of a Third Party Site before using it.
Metadvice is not responsible for and does not endorse any features, content, advertising, products or other materials on or available from Third Party Sites. Accordingly, if you decide to access Third Party Sites, you do so at your own risk.
Third Party Materials
The Services may allow you to access certain third party data and databases. Your use of such third party materials through the Services is subject to the terms and conditions set forth in Exhibit B hereto and you hereby agree to be bound by such terms and conditions.
Disclosure of User Information
You acknowledge, consent and agree that we may access, preserve, and disclose your registration and any other information you provide if required to do so by law or in a good faith belief that such access, preservation or disclosure is reasonably necessary in our opinion to: (1) comply with legal process, including, but not limited to, civil and criminal subpoenas, court orders or other compulsory disclosures; (2) enforce this Agreement; (3) respond to claims of a violation of the rights of third parties, whether or not the third party is a User, individual, or government agency; (4) respond to customer service inquiries; or (5) protect the rights, property, or personal safety of Metadvice, our Users or the public.
Disclosures of User information to third parties other than those required to provide customer support, administer this agreement, or comply with legal requirements are addressed in the Privacy Policy.
Connections and Interactions With Other Users
You are solely responsible for your interactions with other Users, including for sharing information with other Users through the Services. Metadvice may limit the number of colleague connections you may have to other Users and may, in certain circumstances, prohibit you from contacting other Users through use of the Services or otherwise limit your use of the Services. Metadvice reserves the right, but has no obligation, to monitor disputes between you and other members and to restrict, suspend, or close your User Account if Metadvice determines, in our sole discretion, that doing so is necessary to enforce this Agreement.
You agree that from time to time Metadvice may invite or otherwise make you aware of certain educational, promotional or financial opportunities relating to Your Communications and profile.
Term and Termination
Subscription Term
Subject to earlier termination as described herein, this Agreement will remain in full force and effect during the term of your Subscription (“Subscription Term”) while you use the Services. With respect to paid Network Subscriptions and Individual Subscriptions, the Subscription Term shall be the initial term of Services which you paid for when purchasing your Subscription (and which is typically one (1) year). If, when purchasing such Subscription, you agreed to the Subscription Term automatically renewing, then the Subscription Term shall automatically renew subject to your payment of the applicable renewal fee unless you notify us or we notify you at least thirty (30) days in advance of such renewal date with respect to a decision not to renew. With respect to Unpaid Subscriptions, the Subscription Term shall continue indefinitely until Metadvice or the User terminates this Agreement or the User’s User Account as described below.
Termination by User
You may terminate this Agreement (and your Subscription) for any or no reason, at any time, with notice to Metadvice. This notice will be effective upon Metadvice processing your notice. If you purchased a Network Subscription or Individual Subscription, in no event will you be eligible for a refund of any portion of the fees paid for the then-current Subscription Term.
Termination by Metadvice
If you have an Unpaid Subscription, Metadvice may, with or without cause, terminate the Agreement and your User Account at any time, with or without notice.
Without limiting the foregoing, if Metadvice reasonably believes that you have breached this Agreement, Metadvice may terminate the Agreement and your User Account for a paid Subscription or Unpaid Subscription at any time, with or without notice. This cancellation shall be effective immediately or as may be specified in the notice. Upon such termination, if you purchased a Network Subscription or Individual Subscription, in no event will you be eligible for a refund of any portion of the fees paid for the then-current Subscription Term. Termination of your User Account includes disabling your access to the Services and may also bar you from any future use of the Services.
Misuse of the Services
Without limiting its termination rights, Metadvice may restrict or suspend the User Account for a paid Subscription or Unpaid Subscription of any User who abuses or misuses the Services or offers competitive services. Misuse of the Services includes breach of any of your obligations under this Agreement or any other behavior that Metadvice, in its sole discretion, deems contrary to its purpose.
Network Users
If you registered for a User Account under a Network Subscription, Metadvice reserves the right to terminate your User Account and revoke your access to the Services immediately upon expiration or termination of such Network Subscription.
Effect of Termination
Upon the termination of your User Account, you lose access to the Services. The terms of this Agreement shall survive any termination, except the terms set forth under “Your Rights” hereof.
Disclaimer of Warranties
The Services (including, without limitation, the website and any platform applications) and all content and materials accessed through or downloaded from Metadvice are provided on an “as is” and “as available” basis. Metadvice does not control or vet User generated content for accuracy. We do not make and we disclaim all express and implied warranties and representations, including, but not limited to, any warranties of merchantability, fitness for a particular purpose, title, accuracy of data, and non-infringement. Without limiting the foregoing, we do not warrant that access to the Services will be uninterrupted or error-free or that defects in the website or mobile applications will be corrected. Metadvice is not responsible and makes no representations or warranties for the delivery of any messages sent through the Services to anyone. Any material, service, or technology described or used on the website may be subject to intellectual property rights owned by third parties who have licensed such material, service, or technology to us.
Medical Disclaimer
The contents of Metadvice, such as text, graphics, images, information obtained from Metadvice’s licensors, Users, employees and other material contained in the Services (“Content”) is for informational and educational purposes only and are not a substitute for the professional judgment of a health care professional in diagnosing and treating patients. Neither the content nor any other service offered by or through the Services is intended to be for medical diagnosis or treatment. Persons accessing this information assume full responsibility for the use of the information and agree that Metadvice is not responsible or liable for any claim, loss, or damage arising from the use of the information. Metadvice does not recommend or endorse any specific drugs, tests, physicians, products, procedures, opinions, “off-label” drug uses or other information that may be mentioned through the Services and Users are required to disclose any such conflicts of interest. Your reliance upon the Content obtained or used by you is solely at your own risk.
Metadvice reminds you that the Services are not meant to serve as a substitute for your own professional medical judgment. You should always exercise your professional judgment in evaluating your patients, and you should carefully consider any treatment plan. Metadvice encourages you to confirm the information made available or otherwise obtained through the Services with other reliable sources before undertaking any treatment.
How we may use the information we collect
Our Services help medical professionals and patients to select from relevant diagnostics and therapies, and facilitate easy peer communication. The information you choose to provide on our Services is used to help you describe yourself to other Users. Other information that does not personally identify you as an individual is collected by Metadvice from Users (such as, for example, patterns of utilization) and is exclusively owned by Metadvice. This information is used by us to continue to improve our Services and to perform our marketing communications.
Limitation of Liability
Under no circumstances shall Metadvice, its partners, contributors, agents, employees, directors, or affiliates be liable for any indirect, incidental, special, exemplary, punitive, or consequential damages (even if it has been advised of the possibility of such damages), including but not limited to damages arising from your use of the Services (including the website or any platform applications) or any of the content or other materials accessed through or downloaded from Metadvice. Metadvice’s liability for damages for any claims whatsoever, and for all claims in the aggregate, regardless of the form of any claim or action, shall not exceed: (a) with respect to paid Network Subscriptions and Individual Subscriptions, the subscription fees paid by you for the Subscription Term in which the most recent claim arose; or (b) with respect to Unpaid Subscriptions, $100. This limitation of liability is part of the basis of the bargain between the parties and without it the terms and prices charged would be different. This limitation of liability shall apply regardless of whether (1) you base your claim on contract, tort, statute or any other legal theory, (2) we knew or should have known about the possibility of such damages, or (3) the limited remedies provided in this section fail their essential purpose.
Data Protection Addendums
Metadvice complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under HIPAA, Metadvice may be considered a Business Associate. If you are a Covered Entity under HIPAA and are using the Services to process certain protected health information of individuals residing in the US, You and Metadvice agree to be bound by the terms of the Business Associates Addendum provided in Exhibit A.
Metadvice complies with the EU General Data Protection Regulation (GDPR). Under GDPR, Metadvice may be considered a Data Processor. If you are a Data Controller under GDPR and are using the Services to process certain protected health information of individuals residing in the EU, You and Metadvice agree to be bound by the terms of the Data Processing Addendum provided in Exhibit A.
Addresses for Notices
Metadvice Ltd
158 Montagu Mansions
London W1U 6LQ
For our users in Switzerland:
Metadvice SA (Suisse)
Chemin du Moulin du Choc 23
1121 Bremblens
For our users in the US:
Metadvice
400 Berry St. SE
Vienna VA 22180
For Covered Entity/Data Controller:
The notice address for Covered Entity will be the address provided by that entity on the online registration page for the Metadvice service
General Terms
Severability
If any provision of this Agreement is found by a court of competent jurisdiction or arbitrator to be illegal, void, or unenforceable, the unenforceable provision will be modified so as to render it enforceable and effective to the maximum extent possible in order to effect the intention of the provision; and if a court or arbitrator finds the modified provision invalid, illegal, void or unenforceable, the validity, legality and enforceability of the remaining provisions of this Agreement will not be affected in any way.
Entire Agreement
You agree that this Agreement constitutes the entire, complete and exclusive agreement between you and us regarding the Services and supersedes all prior agreements and understandings, whether written or oral, or whether established by custom, practice, policy or precedent, with respect to the subject matter of this Agreement. You also may be subject to additional terms and conditions that may apply when you use or purchase certain other Metadvice services, third-party content or third party software.
Initial Posting and Amendments to This Agreement
This Agreement will be posted on https://www.metadvice.net. We reserve the right to modify, supplement or replace the terms of the Agreement, effective upon posting at https://www.metadvice.net or notifying you otherwise. For example, Metadvice presents a banner on the site when we have amended this Agreement or the Privacy Policy so that you may access and review the changes prior to your continued use of the site. If you do not want to agree to changes to the Agreement, you can terminate this Agreement at any time per this Agreement.
No Informal Waivers, Agreements or Representations
Our failure to act with respect to a breach of this Agreement by you or others does not waive our right to act with respect to that breach or subsequent similar or other breaches. Except as expressly and specifically contemplated by the Agreement, no representations, statements, consents, waivers or other acts or omissions by any Metadvice Affiliate shall be deemed legally binding on any Metadvice Affiliate, unless documented in a physical writing hand signed by a duly appointed officer of Metadvice.
No Injunctive Relief
In no event shall you seek or be entitled to rescission, injunctive or other equitable relief, or to enjoin or restrain the operation of the Services, exploitation of any advertising or other materials issued in connection therewith, or exploitation of the Services or any content or other material used or displayed through the Services.
Assignment and Delegation
You may not assign or delegate any rights or obligations under the Agreement. Any purported assignment and delegation shall be ineffective. We may freely assign or delegate all rights and obligations under the Agreement, fully or partially without notice to you. We may also substitute, by way of unilateral novation, effective upon notice to you, Metadvice for any third party that assumes our rights and obligations under this Agreement.
Complaints Regarding Content Posted on Our Website or Mobile Applications
We respond expeditiously to notices of claimed copyright infringement and it is our policy to terminate User Accounts for Users who are repeat infringers. If you believe any materials accessible on or from the Services infringe your copyright, you may request removal of those materials (or access thereto) from the Services by contacting Metadvice’s Copyright Agent (listed below), and providing the following information:
Data Protection Officer
Metadvice has a “Data Protection Officer” who is responsible for matters relating to privacy and data protection.
This Data Protection Officer can be reached at the following address:
Metadvice Ltd
Attn: Data Protection Officer
158 Montagu Mansions
London W1U 6LQ
United Kingdom
email: dpo@metadvice.net
Exhibit A - Data Protection Addendums
Business Associate Addendum
This Business Associate Addendum (the “Addendum”) is incorporated into the User Agreement (“Agreement”) and applies in respect of the provision of the Services to the User if the User is subject to HIPAA, only to the extent the User (“Covered Entity”) is using the Services provided by Metadvice (“Business Associate”) to process certain protected health information of individuals residing in the United States.
Witnesseth
WHEREAS, Congress enacted the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which protects the confidentiality of health information;
WHEREAS, pursuant to HIPAA, the United States Department of Health and Human Services (“HHS”) promulgated Privacy Standards and Security Standards, each as defined below, governing confidential health information;
WHEREAS, Business Associate performs services through its provision of the Metadvice service (the “Service”) on behalf of Covered Entity;
WHEREAS, Business Associate’s provision of the Service requires Covered Entity to provide Business Associate with access to confidential health information; and
WHEREAS, in order to comply with the business associate requirements of HIPAA and its implementing regulations, Business Associate and Covered Entity must enter into an agreement that governs the uses and disclosures of such confidential health information by the Business Associate.
NOW, THEREFORE, in consideration of the foregoing recitals, the mutual promises and covenants set forth herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
Definitions.
Identification of the copyrighted work that you believe to be infringed. Please describe the work, and where possible include a copy or the location (e.g., URL) of an authorized version of the work.
For purposes of this Addendum, the following terms shall have the following meanings:
“Breach” when capitalized, “Breach” shall have the meaning set forth in 45 C.F.R. 164.402 (including all of its subsections); with respect to all other uses of the word “breach” in this Addendum, the word shall have its ordinary contract meaning.
“Business Associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. § 160.103.
“Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 C.F.R. § 160.103.
“Aggregated Data” shall mean any data assembled as the result of “data aggregation” as that term is defined in 45 CFR § 164.501.
“De-Identified Data” shall mean any data meeting the specifications set out in 45 CFR § 164.514(a) and §164.514(a) or (b)(1) or (2).
“Electronic Media” shall have the meaning set forth in 45 C.F.R. 160.103, which is defined as electronic storage media (including memory devices in computers, hard drives, any removable or transportable digital memory medium, such as magnetic tape or disk, optical disk or digital memory card) or transmission media used to exchange information already in electronic storage media (including the Internet, extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media). Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged does not exist in electronic form before the transmission.
“Electronic Protected Health Information” or “EPHI” shall mean Individually Identifiable Health Information that is (i) transmitted by Electronic Media or (ii) maintained in any medium constituting Electronic Media. For instance, EPHI includes information contained in a patient’s electronic medical records and billing records. “EPHI” shall not include (i) education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a Covered Entity in its role as employer.
“HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
“HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, effective February 17, 2009.
“Individual” shall have the same meaning as set forth in 45 C.F.R. 160.103, defined as the person who is the subject of PHI, and shall include a personal representative in accordance with 45 C.F.R. 164.502(g).
“Individually Identifiable Health Information” shall mean information that is a subset of health information, including demographic information collected from an individual, and
(i) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (a) identifies the individual, or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, Subparts A, D, and E, as currently in effect.
“Protected Health Information” or “PHI” shall mean Individually Identifiable Health Information that is (i) transmitted by Electronic Media, (ii) maintained in any medium constituting Electronic Media; or (iii) transmitted or maintained in any other form or medium. For instance, PHI includes information contained in a patient’s medical records and billing records. “Protected Health Information” shall not include (i) education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a Covered Entity in its role as employer.
“Required by Law” shall have the same meaning as the term “Required by law” in 45 C.F.R. 164.103.
“Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or any office or person within the U.S. Department of Health and Human Services to which/whom the Secretary has delegated his or her authority to administer the Privacy Standards and the Security Standards, such as the Director of the Office for Civil Rights.
“Security Standards” shall mean Security Standards for the Protection of Electronic Protected Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and C.
“Subsequent Business Associate” shall mean any agent, including subcontractors, of Business Associate to whom Business Associate discloses Protected Health Information or Electronic Protected Health Information.
“Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. 164.402, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
All references to “days” in this Addendum shall mean calendar days. Capitalized terms used but not defined herein or in the Agreement shall have the meanings ascribed to them in the Privacy Standards or the Security Standards.
Business Associate Obligations. Business Associate acknowledges and agrees that it is considered a “business associate” as defined by HIPAA and by regulations promulgated thereunder. As a business associate of Covered Entity, Business Associate shall comply with the following terms of this Addendum, as required pursuant to 45 C.F.R. § 164.504.
2.1 Permitted Uses and Disclosures. Business Associate agrees that it shall use and disclose Protected Health Information received from Covered Entity for the purposes of providing the Service, as otherwise permitted under this Addendum, or as Required by Law. Business Associate is authorized to use Protected Health Information to de-identify or aggregate any such data received hereunder in accordance with 45 C.F.R. § 164.514(a)-(c) and Business Associate shall have a non-exclusive, perpetual and unlimited royalty-free license to use and disclose the De-Identified or Aggregated Data collected or created from PHI received under this Addendum, including without limitations, for purposes of continuing to develop its Services and the underlying technologies, through research and development activities. Business Associate agrees to follow guidance issued by the Secretary regarding what constitutes “minimum necessary” with respect to the use or disclosure of PHI and EPHI. Until such time that such guidance is issued, Business Associate shall limit its use or disclosure of PHI and EPHI, to the extent practicable, to the limited data set (as defined in 45 C.F.R. 164.514(e)(2)), or to the minimum necessary to accomplish the intended purpose of such use, disclosure or request, respectively.
2.2 Disclosures to Subsequent Business Associates. Business Associate shall not disclose any PHI to any Subsequent Business Associate, unless and until Business Associate and the Subsequent Business Associate have entered into an agreement containing the same terms and conditions as set forth in this Addendum.
2.2.1 Business Associate, in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2), if applicable, shall ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
2.3 Reporting Violations of Law. Consistent with the requirements of 45 C.F.R. 164.502(j)(1), Business Associate may disclose Protected Health Information to report violations of law to appropriate Federal and State authorities.
2.4 Appropriate Safeguards. Business Associate shall implement appropriate administrative, technical, and physical safeguards to prevent any use or disclosure of Protected Health Information not authorized by this Addendum. Specifically, Business Associate agrees to comply with the requirements of 45 C.F.R. 164.308, 164.310, 164.312 and 164.316 to the same extent such requirements apply to Covered Entity.
2.5 Reporting of Illegal, Unauthorized or Improper Uses or Disclosures and Remedial Actions. Business Associate shall report to Covered Entity any illegal, unauthorized, or improper use or disclosure of Protected Health Information, Security Incident or any Breach (collectively, “Known Misuse”) by it or a Subsequent Business Associate without unreasonable delay and within ten (10) business days of obtaining knowledge of such Known Misuse. Additionally, if the Known Misuse is a Breach of Unsecured Protected Health Information, Business Associate shall comply with the requirements of 45 C.F.R. 164.410. Business Associate shall take, or, in the event that the acts or omissions of a Subsequent Business Associate gave rise to the Known Misuse, shall require a Subsequent Business Associate to take, commercially reasonable actions to mitigate the negative impact of any Known Misuse and adopt additional or improve existing safeguards to prevent recurrence. The parties acknowledge and agree that this section 2.5 constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of unsuccessful security incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful security incidents” mean, without limitation, pings, and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI or EPHI.
2.6 Internal Practices, Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary, or their designees, for purposes of determining and facilitating Business Associate’s and Covered Entity’s compliance with the Privacy Standards and Security Standards.
2.7 Access to Protected Health Information.
2.7.1 Within ten (10) days of a request by Covered Entity, Business Associate shall provide Protected Health Information in its possession or in the possession of a Subsequent Business Associate to Covered Entity in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.524 to provide Individuals with access to their Protected Health Information.
2.7.2 Business Associate shall notify Covered Entity within five (5) days of receiving a request from an Individual to access Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.
2.8 Amendments to Protected Health Information.
2.8.1 Within ten (10) days of a request by Covered Entity, Business Associate shall provide Protected Health Information in its possession or in the possession of a Subsequent Business Associate to Covered Entity in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.526 to provide Individuals the right to amend their Protected Health Information.
2.8.2 Business Associate shall notify Covered Entity within five (5) days of receiving a request from an Individual to amend Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.
2.9 Accounting of Disclosures.
2.9.1 Within twenty (20) days of a request by Covered Entity, Business Associate shall provide Covered Entity with an accounting of all disclosures of Protected Health Information, other than disclosures excepted from the Privacy Standards accounting requirement under 45 C.F.R. 164.528(a)(1)(i)-(ix), made by Business Associate or by a Subsequent Business Associate in the previous six (6) years (but in no event prior to April 14, 2003) in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.528 to provide Individuals with an accounting of disclosures of their Protected Health Information.
2.9.2 Such accounting shall include, with respect to each disclosure: the date of the disclosure; the name (and address, if known) of the entity or person receiving the Protected Health Information; a description of the Protected Health Information disclosed; a statement of the purpose of the disclosure; and any other information the Secretary may require under 45 C.F.R. 164.528 (collectively, “Disclosure Information”).
2.9.3 Notwithstanding Section 2.11.2, for repetitive disclosures of Protected Health Information that Business Associate makes for a single purpose to the same person or entity, Business Associate may record: (a) the Disclosure Information for the first of these repetitive disclosures; (b) the frequency, periodicity or number of these repetitive disclosures made during the accounting period; and (c) the date of the last of these repetitive disclosures.
2.9.4 Business Associate shall notify Covered Entity within ten (10) days of receiving a request from an Individual for an accounting of disclosures of Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.
2.9.5 In accordance with the HITECH Act, the parties acknowledge that the Secretary shall promulgate regulations regarding the right of Individuals to receive an accounting of disclosures made for treatment, payment and healthcare operations during the previous three (3) years if such disclosures are made through the use of an electronic health record. The parties agree to comply with such regulations promulgated by the Secretary as of the effective date of those regulations.
2.10 Subpoenas, Court Orders, and Governmental Requests. If Business Associate receives a court order, subpoena, or governmental request for documents or other information containing Protected Health Information, Business Associate will use reasonable efforts to notify Covered Entity of the receipt of the request within ten (10) business days to provide Covered Entity an opportunity to respond. Business Associate may comply with such order, subpoena, or request as Required by Law or permitted by law.
2.11 Remuneration in Exchange for PHI. Except as permitted by the HITECH Act or regulations promulgated by the Secretary in accordance with the HITECH Act, and as of the effective date of such regulations, Business Associate shall not directly or indirectly receive remuneration in exchange for PHI unless Covered Entity notifies Business Associate that it obtained a valid authorization from the Individual specifying that the Individual’s PHI may be exchanged for remuneration by the entity receiving such Individual’s PHI.
Covered Entity Obligations.
3.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of limitation(s) in its notice of privacy practices, to the extent such limitation affects Business Associate’s permitted Uses or Disclosures.
3.2 Individual Permission. Covered Entity shall notify Business Associate of changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes affect Business Associate’s permitted Uses or Disclosures.
3.3 Restrictions. Covered Entity shall notify Business Associate of restriction(s) in the Use or Disclosure of PHI that Covered Entity has agreed to, to the extent such restriction affects Business Associate’s permitted Uses or Disclosures.
3.4 Consents and Authorizations. Covered Entity represents and warrants that any and all consents, authorizations, or other permissions necessary under the Privacy Standards or other applicable law (including state law) to transmit information through the Service and/or under this Addendum have been properly secured.
3.5 Marketing. Covered Entity represents and warrants that it has obtained any and all authorizations from Individual for any use or disclosure of PHI for marketing, unless the marketing communication is made without any form of remuneration (i) to describe medical services or products provided by either party; (ii) for treatment of the Individual; or (iii) for case management or care coordination for the Individual or to direct or recommend alternate treatments, therapies, providers or settings.
3.6 Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164.
Term and Termination.
4.1 Term. The Term of this Addendum shall commence on and this Addendum shall be effective as of the date on which Covered Entity electronically registers for the Service, and shall continue in effect for as long as Covered Entity is registered for the Service.
4.2 Termination for Cause. In the event either party determines that the other has engaged in a pattern of activity or practice that constitutes a material breach of a term of this Addendum and such violation continues for thirty (30) days after written notice of such breach has been provided, the party claiming a breach shall have the right to terminate Covered Entity’s participation on the Service or, if termination is not feasible, to report the breach to the Secretary.
4.3 Effect of Termination.
4.3.1 Return or Destruction of Protected Health Information; Disposition When Return or Destruction Not Feasible. Upon termination of this Addendum, the parties hereby acknowledge that the return or destruction of PHI received by the Business Associate from Covered Entity is not feasible, and that, therefore, Business Associate may retain a copy of such Protected Health Information provided that: (i) the provisions of this Addendum shall continue to apply to any such information retained following cancellation, termination, expiration, or other conclusion of Covered Entity’s participation on the Service; and (ii) Business Associate shall limit Uses and Disclosures of such PHI to those purposes that make the return or destruction thereof not feasible, for as long as Business Associate maintains such PHI. Furthermore, Business Associate may de-identify or aggregate any PHI received under this Addendum and Business Associate shall have a non-exclusive, perpetual and unlimited royalty-free license to use and disclose the De-Identified or Aggregated Data collected or created from PHI received under this Addendum.
4.3.2 Reasonable Fees. All reasonable fees incurred to cause the return, destruction, or storage of Protected Health Information under this Section 4.3 shall be borne by the Covered Entity.
Miscellaneous.
5.1 Regulatory References. A reference in this Addendum to a section in HIPAA, the HITECH Act, the Privacy Standards, or the Security Standards means the section as in effect or as amended at the time.
5.2 Survival. The respective rights and obligations of the parties under Section 4.3 of this Addendum shall survive the termination of this Addendum.
5.3 Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits the parties to comply with the Privacy Standards and Security Standards. Except to the extent specified by this Addendum, all of the terms and conditions governing Covered Entity’s participation on the Service shall be and remain in full force and effect. In the event of any inconsistency or conflict between this Addendum and the terms and conditions governing Covered Entity’s participation on the Service, the terms and provisions and conditions of this Addendum shall govern and control.
5.4 Amendment. The parties shall work together through reasonable negotiations to amend this Addendum as necessary to comply with any changes in law, including, but not limited to, the promulgation of amendments to the Privacy Standards or Security Standards required by the HITECH Act or any other future laws, applicable to or affecting the rights, duties, and obligations of the parties under this Addendum or the terms and conditions governing Covered Entity’s participation on the Service.
5.5 Independent Relationship. None of the provisions of this Addendum are intended to create, nor will they be deemed to create, any relationship between the parties other than that of independent parties contracting with each other as independent contractors solely for the purposes of effecting the provisions of this Addendum and the terms and conditions governing Covered Entity’s participation on the Service.
5.6 Notices. All notices and notifications under this Addendum shall be sent in writing by traceable carrier to the listed persons on behalf of Business Associate and Covered Entity at the addresses indicated on the last page hereof, or such other address as a party may indicate by at least ten (10) days’ prior written notice to the other party. Notices will be effective upon receipt.
5.7 Construction and Jurisdiction. This Addendum shall be governed by and construed in accordance with the laws of the British Virgin Islands (excepting any conflict of laws provisions which would serve to defeat application of BVI law). Each of the parties hereto submits to the exclusive jurisdiction of the competent courts located within the British Virgin Islands for any suit, hearing or other legal proceeding of every nature, kind and description whatsoever in the event of any dispute or controversy arising hereunder or relating hereto, or in the event any ruling, finding or other legal determination is required or desired hereunder.
Data Processing Addendum
This Data Processing Addendum (the “Addendum”) is incorporated into the User Agreement (“Agreement”) and applies in respect of the provision of the Services to the User if the User is subject to the GDPR, only to the extent the User is a Controller of patient Personal Data (as defined below) that Metadvice Processes on behalf of the User. The Addendum is intended to satisfy the requirements of Article 28(3) of the GDPR. This Addendum shall be effective for the term of the Agreement.
Definitions
For the purposes of the Addendum:
“GDPR” means the General Data Protection Regulation (EU) 2016/679, together with any national implementing laws in any Member State of the European Union, as amended, repealed, consolidated or replaced from time to time; and
“Personal Data”, “Data Subject”, “Data Protection Authority”, “Data Protection Impact Assessment”, “Process”, “Processor” and “Controller” will each have the meaning given to them in the GDPR.
Capitalized terms not otherwise defined herein or in the Agreement shall have the meanings ascribed to them in the GDPR.
Description and purpose of the processing
The Processor is authorized to process, on behalf of the Controller, the necessary Personal Data to provide the Service(s). Personal Data may include names, dates of birth, ethnicity, gender, medical record numbers, facial photos, clinical and medical information and genetic and biometric data. Specifically, Processor is authorized to de-identify Personal Data and use such de-identified data to continue to enhance and develop its Service and underlying technologies, through research activities.
Processor’s obligations with respect to the Controller
The Processor shall undertake to:
Sub-processing
The Processor shall inform the Controller in advance of any intended changes concerning the addition or replacement of other Processors. With the written authorization of Controller, the Processor may engage another Processor (hereinafter “the Sub-Processor”) to conduct specific processing activities. The Processor must clearly indicate to Controller which processing activities are being subcontracted out, the name and contact details of the Sub-Processor and the dates governed by the subcontract. The Controller has a minimum timeframe of ten (10) business days from the date on which it receives said information to object thereto. Such sub-processing is only possible where the Controller has not objected thereto within the agreed timeframe.
The Sub-Processor is obliged to comply with the obligations hereunder on behalf of and on instructions from the Controller. It is the initial Processor’s responsibility to ensure that the Sub-Processor provides the same sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of the General Data Protection Regulation. Where the Sub-Processor fails to fulfil its data protection obligations, the initial Processor remains fully liable with regard to the Controller for the Sub-Processor’s performance of its obligations.
Data subjects’ right to information
It is the Controller’s responsibility to inform the data subjects concerned by the processing operations at the time data are being collected.
Exercise of data subjects’ rights
The Processor shall assist the Controller, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject’s rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
Where the data subjects submit requests to the Processor to exercise their rights, the Processor must forward these requests as soon as they are received by email to Controller.
Notification of personal data breaches
The Processor will reasonably assist the Controller in carrying out data protection impact assessments.
The Processor will reasonably assist the Controller with regard to prior consultation of the supervisory authority.
Security measures
The Processor undertakes to implement appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Data exit
The Processor undertakes to destroy all personal data within 90 days of receipt of a written request from Controller or from the time the Company ceases to provide the Services according to termination of the Agreement. Once destroyed, the Processor must demonstrate, in writing, that this destruction has taken place. All reasonable fees incurred to cause the destruction of Personal Data under this Section 3.8 shall be borne by the Controller.
The Data Protection Officer
The Processor states it has appointed a data protection officer in accordance with Article 37 of the GDPR and will provide the Controller the name and contact details of its data protection officer.
Record of categories of processing activities
The Processor states that it maintains a written record of all categories of processing activities carried out on behalf of the Controller containing all the information required by GDPR.
At the request of Controller, the Processor will provide the Controller with the necessary documentation for demonstrating compliance with all of its obligations hereunder to reasonably allow Controller to perform a data protection impact assessment.
Controller’s obligations with respect to the Processor
The Controller undertakes to
Miscellaneous.