Provider Terms of Service
Effective Date: February 4, 2021
Heartbeat Health operates a virtual cardiovascular telemedicine platform that connects and supports health care providers and their patients. Provider desires to use and enable the use of the platform and related services to provide online communications and consultations for the benefit of patients.
IMPORTANT – PLEASE READ THESE TERMS OF SERVICE (THE “AGREEMENT”) CAREFULLY BEFORE ATTEMPTING TO ACCESS OR USE THE HEARTBEAT HEALTH PLATFORM, APPLICATION OR ANY RELATED SERVICES. THIS AGREEMENT CONSTITUTES A LEGALLY BINDING AGREEMENT BETWEEN YOU OR THE ENTITY WHICH YOU REPRESENT AND ARE AUTHORIZED TO BIND (THE “PROVIDER”), AND HEARTBEAT HEALTH, INC. (“HEARTBEAT HEALTH”). THIS AGREEMENT GOVERNS THE ACQUISITION AND USE OF THE HEARTBEAT HEALTH PLATFORM, APPLICATION AND RELATED SERVICES. CAPITALIZED TERMS HAVE THE DEFINITIONS SET FORTH HEREIN. BY (1) CLICKING A BOX INDICATING ACCEPTANCE OR (2) USING THE PLATFORM, THE APPLICATION OR THE SERVICES, YOU ACCEPT AND AGREE TO THE TERMS OF THIS AGREEMENT. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS ACCEPTING ON BEHALF OF A LEGAL ENTITY, SUCH INDIVIDUAL REPRESENTS THAT THEY HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS “YOU” OR “PROVIDER” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES.
Heartbeat Health may change or replace any terms of this Agreement prospectively at any time and for any reason at Heartbeat’s discretion. Heartbeat Health will post the most current version of the Agreement on its website and in its Application. Any changes to this Agreement will become effective when posted. By continuing to access or use the Services after the posting of such changes, Provider agrees to the terms of this Agreement, as modified. If Provider disagrees with any changes, it should stop using the Services.
a. “Application” means Heartbeat Health’s mobile and web application(s) through which the Platform and Services will be made accessible for use under this Agreement.
b. “Business Associate Addendum” means the Business Associate Addendum attached as Exhibit A, which is incorporated and made part of this Agreement.
c. “Documentation” means the user manuals, help guides or online help functions made available within the Platform, the App and Services, as may be updated from time to time.
d. “Effective Date” means the date of acceptance of this Agreement.
e. “Intellectual Property Rights” means collectively all patent, trade secret, trademark, copyright (including any moral rights or statutory termination rights), and similar rights for the protection of inventions, works of authorship, recordings, mask works, and identification of source or sponsorship for goods or services in commerce.
f. “Malicious Code” means viruses, worms, Trojan horses and other code, files, scripts, agents, or programs designed for a harmful or malicious purpose.
g. “Patient” means a patient of Provider who is authorized by Heartbeat Health to use the Platform pursuant to the terms of the Heartbeat Health End User License Agreement.
h. “Patient Data” means any data or information (i) submitted to the Platform by or on behalf of a Patient (ii) submitted to the Platform by Provider for the benefit of the Patient. Patient Data shall include, but not be limited to, all medical records, online health profiles and any other health and nutrition information maintained on the Platform.
i. “Patient Protected Health Information” has the meaning assigned to that term in Section 9 (Confidentiality).
j. “Permitted Use” means the provision of (i) cardiovascular services to Patients by Registered Clinicians and (ii) related non-medical support services by Registered Administrators.
k. “Platform” means the online, Software-as-a-Service, cardiology-specific telemedicine platform made available by Heartbeat Health under this Agreement via https://www.heartbeathealth.com/ or through the Application, as the same may be updated from time to time.
m. “Provider” means the provider of cardiovascular services that has accepted the terms and conditions of this Agreement. A “Provider” may be either an individual or an entity (such as a group practice) represented by an individual with authority to bind such entity.
n. “Provider Information” means all data or information submitted by or on behalf of Provider to the Platform pursuant to this Agreement, but excluding Patient Data. For the avoidance of doubt, Provider Information does not include machine learning, know-how, statistics, or artificial intelligence developed by Heartbeat Health in and as part of the Platform during its normal operation (“AI”), provided that such AI is anonymized.
o. “Registered Administrators” means Provider’s administrators who are registered and authorized to use the Platform pursuant to the terms of this Agreement.
p. “Registered Clinicians” means the Registered Physicians and nurse practitioners, physician assistants, nurses and other medical providers in good standing affiliated with the Provider and under the supervision of Registered Physicians who are registered and authorized to use the Platform pursuant to the terms of this Agreement.
q. “Registered Physicians” means physicians providing cardiovascular care in good standing affiliated with the Provider who are authorized to use the Platform pursuant to the terms of this Agreement.
r. “Registered Users” means, collectively, Registered Clinicians and Registered Administrators.
s. “Services” means, collectively, all services delivered or made available via the Platform, including any and all features and content that Heartbeat makes available through the Platform, as further provided for in Section 2.
t. “Service Order Form” means Heartbeat Health’s digital service order form completed by Provider, which identifies the specific Services ordered, the Registered Users authorized by Provider and the fees agreed upon by the Parties for use of the Platform. Service Order Forms shall be deemed incorporated herein by reference. No provisions of either party’s pre-printed purchase orders, acknowledgements, or click-through terms may modify this Agreement, and such other or additional terms or conditions are void and of no effect.
A. Provision of Platform. Subject to the terms of this Agreement, Heartbeat Health grants to Provider a limited, non-sublicensable, non-exclusive, non-transferable right to allow its Registered Users to access and use the Platform and the Application in accordance with the Documentation, solely for the Permitted Use. Provider shall be solely liable and responsible for Registered Users’ use of the Platform and Application. Provider agrees to provide sufficient training to all Registered Users in order to enable and ensure compliance with the terms of this Agreement.
B. Provider acknowledges and agrees that subscription(s) ordered hereunder are neither contingent on the delivery of any future functions or features, nor ordered in reliance on any oral or written public comments made by Heartbeat Health regarding future functions or features. The Platform, the Application, the Services, the AI and all Intellectual Property Rights therein are the exclusive property of Heartbeat Health and/or its licensors. Provider acquires no rights therein except as expressly provided herein, and Heartbeat Health expressly reserves all other rights therein.
C. None of the Platform or Application content should be considered medical advice or an endorsement, representation or warranty that any particular medication, procedure or treatment is safe, appropriate, or effective for Patients. Provider acknowledges and agrees that the Platform, Application, the Services and AI provided hereunder by Heartbeat Health are purely administrative in nature, and that Heartbeat Health does not provide medical advice or make clinical, medical or other professional decisions. Provider is solely responsible for the conduct and content of consultations with Patients, and Heartbeat Health shall not control, direct, influence, or otherwise interfere with Registered Clinician’s professional judgment. Provider acknowledges that none of the Platform or Application content should be considered the authoritative version of the patient’s medical record. Provider is responsible for maintaining each Patient’s complete medical record within Provider’s own medical record system. Furthermore, Provider acknowledges that it is Provider’s responsibility to separately maintain and/or download any Provider Information or Patient Data it requires for use outside of the Platform. Neither the Platform nor the Application is interoperable with any electronic medical record system or other system.
D. Restrictions. Provider shall not and shall not permit any third party to: (a) allow access and/or use of the Platform or Application by anyone other than Registered Users; (b) rent, lease, loan, or sell access to the Platform or Application to any third party; (c) interfere with, disrupt, alter, translate, or modify the Platform, Application or any part thereof, or create an undue burden on the Platform or the networks or services connected to the Platform, including without limitation, any external websites that are linked to the Platform; (d) reverse engineer or access the Platform or Application to (i) build a competitive product or service, (ii) build a product using similar ideas, features, functions or graphics of the Platform or the Services, or (iii) copy any content, ideas, features, functions or graphics of the Platform, Application or the Services; (e) without Heartbeat Health’s express written permission, introduce software or automated agents or scripts so as to produce multiple accounts, generate automated replies, or to strip or mine data from the Platform; (f) perform or publish any performance or benchmark tests or analyses relating to the Platform or the use thereof; (g) cover or obscure any page or part of the Platform via HTML/CSS, scripting, or any other means; or (h) alter, obscure or remove any proprietary notices of Heartbeat Health or its suppliers on the Platform, the Application or the Services or any component. Except as expressly set forth herein, no express or implied license or right of any kind is granted regarding the Platform, the Application or the Services or any part thereof.
E. Account Registration. Provider will provide Heartbeat Health with information it requests in connection with creating a Platform account, including any assistance necessary to enable Heartbeat Health to verify applicable credentials and establish a unique username and password for each Registered User. Provider is solely responsible for all activities that occur under such username. Provider will ensure that the username and password issued to each Registered User will be protected as highly confidential information and used only by such Registered User. Provider agrees to notify Heartbeat Health promptly of any actual or suspected unauthorized use of a Registered User’s account, username or password. Heartbeat Health reserves the right to terminate any username and password that Heartbeat Health reasonably determines may have been used by an unauthorized third party.
F. Access to Non-Public Areas of the Platform. Heartbeat Health shall provide Provider with access to certain non-public areas of the Platform, including, but not limited to, certain designated areas for Registered Clinicians. Access to such non-public areas of the Platform shall be available to Provider after creating an account and password on the Platform, and completing the Registered Clinician or Registered Administrator registration process.
G. Maintenance of Provider Profile. Following the completion of the registration and verification process, Heartbeat Health shall post Provider’s profile on the Platform, which shall include (i) relevant information regarding Provider, including office location(s), staff member details, (ii) a description of each Registered Physician’s professional experience and credentials and (iii) images of Provider locations, Registered Physicians and other Provider staff members. Provider shall obtain and shall be responsible for maintaining all necessary consents in connection with such posting. The Registered Physician profile will be accessible on the Platform. Provider consents to the publication and redistribution of Provider’s profile, including all images contained therein. Heartbeat Health may also share elements of a Registered Physician profile and current state licensure status with prospective Platform users. Provider agrees to complete and submit to Heartbeat Health profile information for each Registered Physician to enable Heartbeat Health to post a profile in a format consistent with the other Registered Physician profiles. Provider shall be responsible for promptly notifying Heartbeat Health of all material changes in a Registered Physician’s profile information so that Registered Physician’s profile can be updated. Notwithstanding the foregoing, in the event that Heartbeat Health believes or becomes aware that a Registered Physician’s profile contains false or misleading information, Heartbeat Health reserves the right not to display or to remove from the Platform Registered Physician’s profile or any false or misleading part thereof. Heartbeat Health shall notify Provider of any such circumstance and shall re-post Registered Physician’s profile on the Platform once the matter has been addressed by Provider to Heartbeat Health’s reasonable satisfaction.
H. Fees. Provider shall pay all Platform subscription fees specified and agreed to by the Parties in US dollars and without any deduction for withholding or similar taxes. Except as otherwise specified herein or otherwise agreed to by the Parties, payment obligations are non-cancelable and fees paid are non-refundable. Unless otherwise agreed in writing, subscription fees are due monthly in advance. Additional fees for products and services such as medical devices or patient monitoring may apply.
I. Updated Fees. Fees may change over time; however, Heartbeat Health will give Provider thirty (30) days prior notice, generally via email.
J. Overdue Charges. If any undisputed charges are not received from Provider by the due date, then at Heartbeat Health’s discretion, such charges may accrue late interest at the rate of one percent (1%) of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid.
K. Technical Services. Heartbeat Health will provide or facilitate technical support to Provider by electronic means with respect to operation of the Platform through the Heartbeat Health support resource center available weekdays during business hours (9 am – 5 pm ET). Heartbeat Health shall promptly seek resolution of any technical concerns raised by Provider, including service interruptions, but does not guarantee the Platform will be operated uninterrupted, error-free, or achieve any particular result or that all errors will be corrected or resolved.
L. Other Services. Heartbeat Health may implement or remove Services, enhancements, functionality or features on the Platform or Application from time to time. Prior to the implementation or removal of any Service, feature or enhancement, Heartbeat Health shall notify Provider by email at least thirty (30) days in advance of any material change (or such shorter period as may be reasonable under the circumstances). Continued use of the Platform or Application by Provider following the implementation of any material change in Services, features or enhancements on the Platform or Application as described in the change notice, will constitute Provider’s acceptance thereof and any such charges or additional fees associated with any such material change.
M. Provider Assessment Data. Provider acknowledges that Heartbeat Health collects information and data on Providers, Registered Clinicians, Registered Administrators and Patients and data on how the Platform, Application and Services are used and reserves the right to (a) use such information to improve the Platform, Application and Services, and (b) disclose to and share such information and data with third parties in an anonymous (as to source) and aggregated form at its discretion.
N. Feedback. In the event that Provider provides Heartbeat Health with any ideas, thoughts, criticisms, suggested improvements or other feedback related to the Platform, Application or Services (collectively “Feedback”), Provider agrees that Heartbeat Health will own, and Provider hereby assigns to Heartbeat Health all right, title, and interest in, such Feedback. To the extent that the foregoing assignment is ineffective for whatever reason, Provider agrees to grant and hereby grants to Heartbeat Health a nonexclusive, perpetual, irrevocable, royalty free, worldwide license (with the right to grant and authorize sublicenses) to make, have made, use, import, offer for sale, sell, reproduce, distribute, modify, adapt, prepare derivative works of, display, perform and otherwise exploit such Feedback without restriction.
O. Verifying Provider Credentials. When applicable, Heartbeat Health will verify the credentials of Registered Physicians and other health care practitioners after the Agreement has been signed. Provider represents and warrants that it has obtained the necessary consents from Registered Physicians and other health care practitioners to provide for such verification of credentials. Heartbeat Health and Provider acknowledge that access to certain areas of the Platform and publication of a Registered Physician’s profile is contingent upon Heartbeat Health’s successful verification of the credentials provided by or on behalf of Registered Physicians and other health care practitioners. If Heartbeat Health is unable to verify the credentials of a Registered Physician or other health care practitioner, access shall be limited accordingly. Furthermore, Heartbeat Health reserves the right, in its sole discretion, to terminate a Registered Physician’s access to the Platform in its entirety if it is unable to successfully complete the verification of credentials process.
3. Representations, Warranties and Covenants of the Parties.
B. Heartbeat Health. Subject to Paragraph C. (“Exclusion from Warranties”), Heartbeat Health warrants that (i) Heartbeat Health has validly entered into this Agreement and has the legal power to do so, (ii) the Platform and Application shall perform materially in accordance with the Documentation and this Agreement, (iii) subject to Section 2.J, the functionality of the Platform or Application will not be materially decreased during a subscription term, and (iv) Heartbeat Health will use industry standard measures to not transmit Malicious Code to Provider, provided it is not a breach of this paragraph if Provider or a Registered User uploads a file containing Malicious Code into the Platform and later downloads the same file containing Malicious Code. For any breach of a warranty above, Heartbeat Health will, at no additional cost to Provider, use commercially reasonable efforts to conform to the warranty. If Provider is unable to conform to the warranty, Provider may terminate this Agreement and receive a pro rata refund of the fees paid for the terminated portion of the then-current subscription term. Provider will provide Heartbeat with a reasonable opportunity to remedy any breach and reasonable assistance in remedying any defects. The remedies set out in this subsection are Provider’s sole remedies for breach of the above warranty.
C. Exclusion from Warranties. The warranties in Paragraph B are void to the extent any failure to perform in accordance with the Documentation or any decrease in functionality is the result of (i) the Platform or Application not being used in accordance with the applicable Documentation or this Agreement, (iii) the Platform or Application having been modified or altered by Provider without Heartbeat Health’s knowledge and written permission, or (iv) Internet or network connections, streaming services, computers, equipment or devices not supplied by Heartbeat Health.
D. Disclaimer of Warranties. Except as expressly provided in this Agreement, the Platform, Application and the Services hereunder are provided “AS IS” and “AS AVAILABLE”. Heartbeat Health does not warrant, and specifically disclaims, any representation that the Platform, Application or any Service provided hereunder will meet the requirements of Provider or the requirements of any Registered User or that the Platform or Application will be uninterrupted, error-free, or achieve any particular result or that all errors can be corrected. Other than for the express warranties made herein and to the extent permitted by applicable law, Heartbeat Health makes no warranties in connection with the Services, Platform or Application, whether express or implied, including without limitation to, any implied warranties of merchantability, fitness for a particular purpose, title, non-infringement of third party rights, loss of data and interference with Provider’s quiet enjoyment, and all such warranties are hereby disclaimed. The Platform, Application and Services may be subject to limitations, delays and other communications problems inherent in the use of the internet, and Heartbeat Health is not responsible for any delays, delivery failures or other damages resulting from such problems. In addition, Heartbeat Health disclaims all liability of any kind with respect to Heartbeat Health’s suppliers and Licensors. This provision shall apply even if any express warranty set forth in this Agreement fails of its essential purpose.
Provider shall maintain for itself and shall maintain or cause to be maintained with respect to the Registered Clinicians, professional liability insurance, including as necessary extended reporting period (i.e., “tail”) coverage. Such professional liability coverage shall be maintained with minimum coverage limits in the amount of $1,000,000 per occurrence or claim and $3,000,000 in the annual aggregate or such other minimum amounts as may be required under applicable state law or local law or standards of practice. Such insurance shall cover applicable claims against Provider or Registered Users even if filed after the termination or expiration of the Agreement. Provider acknowledges that such coverage shall not apply to any other professional services or activities. Upon Heartbeat Health’s written request, Provider will provide Heartbeat Health with certificates evidencing coverage. Provider shall provide Heartbeat Health with no less than thirty (30) days’ prior written notice of cancellation or any material change in such insurance coverage.
A. By Provider. Provider agrees to indemnify, defend and hold harmless Heartbeat Health, its affiliates, and each of its and their respective directors, officers, managers, employees, shareholders, agents, representatives, licensors, successors and assigns from and against any and all losses, expenses, damages and costs, including reasonable attorneys’ fees, that arise out of Provider’s use of the Platform, Application and Services (including use by Registered Users), violation of this Agreement by Provider or any other person using Provider’s account, or Provider’s violation of any rights of another.
B. By Heartbeat Health. Heartbeat Health shall defend Provider against any claim, demand, suit, or proceeding (a “Claim”) made or brought against Provider by a third party alleging that the Platform, Application or Services, or use of the Platform, Application or Services as permitted hereunder infringes or misappropriates the Intellectual Property Rights of a third party, and shall indemnify Provider for any damages, attorney fees and costs finally awarded against Provider as a result of, and for amounts paid by Provider under a court approved settlement of, a Claim. Notwithstanding the foregoing, in no event shall Heartbeat Health have any obligations or liability under this Section arising from: (i) use of the Platform, Application or Services in a manner not anticipated by or in violation of this Agreement or in combination with materials not furnished by Heartbeat Health; or (ii) any content, information, or data provided by Provider or other third parties. If the Platform, Application or Services are or are likely to become subject to a claim of infringement or misappropriation, then Heartbeat Health will, at its sole option and expense, either: (i) obtain for the Provider the right to continue using the Platform, Application or Services, as applicable; (ii) replace or modify the Platform, Application or Services to be non-infringing and substantially equivalent to the infringing Platform, Application or Services; or (iii) terminate Provider’s rights to use the Platform, Application or Services and refund pro-rata any prepaid fees for the infringing portion of the Platform or Services.
C. Indemnification Process. Each party’s indemnification obligations in this Section 5 are subject to: (i) prompt notification in writing of any claim (provided that the indemnified party’s failure to provide reasonable written notice shall only relieve the indemnifying party of its indemnification obligations hereunder to the extent such failure materially limits or prejudices the indemnifying party’s ability to defend or settle such claim); (ii) the transfer of sole control of the defense and any related settlement negotiations to the indemnifying party; and (iii) the indemnified party’s cooperation in the defense of such claim. Notwithstanding the foregoing, if the indemnifying party fails to respond in writing within ten (10) days after receiving notice of a claim from the indemnified party, stating that the indemnifying party will fulfill its obligations pursuant to this Section, then the indemnified party shall have the right to assume the exclusive defense of the claim (including, without limitation, the investigation, trial, settlement, appeal, and payment of any losses) solely at indemnifying party’s expense. You will fully cooperate in the defense of any claim. THIS SECTION 5 STATES PROVIDER’S SOLE AND EXCLUSIVE REMEDIES FOR INFRINGEMENT OR CLAIMS ALLEGING INFRINGEMENT.
6. Limitation of Liability.
TO THE EXTENT LEGALLY PERMITTED UNDER APPLICABLE LAW, IN NO EVENT WILL HEARTBEAT HEALTH BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT, EXEMPLARY, SPECIAL, OR INCIDENTAL DAMAGES, INCLUDING ANY LOST DATA AND LOST PROFITS, ARISING FROM OR RELATING TO THIS AGREEMENT EVEN IF PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. HEARTBEAT HEALTH’S TOTAL CUMULATIVE LIABILITY IN CONNECTION WITH THIS AGREEMENT, INCLUDING THE BUSINESS ASSOCIATE ADDENDUM, EXECUTED BY THE PARTIES IN CONNECTION HEREWITH, WHETHER IN CONTRACT OR TORT OR OTHERWISE, WILL NOT EXCEED THE GREATER OF $10,000 OR THE FEES RECEIVED BY HEARTBEAT HEALTH PURSUANT TO THIS AGREEMENT IN THE TWELVE MONTH PERIOD PRIOR TO THE DATE THE CLAIM AROSE. THIS SECTION WILL BE GIVEN FULL EFFECT EVEN IF ANY REMEDY SPECIFIED IN THIS AGREEMENT IS DEEMED TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
7. Suspension of Services.
In addition to the termination rights set forth in Section 8, Heartbeat Health shall have the right to suspend the Services, including without limitation, Provider’s access to the Platform and Application, if Heartbeat Health receives a Patient complaint with respect to a Registered User. In such event, Heartbeat Health may upon written notice to Provider suspend the Services until such time as Heartbeat Health has investigated and/or resolved the complaint to Heartbeat Health’s reasonable satisfaction or has exercised its other rights hereunder.
8. Term; Termination.
The subscription term of this Agreement shall be for an initial period of one (1) year commencing on the Effective Date, and thereafter shall automatically be renewed for successive one (1) renewal terms, unless terminated in accordance with this Section 8.
A. This Agreement may be terminated as follows:
(i) Either party may terminate this Agreement at any time upon ten (10) days’ prior written notice to the other Party; or
(ii) Heartbeat Health may terminate this Agreement immediately upon written notice to Provider if: (1) Provider breaches any of the representations or covenants set forth in this Agreement and does not cure the breach within ten (10) days after receiving written notice thereof from Heartbeat Health, or immediately if such breach is incapable of cure as determined by Heartbeat Health; (2) Provider fails to cure the breach of any other obligation hereunder within ten (10) days after receiving written notice thereof from Heartbeat Health; or (3) in response to a Patient complaint, provided that Heartbeat Health has completed its investigation of the complaint pursuant to Section 7 above.
B. Upon the effective date of the termination or expiration of this Agreement, Heartbeat Health shall: (i) deactivate all Registered User passwords and access to the Platform, including without limitation access to Patients’ online health profiles and any other health and nutrition information maintained on the Platform; and (ii) remove from the Platform all public facing references to Provider, including without limitation Provider’s profile. Further, promptly upon any termination or expiration of this Agreement, each party shall return to the other’s custody or destroy Confidential Information (as defined below) of the other Party; provided, however, Heartbeat Health shall have a continuing right to be afforded reasonable access to Physician’s Confidential Information as needed to complete its Services hereunder or as may be reasonably necessary for the defense of any judicial, administrative or disciplinary proceeding in which Heartbeat Health is a party, provided that such access does not violate any applicable patient confidentiality law or regulation. For avoidance of doubt, all data residing on the Platform which relates to individual Patients, including Patient Data, may be retained by Heartbeat Health at the direction of the Patient for the continued provision of Services to such Patients or for purposes specified by Patient.
9. Confidential Information.
10. Relationship of the Parties.
The relationship between Heartbeat Health and Provider hereunder shall be that of independent contractors, and nothing herein or the arrangements entered into pursuant to this Agreement shall render Heartbeat Health or its employees or subcontractors used in the conduct of Services hereunder an employee, partner, agent or joint venture party of Provider. Each party shall be responsible for paying its own employees and contractors rendering services on its behalf, including employment related taxes and insurance. Neither Party shall have the authority to make representations on behalf of the other party or bind the other party to any third party agreement.
A. Governing Law. This Agreement shall be governed by the laws of New York without regard to New York’s conflicts of law rules. Provider hereby expressly consents to the personal jurisdiction and venue in the state and federal courts for the county in which Heartbeat Health’s principal place of business is located for any lawsuit filed there against Provider by Heartbeat Health arising from or related to this Agreement.
B. Assignability. Except as otherwise expressly agreed by the other party in writing, neither party may assign any rights or obligations under this Agreement, other than as a result of a change in control in a party or the assignment to any corporate affiliate or successor in interest of the business of Heartbeat Health (with respect to which no consent of the other party is required). Further, Heartbeat Health shall have the right to delegate any obligation hereunder to any third party subcontractor.
C. Entire Agreement; Amendment. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter of this Agreement and supersedes all prior written and oral agreements between the Parties regarding the subject matter of this Agreement. This Agreement may not be amended or revised except with the written consent of the Parties or as otherwise provided below. In the event that Heartbeat Health desires to amend the terms of this Agreement, Heartbeat Health will notify Provider by email of the proposed amendment. The amendment will become effective thirty (30) days following the date the notice of amendment is sent to Provider unless the Provider responds to Heartbeat Health by email within such thirty (30) day period that the proposed amendment is not acceptable. In the event that Provider does not timely respond to a notice of amendment, the amendment will be deemed to be accepted by Provider. Heartbeat Health agrees to provide Provider with confirmation by email of the effective date of each such amendment.
D. Headings. Headings are used in this Agreement for reference only and shall not be considered when interpreting this Agreement.
F. Notices. Except as otherwise expressly provided in this Agreement, any notice or other communication required or permitted by this Agreement to be given to a party shall be in writing and shall be deemed given if delivered personally or by commercial messenger or courier service, or mailed by U.S. registered or certified mail (return receipt requested), or sent by email, to the party at the party’s address written below or at such other address as that party may have previously specified by like notice.
H. Severability. If any provision of this Agreement is found to be illegal or unenforceable, the other provisions shall remain effective and enforceable to the greatest extent permitted by law.
I. Waiver. No waiver of any provision hereof shall be valid unless set forth in writing by the party granting such waiver. If either party hereto waives a breach of one of the provisions hereof by the other party, that waiver shall not operate or be construed as a waiver of any other provision of this Agreement, or as a waiver of a subsequent similar breach hereof.
J. Change in Law. In the event that any federal, state or local law or regulation, or interpretation thereof, is enacted, amended, or repealed during the term of this Agreement that delays, suspends, cancels, eliminates or materially modifies any portion or element of the Platform, this Agreement shall not terminate and the Parties shall negotiate in good faith to amend the Agreement in a manner which conforms with such change in law as soon thereafter as practicable. To the maximum extent possible, any amendment hereto shall preserve the underlying economic and financial arrangements between the Parties.
K. Force Majeure. Any delay in the performance of any duties or obligations of either party will not be considered a breach of this Agreement if such delay is caused by a labor dispute, shortage of materials, fire, earthquake, flood, or any other event beyond the control of such party, provided that such party uses reasonable efforts, under the circumstances, to notify the other party of the cause of such delay and to resume performance as soon as possible.
L. Survival. Any provisions of the Agreement containing proprietary rights, confidentiality obligations, disclaimers, limitations of liability and/or indemnity terms, and any provision of the Agreement which, by its nature, is intended to survive shall remain in effect following any termination or expiration of the Agreement.
M. Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
BUSINESS ASSOCIATE ADDENDUM
This Business Associate Addendum (this “Addendum”), is made part of and incorporated into the Provider Terms of Service (“the Service Agreement”) by and between Provider (“Covered Entity”) and Heartbeat Health, Inc. (“Business Associate”), for the purposes of complying with the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder (“HIPAA”) and the security provisions of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).
WHEREAS, Covered Entity is a covered entity as such term is defined under HIPAA and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of Protected Health Information; and
WHEREAS, Business Associate has entered into the Service Agreement with Covered Entity, pursuant to which Business Associate may create and/or receive Protected Health Information for or on behalf of Covered Entity; and
WHEREAS, by providing services pursuant to the Service Agreement and creating and/or receiving Protected Health Information for or on behalf of Covered Entity, Business Associate shall become a business associate of Covered Entity, as such term is defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of Protected Health Information that Business Associate creates for, or receives from or on behalf of, Covered Entity.
NOW THEREFORE, in consideration of the mutual covenants, promises, and agreements contained herein, the parties hereto agree as follows:
For the purposes of this Addendum, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA.
a. “Protected Health Information” or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care.
b. “Secretary” shall refer to the Secretary of the U.S. Department of Health and Human Services.
c. “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). This definition applies to both hard copy PHI and electronic PHI.
II. OBLIGATIONS OF BUSINESS ASSOCIATE.
a. Use and Disclosure of PHI.
i. Business Associate warrants that it, its agents and its subcontractors: (a) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this Addendum and the Service Agreement; (b) shall not use or disclose PHI other than as permitted or required by this Addendum or required by law; (c) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Covered Entity; and (d) shall only use and disclose the minimum necessary PHI for its specific purposes.
ii. Subject to the restrictions set forth throughout this Addendum, Business Associate may use the information received from Covered Entity if necessary, for (a) the proper management and administration of Business Associate; or (b) to carry out the legal responsibilities of Business Associate.
iii. Subject to the restrictions set forth throughout this Addendum, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that:
1. Disclosures are required by law, or
2. Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
iv. Business Associate is permitted, for Data Aggregation purposes to the extent permitted under HIPAA, to use, disclose, and combine PHI created or received on behalf of Covered Entity by Business Associate pursuant to this Addendum with PHI, as defined by 45 C.F.R. 164.501, received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Covered Entity.
v. Business Associate may de-identify any and all PHI created or received by Business Associate under this Addendum. Once PHI has been de-identified pursuant to 45 CFR 164.514(b), such information is no longer Protected Health Information and no longer subject to this Addendum.
vi. Business Associate acknowledges that, as between Business Associate and Covered Entity, all PHI shall be and remain the sole responsibility of Covered Entity.
vii. To the extent that Business Associate is to carry out any of Covered Entity’s obligations that are regulated by HIPAA, Business Associate shall comply with the HIPAA requirements that apply to the Covered Entity in the performance of such obligation.
b. Safeguards. Business Associate shall employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of Business Associate’s operations, to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this Addendum. Business Associate shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this Addendum.
c. Availability of Books and Records. Business Associate shall permit the Secretary and other regulatory and accreditation authorities to audit Business Associate’s internal practices, books and records at reasonable times as they pertain to the use and disclosure of PHI in order to ensure that Covered Entity and/or Business Associate is in compliance with the requirements of HIPAA.
d. Individuals’ Rights to Their PHI.
i. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Covered Entity to respond to a request by an Individual for access to PHI pursuant to 45 CFR Section 164.524, Business Associate, within ten (10) business days upon receipt of written request by Covered Entity, shall make available to Covered Entity such PHI.
1. In the event that any Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days.
2. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Except as Required by Law, only Covered Entity will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by Covered Entity pursuant to 45 CFR Section 164.524, and conveyed to Business Associate by Covered Entity, shall be the responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
ii. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Covered Entity to respond to a request by an Individual for an amendment to PHI, Business Associate shall, within ten (10) business days upon receipt of a written request by Covered Entity, make available to Covered Entity such PHI.
1. In the event that any Individual requests amendment of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days.
2. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and Business Associate will make no such determinations. Any denial of amendment to PHI determined by Covered Entity pursuant to 45 CFR Section 164.526, and conveyed to Business Associate by Covered Entity, shall be the responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
3. Within ten (10) business days of receipt of a request from Covered Entity to amend an individual’s PHI in the Designated Record Set, Business Associate shall incorporate any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 CFR Section 164.526.
iii. In order to allow Covered Entity to respond to a request by an Individual for an accounting pursuant to 45 CFR Section 164.528, Business Associate shall, within ten (10) business days of a written request by Covered Entity for an accounting of disclosures of PHI about an Individual, make available to Covered Entity such PHI. At a minimum, Business Associate shall provide Covered Entity with the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure.
1. In the event that any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days.
2. Covered Entity will be responsible for preparing and delivering an accounting to Individual.
3. Business Associate shall implement an appropriate record keeping process to enable it to comply with the requirements of this Addendum.
e. Disclosure to Third Parties. Business Associate shall obtain and maintain a written agreement with each subcontractor or agent that has or will have access to PHI, which is received from, or created or received by, Business Associate for or on behalf of Covered Entity, pursuant to which agreement such subcontractor and agent agrees to be bound by the same restrictions, terms, and conditions that apply to Business Associate pursuant to the Addendum with respect to such PHI.
f. Reporting Obligations.
i. In the event of a Breach of any Unsecured PHI that Business Associate accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall report such Breach to Covered Entity as soon as practicable, but in no event later than ten (10) business days after the date the Breach is discovered. Notice of a Breach shall include, to the extent such information is available: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach; (ii) the date of the Breach, if known, and the date of discovery of the Breach; (iii) the scope of the Breach; and (iv) the Business Associate’s response to the Breach.
ii. In the event of a use or disclosure of PHI that is improper under this Addendum but does not constitute a Breach, Business Associate shall report such use or disclosure to Covered Entity within ten (10) business days after the date on which Business Associate becomes aware of such use or disclosure.
iii. In the event of any successful Security Incident, Business Associate shall report such Security Incident in writing to Covered Entity within ten (10) business days of the date on which Business Associate becomes aware of such Security Incident. The parties acknowledge that unsuccessful Security Incidents (e.g., pings) occur within the normal course of business and shall not be reported pursuant to this Addendum.
III. OBLIGATIONS OF COVERED ENTITY.
a. Permissible Requests.
i. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by Covered Entity.
ii. Covered Entity may request Business Associate to disclose PHI directly to another party only for the purposes allowed by HIPAA and the HITECH Act.
i. Covered Entity shall notify Business Associate of any limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
ii. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
iii. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
IV. TERM AND TERMINATION.
a. General Term and Termination. This Addendum shall become effective on the Effective Date set forth above and shall terminate upon the termination or expiration of the Service Agreement and when all PHI provided by either party to the other, or created or received by Business Associate on behalf of Covered Entity is, in accordance with this Section, destroyed, returned to Covered Entity, or protections are extended.
b. Material Breach. Where either party has knowledge of a material breach by the other party, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this Addendum and the portion(s) of the Service Agreement affected by the breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this Addendum and the portion(s) of the Service Addendum affected by the breach.
c. Return or Destruction of PHI. Upon termination of this Addendum for any reason, Business Associate shall:
i. If feasible as determined by Business Associate, return or destroy all PHI received from, or created or received by Business Associate for or on behalf of Covered Entity that Business Associate or any of its subcontractors and agents still maintain in any form; or
ii. If Business Associate determines that such return or destruction is not feasible, extend the protections of this Addendum to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Business Associate’s obligations under this Section shall survive the termination of this Addendum.
a. Amendment. If any of the regulations promulgated under HIPAA or the HITECH Act are amended or interpreted in a manner that renders this Addendum inconsistent therewith, the parties shall amend this Addendum to the extent necessary to comply with such amendments or interpretations.
b. Interpretation. Any ambiguity in this Addendum shall be resolved to permit the parties to comply with HIPAA and the HITECH Act.
c. Conflicting Terms. In the event that any terms of this Addendum conflict with any terms of the Service Agreement, the terms of this Addendum shall govern and control.
d. Notices. Any notices pertaining to this Addendum shall be given in writing and shall be deemed duly given when personally delivered to a party or a party’s authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. Notices shall be deemed given upon receipt. Notices shall be addressed to the appropriate party as follows:
If to Covered Entity, to the address provided upon registration.
If to Business Associate:
HEARTBEAT HEALTH, Inc.
156 W 56th Street, Suite 1000
New York, NY 10019
e. Severability. The provisions of this Addendum shall be severable, and if any provision of this Addendum shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Addendum shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.