Thanks for using iCouch! Here we describe how we collect, use and handle your information when you use our websites, software and services ("Services").
We collect and use the following information to provide, improve and protect our Services:
We also collect information from and about the devices you use to access the Services. This includes things like IP addresses, the type of browser and device you use, the web page you visited before coming to our sites, and identifiers associated with your devices. Your devices (depending on their settings) may also transmit location information to the Services.
Cookies and other technologies. We use technologies like cookies and pixel tags to provide, improve, protect and promote our Services. You can set your browser to not accept cookies, but this may limit your ability to use the Services.
We may share information as discussed below, but we won't sell it to advertisers or other third parties.
Other users. Our Services display information like your name, profile picture, and other information that you may have explicitly provided for the purposes of promoting your services.
Certain features let you make additional information available to others.
Law & Order. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of iCouch or our users; or (d) protect iCouch’s property rights.
Security. We have a team dedicated to keeping your information secure and testing for vulnerabilities. We also continue to work on features to keep your information safe in addition to things like two-factor authentication, encryption of files at rest, and alerts when new devices and apps are linked to your account.
Retention. We'll retain information you store on our Services for as long as we need it to provide you the Services. If you delete your account, we'll also delete this information. But please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.
Around the world. To provide you with the Services, we may store, process and transmit information in the United States and locations around the world - including those outside your country. Information may also be stored locally on the devices you use to access the Services.
EU-US Privacy Shield and US-Swiss Safe Harbor. When transferring data from the European Union, the European Economic Area, and Switzerland, iCouch relies upon a variety of legal mechanisms, including contracts with our users. iCouch complies with the U.S.-Swiss Safe Harbor ("Safe Harbor") framework and its principles. We also participate in the EU-U.S. Privacy Shield Program ("Privacy Shield") and comply with its framework and principles.
If we are involved in a reorganization, merger, acquisition or sale of our assets, your information may be transferred as part of that deal. We will notify you (for example, via a message to the email address associated with your account) of any such deal and outline your choices in that event.
Have questions or concerns about iCouch, our Services and privacy? Contact us at firstname.lastname@example.org.
Medical Information: ICOUCH DOES NOT PROVIDE MEDICAL ADVICE. DO NOTE USE THE SITE FOR EMERGENCY MEDICAL NEEDS. IF YOU EXPERIENCE A MEDICAL EMERGENCY CALL 911. The information on the Site, including data, text, software, music, sound, images, video, graphics, presentations, communications or other information (the “Content”) provided by iCouch does not constitute medical advice of any kind and it is not intended to be, and should not be, used to diagnose or identify treatment for a medical condition. Nothing on the Site should be construed as an attempt to offer or render a medical opinion or otherwise engage in the practice of medicine by iCouch.
ICOUCH DOES NOT RECOMMEND, REFER, ENDORSE, VERIFY, EVALUATE OR GUARANTEE ANY ADVICE, INFORMATION, TREATMENT, INSTITUTION, PRODUCT, PROFESSIONAL, COUNSELOR, PHYSICIAN, PROCEDURE, TEST, OPINION OR OTHER INFORMATION OR SERVICES PROVIDED BY ANY COUNSELOR USING THE SITE, AND NOTHING SHALL BE CONSIDERED AS A REFERRAL, ENDORSEMENT, RECOMMENDATION OR GUARANTEE OF ANY COUNSELOR. ICOUCH DOES NOT WARRANT THE VALIDITY, ACCURACY, COMPLETENESS, SAFETY, LEGALITY, QUALITY, OR APPLICABILITY OF THE CONTENT OR ANYTHING SAID OR WRITTEN BY ANY COUNSELORS OR ANY ADVICE PROVIDED, INCLUDING ANY INFORMATION CONTAINED IN ANY COUNSELOR LISTING. ICOUCH WILL NOT BE LIABLE FOR ANY DAMAGES SUSTAINED DUE TO RELIANCE BY THE USER ON SUCH INFORMATION OR ADVICE PROVIDED BY ANY COUNSELOR.
Age: If you are under 18 years old, you may use the Service, with or without registering, only with the approval of your parent or guardian.
Member Account, Password and Security: You are responsible for maintaining the confidentiality of your password and account, and are fully responsible for any and all activities that occur under your password or account. You agree to (a) immediately notify iCouch of any unauthorized use of your password or account or any other breach of security, and (b) ensure that you exit from your account at the end of each session when accessing the Service. iCouch will not be liable for any loss or damage arising from your failure to comply with this Section.
Modifications to Service: iCouch reserves the right to modify or discontinue, temporarily or permanently, the Service (or any part thereof) with or without notice. You agree that iCouch shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Service.
Authorization and Acknowledgement: In connection with using the Site and the Services to locate and schedule appointments with counselors or medical professionals, you understand that:
You agree to not use the Service to: post, email or otherwise transmit any content outside of any counseling sessions, that in the sole judgment of iCouch, (i) is unlawful, abusive, harassing, tortious, excessively violent, defamatory, obscene, libelous, invasive of another‘s privacy, infringing of an third party’s rights or otherwise objectionable; (ii) you do not have a right to transmit under any law or under contractual or fiduciary relationships; (iii) poses or creates a privacy or security risk to any person; or (iv) which may expose iCouch or its users to any harm or liability of any type; impersonate any person or entity, or falsely state or otherwise misrepresents your affiliation with a person or entity; advertise or offer to sell or buy any goods or services for any business purpose that is not specifically authorized; violate any applicable local, state, national or international law, or any regulations having the force of law; use the Service in any manner that could damage, disable, overburden, or impair the Service or interfere with any other party’s use and enjoyment of the Service; or obtain or attempt to access or otherwise obtain any materials or information through any means not intentionally made available or provided for through the Service.
Video Conferences: You may not modify, enhance, remove, interfere with, or otherwise alter in any way any portion of iCouch’s video conference transmission system (the “Video Application”), its underlying technology, any digital rights management mechanism, device, or other content protection or access control measure incorporated into the Video Application.
Personal Use: Unless otherwise specified, you agree not to display, distribute, license, perform, publish, reproduce, duplicate, copy, create derivative works from, modify, sell, resell, exploit, transfer or transmit for any commercial purposes, any portion of the Service, use of the Service, or access to the Service.
Fees: iCouch will use reasonable efforts to process the payments due from the user according to the terms agreed upon between user and an counselor within seven (7) working days from the execution date of each transaction.
iCouch’s billing system is not fault-free or flexible; therefore iCouch shall not be liable for any problems, miscalculations or malfunctions in processing the payments owed by the user. If the user thinks that a mistake has occurred he or she may send his or her concern to email@example.com.
Special Notice for International Use; Export Controls: Software available in connection with the Service and the transmission of applicable data, if any, is subject to United States export controls. No Software may be downloaded from the Service or otherwise exported or re-exported in violation of U.S. export laws. Downloading or using the Software is at your sole risk. You agree to comply with all applicable laws regarding the transmission of technical data exported from the United States or the country in which you reside.
Content Posted on the Site: You are solely responsible for the content and other materials you post on or through the Service or the Site or transmit to or share with other users, counselors or recipients (collectively, “Posted Content”). You will not post any content that you did not create or that you do not own all rights, title and interest in and to, including, without limitation, all copyright and rights of publicity contained therein. By posting any Posted Content you hereby grant and will grant iCouch and its affiliated companies a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicenseable, perpetual, irrevocable license to copy, display, transmit, distribute, store, modify and otherwise use your Posted Content in connection with the operation of the Service or the promotion, advertising or marketing thereof, in any form, medium or technology now known or later developed.
You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about the Site or the Service (“Submissions”), provided by you to iCouch are non-confidential and iCouch shall be entitled to the unrestricted use and dissemination of these Submissions for any purpose, commercial or otherwise, without acknowledgment or compensation to you.
Copyright Complaints: iCouch respects the intellectual property of others, and we ask our users and counselors to do the same. If you believe that your work has been copied in a way that constitutes copyright infringement, or that your intellectual property rights have been otherwise violated, you should notify iCouch or your infringement claim in accordance with the procedure set forth below.
iCouch will promptly process and investigate notices of alleged infringement and will take appropriate actions under the Digital Millennium Copyright Act (“DMCA”) and other applicable intellectual property laws with respect to any alleged or actual infringement. A notification of claimed copyright infringement should be emailed to iCouch’s Copyright Agent at [copyright@iCouch.me] (subject line: “DMCA” Takedown Request”). You may also contact us by mail at:
Attention: Copyright Agent
2319 Marblecrest Ln
Spring, TX 77386
To be effective, the notification must be in writing and contain the following information:
Counter-Notice: If you believe that your Posted Content that was removed (or to which access was disabled) is not infringing, or that you have the authorization from the copyright owner, the copyright owner’s agent, or pursuant to the law, to post and use the content in your Posted Content, you may send a written counter-notice containing the following information to the Copyright Agent:
If a counter-notice is received by the Copyright Agent, iCouch will send a copy of the counter-notice to the original complaining party informing that person that it may replace the removed content or cease disabling it in 10 business days. Unless the copyright owner files an action seeking a court order against the content provider, member or user, the removed content may be replaced, or access to it restored, in 10 to 14 business days or more after receipt of the counter-notice, at iCouch’s sole discretion.
Repeat Infringer Policy: In accordance with the DMCA and other applicable law, iCouch has adopted a policy of terminating, in appropriate circumstances and at iCouch’s sole discretion, the account of anyone deemed to be a repeat infringer. iCouch may also at its sole discretion limit access to the Site and/or terminate the memberships of anyone who infringes any intellectual property rights of others, whether or not there is any repeat infringement.
The Service may provide, or third parties may provide, links to other sites and resources on the Internet. iCouch has no control over such sites and resources and iCouch is not responsible for and does not endorse such sites and resources. You further acknowledge and agree that iCouch shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any content, events, goods or services available on or through any such hyperlinked site or resource. Any dealings you have with advertisers found while using the Service are between you and the advertiser, and you agree that iCouch is not liable for any loss or claim that you may have against an advertiser.
YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK. THE SERVICE AND ANY CONTENT OR MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE SERVICE IS PROVIDED ON AN “AS IS”, “WITH ALL FAULTS”, AND “AS AVAILABLE” BASIS. ICOUCH EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. WITHOUT LIMITING THE FOREGOING, ICOUCH MAKES NO WARRANTY THAT (I) THE SERVICE WILL BE EFFECTIVE, WILL FUNCTION WITHOUT DISRUPTIONS, DELAYS OR ERRORS, WILL BE RELIABLE OR ACCURATE, OR WILL MEET YOUR REQUIREMENTS, (II) THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE, ERROR-FREE, OR ACCESSIBLE AT TIMES OR LOCATIONS OF YOUR CHOOSING, (III) THE RESULTS OR INFORMATION THAT MAY BE OBTAINED FROM THE USE OF THE SERVICE WILL BE ACCURATE, RELIABLE TIMELY, OR COMPLETE, (IV) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH THE SERVICE WILL MEET YOUR EXPECTATIONS, AND (V) ANY ERRORS WILL BE CORRECTED. EXCEPT AS EXPRESSLY SET FORTH HEREIN, ICOUCH MAKES NO WARRANTIES ABOUT THE INFORMATION SYSTEMS, SOFTWARE AND FUNCTIONS MADE ACCESSIBLE THROUGH THE SITE OR ANY OTHER SECURITY ASSOCIATED WITH THE TRANSMISSION OF SENSITIVE INFORMATION.
ALWAYS USE CAUTION WHEN GIVING OUT ANY PERSONALLY IDENTIFYING INFORMATION ABOUT YOURSELF OR YOUR CHILDREN. ICOUCH DOES NOT CONTROL OR ENDORSE THE CONTENT, MESSAGES OR INFORMATION FOUND ON THE SERVICE AND, THEREFORE, ICOUCH SPECIFICALLY DISCLAIMS ANY LIABILITY WITH REGARD TO THE SERVICE AND ANY OTHER ACTIONS RESULTING FROM YOUR PARTICIPATION IN THE SERVICE.
YOU EXPRESSLY UNDERSTAND AND AGREE THAT ICOUCH SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY DAMAGES, OR DAMAGES FOR LOSS OF PROFITS INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF ICOUCH HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, RESULTING FROM: (I) THE USE OR THE INABILITY TO USE THE SERVICE; (II) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICES RESULTING FROM ANY GOODS, DATA, INFORMATION OR SERVICES PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO THROUGH OR FROM THE SERVICE; (III) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA; (IV) STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON THE SERVICE; OR (V) ANY OTHER MATTER RELATING TO THE SERVICE. IN NO EVENT SHALL ICOUCH’S TOTAL LIABILITY TO YOU FOR ALL DAMAGES, LOSSES OR CAUSES OF ACTION EXCEED ONE HUNDRED DOLLARS ($100). SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS SET FORTH ABOVE MAY NOT APPLY TO YOU. IF YOU ARE DISSATISFIED WITH ANY PORTION OF THE SERVICE OR WITH THESE TERMS OF SERVICE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USE OF THE SERVICE.
Any controversy or claim arising out of or relating to this contract, or the breach thereof, shall be settled by binding arbitration administered by the American Arbitration Association in accordance with its Commercial Arbitration Rules, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof. Unless otherwise agreed to by the parties, the arbitration will be held in Houston, TX.
You agree that you are solely responsible for your interactions with any other user of the Service, including counselors. iCouch reserves the right, but has no obligation, to become involved in any way with disputes between you and any other user of the Service.
By using the Service, each user understands and agrees that all advice, information, treatments, institutions, products, professionals, physicians, procedures, tests, opinions or other information or services written or provided are so written or provided by counselors who are neither employees of iCouch nor controlled by iCouch. Each user understands and agrees that, although a mental or medical health professional, physician, other professional counselor may have been accessed through the Site, iCouch cannot predict or assess the competence of, or appropriateness for their needs. Each user understands and agrees that, iCouch does not validate or otherwise endorse the Content or any individual. iCouch has no control over, and cannot guarantee the availability of any counselor at any particular time. iCouch will not be liable for cancelled or otherwise unfulfilled appointments or any injury resulting therefrom, or for any other injury resulting from the use of the Site or Services whatsoever.
Users are strongly advised to perform their own investigation prior to selecting a counselor by making confirming telephone calls to the appropriate licensing authorities to verify listed credentials and education, and to further verify information about a particular counselor by confirming with (i) their current physician, (ii) counselor’s office, (iii) the medical association relative to the counselor’s specialty, and (iv) the appropriate state medical board or other governmental authority.
USERS WHO CHOOSE TO INTERACT WITH ANY MENTAL OR MEDICAL HEALTH PROFESSIONAL, PHYSICIAN OR OTHER PROFESSIONAL COUNSELOR ON THE SITE ACKNOWLEDGE THAT SUCH RELATIONSHIP IS STRICTLY WITH SUCH PROFESSIONAL AND NOT WITH ICOUCH. ICOUCH IS NOT INVOLVED IN ANY WAY WITH THE SUBSTANCE OF SUCH RELATIONSHIP OR THE ADVICE OR INFORMATION GIVEN THEREIN, AND DOES NOT VALIDATE THE INFORMATION OR ADVICE PROVIDED TO ANY USER BY THEIR COUNSELOR. EACH USER HEREBY RELEASES AND AGREE TO HOLD HARMLESS ICOUCH, ITS DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, SUCCESSORS, ADVISORS, CONSULTANTS, AND ASSIGNS FROM ANY AND ALL CAUSES OF ACTION AND CLAIMS OF ANY NATURE RESULTING FROM THE ACTS OF MEDICAL OR MENTAL HEALTH PROFESSIONALS, ANY OTHER PROVIDERS ACCESSED THROUGH THE SITE.
NO LICENSED MEDICAL PROFESSIONAL/PATIENT RELATIONSHIP IS CREATED BETWEEN USERS AND ICOUCH AND/OR COUNSELORS AND ICOUCH BY USING INFORMATION PROVIDED BY OR THROUGH THE USE OF THE SITE INCLUDING, BUT NOT LIMITED TO, LINKS TO OTHER SITES OR ANY ASSISTANCE ICOUCH MAY PROVIDE TO HELP USERS FIND AN APPROPRIATE COUNSELOR, MEDICAL PROFESSIONAL OR SPECIALIST IN ANY FIELD.
Practitioners hereby acknowledge that they are solely responsible for any and all advice, information, treatments, institutions, products, professionals, counselors, physicians, procedures, tests, opinions or other information or services written or provided, as applicable, to any iCouch user.
This BUSINESS ASSOCIATE AGREEMENT (“BAA”) is made by and between you (“Covered Entity” or “CE”) and ICOUCH, INC., a Delaware “C” corporation (“Business Associate” or “BA”) (each a “party” and, collectively, the “parties”) upon your indication that you understand and accept all of the terms and conditions herein (the “Effective Date”).
A. CE is a “covered entity” under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and, as such, must enter into so-called “business associate” contracts with certain contractors that may have access to certain patient medical information.
B. Pursuant to the terms of one or more agreements between the parties, whether oral or in writing (collectively, the “Agreement”), BA shall provide certain services to CE. To facilitate BA’s provision of such services, CE wishes to disclose certain information to BA, some of which may constitute Protected Health Information (“PHI”) (defined below).
C. CE and BA intend to protect the privacy and provide for the security of PHI disclosed to BA pursuant to the Agreement in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (“HITECH Act”), and regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HIPAA Regulations”) and other applicable laws, including without limitation state patient privacy laws, as such laws may be amended from time to time.
D. As part of the HIPAA Regulations, the Privacy Rule and the Security Rule (defined below) require CE to enter into a contract containing specific requirements with BA prior to the disclosure of PHI (defined below), as set forth in, but not limited to, Title 45, Sections 164.314(a), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”) and contained in this BAA.
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this BAA, CE and BA agree as follows:
1.1. Breach shall have the meaning given to such term under 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.
1.2. Business Associate shall have the meaning given to such term under 42 U.S.C. § 17938 and 45 C.F.R. § 160.103.
1.3. Covered Entity shall have the meaning given to such term under 45 C.F.R. § 160.103.
1.4. Data Aggregation shall have the meaning given to such term under 45 C.F.R. § 164.501.
1.5. Designated Record Set shall have the meaning given to such term 45 C.F.R. § 164.501.
1.6. Electronic Protected Health Information or EPHI means Protected Health Information that is maintained in or transmitted by electronic media.
1.7. Electronic Health Record shall have the meaning given to such term under 42 U.S.C. § 17921(5).
1.8. Health Care Operations shall have the meaning given to such term under 45 C.F.R. § 164.501.
1.9. Privacy Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
1.10. Protected Health Information or PHI means any information, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes Electronic Protected Health Information.
1.11. Protected Information shall mean PHI provided by CE to BA or created or received by BA on CE’s behalf.
1.12. Security Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.
1.13. Unsecured PHI shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402 and guidance issued pursuant to the HITECH Act including, but not limited to that issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009), by the Secretary of the U.S. Department of Health and Human Services (“Secretary”).
2.1. Permitted Access, Use or Disclosure. BA shall neither permit the unauthorized or unlawful access to, nor use or disclose, PHI other than as permitted or required by the Agreement, this BAA, or as permitted or required by law. Except as otherwise limited in the Agreement or this BAA, BA may access, use, or disclose PHI (i) to perform its services as specified in the Agreement; and (ii) for the proper administration of BA, provided that such access, use, or disclosure would not violate HIPAA, the HITECH Act, the HIPAA Regulations, or applicable state law if done or maintained by CE. If BA discloses Protected Information to a third party, BA must obtain, prior to making any such disclosure, (i) reasonable written assurances from such third party that such Protected Information will be held confidential as provided pursuant to this BAA and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to promptly notify BA of any Breaches of confidentiality of the Protected Information, to the extent it has obtained knowledge of such Breach.
2.2. Prohibited Uses and Disclosures Under HITECH. Notwithstanding any other provision in this BAA, BA shall comply with the following requirements: (i) BA shall not use or disclose Protected Information for fundraising or marketing purposes, except as provided under the Agreement and consistent with the requirements of 42 U.S.C. § 17936; (ii) BA shall not disclose Protected Information to a health plan for payment or health care operations purposes if the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates, 42 U.S.C. § 17935(a); (iii) BA shall not directly or indirectly receive remuneration in exchange for Protected Information, except with the prior written consent of CE and as permitted by the HITECH Act, 42 U.S.C. § 17935(d)(2); however, this prohibition shall not affect payment by CE to BA for services provided pursuant to the Agreement.
2.3. Appropriate Safeguards. BA shall implement appropriate safeguards designed to prevent the access, use or disclosure of Protected Information other than as permitted by the Agreement or this BAA. BA shall use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of EPHI. BA shall comply with each of its obligations under the applicable requirements of 45 C.F.R. §§ 164.308, 164.310, and 164.312 and the policies and procedures and documentation requirements of the HIPAA Security Rule set forth in 45 C.F.R. § 164.316.
2.4. Reporting of Improper Access, Use, or Disclosure.
(a) Generally. BA shall promptly notify CE of any Breach of security, intrusion or unauthorized access, use, or disclosure of PHI of which BA becomes aware and/or any access, use, or disclosure of data in violation of the Agreement, this BAA, or any applicable federal or state laws or regulations. BA shall take (i) prompt corrective action to cure any deficiencies in its policies and procedures that may have led to the incident, and (ii) any action pertaining to such unauthorized access, use, or disclosure required of BA by applicable federal and state laws and regulations.
(b) Breaches of Unsecured PHI. Without limiting the generality of the reporting requirements set forth in Section 2.4(a), BA also shall, following the discovery of any Breach of Unsecured PHI, notify CE in writing of such Breach without unreasonable delay and in no case later than sixty (60) days after discovery. The notice shall include the following information if known (or can be reasonably obtained) by BA: (i) contact information for the individuals who were or who may have been impacted by the Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the Breach, including the date of the Breach and date of discovery (as defined in 42 U.S.C. § 17932(c)); (iii) a description of the types of Unsecured PHI involved in the Breach (e.g., names, social security numbers, date of birth, addresses, account numbers of any type, disability codes, diagnostic and/or billing codes and similar information); (iv) a brief description of what the BA has done or is doing to investigate the Breach and to mitigate harm to the individuals impacted by the Breach.
(c) Mitigation. BA shall establish and maintain safeguards to mitigate, to the extent practicable, any deleterious effects known to BA of any unauthorized or unlawful access or use or disclosure of PHI not authorized by the Agreement, this BAA, or applicable federal or state laws or regulations; provided, however, that unless otherwise agreed in writing by the parties or required by applicable federal or state laws or regulations, such mitigation efforts by BA shall not require BA to bear the costs of notifying individuals impacted by such unauthorized or unlawful access, use, or disclosure of PHI; provided, further, however, that BA shall remain fully responsible for all aspects of its reporting duties to CE under Section 2.4(a) and Section 2.4(b).
2.5. Business Associate’s Subcontractors and Agents. BA shall ensure that any agents or subcontractors to whom it provides Protected Information agree to the same restrictions and conditions that apply to BA with respect to such PHI. To the extent that BA creates, maintains, receives or transmits EPHI on behalf of the CE, BA shall ensure that any of BA’s agents or subcontractors to whom it provides Protected Information agree to implement the safeguards required by Section 2.3 above with respect to such EPHI.
2.6. Access to Protected Information. To the extent BA maintains a Designated Record Set on behalf of the CE, BA shall make Protected Information maintained by BA or its agents or subcontractors in Designated Record Sets available to CE for inspection and copying within ten (10) days of a request by CE to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.524. If BA maintains an Electronic Health Record, BA shall provide such information in electronic format to enable CE to fulfill its obligations under the HITECH Act, including, but not limited to, 42 U.S.C. § 17935(e).
2.7. Amendment of PHI. To the extent BA maintains a Designated Record Set on behalf of CE, within ten (10) days of receipt of a request from the CE for an amendment of Protected Information or a record about an individual contained in a Designated Record Set, BA or its agents or subcontractors shall make PHI available to CE so that CE may make any amendments that CE directs or agrees to in accordance with the Privacy Rule.
2.8. Accounting Rights. Within ten (10) days of notice by CE of a request for an accounting of disclosures of Protected Information, BA and its agents or subcontractors shall make available to CE the information required to provide an accounting of disclosures to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.528, and its obligations under the HITECH Act, including but not limited to 42 U.S.C. § 17935(c), as determined by CE. BA agrees to implement a process that allows for an accounting to be collected and maintained by BA and its agents or subcontractors for at least six (6) years prior to the request. However, accounting of disclosures from an Electronic Health Record for treatment, payment, or health care operations purposes are required to be collected and maintained for only three (3) years prior to the request, and only to the extent BA maintains an electronic health record and is subject to this requirement. At a minimum, the information collected and maintained shall include, to the extent known to BA: (i) the date of the disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individual’s authorization, or a copy of the written request for disclosure. The accounting must be provided without cost to the individual or the requesting party if it is the first accounting requested by such individual within any twelve (12) month period. For subsequent accountings within a twelve (12) month period, BA may charge the individual or party requesting the accounting a reasonable fee based upon BA’s labor costs in responding to the request and a cost-based fee for the production of non-electronic media copies, so long as BA informs the individual or requesting party in advance of the fee and the individual or requesting party is afforded an opportunity to withdraw or modify the request. BA shall notify CE within five (5) business days of receipt of any request by an individual or other requesting party for an accounting of disclosures. The provisions of this Section 2.8 shall survive the termination of this BAA.
2.9. Governmental Access to Records. BA shall make its internal practices, books and records relating to the use and disclosure of Protected Information available to CE and to the Secretary for purposes of determining BA’s compliance with the Privacy Rule.
2.10. Minimum Necessary. To the extent feasible in the performance of services under the Agreement, BA (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of Protected Information necessary to accomplish the purpose of the request, use, or disclosure. Because the definition of “minimum necessary” is in flux, BA shall keep itself informed of guidance issued by the Secretary with respect to what constitutes “minimum necessary.” Notwithstanding the foregoing, the parties agree that based on the nature of the services provided to CE by BA under the Agreement, BA may be unable to determine what constitutes “minimum necessary” under HIPAA, and thus BA shall be entitled to rely on CE’s direction as to what constitutes “minimum necessary” with respect to the access, use, or disclosure of CE’s PHI in the possession or under the control of BA.
2.11. Permissible Requests by Covered Entity. CE shall not request BA to use or disclose PHI in any manner that would not be permissible under HIPAA or the HITECH Act if done by CE or BA. CE shall not direct BA to act in a manner that would not be compliant with the Security Rule, the Privacy Rule, or the HITECH Act.
2.12. Breach Pattern or Practice by CE. Pursuant to 42 U.S.C. § 17934(b), if BA knows of a pattern of activity or practice of CE that constitutes a material breach or violation of CE’s obligations under the Agreement, this BAA, or other arrangement, BA must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, BA must terminate the applicable Agreement to which the breach and/or violation relates if feasible, or if termination is not feasible, report the problem to the Secretary of the Department of Health and Human Services.
3.1. Term. The term of this BAA shall be effective as of the Effective Date and shall terminate when all of the PHI provided by CE to BA, or created or received by BA on behalf of CE, is destroyed or returned to CE.
(a) Material Breach by BA. Upon any material breach of this BAA by BA, CE shall provide BA with written notice of such breach and such breach shall be cured by BA within thirty (30) business days of such notice. If such breach is not cured within such time period, CE may immediately terminate this BAA and the applicable Agreement.
(b) Effect of Termination. Upon termination of any of the agreements comprising the Agreement for any reason, BA shall, if feasible, return or destroy all PHI relating to such agreements that BA or its agents or subcontractors still maintain in any form, and shall retain no copies of such PHI. If return or destruction is not feasible, BA shall continue to extend the protections of this BAA to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible.
4. Compliance with State Law. Nothing in this BAA shall be construed to require BA to use or disclose Protected Information without a written authorization from an individual who is a subject of the Protected Information, or without written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
5. Amendment to Comply with Law. Because state and federal laws relating to data security and privacy are rapidly evolving, amendment of the Agreement or this BAA may be required to provide for procedures to ensure compliance with such developments. BA and CE shall take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule and other applicable laws relating to the security or confidentiality of PHI. BA shall provide to CE satisfactory written assurance that BA will adequately safeguard all PHI. Upon the request of either party, the other party shall promptly enter into negotiations concerning the terms of an amendment to this BAA embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule or other applicable laws. CE may terminate the applicable Agreement upon thirty (30) days written notice in the event (i) BA does not promptly enter into negotiations to amend the Agreement or this BAA when requested by CE pursuant to this Section or (ii) BA does not enter into an amendment to the Agreement or this BAA providing assurances regarding the safeguarding of PHI that CE, in its reasonable discretion, deems sufficient to satisfy the standards and requirements of applicable laws, within thirty (30) days following receipt of a written request for such amendment from CE.
6. No Third-Party Beneficiaries. Nothing express or implied in the Agreement or this BAA is intended to confer, nor shall anything herein confer upon any person other than CE, BA and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
7. Notices. All notices hereunder shall be in writing, delivered personally, by certified or registered mail, return receipt requested, or by overnight courier, and shall be deemed to have been duly given when delivered personally or when deposited in the United States mail, postage prepaid, or deposited with the overnight courier addressed as follows: If to CE, to the address set forth in your iCouch profile, as such may be amended from time-to-time. If to BA: iCouch, Inc. 2319 Marblecrest Ln Spring, TX 77386 Attn: Security Officer or to such other persons or places as either party may from time to time designate by written notice to the other.
8. Interpretation. The provisions of this BAA shall prevail over any provisions in the Agreement that may conflict or appear inconsistent with any provision in this BAA. This BAA and the Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule. Any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule. Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Agreement shall remain in force and effect.
9. Entire Agreement of the Parties. This BAA supersedes any and all prior and contemporaneous business associate agreements or addenda between the parties and constitutes the final and entire agreement between the parties hereto with respect to the subject matter hereof. Each party to this BAA acknowledges that no representations, inducements, promises, or agreements, oral or otherwise, with respect to the subject matter hereof, have been made by either party, or by anyone acting on behalf of either party, which are not embodied herein. No other agreement, statement or promise, with respect to the subject matter hereof, not contained in this BAA shall be valid or binding.
10. Regulatory References. A reference in this BAA to a section of regulations means the section as in effect or as amended, and for which compliance is required.
11. Counterparts. This BAA may be executed in one or more counterparts, each of which shall be deemed to be an original, and all of which together shall constitute one and the same instrument.
Contact iCouch support at firstname.lastname@example.org to request a signed version of this document for your records.