© MEDEXPERT INTERNATIONAL, INC 2023 ALL RIGHTS RESERVED
TERMS AND CONDITIONS ×
User Agreement
Agreement between User and www.medexperthealth.com
Welcome to www.medexperthealth.com.
The www.medexperthealth.com (the "Site") is comprised of various
web pages operated by MedExpert
International, Inc. ("MedExpert").
www.medexperthealth.com is offered
to you conditioned on your acceptance without modification of the terms, conditions, and notices
contained herein (the “Terms”). Your use
of www.medexperthealth.com constitutes your agreement to all such terms. Please read these terms carefully and keep a copy of them for your reference.
www.medexperthealth.com
is an e-Commerce Site.
The
PURPOSE of this Site is to assist employers and organizations with compliance with state tracking, notification and reporting laws and policies. The notification process
includes sending notices to employees; county and state officials; and agencies (OSHA) on a timely basis.
User of the Site is responsible for adding accurate information to the Site,
including accurate worksite addresses and information; employee
names and contact information; and registering administrative users.
Accuracy of worksite identification, employee information and administrator
information is the sole responsibility of the User.
Privacy
Your use of www.medexperthealth.com is subject to MedExpert’s Privacy Policy. Please review our Privacy Policy, which also governs
the Site and informs users of our
data collection practices.
Electronic Communications
Visiting www.medexperthealth.com or sending emails to MedExpert constitutes electronic communications. You consent to receive electronic communications and you agree that all agreements notices, disclosures
and other communications that we
provide to you electronically via email and on the Site, satisfy any legal
requirement that such communications be in writing.
Your Account
If you use this site, you
are responsible for maintaining the confidentiality
of your account and password and for restricting access
to your computer, and you agree to accept responsibility for all
activities that occur under your account
or password. You may not assign or otherwise transfer your account
to any other person or entity.
You acknowledge that MedExpert
is not responsible for third party access
to your account
that results from theft or misappropriation of your account. MedExpert and its associates reserve
the right to refuse
or cancel service,
terminate accounts,
or remove or edit content in our sole discretion.
Children Under Thirteen
MedExpert does not knowingly collect, either online
or offline, personal information from persons under
the age of thirteen. If you are under
18, you may use www.medexperthealth.com only with permission of a parent or guardian.
Cancellation/Refund Policy
You may cancel your subscription at any time. Any cancellations made after 30 days
of service will not qualify for a refund. Please contact us at notification@medexpert.com with any questions.
Links to Third Party Sites of Third-Party Services
www.medexpert.com may contain links to other websites ("Linked
Sites"). The Linked Sites are not under the control of MedExperthealth and MedExpert is not
responsible for the contents of any Linked Site, including without limitation any
link contained in a Linked Site, or
any changes or updates to a Linked Site.
MedExpert is providing these links to you only as a convenience, and the inclusion of any link
does not imply endorsement by MedExpert of the site or any association with its operators.
Certain services made available via www.medexperthealth.com are delivered by third party sites and organizations. By using any product, service or functionality
originating from the www.medexperthealth.com domain, you hereby acknowledge and consent that MedExpert may share
such information and data with any third party with whom MedExpert has a HIPAA/HITECH legal contractual relationship
to provide the requested product, service
or functionality on behalf
of www.medexperthealth.com users and customers.
No Unlawful or Prohibited Use/Intellectual Property
You are granted a non-exclusive, non-transferable, revocable license to access and use www.medexperthealth.com strictly in accordance with these terms
of use. As a condition of your use of
the Site, you warrant to MedExpert that you will not use the Site for any purpose
that is unlawful
or prohibited by these Terms. You may not use the Site in any
manner which
could damage, disable, overburden, or impair the Site or interfere
with any other party's use and enjoyment
of the Site. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available or provided for through the Site.
All content included as part
of the Service, such as text,
graphics, logos, images, as well as the compilation thereof, and any
software used on the Site, is the
property of MedExpert or its suppliers and protected by copyright and other laws that protect intellectual
property and proprietary rights. You agree to observe and
abide by all copyright and other proprietary notices, legends or other
restrictions contained in any such content
and will not make any changes thereto.
You will not modify, publish, transmit, reverse engineer,
participate in the transfer or sale, create derivative works, or in any way
exploit any of the content, in whole or in part, found on the Site. MedExpert
content is not for resale. Your use of the Site does not entitle you to make
any unauthorized use of any protected content, and in
particular you will not delete or alter any proprietary rights or
attribution notices in any content. You will use protected content solely for
your personal use and will make no other use of the content without the express
written permission of MedExpert and the copyright owner. You agree that you do
not acquire any ownership rights in any protected content. We do not grant you
any licenses, express or implied, to the intellectual property of MedExpert or
our licensors except as expressly authorized by these Terms.
International Users
The Service is controlled, operated, and administered by
MedExpert from our offices within the USA. lf you
access the Service from a location outside the USA, you are responsible for
compliance with all local laws. You agree that you will not use the MedExpert
Content accessed through www.medexperthealth.com in any country or in any
manner prohibited by any applicable laws, restrictions, or regulations.
Indemnification
You agree to indemnify,
defend and hold harmless MedExpert,
its officers, directors. employees, agents and third parties, for any losses,
costs, liabilities and expenses
(including reasonable attorney fees) relating to or arising
out of your use
of or inability to use the Site or service s, any user
postings made by you, your violation
of any terms of this Agreement or your violation of any rights of a third party,
or your violation of any applicable laws, rules or regulations. MedExpert reserves the right,
at its own cost, to assume the exclusive defense and control of any matter
otherwise subject to indemnification by you, in which event you will fully cooperate with MedExpert in asserting any available defenses.
Arbitration
In the event the parties are not able to resolve any dispute between
them arising out of or concerning these Terms
and Conditions, or any provisions hereof, whether in contract, tort, or otherwise at law or in equity for damages or any other relief, then such dispute shall
be resolved only by final
and binding arbitration pursuant to the Federal
Arbitration Act, conducted by a single neutral arbitrator and administered by the American Arbitration Association, or a similar arbitration service
selected by the parties, in a location mutually agreed
upon by the parties. The arbitrator's
award shall be final, and
judgment may be entered upon it in any court
having jurisdiction. In the event
that any legal or equitable action, proceeding or arbitration arises out of or concerns these Terms
and Conditions, the prevailing party shall be entitled to recover
its costs and reasonable attorney's fees.
The parties agree to arbitrate all disputes and claims
in regard to these Terms
and Conditions or any
disputes arising
as a result of these Terms
and Conditions, whether directly or indirectly, including Tort
claims that arc a result
of these Terms and Conditions. The parties agree that the Federal Arbitration Act governs
the interpretation and
enforcement of this provision. The entire dispute including the scope and enforceability of this arbitration provision shall be determined by the Arbitrator. This arbitration provision shall
survive the termination of theseTem1s and Conditions.
Class Action Waiver
Any arbitration under these Terms and Conditions will take
place on an individual basis; class arbitrations and
class/representative/collective actions are not permitted. THE PARTIES AGREE
THAT A PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN EACH'S INDIVIDUAL
CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PUTATIVE CLASS,
COLLECTIVE AND/ OR REPRESENTATIVE PROCEEDING, SUCH AS IN THE FORM OF A PRIVATE
ATTORNEY GENERAL ACTION AGAINST THE OTHER. Further, unless both you and
MedExpert agree otherwise arbitrator may not consolidate more than one person's
claims and may not otherwise preside over any form of a representative or class
proceeding.
Liability Disclaimer
THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES INCLUDED IN
OR AVAILABLE THROUGH THE SITE MAY INCLUDE INACCU compliance with
all local laws. You agree that you will not use the
MedExpert Content accessed through www.medexpert.com in any country or in any manner prohibited by any applicable
laws, restrictions or regulations.
Liability Disclaimer
THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES INCLUDED IN
OR AVAILABLE THROUGH THE SITE MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS.
CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. MEDEXPERT
INTERNATIONAL INC. AND/OR ITS SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN
THE SITE AT ANY TIME.
MEDEXPERT INTERNATIONAL, INC. AND/OR ITS SUPPLIERS MAKE NO
REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, AVAILABILITY, TIMELINESS
AND ACCURACY OF THE INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED
GRAPHICS CONTAINED ON THE SITE FOR ANY PURPOSE. TO THE MAXIMUM EXTENT PERMITTED
BY APPLICABLE LAW, ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND
RELATED GRPAHICS ARE PROVIDED “AS IS” WITHOUT WARRANTY OR CONDITION OF ANY
KIND. MEDEXPERT INTERNATIONAL, INC. AND/OR ITS SUPPLIERS HEREBY DISCLAIM ALL
WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS,
SERVICES AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES OR CONDITIONS
OF MERCHANTBILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND
NON-INFRINGEMENT.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO
EVENT SHALL MEDEXPERT INTERNATIONAL, INC. AND/OR ITS SUPPLIERS BE LIABLE FOR ANY
DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUETIAL DAMAGES OR ANY
DAMAGES WHATSOEVER INCLUDING, WITHOT LIMITATION, DAMAGES FOR LOSS OF USE, DATA
OR PRFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OR PERFORMANCE
OF THE SITE, WITH THE DELAY OR INABILITY TO USE THE SITE OR RELATED SERVICES,
THE PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR FOR ANY IFORMATION,
SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS OBTAINED THROUGH THE SITE, OR
OTHERWISE ARISING OUT OF THE USE OF THE SITE, WHETHER BASED ON CONTRACT, TORT,
NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVN IF MEDEXPERT INTERNATIONAL, INCL
OR ANY OF THE SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMEAGES, because some states/jurisdictions do not allow
the exclusion or limitation of liability for consequential or incidental
damages, the above limitation ma not appl to you. If you are dissatisfied with
any portion of the site, or with any of discontinue using the site.
Termination/Access Restrictions
MedExpert reserves the right, in its sole discretion, to
terminate your access to the Site and the related services or any portion
thereof at any time, without notice. The maximum extent permitted by law, this
agreement is governed by the laws of the State of California and you hereby
consent to the exclusive jurisdiction and venue of courts in California in all
disputes arising out of or relating to the use of the Site.
Use ofd1e Site
is unauthorized in any
jurisdiction that
does not give effect to all provisions of these Terms,
including, without
limitation, this section.
You agree that no
joint venture, partnership, employment, or agency relationship exists
between you and MedExpert as a result of this agreement
or use of the Site.
MedExpert’s performance of this agreement
is subject to existing laws
and legal process,
and nothing contained in this
agreement is derogation of MedExpert’s right
to comply with governmental , court and law enforcement requests or requirements relating
to your use of the Site or information
provided to or gathered
by MedExperthealth with respect to
such use. If any part of this agreement is determined to be invalid
or unenforceable pursuant to applicable law including, but not limited
to, the warranty
disclaimers and liability limitations
set forth above, then the invalid or unenforceable provision will be
deemed superseded by a valid, enforceable
provision that most closely matches
the intent of the original provision and the remainder of the agreement
shall continue in effect.
Unless otherwise
specified herein, this
agreement constitutes the entire agreement between
the user and MedExperthealth with respect to
the Site and it supersedes
all prior or contemporaneous communications
and proposals, whether electronic, oral or written, between the user and MedExpert
, the respect to the Site. A printed
version of this
agreement and
of any notice given in electronic
form shall be admissible in judicial
or administrative proceedings based upon or relating to this agreement to the same
extent and subject to the same
conditions as other business documents and records originally generated and maintained in printed
form. It is the express
wish to the parties that
this agreement and all related
documents be written
in English.
Personal Identifying Information and Personal Health
Information
READ CAREFULLY; REQUIRED COMPLIANCE WITH HIPAA/HITECH LAWS TO
PROTECT INDIVIDUAL PERSONAL HEALTH INFORMATION
The
COVID-19 compliance program requires access, storage and electronic transmission
of personal identifying information and personal health information (PHI). ALL PERSONAL IDENTIFYING INFORMATION AND
PERSONAL HEALTH INFORMATION MUST BE KEPT CONFIDENTIAL AND IN COMPLIANCE WITH
HIPAA AND HITECH LAWS. All COVID-19
testing or related medical services will be stored and transmitted in a manner
that ensures the confidentiality of employees PHI, with
the exception of unredacted information on COVID-19 cases
that are required by law to be provided to the local health department,
CDPH, Cal/OSHA, the National Institute for Occupational Safety and Health
(NIOSH), and or as otherwise required by law.
All
employees’ medical records will also be kept confidential in accordance with
HIPAA/HITECH regulations, with the following exceptions: (1) Unredacted
medical records provided to the local health department, CDPH, Cal/OSHA, NIOSH,
or as otherwise required by law upon request; and (2) Records that do
not contain individually identifiable medical information or from which
individually identifiable medical information has been removed.
Transfer
and storage of PHI requires a Business Associate Agreement that
protects individuals by enforcing compliance with the Health Insurance
Portability and Accountability Act (HIPAA) and HITECH. MedExpert is the
Business Associate and a “User” who is managing the health information of their
employees is, for the purpose of this agreement, the Covered Entity.
MedExpert and User, “The Parties,” desire to protect the privacy and security
of all such PHI in compliance with all Applicable Laws, as hereinafter defined,
including the Health Insurance Portability and Accountability Act of 1996, as
supplemented and amended, and all the rules and regulations promulgated, or in
the future promulgated, thereunder (collectively, “HIPAA”), and the purpose of
this Agreement is to ensure compliance with HIPAA as may be amended from time to
time, including all associated existing and future rules and regulations, when
and as each is effective.
The
parties desire that this Agreement set forth the (1) permitted and required
uses and disclosures of PHI by the Business Associate; (2) required safeguards
to prevent unauthorized disclosure of the PHI; (3) reporting requirements in
the event of any unauthorized use or disclosure of the PHI; (4) requirements
regarding any subcontractors or agents of the Business Associate; (5)
provisions for the termination of this Agreement and the requirements regarding
the handling of the PHI upon termination of the Agreement; and (6) such other
terms and conditions as set forth in this Agreement; all with the purpose of
ensuring compliance with HIPAA.
DEFINITIONS
All capitalized terms used in this Agreement not otherwise defined
in this Agreement have the meanings
established for purposes of HIPAA.
"Applicable Laws" or "Applicable Law"
shall mean HIPAA and all other federal, state and local laws, regulations and
rules to the extent such other laws are not preempted by HIPAA, all as such
laws are amended, or as may be amended from time to time.
“Breach” as defined in 45 C.F.R. 164.402 means
the acquisition, access, use or disclosure of PHI in a manner not permitted by
the HIPAA Rules which compromises the security or privacy of the PHI as defined
in 45 C.F.R. 164.402.
"Business Associate" shall
generally have the same meaning as the term "business associate" at 45
C.F.R.
160.103, and in reference to the party to this Agreement, shall mean the
Business Associate set forth above in this Agreement.
"Covered Entity" shall generally have the same
meaning as the term "covered entity" at 45 C.F.R. 160.103, and in reference to the party to this
Agreement, shall mean the Covered Entity set forth above in this Agreement.
"Designated Record Set"
shall be as defined in 45 C.F.R. 164.501 and means a group of records
maintained by or for Covered Entity that is: (i) the
medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the
enrollment, payment, claims adjudication, and case or medical management record
systems maintained by or for a health plan; or (iii) used, in whole or in part,
by or for Covered Entity to make decisions about Individuals. For purposes of
this paragraph, the term record means any item, collection, or grouping of
information that includes PHI and is maintained, collected, used, or
disseminated by or for Covered Entity.
“Electronic Protected Health Information” (“ePHI”) is
defined in 45 C.F.R. 160.103 and means PHI that is transmitted by, or
maintained in, electronic media.
"Health Care Operations" shall be as defined in 45
C.F.R. 164.501 and means any of the following activities of Covered Entity to
the extent that the activities are related to covered functions: (i) conducting quality assessment and improvement
activities, including outcomes evaluation and development of clinical
guidelines, provided that the obtaining of generalizable knowledge
is not the primary purpose
of any studies resulting from such
activities; patient safety activities; population-based activities relating to
improving health or reducing health care costs, protocol development, case
management and care coordination, contacting of health care providers and
patients with information about treatment alternatives; and related functions
that do not include treatment; (ii) reviewing the competence or qualifications
of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting
training programs in which students, trainees, or practitioners in areas of
health care learn under supervision to practice or improve their skills as
health care providers, training of non-health care professionals,
accreditation, certification, licensing, or credentialing activities; (iii)
except as prohibited under 45 C.F.R. 164.502(a)(5)(i),
underwriting, enrollment, premium rating, and other activities relating to the
creation, renewal or replacement of a contract of health insurance or health
benefits, and ceding, securing, or placing a contract for reinsurance of risk
relating to claims for health care (including stop-loss insurance and excess of
loss insurance), provided that the requirements of 45 C.F.R. §164.514(g)
relating to uses and disclosures of PHI for underwriting and related purposes
are met, if applicable; (iv) conducting or arranging for medical review, legal
services, and auditing functions, including fraud and abuse detection and
compliance programs; (v) business planning and development, such as conducting
cost-management and planning-related analyses related to managing and operating
the Covered Entity, including formulary development and administration,
development or improvement of methods of payment or coverage policies; and (vi)
business management and general administrative activities of Covered Entity,
including, but not limited to: (A) management activities relating to
implementation of and compliance with the requirements of the HIPAA Rules; (B)
customer service, including the provision of data analyses for policy holders,
plan sponsors, or other customers, provided that PHI is not disclosed to such
policyholder, plan sponsor, or customer; (C) resolution of internal grievances;
(D) the sale, transfer, merger, or consolidation of all or part of Covered
Entity with another covered entity, or an entity that following such activity
will become a covered entity and due diligence related to such activity; and
(E) consistent with the applicable requirements and limitations of 45 C.F.R.
§164.514, creating de-identified health information or a limited data set, or
fundraising and fundraising communications for the benefit of Covered Entity.
"HIPAA" means the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, as supplemented
and amended by HITECH and other Applicable Laws, and any and
all references in this Agreement to HIPAA shall also be deemed
to include all associated existing
and future rules and regulations, when and as each is effective, including the rules enacted as a
result of HITECH and the Omnibus Rule, effective March 26, 2013 (the
"Omnibus Rule"). HIPAA is hereby incorporated into this Agreement by
this reference.
"HIPAA Rules" shall include the Privacy,
Security, Breach Notification, and Enforcement Rules and the administrative
requirements generally set forth at 45 C.F.R. Parts 160, 162 and 164 and any
other rules in effect or adopted in the future under HIPAA including, without
limitation, the rules enacted as a result of HITECH and the Omnibus Rule. All
such HIPAA Rules and the applicable and related standards, requirements and
implementation specifications, rules and regulations are hereby incorporated by
this reference into this Agreement.
"HITECH" means the Health Information
Technology for Economic and Clinical Health Act of 2009, enacted as part of the
American Recovery and Reinvestment Act of 2009, Public Law 111-5, Title XIII of
Division A and Title IV of Division B as codified at 42 U.S.C. §§17901-17953,
and any and all references in this Agreement to HITECH
shall be deemed to include all associated existing and future rules and
regulations, when and as each is
effective.
"Individual" as defined in 45 C.F.R. 160.103 means a
person (as defined in 45 C.F.R. 160.103) who
is the subject of the PHI, or that person's
personal representative to the extent
set forth in 45 C.F.R.
164.502(g).
"Individually Identifiable Health Information"
is as defined in 45 C.F.R. 160.103.
“PHI” means Protected Health Information, as defined in 45 C.F.R. §
160.103, which means any Individually Identifiable Health Information, whether
oral or recorded in any form or medium, that is transmitted or maintained in
electronic media or any other form or medium, except as specifically excluded
under paragraph 2 of the PHI definition in 45 C.F.R. 160.103.
“Privacy Rule” is a part of the HIPAA Rules and
means the federal privacy regulations codified at 45 C.F.R. Parts 160, 162 and
164 (Subparts A, C & E), as such may be amended from time to time.
"Required By Law"
as defined in 45 C.F.R. 164.103, means a mandate contained in law that compels Covered
Entity or Business
Associate to make a use or disclosure of PHI and that is enforceable in a court of law. This may include, but is
not limited to, court orders and court-ordered warrants; subpoenas or summons
issued by a court, grand jury, a governmental or tribal inspector general, or
an administrative body authorized to require the production of information; a
civil or an authorized investigative demand; Medicare conditions of
participation with respect to health care providers participating in the
program; and statutes or regulations that require the production of
information, including statutes or regulations that require such information if
payment is sought under a government program providing public benefits.
“Security Rule” is a part of the HIPAA Rules and
means the federal security regulations codified at 45 C.F.R. Parts 160, 162 and
164 (Subparts A & C), as such may be amended from time to time.
RESPONSIBILITIES
OF MedExpert as BUSINESS ASSOCIATE
Permitted Uses and Prohibited Uses. MedExpert agrees to use or
disclose PHI only as permitted or required pursuant to this Agreement and in
compliance with HIPAA and the HIPAA Rules or as otherwise Required by Law.
Furthermore,
MedExpert shall not use or disclose PHI in any manner that would constitute a
violation of HIPAA or the HIPAA Rules including the applicable portions of 45
C.F.R. Parts 162 and 164 (such as Subpart E of Part 164) if so used or
disclosed by Covered Entity, except that MedExpert may use PHI: (i) for the proper management and administration of Business
Associate; or (ii) to carry out the legal responsibilities of MedExpert
provided the disclosures are Required by Law. MedExpert may use and disclose to
a subcontractor or agent the PHI in its possession for the purposes described
in the first part of this paragraph, provided that any subcontractor or agent
to which MedExpert discloses PHI for those purposes provides satisfactory,
reasonable written assurances in advance that: (i)
the information will be held confidentially and used or further disclosed only
as Required by Law; (ii) the information will be used only for the purpose for
which it was disclosed to the subcontractor or agent; (iii) the subcontractor
or agent agrees to the same restrictions and conditions that apply
to MedExpert with respect
to the PHI; and (iv) the subcontractor or agent promptly
will notify MedExpert of any
instances of which it becomes aware in which the confidentiality of the
information has been breached.
To
the extent MedExpert is to carry out one or more of Covered Entity's
obligations under Subpart E of 45 C.F.R. Part 164, MedExpert shall comply with
the requirements of such obligations that apply to the Covered Entity in the
performance of such obligation.
Appropriate Safeguards. MedExpert represents that it has
in place, and agrees to use, appropriate policies, procedures and safeguards
that adequately safeguard any PHI (including ePHI) from use or disclosure other
than as provided for by this Agreement, and MedExpert specifically agrees, on
behalf of itself, its subcontractors and agents, to safeguard and protect the
confidentiality of PHI consistent with Applicable Law, including currently
effective provisions of HIPAA and the HIPAA Rules. MedExpert shall implement
and maintain a comprehensive information privacy and security program that
includes (i) administrative, technical and physical safeguards, (ii) policies and
procedures, and (iii) documentation in the same manner as required for Covered
Entity and other covered entities ("Privacy and Security Program"). MedExpert
shall implement and use its appropriate Privacy and Security Program to: (i) prevent use or disclosure of PHI other than as permitted
by this Agreement and in compliance with all Applicable Laws; (ii) reasonably and
appropriately protect the confidentiality, integrity, and availability of the
PHI and ePHI that MedExpert creates, receives, maintains, or transmits; and
(iii) comply with the Security Rule requirements including those set forth in
45 C.F.R. §§ 164.304, 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316.
Safeguarding Electronic PHI. With respect to PHI, MedExpert
shall comply with the applicable standards, implementation specifications and
requirements of Subpart C of 45 C.F.R. 164 with respect to ePHI that MedExpert
creates, receives, maintains, or transmits electronically. Furthermore, MedExpert
shall implement administrative, technical, and physical safeguards as described
in the Security Rule, which reasonably and appropriately protect the confidentiality,
integrity, and availability of such electronic PHI. Without limiting the
foregoing, MedExpert shall: (i) ensure that any
agent, including any subcontractor, to whom MedExpert provides
ePHI agrees to implement reasonable and appropriate safeguards to protect such ePHI; (ii) report to the Covered
Entity any “Security Incident” as defined by the Security Rule (including the
attempted or successful unauthorized access, use, disclosure, modification, or
destruction of information or interference with system operations in your
information system containing the Covered Entity’s PHI) of which MedExpert
becomes aware; and (iii) make its policies, procedures, practices, records,
compliance reports and documentation available to the Secretary to determine
compliance with the Security Rules and the applicable administrative
simplification provisions of HIPAA and the HIPAA rules, and otherwise as
Required by Law.
Notification of Unauthorized Use or Disclosure,
or Other Breach. During the term of this Agreement, MedExpert shall notify
Covered Entity without unreasonable delay, and in any event within twenty-four
(24) hours of its discovery (as defined by 45 C.F.R. 164.410(a)(2)) by MedExpert,
of (i) any suspected or actual Breach of security,
intrusion or unauthorized use or disclosure of PHI or electronic PHI, or any
other actual or suspected use or disclosure of PHI, electronic PHI or other data in violation of this Agreement
or any Applicable Law; (ii)
any use or disclosure of PHI not provided for by this Agreement of which it
becomes aware, including any Breaches of Unsecured PHI, in accordance with 45
C.F.R. 164.410 or 45 C.F.R. § 164.504(e)(2)(ii)(C) or any other HIPAA Rule; (iii)
any Security Incident of which MedExpert becomes aware in accordance with 45
C.F.R. § 164.314(a)(2)(C); or (iv) any incident that involves an unauthorized
acquisition, access, use, or disclosure of PHI, even if MedExpert believes the
incident will not rise to the level of a Breach.
The
notification shall include, to the extent possible, and shall be supplemented
on an ongoing basis with: (i) the identification of
all individuals whose Unsecured PHI was or is reasonably believed to have been
accessed, acquired, used, disclosed or involved; (ii) all other information
reasonably requested by Covered Entity to enable Covered Entity and MedExpert
to perform and document Risk Assessments in accordance with 45 C.F.R. Part 164
subparts C, D and E including 45 C.F.R. 164.308 with respect to the incident to
determine whether a Breach of Unsecured PHI occurred; (iii) the incident,
including the date of the Breach and the date of the discovery of the Breach,
if known; (iv) who made the unauthorized use or received the unauthorized
disclosure; (v) the types of Unsecured PHI involved in the Breach; (vi) any
specific steps the Individual should take to protect him or herself from
potential harm related to the Breach; (vii) what the Business Associate is
doing to investigate the Breach, to mitigate harm to Individuals and to protect
against further Breaches; (viii) contact procedures for how the Individual can
obtain further information from MedExpert; (ix) such other information,
including the Risk Assessment analysis prepared by MedExpert, as Required by
Law or as reasonably requested by the Covered Entity or the Privacy Official,
and (x) all other available information reasonably necessary or required to
provide notice to Covered Entity, any other applicable covered entities,
Individuals, HHS or the media, all in accordance with the data breach
notification requirements set forth in 45 C.F.R. Parts 160 & 164.
Notwithstanding the foregoing, in Covered Entity’s sole discretion and in
accordance with its directions, MedExpert shall conduct, or pay the costs of
conducting, an investigation of any incident required to be reported under this
Section 2.4. If in the opinion of the Covered Entity the incident qualifies as
a Breach, MedExpert shall carry out the appropriate notification
responsibilities, at its sole cost and expense, if so
directed by Covered Entity, after receiving the Covered Entity's approval of MedExpert's
plan of proposed notifications and the specific content of such notifications
or shall reimburse Covered Entity for the cost and expense of such
notifications if Covered Entity chooses to make them. MedExpert shall require all of its subcontractors and agents who experience these
events related to the Covered Entity to report the event to MedExpert in such a
time so that MedExpert shall comply with the notification requirements
described in this section.
Corrective Action. MedExpert shall take: (i) prompt corrective action to cure any deficiencies which
led or could lead to a Breach or a Security Incident; and (ii) any action
pertaining to such unauthorized disclosure required by Applicable Laws and with
Covered Entity's approval as to the actions to be taken, which shall not be
unreasonably withheld. MedExpert shall conduct a Risk Assessment to determine
whether a Breach occurred and inform the Covered Entity of its assessment.
MedExpert's Subcontractors and Agents.
To the extent that MedExpert uses one or more subcontractors or agents,
including any person to whom MedExpert delegates a function, activity or
service, or who may create, receive, maintain, transmit or have access to PHI,
then each such subcontractor or agent shall sign an agreement with MedExpert
containing the same provisions, restrictions and conditions on the use or
disclosure of PHI that apply to MedExpert as this Agreement, including all
terms and conditions mandated by the Privacy Rule and the Security Rule, including
but not limited to, 45 C.F.R. 164.502(e)(1), 164.504(e)(2)(ii)(D),
164.308(b)(2) and 164.314(a)(2)(iii) (the "Subcontractor Agreement").
MedExpert shall obtain satisfactory assurances that its subcontractor or agent
will appropriately safeguard the PHI. To the extent that MedExpert provides PHI
or ePHI to a subcontractor or agent, it shall require the subcontractor or
agent to implement reasonable and appropriate safeguards to protect PHI and the
ePHI consistent with the requirements of this Agreement, and further
identifying Covered Entity as a third party
beneficiary with rights of enforcement and indemnification from such
subcontractors or agents in the event of any violation of the Subcontractor
Agreement. MedExpert shall implement and maintain sanctions against agents and
subcontractors that violate such restrictions and conditions and shall mitigate
the effects of any such violation and shall be responsible for any costs and
liabilities therefrom. MedExpert shall be liable to Covered Entity for any
acts, failures or omissions of the agent or subcontractor in providing the
services as if they were MedExpert's own acts, failures or omissions, to the
extent permitted by Applicable Law. MedExpert further expressly warrants that
its agents or subcontractors will be specifically advised of, and will comply
in all respects with, the terms of this Agreement.
Governmental Access to Records. Unless
otherwise prohibited by Applicable Law, MedExpert shall make its internal practices, books and records
relating to the use
and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services
(the "Secretary") for purposes of determining
compliance with HIPAA and HIPAA Rules. MedExpert shall immediately notify
Covered Entity upon receipt by MedExpert of any such requests for access by the
Secretary of HHS, and shall provide Covered Entity
with a copy thereof as well as a copy of all materials disclosed pursuant
thereto. MedExpert shall provide to Covered Entity a copy of any PHI that MedExpert
provides to the Secretary concurrently with providing such PHI to the
Secretary.
Documentation of Disclosures. MedExpert
agrees to document any requests for disclosures of PHI and provide information
related to such disclosures as would be required for Covered Entity to respond to a request
by an Individual for an accounting of disclosures of PHI in accordance
with 45 C.F.R. 164.528. In the event that the request for an accounting is delivered
directly to MedExpert or its subcontractors or agents, MedExpert shall within
five (5) business days of a request forward it to Covered Entity in writing.
Upon receipt of such a request directly from an Individual or forwarded from MedExpert,
Covered Entity shall request that MedExpert shall document and make available
to Covered Entity the information necessary for Covered Entity (or its
applicable Covered Entity customer) to make an accounting of disclosures of PHI
about an Individual to the requesting Individual. MedExpert shall comply with
such request within ten (10) business
days after receiving a written request from Covered Entity and shall provide
such information to the Covered Entity or, when and as directed by Covered
Entity, make that information available directly to an Individual, all in
accordance with the requirements for accounting for disclosures in the HIPAA
Rules, including 45
C.F.R.
§ 164.528.
MedExpert
agrees to implement a process that allows for an accounting of disclosures to
be collected and maintained by MedExpert and its subcontractors and agents for
at least six (6) years prior to the request for the accounting in accordance
with 45 C.F.R. 164.528 and all Applicable Law. At a minimum, such information
shall include: (A) the date of disclosure; (B) the name of the entity or person
who received PHI and, if known, the address of the entity or person; (C) a
brief description of PHI disclosed; and (D) a brief statement of purpose of the
disclosure that reasonably informs the Individual of the basis for the
disclosure, or a copy of the Individual's authorization, or a copy of the
written request for disclosure. It shall be Covered Entity's responsibility to
prepare and deliver any such accounting of disclosures requested to the
Individual. MedExpert shall not disclose any PHI except as permitted by this
Agreement.
Access to PHI. MedExpert shall make PHI maintained by MedExpert or
its or subcontractors or agents in Designated Record Sets about an Individual available (i) to Covered
Entity for inspection and copying within five (5)
business days of a request by Covered Entity (whether an original request or a
request from Covered Entity which was forwarded to it per below) to enable
Covered Entity to fulfill its obligations under the Privacy Rule, including,
but not limited to, 45 C.F.R. Section 164.524, or (ii) when and as directed by
Covered Entity, MedExpert shall provide that access directly to an Individual,
all in accordance with the requirements of 45 C.F.R. § 164.524. In the event that the request for access to PHI is delivered
directly to MedExpert or its agents or subcontractors, MedExpert shall within
five (5) business days of a request, forward it to Covered Entity in writing.
It shall be Covered Entity's responsibility to respond to any such request for
access to PHI. MedExpert shall not disclose any PHI except as permitted by this Agreement.
Electronic Copies. Notwithstanding Section 2.9, in the event that MedExpert uses or maintains an electronic
health record of PHI of or about an Individual, then MedExpert shall provide an
electronic copy (at the request of Covered Entity, and in the reasonable time
and manner requested by Covered Entity but in no event more than five (5)
business days after the request) of the PHI, to Covered Entity or, when and as
directed by Covered Entity, directly to an Individual.
Amendment of PHI. To the extent that MedExpert maintains
Designated Record Sets, within ten (10) business days of receipt
of a request from Covered
Entity for an amendment of PHI or a record
about an Individual contained in a Designated Record Set, MedExpert or
its agents or subcontractors shall make such
PHI available to Covered Entity for amendment and incorporate any such amendment
to enable Covered
Entity to fulfill its obligations under the Privacy Rule, including, but
not limited to, 45 C.F.R. Section 164.526. If any Individual requests an
amendment of PHI directly from MedExpert or its agents or subcontractors, MedExpert
must notify Covered Entity in writing within five (5) business days of the
request as it shall be Covered Entity's responsibility to determine whether any
such amendment should be made and to make any such amendments. Any denial of
amendment of PHI maintained by MedExpert or its agents or subcontractors shall
be the responsibility of Covered Entity. MedExpert shall not disclose any PHI
except as permitted by this Agreement.
Communication on Requests. MedExpert shall accommodate requests
for confidential communications in accordance with 45 C.F.R. § 164.522, as
directed by Covered Entity or, if applicable, as directed by the Individual to
whom the PHI relates, with the consent of Covered Entity. MedExpert shall also
notify Covered Entity in writing within
five (5) business
days after MedExpert’s receipt directly from an Individual of any request for an
accounting of disclosures, access to, or amendment of PHI or for confidential
communications as contemplated in Sections 2.8-2.11.
Minimum PHI Necessary. MedExpert (and its agents or
subcontractors) shall request, use or disclose only the minimum amount of PHI
necessary to accomplish the purpose of the request, use or disclosure as per 45
C.F.R. 164.502(b). MedExpert shall maintain a written policy delineating the standards
it will use in determining the minimum necessary information for its uses and
disclosures of PHI in accordance with standards set forth in the Privacy Rule.
Prohibited Payments. MedExpert shall not directly or indirectly
receive remuneration or payment in exchange for any PHI and shall not sell any
PHI. MedExpert shall not receive direct or indirect remuneration or
payment for marketing or marketing communications which include PHI relating to
Covered Entity or its Individuals.
Prohibited Communications. MedExpert shall not make or cause to be
made any communication about a product or service that is not considered a
Health Care Operation.
Mitigation. MedExpert shall mitigate, to the extent practicable,
any harmful effect that is known to MedExpert of a use or disclosure of PHI by MedExpert
that is not permitted by this Agreement.
Compliance with Law. MedExpert shall comply with all Applicable Laws.
Domestic Use. MedExpert shall not use, transfer, transmit, or
otherwise send or make available, any PHI outside of the geographic confines of
the United States of America without Covered Entity’s advance written consent.
Government Program Requirements. To the extent that MedExpert
receives, uses or discloses PHI pertaining to Individuals enrolled in managed
care plans through which Covered Entity participates in government funded
health care programs, receipt use and disclosure of the PHI pertaining to those
Individuals shall comply with the applicable program requirements.
Data Ownership. MedExpert acknowledges that MedExpert has no
ownership rights with respect to the PHI.
Retention of PHI. MedExpert and its subcontractors or agents shall
retain all PHI throughout the term of the Agreement and shall continue
to maintain such information for a period
of no less than six (6)
years after termination of the Agreement.
Contradictory Terms; Construction of Terms. This Agreement shall
be interpreted as broadly as necessary to implement and comply with HIPAA and
the HIPAA Rules. The parties agree that any ambiguity in this Agreement
shall be resolved
in favor of a
meaning that complies and is consistent with HIPAA and the HIPAA
Rules. To the extent any provision of this Agreement appears contradictory to,
or ambiguous with, another term of this Agreement (“Contradictory Terms”), the
Contradictory Terms shall be interpreted for the purpose of the
Covered
Entity’s and MedExpert's compliance with HIPAA and the HIPAA Rules, and shall
be superseded to the extent and only to the extent necessary to resolve such
contradiction or ambiguity provided that the terms of this Agreement shall be
construed to allow for compliance by the Covered Entity and MedExpert with
HIPAA and the HIPAA Rules.
Survival. The provisions of this Agreement regarding
indemnification, Article 4, Article 5 and protection of PHI shall survive the
expiration or termination for any reason of this Agreement.
Changes to Terms
MedExpert reserves the right, in its sole discretion, to change the Terms under which www.medexperthealth.com is offered. The most current
version of the Terms will supersede all previous versions. MedExpert
encourages you to periodically review the Terms
to stay informed
of our updates.
Contact Us
MedExpert welcomes your questions or comments regarding the
Terms:
MedExpert International, Inc.
1300 Hancock Street
Redwood City, California 94063
Email Address: notification@medexpert.com
Effective of December 21, 2020