RIJUVEN PRIVACY POLICY
RIJUVEN PRODUCTs (as defined in the RIJUVEN TERMS OF USE) use algorithms and identifiers (e.g., serial numbers) to link patient demographics to patient data. You are responsible for the accuracy and consistency of all identifiers and patient demographic information (e.g., patient name, date of birth, etc.) whether entered by you or provided by another system. The accuracy and consistency of this information will impact how the RIJUVEN PRODUCT matches patients with patient data. You are responsible for all clinical decisions related to a patient based on patient data reported on the RIJUVEN PRODUCT.
If you are an END USER of RIJUVEN PRODUCTS legally established in the United States of America, you are a “Covered Entity” as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). You and your authorized users will have the ability to transmit, store, and retrieve certain Protected Health Information (“PHI”) through the RIJUVEN PRODUCT. In addition, you will have the ability to grant access to information in the RIJUVEN PRODUCT. You agree to use patient data consistent with permitted and required uses under HIPAA and in accordance with other applicable laws. We may act as a Business Associate for purposes of compliance with HIPAA and will provide the Services in compliance with the HIPAA Agreement attached as Exhibit 1.
RIJUVEN PRODUCTs may share your PHI and patient data with Rijuven partners through an Application Programming Interface (“API”). The API allows a Rijuven partner to copy and store your PHI and patient data in their system and to, potentially, add and update your PHI and patient data in RIJUVEN PRODUCTS. A Rijuven partner must explicitly obtain your permission to access your data or you must provide permission by accepting such terms and conditions in the Rijuven partner’s terms of use, privacy notice or other similar instrument. If you have reason to believe that a Rijuven partner has inappropriately accessed your PHI or patient data, you should notify Rijuven by e-mail at info@rijuven.com. Rijuven requires its partners to take at least the same level of care with your PHI and patient data as does Rijuven and to comply with all laws, regulations and practices regarding the care and use of PHI and patient data as applicable. You understand and agree that Rijuven has no liability, expressed or implied, with regard to Rijuven partner’s use of the PHI and patient data, whether you authorized such use or not.
Equipment and Software Requirements
You will supply and maintain at least one personal computer and one mobile device, each with access to the Internet, in order to access the RIJUVEN PRODUCT (each a “COMPUTING DEVICE”). If you access the RIJUVEN PRODUCT using a COMPUTING DEVICE, you agree: (1) to supply, maintain and utilize a reputable browser or the most recent version of a RIJUVEN APP as applicable (“SOFTWARE”); (2) the SOFTWARE, and any future upgrades, will be loaded and operational on your COMPUTING DEVICE and you will supply and maintain a modem, or similar equipment when applicable, to access the RIJUVEN PRODUCT; (3) to receive information by electronic transmission of a visual display of the text; (4) that 128-bit encryption is required for the use of the RIJUVEN PRODUCT; (5) that our liability for viruses, worms, trojan horses, or other similar harmful components that may enter your computer system by downloading information, software, or other materials from using the RIJUVEN PRODUCT will be limited to the replacement value of the affected hardware, software or other material or fees paid by you to RIJUVEN subject to the Warranty Disclaimer and Limitation of Liability sections of RIJUVEN’s TERMS OF USE.
Access
During your enrollment for the RIJUVEN PRODUCT, you are required to select or will be assigned a Master User ID and Password (“CREDENTIALS”). The CREDENTIALS provide you with control over access to the RIJUVEN PRODUCT through the ability to add/edit/inactivate additional user accounts and their passwords (“USER CREDENTIALS”) and access capabilities. You are responsible for all user accounts added, edited or inactivated through the use of the CREDENTIALS and for any Fees incurred or initiated via those accounts. Use of these USER CREDENTIALS is the agreed security procedure to access the RIJUVEN PRODUCT through any COMPUTING DEVICE. You agree to keep USER CREDENTIALS confidential to prevent unauthorized access to your accounts and to prevent unauthorized use of the RIJUVEN PRODUCT.
In order to maintain secure communications, you agree to protect the security of your CREDENTIALS, USER CREDENTIALS, numbers, codes, marks, signs, public keys or other means of identification (“ACCESS CODES”). We reserve the right to block access to the RIJUVEN PRODUCT to maintain or restore security to our RIJUVEN PRODUCTs, if we reasonably believe your ACCESS CODES have been or may be obtained or are being used or may be used by an unauthorized person(s).
Your Responsibility
You are responsible for all COMPUTING DEVICES and SOFTWARE required for users authorized by you through the issuance of USER CREDENTIALS to use the RIJUVEN PRODUCT. You will notify RIJUVEN immediately if you believe your account has been accessed or your CREDENTIALS or USER CREDENTIALS have been taken or used without your permission, or there is a suspected or actual violation of data security, and will inform us, in writing, of the need to deactivate USER CREDENTIALS for an authorized user due to security concerns or for any other reason. You agree to report to RIJUVEN immediately the discovery of any type of discrepancies, anomalies, or errors detected in result reports obtained via the RIJUVEN PRODUCT. You will immediately report to RIJUVEN the discovery of any virus or other system corruption (whether on the RIJUVEN PRODUCT or on your own system, including hardware or software that is connected).
You agree it is your responsibility to comply with all applicable laws and to ensure adequate security of your COMPUTING DEVICES, equipment and related peripherals. You are responsible for obtaining and maintaining all necessary consents, permissions or authorizations, required or advisable in connection with the transmission, storage, retrieval, viewing and/or disclosure of your patients’ PHI through the Services or the Site or on the RIJUVEN PRODUCT.
RIJUVEN Responsibility
We, or a third party acting as our agent, are responsible for the operation and maintenance of all hardware and software necessary to deliver the RIJUVEN PRODUCT. However, neither we, nor our agent(s) will be liable:
• If you have not properly followed RIJUVEN PRODUCT instructions on how to retrieve and view data;
• If your COMPUTING DEVICES, equipment and/or the software were not working properly and this problem was or should have been apparent to you when you attempted to access the RIJUVEN PRODUCT;
• If circumstances beyond our or our agent’s control prevent display of information or the making of a data retrieval, despite precautions taken. Such circumstances include but are not limited to computer failure, telecommunication outages, postal strikes and other labor unrest, delays caused by payees, fires, floods, and other natural disasters.
Maintenance
We may on a regular basis perform maintenance on our equipment or the RIJUVEN PRODUCT, which may result in interrupted service or errors in the RIJUVEN PRODUCT. We also may need to change the scope of our RIJUVEN PRODUCT from time to time. We will attempt to provide prior notice of such interruptions and changes but cannot guarantee that such notice will be provided.
Title and Archival of Data
You shall maintain title to any data created by you and your authorized users in using the RIJUVEN PRODUCT. You grant Rijuven a license to use such data for the purposes of operating and supporting the RIJUVEN PRODUCTs. You agree the RIJUVEN PRODUCTs are not a permanent medical record archive or storage system. Instead, you agree to download or otherwise retain any data created in using the RIJUVEN PRODUCT and to store such data separately within your own records. You and your authorized users may print the data entered into or produced by the RIJUVEN PRODUCT. Any responsibility for archiving the data or otherwise complying with your medical record policies and procedures is solely your and your authorized users’ responsibility. RIJUVEN does not provide any services related to archival of data. In the event that RIJUVEN does offer archiving functionality in the future, this AGREEMENT will be amended to address archival processes and responsibility.
Proprietary Information
You acknowledge and agree RIJUVEN PRODUCTs are the proprietary property of RIJUVEN. You agree RIJUVEN PRODUCTs embody substantial creative rights, confidential and proprietary information, copyrights, trademarks and trade secrets, all of which shall remain the exclusive property of RIJUVEN. You may not copy, reproduce, modify, reverse engineer or decompile any portion of RIJUVEN PRODUCTs. You may only use RIJUVEN PRODUCTS for internal purposes, as provided in this AGREEMENT. Rijuven owns all rights, title, and interest in and to all copyright, trademark, service mark, patent, trade secret or other intellectual property and proprietary rights worldwide in and to the RIJUVEN PRODUCT.
Confidentiality
Each Party acknowledges that it and its employees, agents, contractors or representatives, in the performance of the services described in this Agreement, may be exposed to or acquire information which is proprietary or confidential to the other. Any and all information of any form obtained by a Party or its employees, agents, contractors or representatives in the performance of the Agreement will be deemed to be confidential and proprietary information of the disclosing Party. Each Party agrees to hold such information in strict confidence and not to disclose such information to third parties or to use such information for any purpose whatsoever other than in the performance of their respective obligations hereunder and to advise each of its employees, agents, contractors and representatives of their obligations to keep such information confidential. Notwithstanding the foregoing, neither Party’s obligation of confidentiality hereunder will apply to any information (a) which, at the time of disclosure, is publicly available or in the public knowledge; (b) which, after disclosure, lawfully becomes part of the public knowledge through publication or otherwise, but through no fault of the non-disclosing Party; (c) which the non-disclosing Party possesses at the time of the disclosure of such information and which was not acquired, directly or indirectly, from the disclosing Party; or (d) is acquired by the non-disclosing Party from a third party who has a right to disclose such information.
Notwithstanding the foregoing, the Receiving Party may disclose Confidential Information to the extent required by law to do so, provided that the Receiving Party gives the Disclosing Party reasonable advance notice of the compelled disclosure and assistance should the Disclosing Party wish to contest the legality of the disclosure. If such assistance is requested, the Disclosing Party agrees to reimburse the Receiving Party for the reasonable cost of such assistance.
Each Party’s obligations will survive the expiration or termination of this Agreement for a two-year period.
Indemnity
Subject to the Limitation of Liability sections of RIJUVEN’s TERMS OF USE, RIJUVEN, at its own expense, will indemnify and hold you, your subsidiaries, affiliates or assignees, and their directors, officers, employees and agents harmless and defend any and all actions brought against same with respect to any claim, demand, cause of action, debt or liability, including attorneys' fees, expert’s fees, and court costs, to the extent that it arises directly from any patent, copyright, trade secret, or other proprietary right of a third party, or the gross negligence or willful misconduct of RIJUVEN in the performance of RIJUVEN PRODUCTs.
You, at your own expense, will indemnify and hold harmless Rijuven, its subsidiaries, affiliates or assignees, and their directors, officers, employees and agents and defend any and all actions brought against same with respect to any claim, demand, cause of action, debt or liability, including attorneys’ fees, experts’ fees, and court costs, to the extent that it arises from your acts or omissions, including, but not limited to the use of the RIJUVEN PRODUCT or any patient data stored or transmitted by you using the RIJUVEN PRODUCT as permitted by this Agreement.
The indemnifying Party will control such defense and all negotiations relative to the settlement of any such claim referenced in this section. Each Party will promptly provide the other with written notice of any claim which such Party believes falls within the scope of this section.
Waiver
A waiver of any term or provision of this Agreement at any time shall not be deemed a waiver of the term or provision in the future.
Exhibit 1
HIPAA AGREEMENT
You, (“Covered Entity”) have entered into a Customer Agreement (“Customer Agreement”) with Rijuven Corp. (“Rijuven” or “Business Associate”) under which Rijuven may act as a Business Associate to the Covered Entity. In the event Business Associate does have access to, make, or use protected health information (“PHI”) of patients of Covered Entity, the parties agree as follows:
1. Obligations and Activities of Business Associate
a. Business Associate agrees to not use or disclose PHI other than as permitted or required by the Customer Agreement, this Addendum, or as required by law.
b. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement.
c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
d. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware.
e. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from Covered Entity, or created by Business Associate on behalf of Covered Entity agrees to the same or similar restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
f. Business Associate agrees to provide access, or to cause its agents or subcontractors to provide prompt access, at the request of Covered Entity, to PHI in a Designated Record Set to Covered Entity, in order to meet the requirements under 45 C.F.R. § 164.524. In the event that any Individual requests access to the Individual’s PHI directly from Business Associate, Business Associate shall promptly forward such request to Covered Entity. Any disclosure of PHI or decision not to disclose the PHI requested by an Individual shall be the sole responsibility of Covered Entity.
g. Business Associate agrees to make any amendment(s), or cause its agents or subcontractors to make any amendment(s), to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526, at the request of Covered Entity or an Individual, in a reasonable time and manner. In the event that any Individual requests access to the Individual’s PHI directly from Business Associate, Business Associate shall promptly forward such request to Covered Entity. Any disclosure of PHI or decision not to disclose the PHI requested by an Individual shall be the sole responsibility of Covered Entity.
h. Business Associate shall record, and shall cause its agents and subcontractors to record, for each disclosure of PHI not excepted from disclosure accounting under section 1.i below: (i) the disclosure date; (ii) the name and (if known) address of the person or entity to whom Business Associate made the disclosure; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure. For repetitive disclosures Business Associate makes to the same person or entity (including Covered Entity) for a single purpose, Business Associate may provide (i) the disclosure information for the first of these repetitive disclosures; (ii) the frequency, periodicity or number of these repetitive disclosures; and (iii) the date of the last of these repetitive disclosures. Business Associate will make this disclosure information available to Covered Entity promptly upon Covered Entity’s request. Business Associate shall also make available, and cause its agents and subcontractors to make available, such information to Covered Entity.
i. Business Associate need not record disclosure information or otherwise account for disclosures of PHI that this Agreement or Covered Entity in writing permits or requires (i) for the purpose of Covered Entity’s treatment activities, payment activities or health care operations; (ii) to the Individual who is the subject of the PHI disclosed, (iii) to the persons involved in that Individual’s health care or payment for health care; (iv) for notification for disaster relief purposes; (v) for national security or intelligence purposes; or (vi) to law enforcement officials or correctional institutions regarding inmates.
j. Business Associate must have available for Covered Entity the disclosure information required by this section for a minimum of six (6) years from the later of the date of the creation of the Designated Record Set or the date the Designated Record Set was last in effect.
k. Business Associate agrees to implement administrative, physical and technical safeguards that will reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
l. Business Associate agrees to report to the Covered Entity any security incident, as defined in 45 CFR § 164.304, of which Business Associate becomes aware.
m. Business Associate agrees to make its internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from Covered Entity or created by Business Associate on behalf of Covered Entity, promptly available to the Secretary or its designee for purposes of the Secretary determining Covered Entity's compliance with the Privacy or Security Rules.
2. Permitted Uses and Disclosures by Business Associate
a. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI on behalf of, or to provide services to, Covered Entity for the following purpose:
Operating the RIJUVEN PRODUCTs (as defined in the Customer Agreement).
b. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate, to provide data aggregation services relating to the health care operations of Covered Entity, if any, or to carry out the legal responsibilities of the Business Associate.
3. Obligations of Covered Entity
a. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
i. Covered Entity will notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.
ii. Covered Entity will notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
iii. Covered Entity will notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
iv. Covered Entity will disclose the minimum amount of PHI necessary for Business Associate to perform the function in section 2.a. Further, if Business Associate can perform the function in 2.a, and other related services, without the need for PHI, then Covered Entity agrees not to disclose any PHI.
4. Permissible Requests by Covered Entity
Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible if done by Covered Entity; however, the Parties agree that Business Associate may use and disclose such information as necessary to ship products to patients in accordance with the Customer Agreement.
5. Term and Termination
a. Term. The Term of this Addendum will be effective as of the Effective Date of the Customer Agreement, and will terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
b. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity will either:
i. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Addendum and the Customer Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
ii. Immediately terminate this Addendum and the Customer Agreement if Business Associate has breached a material term of this Addendum and cure is not possible; or
iii. If neither termination nor cure is feasible, Covered Entity may report the violation to the Secretary.
c. Effect of Termination.
i. Except as provided in paragraph (2) of this section, upon termination of this Addendum or the Customer Agreement, for any reason, Business Associate will return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision will apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate will retain no copies of the PHI.
ii. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate will provide to Covered Entity notification of the conditions that make return or destruction infeasible and will extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
6. Miscellaneous
a. Regulatory References. A reference in this Agreement to a section in the Privacy or Security Rules means the section as in effect or as amended. Terms used, but not otherwise defined, in this Agreement, will have the same meaning as those terms in the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
b. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
c. Conflicts. To the extent any term of this Addendum is inconsistent with any term of the Customer Agreement, the term of this Addendum shall control.