Updated September 2020
If you have any questions, please contact us at email@example.com.
Thank you for selecting Updox. By using our software, subscription service and/or our website, you agree to comply with our Terms of Service, as stated herein. The software we license to you and the users in your business or organization is referred to as the “Service”.
Your use of this Service is an unconditional acceptance of our Terms of Service; provided you have the legal capacity to enter into contracts for yourself or for your organization. You are required to provide current and accurate information as part of our account registration process. We reserve the right to change or modify our Terms of Service at any time without prior notice; however, we will post any new Terms of Service on our website.
All users must be 13 years or older to use this Service. Accounts and user logins may not be registered via automated methods. You may create separate logins for as many users as you need but sharing of user logins is not permitted. You must maintain the security of your account and all user passwords. You may not use this Service for any illegal or unauthorized purposes, such as violating third party copyrights. You may not use the Direct messaging service for marketing purposes. For services that send automatic calls and/or text messages (e.g. appointment reminders), obtain prior documented consent from the consumer as specified in the Telephone Consumer Protection Act (TCPA). You are responsible for your account, user activities, and posted content. This service is for use only within the United States of America and the US Territories and thus not subject to the European Union General Data Protection Rule (GDPR).
A valid credit card is required for all paying accounts. We will bill you for this Service in advance on a monthly or annual basis respectively which is non-refundable. Monthly subscriptions may be cancelled at any time with 30 days advance notice. For example, if you provided notice of your intent to cancel on June 1st, and your next monthly invoice date is June 10th, your account cancellation would be effective starting with your July 10th billing date. You’ll retain full access through that cancellation date of July 10th. There will be no refunds or credits allowed, including upgrade or downgrade refunds or prorated months (i.e. credits for partial service months). We will not offer a refund because the service was not used. Billing discrepancies must be reported within two billing cycles. We will charge your credit card for any downgrade in plan level at the new rate upon the start of your next billing cycle. We will charge your credit card for any upgrade in plan level at the new rate immediately.
Our monthly and annual fees are exclusive of taxes or levies imposed by taxing authorities. You are responsible for payment of all such taxes or levies imposed on you as an account holder. If you choose to downgrade your account, we are not liable for the resulting loss of content, features, or capacity.
After receiving your cancellation notice your account will be closed and your users/patients will no longer have access to the content or services. The content will be destroyed approximately 30 days later to allow time for the final billing and reconsiderations. Alternatively, you may request us to retain your content in storage or to delay the date when the content will be destroyed. Once the content is destroyed it cannot be recovered. We will not be liable for any loss resulting from cancellation.
We reserve the right to modify or discontinue the Service (or any part thereof) with or without notice to you. Prices of all Services, including but not limited to monthly subscription plan fees, are subject to change upon 30 days notice from us. Such notice will be posted to our website or the Service. We are not liable to you or any third party for any modification, price change, suspension or discontinuance of the Service.
Your profile and the content you provide to the Service remain yours. However, by sending your content to other users (via any of the available methods), you agree to allow others to view and share your content. We do not pre-screen content but we have the right to refuse or remove any content that is available via this Service. The look and feel of this Service is Copyrighted © 2009–2018 Updox LLC. All rights reserved. You may not duplicate, copy, modify, or reuse any portion of the HTML/CSS or visual design elements without our prior, express written permission.
Your use of this Service is at your sole risk. The Service is provided on an “as is” and “as available” basis. Technical support is only provided to paying account holders. You understand that we use third party vendors to help provide the Service to you. You must not modify the Service or another website to falsely imply association with the Service, our company or any other service we provide. You agree not to violate our copyright and not to reproduce, duplicate, copy, sell, resell, modify or exploit any portion of the Service or access to this Service without our prior, express written permission. You must not store or post pornographic, obscene, defamatory, threatening or otherwise objectionable content, or content that violates any person’s intellectual property or links to such content, through the Service. You must not transmit any malicious programs such as viruses, worms and other code or programs intended to inflict harm.
THE SERVICE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WE EXPRESSLY DISCLAIM ALL WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. NO INFORMATION OR ASSISTANCE, WHETHER WRITTEN OR ORAL, PROVIDED BY US OR ANY THIRD PARTY TO YOU SHALL CREATE OR EXTEND ANY WARRANTY. WE DO NOT WARRANT THAT OUR SERVICE WILL BE UNINTERRUPTED OR FREE OF ERRORS OR OMISSIONS AND WE DO NOT GUARANTEE THE PRIVACY, SECURITY, AUTHENTICITY AND NON-CORRUPTION OF ANY INFORMATION TRANSMITTED THROUGH THIS SERVICE OR THE INTERNET. WE SHALL NOT BE RESPONSIBLE FOR ANY DELAYS, ERRORS, FAILURE TO PERFORM, INTERRUPTIONS OR DISRUPTIONS IN THE SOFTWARE OR SERVICES CAUSED BY OR RESULTING FROM FORCE MAJEURE EVENTS, ACTS OF THIRD PARTIES, OMISSIONS OR CONDITIONS BEYOND OUR REASONABLE AND FORESEEABLE CONTROL.
We shall have no liability, whether under any legal theory of warranty, contract, tort (including our negligence or the negligence of any third party), strict liability, or otherwise, regarding the Service or other actions performed by us and relating in any way to this Terms of Service, except as specified in the HIPAA Business Associate Agreement. In no event shall we or any third parties be liable for any special, indirect, incidental, or consequential damage or loss of any nature (such as damages for delay, damage to property, lost profits, death or injury to person, or any claims of those not a party to this Agreement) which may arise in connection with the Service or other acts performed under or relating to this Terms of Service.
We reserve the right to suspend or cancel your account access if in our reasonable judgment, your account is the source or target of a violation of any of these terms, or for any other situation we deem reasonably necessary.
If any provision herein shall be held to be invalid or unenforceable for any reason, the remaining provisions shall continue to be valid and enforceable.
Our Terms of Service are subject to the governing laws of the State of Ohio. Only courts of competent jurisdiction in Columbus, Ohio shall have original jurisdiction over any disputes arising hereunder or relating to the Software or Services.
We may assign these Terms of Service to the surviving entity in a sale, merger or reorganization, or to any purchaser of all or substantially all of the assets of the business to which these Terms of Service relates, or to any affiliate of such entity. Subject to the foregoing, these Terms of Service shall be binding upon and inure to the benefits of the parties to these Terms of Service and their respective heirs, legal representatives, successors and permitted assigns.
If you have any questions, feel free to contact us at firstname.lastname@example.org.
Last Modified: 03/03/2021
This HIPAA Business Associate Agreement (“BAA”) amends and is made part of the Master Services Agreement (“Service Agreement”), by and between you (“Entity”) and Updox LLC (“Associate”).
Entity and Associate agree that the parties incorporate this BAA into the Service Agreement in order to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and their implementing regulations set forth at 45 C.F.R. Parts 160 and 164 (the “HIPAA Rules”). To the extent Associate is acting as a Business Associate of Entity pursuant to the Service Agreement, the provisions of this BAA shall apply, and Associate shall be subject to the penalty provisions of HIPAA as specified in 45 CFR Part 160.
1. Definitions. Capitalized terms not otherwise defined in this BAA shall have the meaning set forth in the HIPAA Rules. References to “PHI” mean Protected Health Information maintained, created, received or transmitted by Associate from Entity or on Entity’s behalf.
2. Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this BAA or as Required By Law. To the extent Associate is to carry out an obligation of Entity under the HIPAA Rules, Associate shall comply with the requirements of the HIPAA Rules that apply to Entity in the performance of such obligation. Associate is permitted to use and disclose PHI: (a) to perform any and all obligations of Associate as described in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Entity directly; (b) otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA Rules, if done by Entity directly and provided that Entity gives its prior written consent; (c) to perform Data Aggregation services relating to the health care operations of Entity; (d) to report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.502(j)(1); (e) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”), provided that Associate may only disclose PHI for Associate’s Operations if the disclosure is Required By Law or Associate obtains reasonable assurance, evidenced by a written contract, from the recipient that the recipient will: (1) hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; and (2) notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; (f) to de-identify PHI in accordance with 45 C.F.R. § 164.514(b), provided that such de-identified information may be used and disclosed only consistent with applicable law. 
In the event Entity notifies Associate of a restriction request that would restrict a use or disclosure otherwise permitted by this BAA, Associate shall comply with the terms of the restriction request.
3. Safeguards. Associate will use appropriate administrative, technical and physical safeguards to prevent the use or disclosure of PHI other than as permitted by this BAA. Associate will also comply with the provisions of 45 CFR Part 164, Subpart C of the HIPAA Rules with respect to electronic PHI to prevent any use or disclosure of such information other than as provided by this BAA.
4. Subcontractors. In accordance with 45 CFR §§ 164.308(b)(2) and 164.502(e)(1)(ii), Associate will ensure that all of its subcontractors that create, receive, maintain or transmit PHI on behalf of Associate agree by written contract to comply with the same restrictions and conditions that apply to Associate with respect to such PHI.
5. Minimum Necessary. Associate represents that the PHI requested, used or disclosed by Associate shall be the minimum amount necessary to carry out the purposes of the Service Agreement. Associate will limit its uses and disclosures of, and requests for, PHI (i) when practical, to the information making up a Limited Data Set; and (ii) in all other cases subject to the requirements of 45 CFR § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
6. Obligations of Entity. Entity shall notify Associate of (i) any limitations in its notice of privacy practices, (ii) any changes in, or revocation of, permission by an individual to use or disclose PHI, and (iii) any confidential communication request or restriction on the use or disclosure of PHI that Entity has agreed to or with which Entity is required to comply, to the extent any of the foregoing affect Associate’s use or disclosure of PHI.
7. Access and Amendment. In accordance with 45 CFR § 164.524, Associate shall permit Entity or, at Entity’s request, an individual (or the individual’s designee) to inspect and obtain copies of any PHI about the individual that is in Associate’s custody or control and that is maintained in a Designated Record Set. If the requested PHI is maintained electronically, Associate must provide a copy of the PHI in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by Entity and the individual. Associate will, upon receipt of notice from Entity, promptly amend or permit Entity access to amend PHI so that Entity may meet its amendment obligations under 45 CFR § 164.526. If a request for access or amendment of PHI is received by Associate from any entity other than Entity, Associate will promptly inform Entity of such request.
8. Accounting. Except for disclosures excluded from the accounting obligation by the HIPAA Rules and regulations issued pursuant to HITECH, Associate will record for each disclosure that Associate makes of PHI the information necessary for Entity to make an accounting of disclosures pursuant to the HIPAA Rules. In the event the U.S. Department of Health and Human Services (“HHS”) finalizes regulations requiring Covered Entities to provide access reports, Associate shall also record such information with respect to electronic PHI held by Associate as would be required under the regulations for Covered Entities beginning on the effective date of such regulations. Associate will make information required to be recorded pursuant to this Section available to Entity promptly upon Entity’s request for the period requested, but for no longer than required by the HIPAA Rules (except Associate need not have any information for disclosures occurring before the effective date of this BAA).
9. Inspection of Books and Records. Associate will make its internal practices, books, and records, relating to its use and disclosure of PHI, available upon request by HHS to determine compliance with the HIPAA Rules.
10. Reporting. To the extent Associate becomes aware or discovers any use or disclosure of PHI not permitted by this BAA, any Security Incident involving electronic PHI or any Breach of Unsecured Protected Health Information involving PHI, Associate shall promptly report such use, disclosure, Security Incident or Breach to Entity. Associate shall mitigate, to the extent practicable, any harmful effect known to it of a Security Incident, Breach or use or disclosure of PHI by Associate not permitted by this BAA. Notwithstanding the foregoing, the parties acknowledge and agree that this section constitutes notice by Associate to Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of electronic PHI. All reports of Breaches shall be made in compliance with 45 CFR § 164.410.
11. Term and Termination. This BAA shall be effective as of the effective date of the Service Agreement and shall remain in effect until termination of the Service Agreement. Either party may terminate this BAA and the Service Agreement effective immediately if it determines that the other party has breached a material provision of this BAA and failed to cure such breach within thirty (30) days of being notified by the other party of the breach. If the non-breaching party determines that cure is not possible, such party may terminate this BAA and the Service Agreement effective immediately upon written notice to the other party.
Upon termination of this BAA for any reason, Associate will, if feasible, return to Entity or destroy all PHI maintained by Associate in any form or medium, including all copies of such PHI. Further, Associate shall recover any PHI in the possession of its agents and subcontractors and return to Entity or securely destroy all such PHI. In the event that Associate determines that returning or destroying any PHI is infeasible, Associate may maintain such PHI but shall continue to abide by the terms and conditions of this BAA with respect to such PHI and shall limit its further use or disclosure of such PHI to those purposes that make return or destruction of the PHI infeasible. Upon termination of this BAA for any reason, all of Associate’s obligations under this BAA shall survive termination and remain in effect (a) until Associate has completed the return or destruction of PHI as required by this Section and (b) to the extent Associate retains any PHI pursuant to this Section.
12. Third Parties. Notwithstanding anything in this BAA or the Service Agreement to the contrary, Associate will not be liable for any violation of HIPAA, this BAA, or the Service Agreement, or use or disclosure of PHI in violation thereof, that is caused by any entity or individual other than Associate, including but not limited to third party vendors selected by Entity to provide services to Entity related to the services provided under the Service Agreement.
13. General Provisions. In the event that any final regulation or amendment to final regulations is promulgated by HHS or other government regulatory authority with respect to PHI, the parties shall negotiate in good faith to amend this BAA to remain in compliance with such regulations. Any ambiguity in this BAA shall be resolved to permit Entity and Associate to comply with the HIPAA Rules. Nothing in this BAA shall be construed to create any rights or remedies in any third parties or any agency relationship between the parties. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. The terms and conditions of this BAA override and control any conflicting term or condition of the Service Agreement and replace and supersede any prior business associate agreements in place between the parties. All non-conflicting terms and conditions of the Service Agreement remain in full force and effect.
Electronically signed by Mike Witting, Updox SVP of Technology: