Updated September 2020
If you have any questions, please contact us at email@example.com.
Thank you for selecting Updox. By using our software, subscription service and/or our website, you agree to comply with our Terms of Service, as stated herein. The software we license to you and the users in your business or organization is referred to as the “Service”.
Your use of this Service is an unconditional acceptance of our Terms of Service; provided you have the legal capacity to enter into contracts for yourself or for your organization. You are required to provide current and accurate information as part of our account registration process. We reserve the right to change or modify our Terms of Service at any time without prior notice; however, we will post any new Terms of Service on our website.
All users must be 13 years or older to use this Service. Accounts and user logins may not be registered via automated methods. You may create separate logins for as many users as you need but sharing of user logins is not permitted. You must maintain the security of your account and all user passwords. You may not use this Service for any illegal or unauthorized purposes, such as violating third party copyrights. You may not use the Direct messaging service for marketing purposes. For services that send automatic calls and/or text messages (e.g. appointment reminders), obtain prior documented consent from the consumer as specified in the Telephone Consumer Protection Act (TCPA). You are responsible for your account, user activities, and posted content. This service is for use only within the United States of America and the US Territories and thus not subject to the European Union General Data Protection Rule (GDPR).
A valid credit card is required for all paying accounts. We will bill you for this Service in advance on a monthly or annual basis respectively which is non-refundable. Monthly subscriptions may be cancelled at any time with 30 days' advance notice. For example, if you provided notice of your intent to cancel on June 1st, and your next monthly invoice date is June 10th, your account cancellation would be effective starting with your July 10th billing date. You’ll retain full access through that cancellation date of July 10th. There will be no refunds or credits allowed, including upgrade or downgrade refunds or prorated months (i.e. credits for partial service months). We will not offer a refund because the service was not used. Billing discrepancies must be reported within two billing cycles. We will charge your credit card for any downgrade in plan level at the new rate upon the start of your next billing cycle. We will charge your credit card for any upgrade in plan level at the new rate immediately.
Our monthly and annual fees are exclusive of taxes or levies imposed by taxing authorities. You are responsible for payment of all such taxes or levies imposed on you as an account holder. If you choose to downgrade your account, we are not liable for the resulting loss of content, features, or capacity.
After receiving your cancellation notice your account will be closed and your users/patients will no longer have access to the content or services. The content will be destroyed approximately 30 days later to allow time for the final billing and reconsiderations. Alternatively, you may request us to retain your content in storage or to delay the date when the content will be destroyed. Once the content is destroyed it cannot be recovered. We will not be liable for any loss resulting from cancellation.
We reserve the right to modify or discontinue the Service (or any part thereof) with or without notice to you. Prices of all Services, including but not limited to monthly subscription plan fees, are subject to change upon 30 days' notice from us. Such notice will be posted to our website or the Service. We are not liable to you or any third party for any modification, price change, suspension or discontinuance of the Service.
Your profile and the content you provide to the Service remain yours. However, by sending your content to other users (via any of the available methods), you agree to allow others to view and share your content. We do not pre-screen content but we have the right to refuse or remove any content that is available via this Service. The look and feel of this Service is Copyrighted © 2009–2018 Updox LLC. All rights reserved. You may not duplicate, copy, modify, or reuse any portion of the HTML/CSS or visual design elements without our prior, express written permission.
Your use of this Service is at your sole risk. The Service is provided on an “as is” and “as available” basis. Technical support is only provided to paying account holders. You understand that we use third party vendors to help provide the Service to you. You must not modify the Service or another website to falsely imply association with the Service, our company or any other service we provide. You agree not to violate our copyright and not to reproduce, duplicate, copy, sell, resell, modify or exploit any portion of the Service or access to this Service without our prior, express written permission. You must not store or post pornographic, obscene, defamatory, threatening or otherwise objectionable content, or content that violates any person’s intellectual property or links to such content, through the Service. You must not transmit any malicious programs such as viruses, worms and other code or programs intended to inflict harm.
THE SERVICE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WE EXPRESSLY DISCLAIM ALL WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. NO INFORMATION OR ASSISTANCE, WHETHER WRITTEN OR ORAL, PROVIDED BY US OR ANY THIRD PARTY TO YOU SHALL CREATE OR EXTEND ANY WARRANTY. WE DO NOT WARRANT THAT OUR SERVICE WILL BE UNINTERRUPTED OR FREE OF ERRORS OR OMISSIONS AND WE DO NOT GUARANTEE THE PRIVACY, SECURITY, AUTHENTICITY AND NON-CORRUPTION OF ANY INFORMATION TRANSMITTED THROUGH THIS SERVICE OR THE INTERNET. WE SHALL NOT BE RESPONSIBLE FOR ANY DELAYS, ERRORS, FAILURE TO PERFORM, INTERRUPTIONS OR DISRUPTIONS IN THE SOFTWARE OR SERVICES CAUSED BY OR RESULTING FROM FORCE MAJEURE EVENTS, ACTS OF THIRD PARTIES, OMISSIONS OR CONDITIONS BEYOND OUR REASONABLE AND FORESEEABLE CONTROL.
We shall have no liability, whether under any legal theory of warranty, contract, tort (including our negligence or the negligence of any third party), strict liability, or otherwise, regarding the Service or other actions performed by us and relating in any way to this Terms of Service, except as specified in the HIPAA Business Associate Agreement. In no event shall we or any third parties be liable for any special, indirect, incidental, or consequential damage or loss of any nature (such as damages for delay, damage to property, lost profits, death or injury to person, or any claims of those not a party to this Agreement) which may arise in connection with the Service or other acts performed under or relating to this Terms of Service.
We reserve the right to suspend or cancel your account access if in our reasonable judgment, your account is the source or target of a violation of any of these terms, or for any other situation we deem reasonably necessary.
If any provision herein shall be held to be invalid or unenforceable for any reason, the remaining provisions shall continue to be valid and enforceable.
Our Terms of Service are subject to the governing laws of the State of Ohio. Only courts of competent jurisdiction in Columbus, Ohio shall have original jurisdiction over any disputes arising hereunder or relating to the Software or Services.
We may assign these Terms of Service to the surviving entity in a sale, merger or reorganization, or to any purchaser of all or substantially all of the assets of the business to which these Terms of Service relates, or to any affiliate of such entity. Subject to the foregoing, these Terms of Service shall be binding upon and inure to the benefits of the parties to these Terms of Service and their respective heirs, legal representatives, successors and permitted assigns.
Updated April 2018
If you have any questions, feel free to contact us at firstname.lastname@example.org.
This agreement (the “Agreement”), effective upon acceptance, is between you (the “Company”) and Updox LLC (the “Business Associate”).
For purposes of this Agreement, the following terms shall have the following prescribed meanings.
“Breach” means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA privacy rule which compromises the security or privacy of the Protected Health Information.
“Data Aggregation Services” means, with respect to Protected Health Information created or received by the Business Associate, the combining of such Protected Health Information by the Business Associate with Protected Health Information received by the Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
“Designated Record Set” means a group of records maintained by or for a covered entity that is: (i) the medical records and billing records about individuals maintained by or for the covered entity; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for a covered entity to make decisions about individuals.
“Electronic Media” means electronic storage media on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card, and transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, if the information exchanged did not exist in electronic form immediately before the transmission.
“Electronic Protected Health Information” means Protected Health Information that is (i) transmitted by Electronic Media, or (ii) maintained in any medium described as Electronic Media.
“HIPAA” means the security and privacy requirements as reflected in 42 U.S.C. 1320d et seq. and such regulations as may be promulgated thereunder from time to time (currently, 45 CFR 164.102 through 164.534).
“HITECH” means the Health Information Technology for Economic and Clinical Health Act of 2009 as reflected in 42 U.S.C. 17921 et seq. and such regulations as may be promulgated thereunder from time to time.
“Principal Agreement” means the written contract or agreement between the Company and the Business Associate, pursuant to which the Business Associate provides services to the Company of the type that require the parties to enter into this Agreement pursuant to HIPAA.
“Protected Health Information” means individually identifiable health information that is (i) transmitted by Electronic Media, (ii) maintained in any medium described as Electronic Media, or (iii) transmitted or maintained in any other form or medium. “Protected Health Information” does not include individually identifiable health information: (i) in education records covered by the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g); (ii) in records described at 20 U.S.C. section 1232g(a)(4)(B)(iv); (iii) in employment records held by a covered entity in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.
“Unsecured Protected Health Information” means Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of HITECH.
Terms used but not defined in this Agreement shall have the meaning ascribed to them in HIPAA and HITECH.
The Business Associate shall be permitted and required to use Protected Health Information only to provide services to Company as provided in the Principal Agreement and as permitted and required under this Agreement. The Business Associate shall not use or further disclose Protected Health Information in any manner that: (a) would violate the terms of this Agreement; or (b) if done by the Company, would violate HIPAA, except that (i) the Business Associate may use and disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, and (ii) the Business Associate may provide Data Aggregation Services relating to the health care operations of the Company and may create de-identified data in accordance with the standards set forth in 45 C.F.R. § 164.514(b), which data may be used for any purpose in furtherance of its responsibilities to Company. The Business Associate may disclose Protected Health Information for the purposes described in (b)(i) of this Section II only if the disclosure is required by law or the Business Associate obtains satisfactory assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person and that the person will notify the Business Associate of any instance where the confidentiality of the Protected Health Information has been breached.
Notwithstanding anything in the Principal Agreement to the contrary, the Business Associate shall:
(a) Not use or further disclose Protected Health Information other than permitted or required by this Agreement or required by law;
(b) Use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than provided for by this Agreement;
(c) Comply with Subpart C of 45 CFR Part 164 and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Company as required by HIPAA;
(d) Report to the Company any use or disclosure of the Protected Health Information not provided for by this Agreement, of which it becomes aware, including breaches of Unsecured Protected Health Information pursuant to Section III(l) below;
(e) Report to Company any security incident of which it becomes aware; the parties agree that this constitutes ongoing reporting by Business Associate of unsuccessful security incident attempts that do not result in unauthorized access, use, disclosure, modification, or interference with an information system such as pings on a firewall, port scans, attempts to log on to a system or enter a database with an invalid password or username, and malware (e.g. worms, viruses), and that no further report is required.
(f) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate, agree to the same restrictions and conditions that apply to the Business Associate with respect to such Protected Health Information (and, in the case of Electronic Protected Health Information, that such subcontractors agree to implement reasonable and appropriate safeguards to protect it);
(g) Make available to the Company Protected Health Information maintained in a Designated Record Set to the extent required by, and in accordance with, HIPAA;
(h) Make available to Company an individual’s Protected Health Information maintained in a Designated Record Set for amendment and incorporate any amendments to that individual’s Protected Health Information to the extent required by, and in accordance with, HIPAA;
(i) Make available to Company the information required to provide an accounting of disclosures of an individual’s Protected Health Information to the extent such accounting is required by, and in accordance with, HIPAA;
(j) To the extent Business Associate is to carry out one or more of Company’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Company in the performance of such obligations.
(k) Make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by the Business Associate on behalf of, the Company available to the Secretary of Health and Human Services (or its delegate) for purposes of determining the Company’s compliance with HIPAA;
(l) Report to Company any Breach of Unsecured Protected Health Information known or reasonably believed by Business Associate. Notice shall be in writing and provided to Company without unreasonable delay, but no later than thirty (30) calendar days following the discovery of the Breach. Such notice will include, to the extent possible, the identification of each individual whose Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired, used, or disclosed during the Breach. Such notice shall also include the following information: (i) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (ii) a description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, or other types of information were involved); (iii) any steps individuals should take to protect themselves from potential harm resulting from the Breach; (iv) a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further breaches; and (v) contact procedures for obtaining additional information; and
(m) At termination of this Agreement, if feasible, return or destroy (at the Company’s option) all Protected Health Information received from, or created or received by the Business Associate on behalf of, the Company that the Business Associate still maintains in any form and retain no copies of such Protected Health Information or, if such return or destruction is not feasible, extend the protections of this Agreement to the Protected Health Information and limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information infeasible.
(n) Business Associate shall not directly or indirectly accept remuneration in exchange for using or disclosing any of Covered Entity’s PHI, except as permitted by HIPAA, including in exchange for services or functions performed pursuant to the services agreement between the parties.
(o) Business Associate shall not use or disclose Covered Entity’s PHI for marketing except for or on behalf of Covered Entity with Covered Entity’s express written consent and the individual’s authorization.
The Company shall notify the Business Associate of any limitation(s) in the applicable notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect the Business Associate’s use or disclosure of Protected Health Information.
The Company shall notify the Business Associate of any changes in, or revocation of, permission by an individual to use or disclose Protected Health Information, to the extent that such changes may affect the Business Associate’s use or disclosure of Protected Health Information.
The Company shall notify the Business Associate of any restriction to the use or disclosure of Protected Health Information that the Company is aware of, to the extent that such restriction may affect the Business Associate’s use or disclosure of Protected Health Information.
The Company shall not request the Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by the Company. Notwithstanding the foregoing language, the Business Associate may use or disclose Protected Health Information for Data Aggregation Services as permitted by 42 CFR 164.504(e)(2)(i)(B) or the management and administrative activities of the Business Associate in accordance with this Agreement.
This Agreement may be amended only in writing and only by the mutual consent of the parties. Notwithstanding the foregoing, the parties agree to negotiate in good faith to amend this Agreement in order to comply with any changes to HIPAA, including any changes to HITECH, that affect the parties’ obligations under this Agreement.
This Agreement shall become effective as of the later of the dates of the signatures below. This Agreement shall remain in effect until the earlier of:
(i) The date the parties mutually agree in writing to terminate this Agreement;
(ii) The date the Principal Agreement is terminated. No separate notice shall be required to terminate this Agreement upon termination of the Principal Agreement; or
(iii) If Company determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the breach or ended the violation within thirty (30) days of receiving written notice of such violation, then Business Associate authorizes termination of this Agreement.
It is the intent of the parties that the terms of this Agreement be interpreted so as to cause the Principal Agreement to comply with the privacy and security requirements of HIPAA and the requirements of HITECH. Accordingly, this Agreement shall amend the Principal Agreement to the extent provided herein regardless of whether this Agreement formally satisfies the requirements of the Principal Agreement for amendment of the Principal Agreement. To the extent any provisions of this Agreement conflict with the terms of the Principal Agreement, this Agreement shall govern.
Breach Liability. Notwithstanding anything in this Agreement or the Principal Agreement to the contrary, Business Associate shall not be liable for any use or disclosure of Protected Health Information in violation of this Agreement or HIPAA that is caused by any entity or individual other than Business Associate, including, but not limited to, the transmission of Protected Health Information to an unintended recipient, unless such transmission to an unintended recipient was caused by Business Associate.
No Liability for Company Vendors. Notwithstanding anything in this Agreement or the Principal Agreement to the contrary, Business Associate shall not be liable for the actions of any third party vendors selected by the Company for services, including, but not limited to, information technology support, training, and implementation.
Entire Agreement. This Agreement constitutes the entire understanding and agreement between the parties concerning the subject matter of this Agreement, and supersedes all prior negotiations, agreements and understandings between the parties, whether oral or in writing, concerning its subject matter.
Assignment. Neither party may assign this Agreement, nor delegate any duty hereunder, without the prior written consent of the other party, provided, however, that either party may assign this Agreement to the surviving entity in a sale, merger or reorganization, or to any purchaser of all or substantially all of the assets of the business to which this Agreement relates. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the parties to this Agreement and their respective heirs, legal representatives, successors, and permitted assigns.
Further Assurances. Each party will cooperate with the other and execute and deliver to the other party such other instruments and documents and take such other actions as may be reasonably requested from time to time by the other party to carry out, evidence and confirm the intended purposes of this Agreement.
Survival. Notwithstanding any contrary provision in this Agreement, the provisions of this Agreement shall continue in force beyond the term of this Agreement to the extent necessary or appropriate to give such provisions their intended effect, unless and until the parties specifically agree in writing to the contrary.
Waiver. The rights and remedies of the parties are cumulative and not alternative. Neither the failure nor any delay on the part of any party in exercising any right, power, or privilege under this Agreement shall operate as a waiver thereof, nor shall any single or partial exercise of any such right, power or privilege preclude any other or further exercise thereof or exercise of any other right, power or privilege.
Governing Law. This Agreement shall be governed by the laws of the jurisdiction provided in the Principal Agreement. If the Principal Agreement does not specify such a jurisdiction, this Agreement shall be governed by the laws of the State of Ohio.
Force Majeure. Neither party shall be liable or deemed to be in default for any delay or failure in performance under this Agreement or other interruption of services deemed resulting, directly or indirectly, from acts of God, civil or military authority, acts of public enemy, war, accidents, fires, explosions, earthquakes, floods, or strikes, or similar cause beyond the reasonable control of either party.
Relationship of Parties. None of the provisions of this Agreement is intended to create nor shall be deemed or construed to create any relationship between the parties hereto other than that of independent entities contracting with each other hereunder solely for the purpose of effecting the provisions of this Agreement.
No Third Party Beneficiaries. Nothing herein is intended to give nor shall have the effect of giving, any enforceable rights to any third parties who are not parties hereto or successors or permitted assigns of the parties hereto, whether such claims are asserted as third party beneficiary rights or otherwise.
Counterparts. This Agreement may be executed in one or more counterparts each of which shall be deemed to be an original and all of which together shall constitute one and the same instrument.
Notice. Notices required under this Agreement shall be sent by regular mail to the address of each party set forth below or such other address as that party may designate in a notice properly delivered to the other parties.
IN WITNESS WHEREOF, the Company and the Business Associate, each by their duly authorized representatives, have caused this Agreement to be executed and delivered as of the acceptance date.
Electronically signed by Updox Compliance: