DermDetect Business Associate Agreement for Customers/Participants

DermDetect Business Associate Agreement for Customers

This DermDetect Business Associate Agreement (“BA Agreement”) becomes effective as of the date on which the authorized party accepting this BA Agreement completes the electronic acceptance process and signs the consent and release of liability agreement prior to any screening. The authorized party electronically accepting this BA Agreement represents and warrants that it has the authority to bind Customer (as defined in the DermDetect End User Services Agreement or other applicable agreement (“Underlying Agreement”)) and to agree to the terms and conditions of this BA Agreement.

Pursuant to the Underlying Agreement, DermDetect distributes services to Customer. In connection with such services, DermDetect may receive, use, and/or disclose for or on behalf of Customer certain Protected Health Information relating to individuals that is subject to protection under HIPAA.

Customer represents it is a Covered Entity or a Business Associate of a Covered Entity. By reason of such activities, the parties believe that DermDetect is a Business Associate of Customer in the delivery of the DermDetect HIPAA Services to Customer. Customer and DermDetect wish to comply in all respects with the requirements of HIPAA applicable to the relationship between covered entities and their business associates.

This BA Agreement shall be limited exclusively to Customer’s use of the DermDetect HIPAA Services, as that term is defined below, and shall apply to no other agreements, products, or services of DermDetect.

1. Terms used, but not otherwise defined in this BA Agreement shall have the same meaning as those terms set forth in the Privacy Rule or the Security Rule.

(a) Breach. “Breach” shall mean the unauthorized acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule which compromises the security or privacy of such information. “Breach” excludes:

  (i) any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Customer or DermDetect, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.

  (ii) any inadvertent disclosure by a person who is authorized to access Protected Health Information at Customer or DermDetect to another person authorized to access Protected Health Information at Customer or DermDetect, if the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.

  (iii) a disclosure of Protected Health Information where Customer or DermDetect has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Except as provided in exceptions (i)-(iii) above, the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule is presumed to be a Breach unless the Customer or DermDetect, as applicable, demonstrates that there is a low probability that the Protected Health Information has been compromised based on a risk assessment of at least the following factors:

  (i) the nature and extent of the Protected Health Information involved, including the types of identifiers and the likelihood of re-identification;
  (ii) the unauthorized person who used the Protected Health Information or to whom the disclosure was made;
  (iii) whether the Protected Health Information was actually acquired or viewed; and
  (iv) the extent to which the risk to the Protected Health Information has been mitigated.

(b) Business Associate. “Business Associate” has the same meaning as the term “business associate” in 45 CFR § 160.103.

(c) Covered Entity. “Covered Entity” has the same meaning as the term “covered entity” in 45 CFR §160.103.

(d) DermDetect HIPAA Services. “DermDetect HIPAA Services” shall mean the services listed at https://www.DermDetect.com/about/trust-center/DermDetect-hipaa-services.html, provided to Customer pursuant to the Underlying Agreement, for which Customer has paid the applicable fees. To comply with the Privacy Rule and the Security Rule, some features or functionality of the DermDetect HIPAA Services may be limited or unavailable. Customer must configure and operate the DermDetect HIPAA Services in accordance with DermDetect’s HIPAA documentation, as described at https://www.DermDetect.com/about/trust-center/DermDetect-hipaa-documentation.html. DermDetect may, in its sole discretion, modify the list of DermDetect HIPAA Services at any time to add or remove Services. DermDetect will provide at least 6 months prior notice at the page linked above if DermDetect decides to remove an existing service from the DermDetect HIPAA Services. However, DermDetect will not be obligated to provide notice under the prior sentence if the removal is necessary to address an emergency or threat to the security or integrity of DermDetect, respond to claims, litigation, or loss of license rights related to third-party intellectual property rights, or comply with the law or requests of a government entity.

(e) Designated Record Set. “Designated Record Set” has the same meaning as the term “designated record set” in 45 CFR § 164.501.

(f) Electronic Protected Health Information. “Electronic Protected Health Information” has the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to the information received by DermDetect from or on behalf of Customer.

(g) HIPAA. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended or modified, including by the Health Information Technology for Economic and Clinical Health Act, and its implementing rules and regulations.

(h) Individual. “Individual” has the same meaning as the term “individual” in 45 CFR § 160.103.

(i) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

(j) Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR §160.103, limited to the information received by DermDetect from or on behalf of Customer.

(k) Required by Law. “Required by Law” has the same meaning as the term “required by law” in 45 CFR § 164.103.

(l) Secretary. “Secretary” has the same meaning as the term “secretary” in 45 CFR § 160.103.

(m) Security Incident. “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system that provides access to Electronic Protected Health Information.

(n) Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR part 164 subpart C.

2. Obligations and Activities of DermDetect. DermDetect agrees to:

(a) not use or further disclose Protected Health Information other than as permitted or required by this BA Agreement or as Required by Law.

(b) use, disclose and request only the minimum necessary amount of Protected Health Information necessary to perform its services for Customer.

(c) use appropriate safeguards and comply with the Security Rule with respect to Electronic Protected Health Information to prevent use or disclosure of the Protected Health Information other than in accordance with this BA Agreement.

(d) mitigate, to the extent practicable, any harmful effect that is known to DermDetect of a use or disclosure of Protected Health Information by DermDetect in violation of the requirements of this BA Agreement, the Privacy Rule or the Security Rule.

(e) report to Customer any use or disclosure of the Protected Health Information not in accordance with this BA Agreement of which DermDetect becomes aware, including any Breach of unsecured Protected Health Information and any Security Incident. For all reporting obligations under this BA Agreement, the parties acknowledge that, because DermDetect does not know the nature of the Protected Health Information contained in any of the Customer’s accounts, it will not be possible for DermDetect to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident or Breach.

(f) in accordance with the Privacy Rule and the Security Rule, ensure that any subcontractor to whom it provides Protected Health Information agrees to the same restrictions and conditions that apply to DermDetect with respect to such information.

(g) to the extent any Protected Health Information is in a Designated Record Set, make available Protected Health Information to the extent, for the purposes and in the manner required by 45 CFR §164.524 (Access of Individuals to Protected Health Information) and 45 CFR §164.526 (Amendment of Protected Health Information) and incorporate any amendment to Protected Health Information as required under 45 CFR §164.526.

(h) to the extent DermDetect is to carry out one or more of Customer’s obligations under the Privacy Rule, DermDetect shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations.

(i) make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or received by DermDetect on behalf of, Customer available to the Secretary for purposes of the Secretary determining Customer's compliance with the Privacy Rule or the Security Rule.

(j) document such disclosures of Protected Health Information and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528 (Accounting of disclosures of Protected Health Information). For avoidance of doubt, DermDetect will document and make available to Customer the information required to provide an accounting of disclosures in accordance with 45 CFR §164.528 of which DermDetect is aware if requested by the Customer. Because DermDetect cannot readily identify which Individuals are identified or what types of Protected Health Information are included in a Customer’s accounts, Customer will be solely responsible for identifying which Individuals, if any, may have been included in Customer data that may have been disclosed and for providing a brief description of the Protected Health Information disclosed.

(k) provide to Customer, at a time and in a manner agreed by the parties, information collected in accordance with Section 2(j) of this BA Agreement to permit Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528.

3. Permitted Uses and Disclosures by DermDetect.

(a) General Use and Disclosure Provisions. Subject to the terms of this BA Agreement, DermDetect may use or disclose Protected Health Information to provide the DermDetect HIPAA Services to Customer, provided that such use or disclosure would not violate the Privacy Rule if done by Customer.

(b) Specific Use and Disclosure Provisions. DermDetect may use or disclose Protected Health Information for the proper management and administration of DermDetect (such as for the purposes of quality improvement, product or service testing, support, and system maintenance) or to carry out the present and/or future legal responsibilities of DermDetect; provided that DermDetect shall disclose such Protected Health Information only: (i) as Required by Law or (ii) to persons from which DermDetect obtains reasonable assurances that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies DermDetect of any instances of which it is aware in which the confidentiality of the information has been breached.

(c) Report Violations of Law. DermDetect may use Protected Health Information to report violations of law appropriate to Federal and State authorities consistent with 45 CFR § 164.502(j)(1).

(d) Data Aggregation. DermDetect may use Protected Health Information to aggregate data as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

(e) De-Identification. DermDetect may use Protected Health Information to create de-identified information pursuant to the requirements set forth at 45 C.F.R. § 164.514(a)-(c).

4. Obligations of Customer. Customer agrees that, to the extent applicable, it:

(a) will configure and operate the DermDetect HIPAA Services only in accordance with DermDetect’s HIPAA documentation, available at https://www.DermDetect.com/about/trust-center/DermDetect-hipaa-documentation.html.

(b) will not upload PHI to any service that is not designated as a DermDetect HIPAA Service. DermDetect does not act as a Business Associate with respect to any services other than the DermDetect HIPAA Services.

(c) has included, and will include, in the Customer’s Notice of Privacy Practices required by the Privacy Rule, a provision stating that the Customer may disclose Protected Health Information for health care operations and payment purposes. Upon request, Customer will provide DermDetect with a copy of Customer’s Notice of Privacy Practices, as well as any changes to such Notice.

(d) has provided to DermDetect notice of any limitation(s) in Customer’s Privacy Practices to the extent such limitation(s) may affect DermDetect’s performance of services for Customer or use or disclosure of Protected Health Information.

(e) will provide, upon the reasonable request of DermDetect, copies of any consent, authorization, acknowledgment or permission by an Individual to use or disclose Protected Health Information which may affect DermDetect’s performance of services for Customer or use or disclosure of Protected Health Information.

(f) has obtained, and will obtain, from Individuals consents, authorizations and other permissions (if any) necessary or required by laws applicable to Customer for DermDetect and Customer to fulfill their respective obligations under this BA Agreement.

(g) will provide DermDetect with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect DermDetect's performance of services for Customer or use or disclosure of Protected Health Information.

(h) will notify DermDetect of any restriction to the use or disclosure of Protected Health Information that it has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect DermDetect’s use or disclosure of Protected Health Information.

(i) will, upon request of DermDetect, notify DermDetect of the name of and contact information for the privacy official designated by Customer in accordance with 45 CFR §164.530.

5. Permissible Requests by Customer. Customer shall not request DermDetect to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Customer, except as set forth in Section 3(b) above.

6. Term and Termination.

(a) Term. This BA Agreement shall remain in effect for so long as the Underlying Agreement is in effect between Customer and DermDetect for DermDetect to perform activities or services for or on behalf of Customer. Upon the termination of any such Underlying Agreement, this BA Agreement automatically terminates without notice.

(b) Termination for Breach. Customer shall have the right to terminate this BA Agreement upon any material breach of this BA Agreement; provided, however, that prior to any such termination, Customer shall provide DermDetect with notice of the existence of an alleged material breach and provide DermDetect an opportunity to cure the alleged material breach. In the event DermDetect fails to cure the material breach within thirty (30) days of receipt of written notice, Customer may thereafter immediately terminate this BA Agreement.

(c) Effect of Termination.

(i) Except as provided in paragraph (ii) of this Section, upon termination of this BA Agreement for any reason, DermDetect shall return or destroy all Protected Health Information received from Customer, or created or received by DermDetect on behalf of Customer, or convert such Protected Health Information to a de-identified format consistent with the Privacy Rule. This provision shall also apply to Protected Health Information that is in the possession of subcontractors or agents of DermDetect. DermDetect shall retain no copies of the Protected Health Information.

(ii) In the event that DermDetect determines that returning or destroying the Protected Health Information is infeasible, DermDetect shall provide to Customer notification of the conditions that make return or destruction infeasible. DermDetect shall extend the protections of the BA Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as DermDetect maintains such Protected Health Information. The parties agree that to the extent that DermDetect is Required by Law to maintain copies of Protected Health Information, return of such Protected Health Information shall be deemed infeasible and DermDetect shall have the right to retain such Protected Health Information as Required by Law; provided, however, that DermDetect shall only use or disclose such Protected Health Information for the purposes of and as Required by Law. The respective rights and obligations of DermDetect under Section 6 of this BA Agreement shall survive the termination of this BA Agreement.

7. Miscellaneous.

(a) Regulatory References. A reference in this BA Agreement to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended, and for which compliance is required.

(b) Amendment. The Parties agree to take such action as is reasonably necessary to amend this BA Agreement from time to time as is necessary for Customer or DermDetect, as applicable, to comply with the requirements of HIPAA.

(c) Survival. The respective rights and obligations of DermDetect under Section 6 of this BA Agreement shall survive the termination of this BA Agreement.

(d) Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits Customer or DermDetect, as applicable, to comply with HIPAA. Any conflict between the terms of this BA Agreement and any other agreement relating to the same subject matter, which is the Business Associate requirements under HIPAA, shall be resolved so that the terms of this BA Agreement supersede and replace the relevant terms of any such other agreement.

(e) No Beneficiary. There are no third-party beneficiaries to this BA Agreement, including but not limited to any Individuals who are subject of the Protected Health Information.

(f) Governing Law. Except to the extent that HIPAA or other federal law applies, the governing law and jurisdiction to resolve any dispute that arises with respect to this BA Agreement are as specified in the Underlying Agreement.

(g) Integration. This BA Agreement is the sole and complete agreement between the parties relating to obligations under HIPAA, and supersedes any prior agreements, understandings, and communications relating thereto. Notwithstanding the foregoing, the Underlying Agreements shall govern all other terms between the parties including without limitation, terms related to the services provided, payment obligations, and limitation of liability with respect to both the Underlying Agreements and this BA Agreement.

(h) Severability. The provisions of this BA Agreement shall be severable, and if any provision of this BA Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BA Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.

Privacy Policy and HIPAA – DermDetect LLC

DermDetect LLC is committed to ensuring your personal information is kept secure and private. This privacy notice sets out what you can expect when we collect information about you or when you use our website.

Use of Our Website

When you visit our website we collect standard internet log information and details of visitor behavior patterns. We collect this information to find out things such as the number of visitors to the various parts of the site and we do so in a way which does not identify anyone.

Cookies

Cookies are small text files which are placed on your computer by websites that you visit. There are two main types: ‘session’ and ‘persistent’. ‘Session’ cookies are temporary and only remain in the cookie file of your computer until you close your browser when they are deleted. ‘Persistent’ cookies are stored permanently on your computer until they either expire or are deleted. DermDetect uses both types.

Cookies are widely used to enable the collection of information, to enable navigation around a website or to make websites work, or work more efficiently. To enhance a user’s experience cookies can also be used to remember information so you do not have to retype it each time you visit a website, for example, your name and email address, or to remember preferences like the language in which the website is displayed.

DermDetect also uses cookies to enable better understanding of how the website is used (for example which pages are seen, how often, return visits to the site), so that we can improve and tailor the content of the site, and also to help ensure the security and authenticity of our registration for access to secure areas of our site.

DermDetect does not use cookies to track your internet usage after leaving our website, nor do we use cookies which can store personal information about you which others could read and understand. Cookies cannot be used to access your computer and obtain information about you or read any material held on your computer. Cookies will not be used to contact you for marketing purposes.

Most web browsers are usually set up to accept cookies. You can delete cookies and you can usually adjust your browser so that your computer rejects cookies, but please note if you disable cookies you will not be able to register or log on to secure areas on our site. Information about cookies and how to reject them can be found from the Information Advertising Bureau at www.allaboutcookies.org

Security of Data

If you register to use online, password-protected portions of our website we will ask you to provide us with certain up to date information about you, which we will handle securely. We maintain strict security standards and procedures intended to prevent unauthorized access to your data and we use technologies such as data encryption and firewalls to achieve this.

Use of the Information We Collect From You

We use the information we collect from you to:

  • Administer your account.
  • Assess your needs to determine suitable products and services
  • Fulfill your order for our services.
  • Link or combine with other information we receive from third parties to help understand your needs, provide you with better service and for marketing purposes.
  • Provide, improve, maintain and operate our services.
  • Send you administrative messages, invoices, order confirmations, security alerts, support messages, technical notices, and updates.
  • Investigate and respond to illegal activities or fraudulent transactions and/or fraudulent use of our website.
  • Respond to customer service requests and provide support.
  • Respond to your comments, concerns and questions.
  • Send you requested information and for other purposes which we have notified you about.

We are based in the United States and the information we collect is governed by U.S. law. By accessing or using our services or website or otherwise providing information to us, you consent to the processing and transfer of information in and to the U.S.

Information Sharing

Except as provided for in any service or subscription agreement you entered into with us, if any, and this Policy, we do not disclose your personal information to third parties without your consent.

We do not sell any of your personal information to third parties or allow third parties to use it for their marketing purposes. We use third-party intermediaries to manage payment processing. These intermediaries are solely links in the distribution chain and are not permitted to store, retain, or use the information provided except for purposes of payment processing.

We may share your information with third party vendors, consultants and other service providers who are working on our behalf and require access to your information to carry out that work, such as to process billing, provide customer support, etc. For example, we may use third-party data centers to host our website or to store documents uploaded to our application. We obtain appropriate contractual and technical protections to limit these service providers’ use and disclosure of your personal information.

We release personal information if we believe we must do so to comply with the law, to comply with a subpoena, bankruptcy proceedings, or similar legal process, to enforce any agreements you entered into with us, if any, or to protect the rights and safety of our company, our customers, our individual users, and the general public.

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, you will be notified via a prominent notice on our Web site of any change in ownership that affects your personal information, as well as any choices you may have regarding your personal information.

On-Line Payments

The security of your payment information is important to us. If you make payments on our website, you will be asked for credit card or PayPal information. We use a payment gateway – a site specifically secured to process this information – for these payments, for which we pay a fee. Your personal credit card information is never stored or available anywhere on our website.

HIPAA AND HITECH SECURITY

HIPAA and HITECH provide national minimum standards to protect an individual’s protected health information (PHI). The U.S. Department of Health and Human Services (HHS) manages and enforces these standards.

The HIPAA Security Rule requires covered organizations to implement technical safeguards to protect all Electronic Protected Health Information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, and auditing and monitoring of ePHI. The HIPAA Security Rule then goes on to set out numerous examples of HIPAA encryption methods which can be employed and the factors to consider when implementing and ensuring the success of a HIPAA encryption strategy.

The HITECH act then expands the compliance requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records (PHR), including those by business associates, vendors and related entities. And finally, the “HIPAA Omnibus Rule” of 2013 formally holds business associates liable for compliance with the HIPAA Security Rule.

HIPAA was originally created to streamline healthcare processes and reduce costs by standardizing certain common health care transactions while protecting the security and privacy of individuals’ PHI. HITECH expanded on the privacy and security requirements of HIPAA.

HIPAA and HITECH focus on PHI, which generally includes any personally identifiable information regarding an individual’s physical or mental health, the provision of health care to him or her, or payment for related services. PHI also includes any personally identifiable demographic information, including, for example, name, address, phone numbers, and Social Security numbers.

These standards affect the use and disclosure of PHI by covered entities (such as health care providers engaged in certain electronic transactions, health plans, and health care clearinghouses) and their business associates.

DermDetect enables all users of our website to process, maintain, and store protected health information.

The 4 HIPAA Rules

HIPAA Privacy Rule

HIPAA’s Privacy Rule restricts intentional and unintentional use or disclosure of PHI that is in violation of the requirements of HIPAA.

  1. Do not allow impermissible use or disclosure of PHI
  2. Provide breach notification to the covered entity
  3. Provide individual or the covered entity access to the PHI
  4. Disclose PHI to the secretary of the HHS if compelled to do so
  5. Provide an accounting of disclosures
  6. Comply with the requirements of HIPAA security rule

HIPAA Security Rule

HIPAA’s Security Rule requires covered entities to put in place detailed administrative, physical, and technical safeguards to protect electronic PHI.

HIPAA Enforcement Rule

It spells out penalties and procedures for hearings.

HIPAA Breach Notification Rule

It requires healthcare providers to notify patients in the case of a breach of unsecured PHI.

The DermDetect website is delivered via servers hosted in data centers that are HIPAA compliant.

Our Security policy mandates all of the following:

  • Physical Safeguards – Only authorized DermDetect employees can access the servers
  • Administrative Safeguards – Access to the data within the application is controlled by the covered entity, while access to the server is controlled by the DermDetect team. DermDetect provides role-based access control to restrict access to certain users.
  • Technical Safeguards – DermDetect maintains an active monitoring system to find and fix any vulnerabilities in Operating System, Web Server, and Database.

A note on encryption – DermDetect doesn’t encrypt data at rest.

Contact data is stored in a database without encryption. Direct access to the database is only allowed to users who can log in to the server directly. This is restricted to only a few administrators in our operations team. We have logs tracking all access to the servers.

When being transmitted, the data is encrypted using SSL.

Breach notification

If a breach has occurred at the service level, DermDetect will alert you.

CONTACT INFORMATION

Questions regarding our Policy or the practices concerning our Web Properties should be directed here as a security question, or by regular mail addressed to DermDetect LLC, Attn: Legal, 320 North Carson Street, Carson City, NV 89701 USA.