Last Updated: April 1st, 2020
Changes to This Policy
We may change this Policy from time to time. If we make any changes to this Policy, we will change the “last updated” date above. If there are material changes to this Policy, we will notify you more directly. We encourage you to check this Policy whenever you use our Web sites and services to understand how your personal information is used.
We collect information from you in various ways when you use our Web sites and services. We may also supplement this information with information from other companies. We collect two general types of information, namely personal information and aggregate data. As used in this Policy, the term “personal information” means information that specifically identifies an individual (such as a name and email address), and demographic and other information when directly linked to information that can identify an individual.
Our definition of personal information does not include “aggregate” data. Aggregate data is information we collect about a group or category of services or users from which individual user identities have been removed. In other words, no personal information is included in aggregate data. Aggregate data helps us understand trends in our users’ needs so that we can better consider new features or otherwise tailor our services. This Policy in no way restricts or limits our collection and use of aggregate data, and we may share aggregate data about our users with third parties for various purposes, including to help us better understand our customer needs and improve our services and for advertising and marketing purposes.
The following are the specific types of information we collect from you.
Information You Give Us. We collect information you give us on our Web site and when you register for and use our services. Examples include the following:
Registration and Profile Information
When you use our services or update your profile, we may collect various kinds of information about you, including your name and email address; your title, company and other profile information you provide; demographic information; and information you upload like photos, files, and documents.
Contact Information. We collect the email addresses you provide for contacts you enter or upload into your private contacts page. When you choose to collaborate or share files with others, we also collect email addresses you provide to email invitations to those individuals on your behalf.
1. NO RENDERING OF ADVICE
The information contained within this website is provided for informational purposes only and is not intended to substitute for obtaining accounting, tax, or financial advice from a professional accountant. Presentation of the information via the Internet is not intended to create, and receipt does not constitute, an accountant-client relationship. Internet subscribers, users and online readers are advised not to act upon this information without seeking the service of a professional accountant. Any U.S. federal tax advice contained in this website is not intended to be used for the purpose of avoiding penalties under U.S. federal tax law. DrillDown Solution specifically disclaims any liability for any direct, indirect, incidental, consequential or special damages arising out of or in any way connected with access to or use of the website (even if DrillDown Solution has been advised of the possibility of such damages), including liability associated with any viruses which may infect a user’s computer equipment.
2. COPYRIGHT & TRADEMARKS
The trademarks, logos and service marks displayed on this website are the property of DrillDown Solution. Users are prohibited from using any of these without the written permission of DrillDown Solution. All content on the website is protected by copyright. Users are prohibited from modifying, copying, distributing, transmitting, displaying, publishing, selling, licensing, creating derivative works or using any content on the website for commercial or public purposes.
3. NO WARRANTIES
Information provided on this web site is provided “as is” without warranty of any kind, either express or implied, including without limitation warranties of merchantability, fitness for a particular purpose, or non-infringement. DrillDown Solution periodically adds, changes, improves, or updates the information and documents on this web site without notice. DrillDown Solution assumes no liability or responsibility for any errors or omissions in the content of this web site. Your use of this web site is at your own risk. Under no circumstances and under no legal theory shall DrillDown Solution, its suppliers, or any other party involved in creating, producing, or delivering this website’s contents be liable to you or any other person for any indirect, special, incidental, or consequential damages of any character arising from your access to, or use of, this web site.
4. CONFIDENTIALITY OF USER COMMUNICATIONS
Except as required by law, DrillDown Solution will maintain the confidentiality of all user communications that contain personal user information, and which are transmitted directly to DrillDown Solution.
5. LINKED INTERNET WEBSITES
DrillDown Solution does not verify, confirm, guarantee, or warrant the accuracy of any information contained on the websites that may be linked to from these pages. They are provided as links merely for the convenience of our site visitors and are for informational purposes only. By “hyperlinking” to other websites, DrillDown Solution makes no endorsement of the views or opinions stated therein. Further, hyperlinks to other websites are not intended to be referrals or endorsements of the linked entities.
6. TRANSMISSION OF PERSONAL DATA
User acknowledges and agrees that by providing DrillDown Solution with any personal or proprietary user information through the website, user consents to the transmission of such personal or proprietary user information as necessary for processing in accordance with DrillDown Solution’s standard business practices.
7. LAWS AND REGULATIONS
User access to and use of the Site is subject to all applicable federal, state and local laws and regulations.
8. ACCESS TO PASSWORD PROTECTED/SECURE AREAS
Access to and use of password protected and/or secure areas of the Website is restricted to authorized users only. Unauthorized individuals attempting to access these areas of the Website may be subject to prosecution.
Cookies and Web Beacons
DrillDown Solution may send you communications or data regarding our Websites and services, including but not limited to (i) notices about your use of our Web sites and services, including any notices concerning violations of use, (ii) updates, and (iii) promotional information and materials regarding our products and services. You may opt-out of receiving promotional emails from DrillDown Solution by following the opt-out instructions provided in those emails. You may also opt-out of receiving promotional emails and other promotional communications from us at any time by emailing firstname.lastname@example.org with your specific request. Opt-out requests will not apply to transactional service messages, such as security alerts and notices about your current account and services. Please allow 72 hours for opt out requests to take full effect.
If you have any questions about this Policy, you should first contact us at email@example.com. If you do not receive a response or your inquiry has not been satisfactorily addressed, you should then contact the Office of Civil Rights (OCR). Listen to recorded information about filing complaints at 1-866-627-7748 (TDD: 1-800-537-7697).
Any questions about this Policy should be addressed to firstname.lastname@example.org.
THIRD PARTY SERVICES AND CONTENT.
- Definitions Capitalized terms not defined in this policy will be defined as provided in HIPAA, the HITECH ACT and their implementing rules.
- All transactions using DrillDown Solution’s services are between the transacting parties only. The Services may contain features and functionalities linking you or providing you with certain functionality and access to third party content, including Web sites, directories, servers, networks, systems, information and databases, applications, software, programs, products or services, and the Internet as a whole; you acknowledge that we are not responsible for such content or services. We may also provide some content to you as part of the Services. However, DrillDown Solution is not an agent of any transacting party, nor are we a direct party in any such transaction. Any such activities, and any terms associated with such activities, are solely between you and the applicable third-party. Similarly, we are not responsible for any third-party content you access with the Services, and you irrevocably waive any claim against us with respect to such sites and third-party content. DrillDown Solution shall have no liability, obligation or responsibility for any such correspondence, purchase or promotion between you and any such third-party. You should make whatever investigation you feel necessary or appropriate before proceeding with any online or offline transaction with any of these third parties. You are solely responsible for your dealings with any third party related to the Services, including the delivery of and payment for goods and services. Should you have any problems resulting from your use of any third party services, or should you suffer data loss or other losses as a result of problems with any of your other service providers or any third-party services, we will not be responsible unless the problem was the direct result of our breaches.
In accordance with the provisions of the Health Insurance Portability and Accountability Act of 1996, and the regulations promulgated thereunder, including the Privacy Rule and Security, as amended (“HIPAA”), you agree to follow and abide by the following standards (all undefined terms in Sections 18 and 19 have their meaning defined by the HIPAA regulations):
- You will ensure that your use of the Services complies with applicable law, including but not limited to laws relating to maintenance of privacy, security, and confidentiality of patient and other health information.
- You agree to implement and maintain appropriate administrative, physical and technical safeguards to protect information within the Services. Such safeguards must comply with federal, state, and local requirements, including the Privacy Rule and the Security Rule.
- You will maintain appropriate security with regard to all personnel, systems, and administrative processes used by you or members of your workforce to transmit, store and process electronic health information through the use of the Services.
- By using the Service, you consent to the terms of the Business Associate Agreement set forth below and you agree to protect any information received through such communication services in accordance with the terms of such business associate agreement.
- You acknowledge that other federal and state laws impose additional restrictions on the use and disclosure of certain types of health information, or health information pertaining to certain classes of individuals.
- You agree that you are solely responsible for ensuring that personal health information is subject to the restrictions of the Privacy Rule and applicable law. In particular, you will:
- Not make available to other users through the Service any information in violation of any restriction on use or disclosure (whether arising from your agreement with such users or under law);
- Obtain all necessary consents, authorizations or releases from individuals required for making their personal health information available to DrillDown Solution;
- Include such statements (if any) in your notice of privacy practices as may be required.
- DrillDown Solution is committed to maintaining the confidentiality of information entrusted to us, especially individually identifiable personal and health information. DrillDown Solution follows its HIPAA policies and procedures. You are responsible for determining if the Service meets your compliance standards.
USE OF PROTECTED HEALTH INFORMATION.
Our services may require us to access software that may include Protected Health Information that you or your personnel input or upload onto third party Services or that DrillDown Solution receives on your behalf from your authorized service providers or our third party partners (“Your Health Information”). You retain all rights with regard to Your Health Information, and DrillDown Solution will only use such information as expressly permitted in this Agreement and our Business Associate Agreement. You authorize DrillDown Solution, as your business associate, to use and disclose Your Health Information as follows.
- DrillDown Solution has no control over the uses and disclosures that the business associate makes of Your Health Information, and the recipient may be subject to its own legal or regulatory obligations (including HIPAA) to retain such information and make such information available to patients, governmental authorities and others as required by applicable law or regulation.
- DrillDown Solution may “De-Identify” (means health information that has been de-identified in accordance with the provisions of the Privacy Rule) Your Health Information and use and disclose de-identified information.
- DrillDown Solution may create limited data sets from Your Health Information, and disclose them for any purpose for which you may disclose a limited data set; and you hereby authorize DrillDown Solution to enter into data use agreements on your behalf for the use of limited data sets, in accordance with applicable law and regulation.
- DrillDown Solution may use Your Health Information in order to prepare analyses and reports, such as activity or quality-metrics reports, or any other reports the Service makes available, in order to render these reports to you. Preparation of such analyses and reports may include the use of data aggregation services relating to your treatment and health care operations, which DrillDown Solution may perform using Your Health Information. Such reporting will be done in a manner that does not make any disclosure of Your Health Information that you would not be permitted to make.
- DrillDown Solution may use Your Health Information for the proper management and administration of the Service and our business, and also as required to carry out its legal responsibilities. DrillDown Solution may also disclose Your Health Information for such purposes if the disclosure is required by law, or DrillDown Solution obtains reasonable assurances from the recipient that it will be held confidentially and used or further disclosed only (i) as required by law or for the purpose for which it was disclosed to the recipient, and the recipient notifies DrillDown Solution of any instances of which it is aware in which the confidentiality of the information has been breached. Without limiting the foregoing, DrillDown Solution may permit access to the system by our contracted system developers under appropriate confidentiality agreements.
- From time to time DrillDown Solution may incorporate information it receives from your authorized service providers (including any third party product or services) or our third party partners into the Service provided to you. Such information may include, without limitation, clinical information such as lab results, imaging results, eligibility information, and prescription history; and shall, upon incorporation into the Service, be treated as “Your Health Information” for all purposes hereunder. You hereby authorize DrillDown Solution to request and receive such information on your behalf from such authorized service providers or DrillDown Solution’s third party partners.
- You are solely responsible for affording individuals their rights with respect to relevant portions of Your Health Information, such as the rights of access and amendment. You will not undertake to afford an individual any rights with respect to any information in the Service other than Your Health Information.
You hereby transfer and assign to DrillDown Solution all right, title and interest in and to all De-Identified Information that DrillDown Solution makes from Your Health Information as outlined herein. You agree that DrillDown Solution may use, disclose, market, license and sell such De-Identified Information for any purpose without restriction, and that you have no interest in such information, or in the proceeds of any sale, use, license, or other commercialization thereof. You acknowledge that the rights conferred by this Section are a major consideration for the provision of the Service, and absent these provisions, DrillDown Solution would not enter into this Agreement and agree to provide the Services.
Uses and Disclosures of PHI.
- Healthcare Provider may from time to time disclose PHI in conjunction with Healthcare Provider’s receipt of services under the Agreement. For purposes of this BAA, “Protected Health Information” (PHI) is limited to PHI, as defined in HIPAA, HITECH and their implementing rules, that is accessed, used, processed or disclosed pursuant to the Agreement.
- Neither party will access, use, process or disclose such PHI for any purpose other than as permitted under this BAA and applicable law. Each party may access, use, process and disclose the PHI it receives for the proper management and administration of such party, to perform its obligations under and receive the benefits of the service delivered under the Agreement and to otherwise carry out its legal responsibilities; provided, however, that in all cases such use is permitted under applicable law. Either party may disclose PHI if the disclosure is required by law. Either party may also disclose PHI for the proper management and administration of the business of such party, provided it obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law and for the purpose for which it was disclosed.
- Each party will maintain appropriate safeguards including, but not limited to, administrative, organizational, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI.
- If either party becomes aware of any unauthorized access to or use, processing or disclosure of unsecured PHI, it will so notify the other party. Such notice will contain: (i) the date of discovery of the unauthorized access, use, processing or disclosure; (ii) a listing of the identification of individuals and/or classes of individuals who are subject to the unauthorized access, use, processing or disclosure; and (iii) a general description of the nature of the unauthorized access, use, processing or disclosure. The party responsible for such unauthorized access, use, processing or disclosure will perform an appropriate risk assessment to determine whether the PHI has been compromised. In performing the risk assessment, such party will consider a combination of factors such as: (i) the nature and extent of the PHI affected, (ii) the unauthorized person who impermissibly used the PHI or to whom the PHI was impermissibly disclosed; (iii) whether PHI was acquired or viewed and (iv) the extent to which the risk to the PHI has been mitigated. The results of such risk assessment will be provided to the other party. DrillDown Solution is not responsible for monitoring Healthcare Provider’s own access to or use, processing or disclosure of PHI.
- In the event of an unauthorized access to or use, processing or disclosure of unsecured PHI, the party responsible for such unauthorized access to or use, processing or disclosure of unsecured PHI will use reasonable efforts to mitigate, to the extent practicable, any harmful effect arising from such unauthorized access to or use, processing or disclosure of unsecured PHI.
- The parties will cooperate with respect to any required notifications that must be made to the individuals or the media with respect to any unauthorized access to or use, processing or disclosure of unsecured PHI.
- With respect to any subcontractor or agent to whom either party provides PHI, the disclosing party will first contractually obligate such subcontractor or agent to agree to protect such PHI pursuant to terms and conditions at least as protective as the terms of this Business Associate Agreement.
- DrillDown Solution may de-identify any and all PHI that is in its possession or control provided that DrillDown Solution implements de-identification criteria in accord with applicable law. De-identified information does not constitute PHI and is not subject to the terms of this BAA.
Compliance with Law
- Each party is responsible for its own compliance with any and all existing or subsequent laws, whether by statute, regulation, common law, or otherwise, related to its access to or use, processing or disclosure of PHI. Healthcare Provider agrees that it will have and maintain appropriate consents from data subjects, as may be necessary, for DrillDown Solution to access, use, process and disclose PHI in accordance with its delivery of services under the Agreement and as otherwise permitted under this BAA.
- The parties will provide each other only the minimum amount of PHI necessary for us to perform the Service described in the Agreement.
- Upon request by the Department of Health and Human Services (“HHS”), each party will make available to HHS the internal practices, books, and records of such party relating to the use and disclosure of PHI for purposes of ensuring compliance with the provisions of HIPAA and the HITECH Act.
- In the event that DrillDown Solution receives an inquiry from an individual for access to or the right to amend PHI, it will advise Healthcare Provider of that communication and the request. The parties will cooperate in making PHI available to the individual and in making the requested amendment of PHI. The Healthcare Provider will retain and make available on request information required to provide an accounting of disclosures in accordance with the provisions of HIPAA and the HITECH Act.
Termination and Destruction of PHI.
- In the event that either party reasonably determines that the other has accessed, used, processed or disclosed unsecured PHI in a manner inconsistent with a material term of this Agreement, it will provide written notice of such breach to the other party and specify in reasonable detail any such breach. Upon receipt of such written notice, the receiving party will have 30 days to achieve compliance with this BAA or to establish a reasonable schedule for compliance with this BAA. In the event that a party fails or refuses to comply with this obligation, the other party may terminate this BAA upon written notice. If either party reasonably determines that the other party has accessed, used, processed or disclosed PHI in a manner inconsistent with this BAA following written notice of a prior breach, the non-breaching party may immediately terminate the Agreement.
- Within thirty (30) days of termination of this BAA, DrillDown Solution will return to Healthcare Provider, or destroy, the PHI made available to DrillDown Solution by the Healthcare Provider that is in its control and take reasonable steps to ensure that DrillDown Solution has no means of identifying or re-identifying individuals who are the subject of such PHI. DrillDown Solution will also obligate any subcontractor to return to DrillDown Solution, or destroy, any such PHI in the subcontractor’s control.
- In the event that DrillDown Solution is unable to return or destroy the PHI in its control, DrillDown Solution will continue to protect such PHI from further disclosure.
Limitation of Liability.
UNDER NO CIRCUMSTANCES WILL DRILLDOWN SOLUTION OR ITS AFFILIATES, OR ANY OF ITS OR THEIR RESPECTIVE DIRECTORS, OFFICERS, SHAREHOLDERS, PROPRIETORS, PARTNERS, EMPLOYEES, AGENTS, REPRESENTATIVES, SERVANTS, ATTORNEYS, PREDECESSORS, SUCCESSORS OR ASSIGNS, BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, LOST PROFITS AND DAMAGES THAT RESULT FROM INCONVENIENCE, DELAY, OR LOSS OF USE) ARISING OUT OF ITS ACCESS TO OR USE, PROCESSING OR DISCLOSURE OF PHI, EVEN IF IT OR THEY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages; thus, this limitation may not be applicable.
All notices and other communications required or permitted to be given by DrillDown Solution to you under this Agreement will be deemed to be properly given on the date when sent by email to the email address for you last recorded by DrillDown Solution or sent by postal mail or private courier to the postal address for you last recorded by DrillDown Solution. All notices and other communications required or permitted to be given by you to us under this BAA will be deemed to be properly given on the date when sent by postal mail or private courier to 5132 NO 300 W, Suite 200 Provo, UT 84064, Attention: Legal Department.
If you have questions, please contact us at 801-225-8474 or email@example.com