License to use ResMed’s HI Services
In consideration of the Service fees, if applicable, ResMed grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use ResMed’s HI Services in accordance with these Terms.
“Effective Date” will be the date on which you first agree to these Terms. Your access or use of the Services, including ResMed’s HI Services will be deemed acceptance of these Terms.
“Services” includes but is not limited to health related and other information, communication, compliance, cloud-based data storage, retrieval, patient management system and online support program provided to you by ResMed through one or more of ResMed’s HI Services. The Services may be modified from time to time to remove or include additional services, beyond those Services offered today, those additional services will be governed by these Terms.
“System” includes ResMed flow generators, ventilators and any other hardware and software provided by ResMed in connection with the Services.
These Terms will commence on the Effective Date and will remain in effect so long as you access or use ResMed’s HI Services or the Terms are otherwise terminated.
We may stop providing the Services on notice to you (a “ Termination Notice”) if:
· providing the Services would create a substantial economic or technical burden or material security risk for us, or if it is necessary for us to do so to comply with the law or requests of governmental entities; or
· the use of the Services by you or our provision of any of the Services to you has become impractical or unfeasible for any legal, business or regulatory reason.
On any termination of these Terms:
· all your rights under these Terms will terminate within 15 days from the date of the Termination Notice; and
· you remain responsible for all fees and charges you have incurred through to the date of termination.
If applicable, you agree to pay the applicable Service fee(s) for ResMed’s HI Services.
ResMed’s HI Services may use algorithms and identifiers (e.g., serial numbers) to link the data obtained from the sleep device (“ Device Data”) to patient data. You are responsible for the accuracy and consistency of all identifiers and patient demographic information (e.g., patient name, date of birth, etc.). The accuracy and consistency of this information will impact how the System matches patients with patient data.
Through ResMed’s HI Services you may access your patient’s data. In certain circumstances, you may also have access to your patients’ data, notices or other communications we have provided to your patients relating to other ResMed services.
ResMed does not, through ResMed’s HI Services or its available functions, provide medical advice. ResMed’s HI Services are intended solely as a resource and informational tool. We are not medical professionals and we do not discuss or advise on any issues relating to medical treatment or diagnosis. Accordingly, you are responsible for all reliance and clinical decisions based on patient data and information reported on ResMed’s HI Services. ResMed’s HI Services are not intended to, and do not provide, medical advice.
ResMed’s HI Services are tools that can assist you in the provision of health services, but it is not a substitute for competent human intervention and discretionary thinking. Therefore, you agree that you will be responsible for each of the following, as applicable, when using ResMed’s HI Services: (i) entering information accurately and completely; (ii) reading information displayed accurately; (iii) confirming the accuracy of life threatening information and critically important results that are accessed or stored though ResMed’s HI Services in the same manner that such information and results would be confirmed or verified if it were in paper form or as would otherwise be confirmed or verified if you were using applicable standards of good medical practice; and (iv) reporting any errors or suspected errors discovered in the course of using ResMed’s HI Services.
Patient data is protected by laws and regulations governing the privacy and security of health information. In your dealings with all personal data, you must comply with applicable laws and regulations as set out in your local jurisdiction.
By entering and accessing patient data through the Services, you represent and warrant that you have obtained and will maintain the right and authorization to do so, by receiving a written and signed authorization from the patient or otherwise as required under laws governing your jurisdiction.
If you are in the United States, you represent and warrant to ResMed that you have obtained and will maintain all permissions, authorizations and appropriate consents from your patients required under (i) the Telephone Consumer Protection Act of 1991 (“TCPA”) and any other Federal, State or local laws and regulations applicable to automated outbound contacts by phone, texts or email with consumers; and (ii) The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and related regulations for the transmission, storage, retrieval, access, use and/or disclosure of protected health information of patients for the provision of ResMed’s HI Services. You will be responsible for determining the patients’ healthcare provider eligibility, coverage and replacement schedules for patients’ supplies.
For United States Customers, we will provide ResMed’s HI Services in compliance with the HIPAA Business Associate Addendum incorporated into these Terms as Exhibit A.
For European Customers, we will provide ResMed’s HI Services in compliance with the European data protection laws and the Data Processing Agreement incorporated into these Terms as Exhibit B, based on the valid consent of patients you are responsible to procure.
You will supply and maintain a personal computer with access to the Internet to access ResMed’s HI Services. Specifically, you agree (1) to use appropriate browser software per ResMed’s minimum system requirements to access ResMed’s HI Services; (2) to supply and maintain a modem, or similar equipment when applicable, to access the ResMed’s HI Services; and (3) to receive information by electronic transmission of a visual display of text.
To access ResMed’s HI Services you must create an account or an account may have been created for you.
The first user may add, edit and inactivate additional user accounts, passwords and access capabilities (Access Codes). You are responsible for all user accounts and Access Codes.
Access Codes are required to access ResMed’s HI Services. You will keep all Access Codes confidential to prevent unauthorized access and to prevent unauthorized use of ResMed’s HI Services.
You will protect the security of Access Codes and other means of identification for access to, and use of, ResMed’s HI Services.
You may only create one account per user and you must ensure that any additional user account is created in the same legal entity. You must not create additional user accounts in any other entity. If you permit other persons to use ResMed’s HI Services, you are responsible for any Service fees incurred by such third persons on your behalf.
We reserve the right to disable your or your organization’s access to ResMed’s HI Services, if we reasonably believe your Access Codes have, or may have been, obtained in an illegal or unauthorized manner or are being used, or may be used, by an unauthorized person(s).
You are responsible for the acts and omissions of each User and third person as if they were your acts or omissions.
You are responsible for all of the equipment, internet access and software required to access and use ResMed’s HI Services. ResMed reserves the right to terminate your access to ResMed’s HI Services if not used for six consecutive months.
You will notify us immediately if you believe your account and/or your Access Code(s) have been accessed, taken or used without your permission, or if there is a suspected or actual violation of the security of ResMed’s HI Services. In addition, you will inform us immediately in writing of the need to deactivate an Access Code due to potential or actual security concerns or for any other reason.
You agree to immediately report to ResMed the discovery of any type of discrepancy, anomaly or error detected in information obtained from, or delivered to, ResMed’s HI Services. You will also immediately report to ResMed the discovery of any virus or corruption in ResMed’s HI Services or on your own equipment used to connect to or otherwise access the ResMed’s HI Services that potentially affect or do affect ResMed’s HI Services. You agree that it is your responsibility to comply with all applicable laws and to ensure adequate security of your equipment and related peripherals.
Some of ResMed’s HI Services are intended solely for normal home use and are not cleared by the applicable regulatory authority in your local jurisdiction for use in acute healthcare settings or in other locations where the wireless transmission of information may interfere with the operation of essential equipment, such as life support, nuclear facilities, or aircraft navigation or communication systems, in which interference could lead to death, personal injury or severe physical or environmental damage. You represent and warrant that neither you nor your patients will use ResMed’s HI Services in such a location and that you will provide express instructions to your patients regarding the appropriate location for use.
For United States users, you will not offer ResMed’s HI Services outside the United States or Canada without ResMed’s prior written consent.
We, or a third party acting as our agent, are responsible for the operation and maintenance of hardware and software necessary to deliver ResMed’s HI Services. However, neither we, nor our agent(s) will be liable:
· if you have not properly followed ResMed’s HI Services instructions on how to retrieve and view data;
· if your internet access, equipment and/or software were not working properly and this problem was or should have been apparent to you when you attempted to access ResMed’s HI Services;
· if circumstances beyond our or our agent's control prevent display of information or the making of a data retrieval, despite precautions taken. Such circumstances include but are not limited to computer failure, telecommunication outages, postal strikes and other labor unrest, delays caused by payees, fires, floods, and other natural disasters.
We may on a regular basis, perform on-site or remote maintenance, modifications, upgrades or other refinements of ResMed’s HI Services. Such works may result in interrupted service or errors in the ResMed’s HI Services. If we anticipate an interruption to ResMed’s HI Services, we will attempt to provide prior notice of such interruptions but cannot guarantee that such notice will be provided. If we do not anticipate an interruption to the ResMed’s HI Services, we may not provide you prior notice.
You and/or your users will have access to any patient data created by you and your users in the course of using ResMed’s HI Services so long as you remain an active ResMed customer. Specifically, if you discontinue purchases from ResMed, breach any of your obligations to ResMed, or if any of your accounts are terminated for any reason, then your access to ResMed’s HI Services may be modified, suspended, reassigned, or terminated by ResMed at its sole and absolute discretion.
Furthermore, you agree that ResMed may enable system tracking technology, including, for example, for inventory control and/or channel verification purposes. You agree that ResMed’s HI Services are not a permanent medical record archive or storage system. You acknowledge and agree that it is your responsibility to download or otherwise retain any data created in using the System and to store such data separately within your own records. In addition, you are solely responsible for archiving the data or otherwise complying with your medical record policies and procedures. ResMed does not provide any services related to archival of data. If ResMed does offer archiving functionality in the future, these Terms will be amended to address archival processes, payment and responsibility.
For users in France
To the extent necessary, you grant ResMed’s support services in Europe the permission to access patient data for the purposes of operating and supporting ResMed’s HI Services.
You also grant ResMed permission for the purposes of anonymizing the data and using anonymized data in accordance with applicable law. You are responsible to obtain any necessary consent from patients for ResMed’s use of patient data in accordance with these Terms.
For users anywhere outside France
To the extent necessary, you grant ResMed permission to use patient data for the purposes of operating and supporting ResMed’s HI Services and for the purposes of de-identifying the data and using de-identified data in accordance with applicable law. You are responsible to obtain any necessary consent from patients for ResMed’s use of patient data in accordance with these Terms.
ResMed does not and will not provide medical advice or service to you, your users or your patients. Content available through ResMed’s HI Services is solely for informational and educational purposes. Neither the content nor the patient reports are to be used as a substitute for professional judgment of healthcare providers in diagnosing and treating patients.
EXCEPT AS PROVIDED IN THESE TERMS, RESMED’S HI SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, RESULTS, ACCURACY, COMPLETENESS, ACCESSIBILITY, COMPATIBILITY, SECURITY, FREEDOM FROM COMPUTER VIRUS OR CONTINUED AVAILABILITY, AND THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF RESMED’S HI SERVICES IS WITH YOU. SOME JURISDICTIONS LIMIT OR DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, THEREFORE THE ABOVE EXCLUSION OF IMPLIED WARRANTIES MAY NOT APPLY TO YOU.
ResMed does not warrant that the functions contained in ResMed’s HI Services will meet your requirements or that its operation will be uninterrupted or error-free or compatible with the other software or hardware of your systems. RESMED'S SOLE OBLIGATION OR LIABILITY UNDER THIS SECTION AND THE FOREGOING LIMITED WARRANTY IS THE REPAIR OR REPLACEMENT OF RESMED’S HI SERVICES, OR AT RESMED'S DISCRETION, REFUND OF SERVICE FEES PAID BY YOU FOR RESMED’S HI SERVICES IN THE TWELVE MONTHS PRECEDING SUCH AN EVENT.
Limitations on Liability and Remedies for users anywhere outside Europe
IN NO EVENT WILL RESMED BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, INCLUDING, WITHOUT LIMITATION, ANY LOSS OF DATA, LOSS OF PROFITS OR LOST SAVINGS, ARISING OUT OF THESE TERMS OR CONNECTED IN ANY WAY WITH THE USE, MISUSE OR INABILITY TO USE RESMED’S HI SERVICES, EVEN IF RESMED HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY. SHOULD WE HAVE ANY LIABILITY TO YOU OR ANY THIRD PARTY FOR ANY DIRECT LOSS, HARM OR DAMAGE, (EXCEPT INSURED CLAIMS, AND THE PARTIES' RESPECTIVE EXPRESS INDEMNITY OBLIGATIONS), THE TOTAL LIABILITY OF RESMED FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION (WHETHER IN CONTRACT, TORT OR OTHERWISE ) WILL NOT EXCEED THE LESSER OF THE AGGREGATE AMOUNT OF THE SERVICE FEES YOU HAVE PAID TO US FOR RESMED’S HI SERVICES DURING THE TWELVE MONTHS IMMEDIATELY PRECEDING THE DAY THE ACT OR OMISSION OCCURRED THAT GAVE RISE TO THE CLAIM OR USD $3,000.00 (UNITED STATES DOLLARS). YOU UNDERSTAND AND ACKNOWLEDGE THAT ABSENT YOUR AGREEMENT TO THIS LIMITATION OF LIABILITY, WE WOULD NOT PROVIDE YOU ACCESS TO RESMED’S HI SERVICES. THE LIMITATIONS PROVIDED IN THIS SECTION WILL APPLY EVEN IF ANY OTHER REMEDIES FAIL OF THEIR ESSENTIAL PURPOSE.
Your exclusive remedy in the event of the complete and unrecoverable failure of ResMed’s HI Services to operate or perform is limited to, at ResMed's discretion, providing available back-up information, or refunding the Service fees you have paid to ResMed for ResMed’s HI Services during the 12 months immediately preceding the date of such failure.
ResMed’s HI Services relies on third-party products and services to provide parts of the ResMed’s HI Services. For example, we rely on mobile operating system vendors and mobile carriers to enable connectivity and mobile device notifications through the Service. These third-party products and services are beyond our control and they may not operate in a reliable manner, be available 100% of the time, or become obsolete due to newer technology. ResMed is not responsible for any damages or losses, whether foreseeable or remote, due to the operation of third-party products.
Limitations on Liability and Remedies for users in Europe
To the extent permitted by applicable laws, ResMed will not be liable for any (i) loss of profits, revenue, contracts or anticipated savings, or (ii) loss of, or damage to, data, or (iii) indirect or consequential losses that were not foreseeable (losses or damages are foreseeable if either it is obvious that it will happen or if, at the time you consented to these Terms, both you and us knew it might happen), or (iv) losses caused by events outside our reasonable control.
If, notwithstanding the other provisions of these Terms, ResMed is found to be liable to you for any damage or loss which arises out of, or is in any way connected with, these Terms or your use of ResMed’s HI Services, to the extent permitted by applicable laws, ResMed’s liability shall in no event exceed an amount equal to the lesser of the total of any fees for ResMed’s HI Services received by ResMed from you or EUR €2500 (Euro).
Nothing in these Terms limits or excludes our responsibility for fraudulent representations made by us or for death or personal injury caused by our negligence or wilful misconduct, or any other liability that cannot be excluded or limited under applicable laws.
ResMed’s HI Services are the proprietary property of ResMed. ResMed’s HI Services embody substantial creative rights, confidential and proprietary information, copyrights, trademarks and trade secrets, all of which will remain the exclusive property of ResMed. You and your users, employees, agents and representatives will not copy, reproduce, modify, reverse engineer or decompile any portion of ResMed’s HI Services. You and your users, patients, employees, agents and representatives will use ResMed’s HI Services as provided in these Terms. Except as otherwise disclosed, ResMed and its licensors own all rights, title, and interest in and to all copyright, trademark, service mark, patent, trade secret or other intellectual property and proprietary rights worldwide in and to ResMed’s HI Services.
You, at your own expense, will indemnify and hold harmless ResMed and its assignees, and their directors, officers, employees, agents and representatives, and defend any and all actions brought against same with respect to any claim, demand, cause of action, debt or liability, including reasonable attorneys' fees, experts' fees, and court costs, to the extent that it arises from or relates to:
· the acts or omissions of you, your users, directors, officers, employees, agents, or representatives, including but not limited to the use of ResMed’s HI Services or any patient data stored or transmitted using ResMed’s HI Services; or
· your failure or alleged failure to obtain any or all permissions, authorizations and "opt-in" consents from each patient required under applicable Federal, State or local laws and regulations.
Nothing in these Terms will be construed to constitute either party as the partner, employee, or agent of the other, except that if ResMed contacts any patient based on the consent you obtained from the patient as required under these Terms, ResMed will be considered your agent authorized to contact the patient within the scope of consent provided by the patient. Neither party has any authority to bind the other in any respect. Each party will remain an independent contractor, responsible only for its own actions. Each party will conduct all of its business in its own name and in such manner as such party may see fit, at its own expense.
For users in North, South and Central America and Canada
These Terms will be governed by and construed in accordance with the laws of the State of California, United States, without regard or giving effect to its conflict of laws principles.
For users in Europe and the Middle East
These Terms and any non-contractual obligations arising out of or in connection with these Terms will be governed by and construed in accordance with the laws of England, without regard to its conflict of laws principles. We both agree to submit to the non-exclusive jurisdiction of the courts of England, which means that you may bring a claim to enforce your consumer protection rights in connection with these Terms in England or in any country in Europe in which you live.
This section is without prejudice to national data protection law which may be designated as applicable as the law of the country where the Customer is established. This section shall also not apply to the Data Processing Agreement set out in Exhibit B to these Terms.
For users anywhere apart from North, South and Central America, Canada, Europe and Middle East
These Terms will be governed by and construed in accordance with the laws of New South Wales, Australia without regard to its conflict of laws principles.
All controversies and claims arising under or relating to these Terms are to be resolved in accordance with the governing laws set out in clause 19 above. All proceedings shall be conducted in the language of the governing law. Each party shall bear its own costs, expenses and attorneys' fees (and all related costs and expenses) incurred in connection with any proceeding arising from or related to any transaction contemplated by these Terms, and in connection with enforcing any judgment or order thereby obtained. Each party further agrees to waive any right to pursue a dispute by asserting a disputed claim in a representative capacity, or participating in a class action with respect to ResMed’s HI Services.
We may give notices or other communications required under these Terms by posting or providing links on other communications through the sites providing access to ResMed’s HI Services.
You may not assign, novate or otherwise transfer any of your rights under these Terms without our prior written consent, and any such attempt to do so without our consent will be null and void.
We may in our discretion assign, novate or otherwise transfer without further consent or notification any of our rights and delegate any of our duties under these Terms to a company affiliated with us or to any other party.
If any portion of these Terms is held to be invalid or unenforceable, the remaining portions of these Terms will remain in full force and effect. Any invalid or unenforceable portions will be deemed modified to the extent necessary to render such term or provision enforceable whilst preserving to the fullest permissible extent the intent of the original portion. If such construction is not possible, the invalid or unenforceable portion will be severed from these Terms but the rest of these Terms will remain in full force and effect.
These Terms constitute the complete agreement between you and ResMed with respect to their subject matter and supersede any prior agreement or communication, unless agreed upon individually. These Terms and HI Services are subject to change from time to time. In such cases, ResMed will provide you with any changes to these Terms and you will be asked to re-accept them.
A waiver of any term or provision of these Terms at any time will not be deemed a waiver of the term or provision in the future.
These Terms represent the full and final agreement of the parties as to the subject matter and supersedes any prior written or oral agreement. In the event of any conflict between these Terms and other agreements, these Terms will control except in the limited instance of a separately negotiated business associate agreement or an AirView contract executed between your organization and ResMed.
ResMed will be relieved of its obligations under these Terms for failure to perform any of its obligations under these Terms, if the failure is due to an event outside ResMed’s control.
By clicking on the "I Agree" button below, I acknowledge that I am electronically signing these Terms and agreeing to be legally bound by all of the terms, conditions and notices contained or referenced in these Terms.
THIS ADDENDUM IS APPLICABLE TO UNITED STATES CUSTOMERS ONLY
Customer and ResMed (defined above in the Terms) have entered into a ResMed Healthcare Informatics Terms of Use (the "Terms"), under which ResMed may create, receive, maintain, or transmit protected health information ("PHI") of Customer’s patients. To the extent that Customer is a "Covered Entity," and a ResMed entity is a "Business Associate," as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HIPAA Omnibus Rule at 45 C.F.R. part 160 and 45 C.F.R. part 164 ("Omnibus Rule"), and the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act") and implementing regulations, then Customer and ResMed agree as follows with respect to access to PHI through use of one or more of ResMed’s HI Services or otherwise:
I. GENERAL PROVISIONS
Section 1. Effect. This HIPAA Business Associate Addendum ("Addendum") defines, supplements, modifies and amends the Terms with respect to PHI. The terms and provisions of this Addendum will supersede any other conflicting or inconsistent terms and provisions in the Terms with respect to PHI. Absent a different agreement, this Addendum shall govern ResMed’s obligations with respect to PHI from Customer.
Section 2. Definitions. All capitalized terms used herein without definition shall have the respective meanings assigned to such terms in 45 C.F.R. Parts 160 and 164 (the "HIPAA Regulations").
Section 3. Amendment. ResMed and Customer agree to amend this Addendum to the extent necessary to allow either ResMed or Customer to comply with the HIPAA Regulations promulgated or to be promulgated by the Secretary of the Department of Health and Human Services or other related regulations or statutes.
II. OBLIGATIONS OF RESMED
Section 1. Use and Disclosure of Protected Health Information. ResMed may use and disclose PHI only as required to satisfy its obligations under the Terms, as permitted by Customer, as directed by the patient who is the subject of the PHI, or as Required by Law, but shall not otherwise use or disclose any PHI. The parties contemplate that ResMed may disclose PHI to subcontractors as part of the Services provided under the Terms. ResMed shall not, and shall ensure that its directors, officers, employees, affiliates, subcontractors and agents do not, use or disclose PHI received from Customer in any manner that would constitute a violation of 45 C.F.R. Parts 160 and 164, Subparts A and E (the "Privacy Standards") if used by Customer. Except as otherwise limited in the Terms or this Addendum, ResMed may use PHI (i) for ResMed’s proper management and administration, (ii) to carry out the legal responsibilities of ResMed, or (iii) to provide Data Aggregation services relating to the Health Care Operations of Customer if required under the Terms. Except as otherwise limited in the Terms or this Addendum, ResMed may disclose PHI (i) for the proper management and administration of ResMed, (ii) to carry out ResMed’s legal responsibilities if (a) the disclosure is Required by Law, or (b) ResMed obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person and the person notifies ResMed of any instances of which it is aware in which the confidentiality of the information has been breached. Further, ResMed may de-identify any and all PHI in accordance with 45 C.F.R. § 164.514(b) and use such de-identified data in any manner determined by ResMed. Notwithstanding any other provision contained in this Addendum, Customer expressly authorizes ResMed to (i) disclose PHI for the Treatment activities of a health care provider; (ii) disclose PHI to another covered entity or health care provider for the Payment activities of the entity that receives the PHI; and (iii) disclose PHI to another covered entity for Health Care Operations activities of the entity that receives the PHI, if each entity either has or had a relationship with the Individual who is the subject of the PHI being disclosed, the PHI pertains to such relationship, and the disclosure is for certain Health Care Operations of the covered entity in accordance with 45 C.F.R. § 164.506(c)(4)(i).
Section 2. Safeguards Against Misuse of Information. ResMed shall use appropriate safeguards to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of this Addendum and comply with applicable provisions of 45 C.F.R. Part 164, Subpart C with respect to electronic PHI that it creates, receives, maintains, or transmits on behalf of Customer.
Section 3. Reporting of Disclosures of Protected Health Information. ResMed will report to Customer any use or disclosure of PHI or any Security Incident in violation of this Addendum of which it becomes aware. Notwithstanding the foregoing, the parties acknowledge and agree that this Section 3 constitutes notice by ResMed to Customer of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Customer shall be required. Unsuccessful Security Incidents means, without limitation, pings and other broadcast attacks on ResMed’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Customer’s electronic PHI.
Section 4. Notification of Breach. ResMed shall, within sixty (60) days following discovery of a Breach of Unsecured PHI, notify Customer of such Breach. Such notice shall include the identity of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, breached. ResMed’s obligation to report under Section 3 and this Section 4 is not and will not be construed as an acknowledgement by ResMed of any fault or liability with respect to any use, disclosure, Security Incident or Breach.
Section 5. Agreements by Third Parties. ResMed shall obtain and maintain a written agreement with each affiliate, agent or subcontractor that creates, receives, maintains, or transmits Customer’s PHI on behalf of ResMed. Under the agreement, such affiliate, agent or subcontractor shall agree to the same restrictions and conditions that apply to ResMed pursuant to this Addendum with respect to such PHI.
Section 6. (a)Access to Information. If ResMed maintains PHI in a Designated Record Set, as defined in 45 C.F.R. § 164.501, then upon request of Customer, ResMed shall provide access to such PHI in a Designated Record Set to the Individual in order for Customer to comply with the requirements under 45 C.F.R. § 164.524. Subject to Section 6(b) below, if ResMed receives a direct request from an Individual for access to PHI, it will forward the request to Customer to fulfill. If ResMed provides copies or summaries of PHI to an Individual on behalf of the Customer, it may impose a reasonable, cost-based fee in accordance with 45 C.F.R. § 164.524(c)(4). Notwithstanding the foregoing, if the PHI that is the subject of a request for access is maintained in one or more Designated Record Sets electronically and if the Individual requests an electronic copy of such information, ResMed shall provide access to the PHI in the electronic form and format requested. Further, if an Individual’s request for access directs ResMed to transmit the copy of PHI directly to another person designated by the Individual, ResMed shall provide the copy to the person designated by the Individual. The Individual’s request must be in writing, signed by the Individual, and clearly identify the designated person. Section 7. Availability of Protected Health Information for Amendment . If ResMed maintains PHI in a Designated Record Set, ResMed agrees to make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set, in order for Customer to comply with 45 C.F.R. § 164.526. If ResMed receives a direct request from an Individual for amendment to PHI, it will forward the request to Customer to fulfill.
Section 8. Accounting of Disclosures. Within forty-five (45) days of notice by Customer to ResMed that it has received a request for an accounting of disclosures of PHI, other than related to the Treatment of a patient, the processing of Payments related to such Treatment, or the Health Care Operations of a covered entity or its business associate and not relating to disclosures made earlier than six (6) years prior to the date on which the accounting was requested, ResMed shall make available such information as is in ResMed’s possession and is required for Customer to make the accounting required by 45 C.F.R. § 164.528. If ResMed receives a direct request from an Individual for an accounting of disclosures of PHI, it will forward the request to Customer to fulfill.
Section 9. Availability of Books and Records. ResMed agrees to make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by ResMed on behalf of, Customer available to the Secretary for purposes of determining Customer’s compliance with the Privacy Standards.
Section 10. Remuneration in Exchange for PHI. Except for the purposes set forth in the Terms and as otherwise provided by law, ResMed shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual unless Customer receives a valid HIPAA authorization.
Section 11. Minimum Necessary. ResMed shall make reasonable efforts to limit the use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Section 12. Performance of Customer’s Obligations. If ResMed agrees to carry out an obligation of Customer under 45 C.F.R. Part 164, Subpart E, ResMed shall comply with the requirements of 45 C.F.R. Part 164, Subpart E that apply to Customer in the performance of such obligations.
III. OBLIGATIONS OF CUSTOMER
Section 1. Minimum Necessary. Customer shall disclose to ResMed only that PHI which Customer determines is reasonably necessary to achieve the intended purpose of the disclosure.
Section 2. Changes in Policies and Procedures. Customer shall notify ResMed prior to implementing any change in their privacy or security policies and procedures, including its Notice of Privacy Practices, which would affect ResMed’s obligations hereunder.
TERM AND TERMINATION
Section 1. Term. This Addendum will become effective on the Effective Date of the Terms and, unless otherwise terminated as provided herein, will have a term that will run concurrently with that of the last expiration date or termination of the Terms.
Section 2. Termination Upon Breach of Provisions Applicable to Protected Health Information. Any other provision of the Terms notwithstanding, this Addendum and the Terms may be terminated by Customer upon thirty (30) days written notice to ResMed in the event that ResMed breaches any material provision contained in this Addendum and such breach is not cured within such thirty (30) day period.
Section 3. Effect of Termination. Upon termination of the Terms and this Addendum ResMed shall either return or destroy all PHI received from Customer or created or received by ResMed on behalf of Customer and which ResMed still maintains in any form. ResMed shall not retain any copies of such PHI. Notwithstanding the foregoing, to the extent that it is not feasible to return or destroy such PHI, the terms and provisions of this Addendum shall survive termination and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.
TO CUSTOMERS who are established in the European Economic Area and Switzerland ONLY
All capitalized terms used herein without definition shall have the respective meanings assigned to such terms in the European Community’s Directive 95/46/EC and Directive 2002/58/EC and the Federal German Data Protection Act (the “BDSG ”) .
Customer and ResMed SAS, Parc Technologique de Lyon, 292 Allée Jacques Monod, 69791 Saint Priest Cedex (Processor), represented by ResMed agreed as follows:
Scope of the Agreement
1. ResMed Inc. and its wholly-owned subsidiaries and affiliates (ResMed Group) have developed an online application ( AirView) to monitor testing and therapy in the area of sleep-disordered breathing from a distance.
2. The Device Data, including serial number and usage data, is uploaded into AirView. Customer is able to link Device Data to data that identifies an individual patient like patient name, date of birth, social security number, health data, etc. (Personal Data).
3. Device Data, such as the length of time the device and the mask are used, leakage figures, pressure values or the apnea–hypopnea index, is transmitted to AirView.
4. Customer is able to use algorithms and identifiers (e.g., serial numbers) to link Device Data to Personal Data – such as patient name, date of birth, social security number and health data.
5. This Data Processing Agreement (Agreement) governs the legal relations between Customer and Processor as the legal recipient of Device Data and Personal Data. The Processor processes any personal data (including Device Data and Patient Data) received from the Customer solely for the purpose of processing such data on behalf of the Customer only.
Rights and Obligations of the Customer
6. Responsibility. Customer is the controller vis-à-vis the patients concerned, responsible in particular for justification (i.e., via consent) of any transmission of Device Data and Personal Data to the Processor and for decisions concerning the processing and use of the respective data.
7. Duty of Notification. Customer must inform Processor immediately if he or she ascertains errors or irregularities in the data processing by Processor.
8. Instructions. Customer may issue reasonable instructions as to the manner, scope and procedure of data processing, in addition to those specified in this Agreement. Such instructions must be issued in writing, including by email.
Processor’s Rights and Obligations
9. Subject to Instructions, Limitation of Use. Under an assignment and according to instructions from Customer, Processor may process Personal Data of the Customer’s patients exclusively for the purposes stated in this agreement. Processor may not use the Personal Data for any other purposes. ResMed may anonymize or de-identify any and all personal Data and use such anonymize or de-identified data in any manner determined by ResMed.
10. Processing of data. The processing and use of the Personal Data by Processor will take place in the territory of a Member State of the European Union or any other country that the European Commission has declared as having an adequate level of protection of personal data by reason of its domestic law or of the international commitments it has entered into.
11. Duty of Notification. The Processor shall immediately inform the Customer in the event of substantial disruption of the services, of possible infringements of applicable data protection laws or of this Agreement and of any other irregularity in relation to the processing of the Customer’s Device and/or Patient Data arising from the Processor, its employees or other third parties.
12. Supervision. During the Term (defined below), Processor will monitor compliance with the data protection provisions of this Agreement and the instructions issued.
Technical and Organizational Measures
13. Scope, Documentation. Processor has implemented adequate technical and organizational measures (TOMs) to ensure data security. Detailed description of the TOMs is available on Customer’s request.
14. Documentation. Processor will adequately and comprehensively document the processing of data to enable Customer to prove proper use of the data.
15. Audit Right. Customer may, themselves or via a third party expert bound by confidentiality obligations, audit the TOMs and processing of Personal Data, subject to providing notification of the exact scope of the audit at least 15 days in advance and receiving written approval of such scope by the Processor. The audit will be conducted during the usual business hours of the Processor and without disrupting the business activities of the Processor. Such audit right may not be exercised more than once a year. Any internal and external costs incurred on Processor by such audit shall be borne by Customer. The Processor shall use its reasonable endeavors to support such audits. If any audit finds that the Processor is, or that AirView is, not in compliance with the provisions of this Agreement and/or applicable data protection law, the exclusive remedy of the Controller, and the exclusive obligation of the Service Provider shall be that: (i) the parties will discuss such finding, and (ii) the Processor shall take, at its own cost, all corrective actions including any temporary work-arounds necessary to comply with the provisions of this Agreement and/or applicable data protection law.
16. Progress. TOMs are subject to technical progress and development, and Processor may implement alternative improved measures provided statutory requirements are met.
Correction, Blocking and Deletion of Data
17. If a data subject approaches Processor directly with a request for access to, correction or deletion of her or his data, Processor will forward this request to Customer. The Processor may only correct, delete or block any Personal Data upon the relevant data subject’s instructions.
Sub-Contractors
Admissible Sub-Contractors. Customer grants Processor (i) permission to engage Informatique de Securité SAS, at 2 Avenue des Puits, 71300 Montceau-les-Mines, France as sub-contractor for the processing or use of personal data as well as (ii) ResMed SAS, a company incorporated in France (company registration number 407775170) whose registered office is Parc Technologique de Lyon, 292 allée Jacques Monod, 69791 Saint Priest Cedex, France for the purpose of providing support services. Processor has the right to select another or additional sub-contractor(s) only after notifying Customer. Customer may object to the change or addition of the sub-contractor within 21 days from notification of the change or addition.
18. Agreements with Sub-Contractors. Processor must set out the contractual agreements with sub-contractors in such a way that they reflect the data protection provisions agreed in this Agreement.
Term of the agreement
19. Term. This Agreement commences and expires simultaneously with the AirView Terms between Customer and ResMed. Upon termination of the AirView Term, the Processor will return and delete all personal data, unless applicable retention laws dictate otherwise.
20. Written Form. Amendments or waiver to this Agreement must be in writing.
21. Applicable Law. This Agreement shall be governed by the laws of Customer place of incorporation.