This Policy is Effective as of September 30, 2014.
Table of contents
- SCOPE AND PURPOSE
- SPECIAL NOTE FOR MINORS
- WHAT INFORMATION DO WE COLLECT?
- HOW DO WE USE YOUR INFORMATION?
- SHARING YOUR INFORMATION
I. SCOPE AND PURPOSE:
Please note that this policy does not apply when:
- You have given us your consent to share or use information about you;
- We believe that we need to share information about you to provide a service that you have requested from us or from others;
- We are required by law to disclose information; or
- We believe that it is necessary to protect our rights or to avoid liability or violations of the law.
If you have any questions about this policy or any other aspects of your privacy with respect to athenahealth, please contact us at: athenahealth, Inc., Attn: Chief Compliance Officer, 311 Arsenal Street, Watertown, MA 02472.
California Residents: Pursuant to California’s Shine the Light law, you have the right to request information regarding how athenahealth shares your information with third party vendors, if at all, for their marketing purposes. Please use the above contact address to submit a request.
III. SPECIAL NOTE FOR MINORS:
athenahealth values the privacy of those under the age of 18 and does not wish to obtain any information from or about them through the application. If you are under 18 and are not supervised by an adult, please do not use the application.
IV. WHAT INFORMATION DO WE COLLECT?
The following types of information may be collected through the application:
Information you provide to us:
- During the registration process we may ask for any or all of the following information: your name, email address, practice name, date of birth, postal address and/or postal code, profession, specialty, medical school, year of graduation, mobile phone number, NPI and the last four digits of your social security number. During this process, we may also request your photograph to be used in connection with the services;
- When an application user sets up his or her profile, we ask for his or her name, gender, office contact information, place of residency, year residency completed, practice specialty areas, practice type, taxonomy, place of employment, hospital affiliations, whether he or she is accepting new patients, insurance accepted, languages spoken, and clinical interests which may be then populated into the Provider Directory;
- Any other information you provide in any athenaText profile/user account may be collected by us.
Please note that if you choose not to provide categories of requested information, you may not be able to use certain features of the application.
Information we receive from third parties about you:
We may collect additional information about you from third parties, including the American Medical Association (AMA) to assist us in providing you with services.
Information automatically collected about you:
- Whenever you use our application, we may automatically collect data about your device such as your device ID and related device identifier information (e.g., cookies information, web beacon technologies, IP Address, etc.), and information about how you use our application;
- When you use our mobile application to find medical professionals near you, we collect your precise geolocation data;
- When a user sends a message using the application, the receiver and athenahealth will be able to view if the receiver has viewed the message. Similarly, if a sender’s message fails to deliver, we will be able to view that information;
- Athena will view and monitor which users are logging on to and using the application, and view how frequently such users access the application;
- When you use the application, we may ask for a list of “contacts” and their contact information to enable you to send messages to those contacts through the application;
- We may collect data about the equipment used to visit the application and the patterns of utilization of the application.
athenahealth will not collect personal information unless your voluntary consent has been obtained to track such information.
V. HOW DO WE USE YOUR INFORMATION?
We use information collected to improve upon the functionality of the application. For example, we may track the number of visitors using certain portions or features of the application to make changes that may be necessary to improve the application’s functionality. We may use information collected from you in order to:
- track the popularity of features on the application to guide the development of new features;
- send you related information, including confirmations, technical notices, updates, security alerts, and support and administrative messages;
- send you invitations, by email or other means, from other athenaText users to connect and/or communicate through our application; and
- communicate with you via email, mobile alerts and other messaging services about commercial, non-commercial, sponsored and non-sponsored clinical information.
VI. SHARING YOUR INFORMATION
Table of contents
- OUR INFORMATION
- PROVIDER DIRECTORY
- PROPRIETARY RIGHTS
- LINKING TO US
- PASSWORD AND USER RESTRICTIONS
- USER CONDUCT
- INFORMATION THAT YOU PROVIDE TO THE SERVICES
- GENERAL PRACTICES REGARDING USE AND STORAGE
- LAWS THAT GOVERN THIS AGREEMENT
- TERMINATION AND MODIFICATION
- ADDITIONAL TERMS
- COMPLETE AGREEMENT
We provide Athena users with access to a wide array of resources which may be provided to you in a variety of mediums and devices now known or hereinafter developed, including mobile applications. These resources include, without limitation, applications and communication tools, including content licensed from our licensors (collectively, the "Services"). For the avoidance of doubt, the Services do not include athenaClinicals®, athenaCollector®, athenaCommunicator®, athenaCoordinator® Enterprise, athenaCoordinator® Analytics, or athenaCoordinator® Core.
II. OUR INFORMATION
The information that we make available through the Services is intended for physicians and other healthcare professionals. While we hope you find the Services helpful, they are not meant to serve as a substitute for your own clinical judgment as a healthcare professional and you should evaluate and independently verify the information and results from Services we provide. We do not provide professional advice or recommend particular products through our Services. If you are a consumer who chooses to use the Services, you do so at your own risk. You should not use the Services to transmit any information requiring urgent attention. Doing so may create a delay in your receiving necessary medical treatment and could result in loss of life, permanent injury or significant deterioration in your health. If you believe you have an urgent medical matter, you should call 911 immediately or proceed to the nearest emergency room. If the matter is not urgent but you need a response in a timely fashion, please contact your healthcare professional’s office directly by telephone during regular business hours.
III. PROVIDER DIRECTORY
The Provider Directory is provided for informational purposes only. You assume full responsibility for the communications with any individual you contact through the Provider Directory. The database of information which drives the Provider Directory does not contain sufficient information with which to verify credentials under the standards of the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), National Committee for Quality Assurance (NCQA) or the Utilization Review Accreditation Committee (URAC), and use of the Provider Directory to verify the credentials of physicians is prohibited. The inclusion of a healthcare professional in the Provider Directory is not an endorsement of any such healthcare professional by Athena, any of its licensors, affiliates or any third party sponsor of any component of the Services. Athena does not guaranty the accuracy of the information included in the Provider Directory and assumes no liability for any inaccuracies contained therein.
IV. PROPRIETARY RIGHTS
Athena owns all rights to its logos and trademarks used in connection with the Services. All other logos and trademarks used in connection with the Services are the property of their respective owners.
You acknowledge and agree that the Services and information, content, software and applications presented to you through the Services or used in connection with the Services contain proprietary and confidential information that is protected under U.S. and international intellectual property laws, including copyright, trademarks, service marks, patents or other proprietary rights and laws. Except as expressly authorized by us or our licensors, you agree not to sell, rewrite, modify, reproduce, distribute (via the Internet or other public computer based information system), redistribute, create derivative works (including translating), rent or provide any information presented to you through the Services, in whole or in part, to an unauthorized party. Further, you are prohibited from using, downloading, publishing, republishing, transferring, selling, leasing, licensing, duplicating, or "scraping" for commercial or any other purpose any database, in whole or in part, in any medium whatsoever, underlying any of the Services including, without limitation, the Provider Directory.
V. LINKING TO US
Usually, we don't mind if you include a simple link from your website to our website(s). However, you must first ask our permission if you intend to frame our website(s) or incorporate all or a portion of our website(s) into a different site or product in such a way that is not clear to the users that we are the source of the content. You are not allowed to link to us if you engage in the publication or promotion of illegal, obscene, or offensive content, or if the link in any way negatively impacts on our reputation.
VI. PASSWORD AND USER RESTRICTIONS
By using the Services, you represent that you are 18 years of age or older.
VII. USER CONDUCT
You are responsible for all communications, information, data, text, music, sound, graphics, messages and other material ("Content") that you upload, post, transmit, email or otherwise distribute using the Services. Neither we nor our licensors are responsible for the consequences of the Content posted by you or any other party through the Services, and as such, do not guarantee the accuracy, integrity or quality of such Content. You understand that by using the Services, you may be exposed to Content that is offensive or objectionable. In no event will we be liable in any way for any Content or for any loss or damage of any kind incurred as a result of the use of any Content uploaded, posted, transmitted, emailed or otherwise made available through the Services. In cases where you feel threatened or believe someone else is in danger, you should contact your local law enforcement agency immediately. If you think there is a medical emergency, call your doctor or 911 immediately.
When you use the Services, you agree not to:
- Violate local, state, national, or international laws;
- Post, upload, email, transmit or otherwise distribute any Content that infringes on the intellectual property rights of others or on the privacy or publicity rights of others;
- Post, upload, email, transmit or otherwise distribute any Content that is unlawful, harmful, obscene, defamatory, threatening, harassing, abusive, slanderous, hateful, or embarrassing to any other person or entity as we may determine in our sole discretion;
- Harm minors in any way;
- Post advertisements or solicitations of business;
- Forge headers or otherwise manipulate identifiers in order to disguise the origin of any Content transmitted through the Services;
- Post, upload, email, transmit or otherwise distribute chain letters, pyramid schemes, unsolicited or unauthorized advertising or spam;
- Impersonate another person or business entity or stalk or otherwise harass another person;
- Post, upload, email, transmit or otherwise distribute viruses or other harmful computer code designed to interrupt, destroy or limit the use of any computer software or hardware;
- Harvest or otherwise collect information about others, including email addresses;
- Allow any other person or entity to use your identification;
- Interfere with or disrupt the Services or computers, networks or other hardware connected to the Services, or disregard any requirements or policies of networks connected to the Services;
- Engage in any other conduct that restricts or inhibits any other person from using or enjoying the Services, or which, in our sole judgment, exposes us or our licensors, customers or suppliers to any liability or detriment of any type;
- Fail to respect other members' privacy. This includes revealing another user's password, phone number, address, or any other personally identifiable information;
- Create member names, or post, solicit or send messages, text or photographs that are sexually explicit, that denigrate, threaten, abuse or harm others in any way; or
We may (but are not obligated to) do any or all of the following without notice:
- Record or pre-screen the dialogue through the Services;
- Investigate an allegation that a communication does not conform to the terms of this section and determine in our sole discretion to remove or request the removal of the Content;
- Edit Content.
You agree and acknowledge that the processing and transmission of content transmitted in connection with the Services, including your Content, may involve transmissions over various networks and devices and modifications may be required for such transmissions.
VIII. INFORMATION THAT YOU PROVIDE TO THE SERVICES
Athena does not make any representations or guaranty about whether the Services are adequate to meet your privacy and security compliance obligations under HIPAA or any other standards, laws, rules or regulations. You are responsible for assessing your privacy and security needs and determining whether your use of our Services is appropriate to comply with your obligations.
X. GENERAL PRACTICES REGARDING USE AND STORAGE
You acknowledge that Athena may establish general practices and limits concerning use of the Services, including without limitation the maximum number of days that messages, postings or other uploaded Content will be retained by the Services, the maximum number of messages that may be sent from or received by an account on the Services, the maximum size of any message that may be sent from or received by an account on the Services, the maximum disk space that will be allotted on Athena’s servers on your behalf, and the maximum number of times (and the maximum duration for which) you may access the Services in a given period of time. You agree that Athena has no responsibility or liability for the deletion or failure to store any messages and other communications or other Content maintained or transmitted by the Services. You acknowledge that Athena reserves the right to modify these general practices and limits from time to time.
In addition to complying with these Terms and Conditions, with respect to your use of the Services, you are wholly responsible for complying with any applicable compliance, security and termination of access policies, including but not limited to any employer or affiliate policies governing the use, disclosure and/or storage of content on your mobile device. Athena has no responsibility or liability for your failure to comply with such applicable policies. Athena does not monitor the employment status or appropriateness of user access to the Services.
When using the Services, information will be transmitted over a medium that may be beyond the control of Athena, our licensors or suppliers. Accordingly, neither Athena, its licensors nor suppliers assume liability for or relating to the delay, failure, interruption or corruption of any data or other information transmitted in connection with your use of the Services. You are responsible for obtaining and maintaining all connectivity, computer software, hardware and other equipment needed to access the Services and all charges related to the same.
XII. LAWS THAT GOVERN THIS AGREEMENT
XIV. TERMINATION AND MODIFICATION
Your use of the Services is at your own risk. The Services and information included therein are provided on an "as is" basis. WE AND OUR LICENSORS AND SUPPLIERS, TO THE FULLEST EXTENT PERMITTED BY LAW, DISCLAIM ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, ACCURACY, NON-INFRINGEMENT OF THIRD PARTIES' RIGHTS, FITNESS FOR PARTICULAR PURPOSE AND THAT THE SERVICES WILL MEET YOUR REQUIREMENTS AS AN END USER OF THE SERVICES. NEITHER ATHENA NOR ITS LICENSORS OR SUPPLIERS WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE.
Without limiting the foregoing, we, our licensors, and our suppliers make no representations or warranties about the accuracy, reliability, completeness, currentness, or timeliness of the Services or information contained therein. The Services may contain links to websites, other applications or information collected from other parties. Athena does not sponsor, operate, control or endorse any of these sites or applications, nor the information, products or services provided by such third parties, nor does Athena make any guarantee, warranty or representation regarding the accuracy of information collected from such third parties or any guarantee, warranty or representation regarding any equipment utilized by the user in connection with the Services that has not been provided by Athena.
XVIII. ADDITIONAL TERMS
XIX. COMPLETE AGREEMENT
Enter your mobile number into the athenaText application to receive a standard rate alert for verifying the application. Receive 2 messages per request. Text STOP to 67588 to opt out. Text HELP to 67588 for help or call 1-800-230-2150 for more information. Message and Data Rates May Apply. Participating carriers include: Alltel, AT&T, MetroPCS, Cricket, T-Mobile, U.S. Cellular, Sprint, Boost, Virgin Mobile and Verizon Wireless.
For customer support please call 1-800-230-2150 or email athenaText Support.
Date of Last Revision: September 30, 2014
Business Associate Agreement
- ARTICLE 1 - DEFINITIONS
- ARTICLE 2 - ATHENA'S DUTIES
- ARTICLE 3 - USER'S DUTIES
- ARTICLE 4 - BUSINESS ASSOCIATE PERMITTED PURPOSES
- ARTICLE 5 - BUSINESS ASSOCIATE DISCLOSURES
- ARTICLE 6 - BUSINESS ASSOCIATE TERMINATION
- ARTICLE 7 - BUSINESS ASSOCIATE DEFAULT
- ARTICLE 8 - ATHENA BUSINESS RECORDS
I. ARTICLE 1 - DEFINITIONS
For purposes of this BAA:
- “Athena” means athenahealth, Inc., a Delaware corporation;
- “BAA” means this Business Associate Agreement;
- The following terms used in this BAA shall have the same meaning as those terms under HIPAA: Breach; Business Associate; Designated Record Set; HITECH Act; and Unsecured PHI;
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, and associated regulations, as they may be amended from time to time;
- “PHI” means “protected health information” as that term is used under HIPAA;
- “Privacy Rule” means the privacy standards in 45 C.F.R. Part 160 and Part 164, subparts A and E;
- “Security Rule” means the Security Standards in 45 C.F.R. Part 160 and Part 164, subparts A and C;
- “User” means the end-user who has registered or subscribed to the Services (as defined in the Agreement);
- “User PHI” means PHI that Athena receives from the User through its use of the Services.
II. ARTICLE 2 - ATHENA'S DUTIES
- not use or disclose User PHI except (i) as required or permitted by law, (ii) as permitted under the terms of the Agreement or any permission of User under the Agreement, or (iii) as incidental under HIPAA to another permitted use or disclosure;
- use reasonable and appropriate safeguards to prevent use or disclosure of User PHI other than as provided in the Agreement;
- implement administrative, physical, and technical standards in accordance with the Security Rule to protect the confidentiality, integrity, and availability of User PHI in electronic form (“EPHI”);
- not use or disclose User PHI in a manner that Athena knows would violate the requirements of HIPAA if done by User;
- mitigate, to the extent practicable, any harmful effect of a use or disclosure of User PHI by Athena that is known to Athena to be in violation of the requirements of the Agreement;
- report to User as soon as practicable and as required by HIPAA and the HITECH Act any known use or disclosure of User PHI by Athena not as provided by the Agreement and any “Security Incident” with respect to User EPHI as defined in the Security Rule. Additionally, Athena will notify User of any Breach of Unsecured PHI, and such notification shall be made without unreasonable delay following the date of discovery to enable User to comply with the Breach disclosure requirements under the HITECH Act. Athena shall include within such notice identification, to the extent possible, of each individual whose Unsecured PHI has been, or is reasonably believed by Athena to have been, accessed, used, or disclosed through the Breach and any other valuable information known to Athena that User is required to include in its notice to affected individuals. The reporting requirement set forth hereunder shall include, without limitation, disclosures that Athena is aware of that would need to be included in User’s accounting of disclosures under HIPAA and/or HITECH Act, provided that Athena is required by HIPAA and the HITECH Act as a business associate of User to include such disclosures;
- at the request of User, provide access to User PHI in a Designated Record Set to User or, as properly directed by User, to an individual in order to meet the requirements under 45 C.F.R. §164.524;
- at the request of User, make any amendment to such User PHI in a Designated Record Set that User properly directs or agrees to pursuant to 45 C.F.R. §164.526;
- make its internal practices, books and records relating to the use and disclosure of User PHI available to the Secretary of Health and Human Services for purposes of the Secretary’s determination of User’s compliance with HIPAA requirements;
- document such disclosures of User PHI and information related to such disclosures as would be required for User to respond to a request by an individual for an accounting of disclosures of it in accordance with 45 C.F.R. §164.528;
- provide to User information collected in accordance with this Article to permit User to respond to an appropriate request for an accounting of disclosures of User PHI in accordance with 45 C.F.R. §164.528; and
- to the extent that Athena is to carry out any User obligation(s) under the HIPAA Privacy Standards, comply with the requirements of the HIPAA Privacy Standards that apply to User in the performance of such obligation(s).
III. ARTICLE 3 - USER'S DUTIES
- not request, direct, or cause Athena to use or disclose PHI unless the use or disclosure is in compliance with applicable law relating to the privacy and security of patient data and is the minimum amount necessary for the legitimate purpose of such use or disclosure;
- notify Athena of any limitation in its notice of privacy practices in accordance with 45 C.F.R. §164.520, to the extent that such limitation may affect Athena’s use or disclosure of User PHI;
- notify Athena of any changes in, or revocation of permission by, an individual to use or disclose User PHI, to the extent that such changes may affect Athena’s use or disclosure of User PHI; and
- notify Athena of any restriction on the use or disclosure of User PHI that User has agreed to in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Athena’s use or disclosure of User PHI.
IV. ARTICLE 4 - BUSINESS ASSOCIATE PERMITTED PURPOSES
Athena’s use and disclosure of User PHI is permitted for the following purposes:
- to provide the Services;
- as expressly permitted in the Agreement;
- as required by law;
- to provide data aggregation services as permitted by 45 C.F.R. §164.504(e)(2)(i)(B);
- for the proper management and administration of Athena, including, without limitation, making and maintaining reasonable business records of transactions in which Athena has participated or the Services have been used (including back-up documentation); and
- to de-identify User PHI and use such de-identified information in accordance with 45 C.F.R. §164.514(b).
V. ARTICLE 5 - BUSINESS ASSOCIATE DISCLOSURES
To the extent that it discloses User PHI pursuant to the purpose in Article 4(c) or (e) that is not also for another of the purposes under Article 4, Athena will:
- obtain reasonable assurances from the person or entity to whom the PHI is disclosed that such person or entity will maintain confidentiality of the PHI and not use or further disclose it except as required by law or for the purpose for which it was disclosed to the person or entity; and
- require the person or entity to whom the PHI is disclosed to notify Athena of any instances of which that person or entity is aware in which the confidentiality of such information has been breached.
XI. ARTICLE 6 - BUSINESS ASSOCIATE TERMINATION
Upon termination of the Agreement, Athena will return, destroy, or continue to extend protections to and limit the use and disclosure of User PHI to the extent required by and in accordance with 45 C.F.R. §164.504(e)(2)(ii)(I), provided that the parties agree that it is not feasible in light of reasonable business requirements, regulatory compliance requirements, and the rights and obligations under the Agreement for Athena to return or destroy its business records and transaction databases, including, but not limited to, records and databases of transactions for which User has used the Services or in which Athena has engaged on behalf of User or records and databases that reflect the use of the Services and information that User or Athena has entered into Athena’s products in the course of the Agreement to enable or perform the Services.
XII. ARTICLE 7 - BUSINESS ASSOCIATE DEFAULT
Any material default by Athena of its obligations under Articles 2, 4 and 5 will be deemed a default of a material provision of the Agreement, and, if cure of such default and termination of the Agreement are not feasible, User may report the default to the U.S. Secretary of Health and Human Services.
XIII. ARTICLE 8 - ATHENA BUSINESS RECORDS
Subject to the other requirements and limitations of this BAA, the business records of Athena and all other records, electronic or otherwise, created or maintained by Athena in performance of the Agreement will be and remain the property of Athena, even though they may reflect or contain User PHI or other information concerning or provided by User. All de-identified information created by Athena in compliance with the Agreement will belong exclusively to Athena, provided that User will not hereby be prevented from itself creating and using its own de-identified information.