PLEASE READ THESE TERMS AND CONDITIONS BEFORE ACCESSING OUR SECURE WEBSITE OR ENGAGING IN ANY TELEHEALTH SESSIONS WITH A PROVIDER
Plain Language Overview
At The Live Network Inc. (TLN), we take privacy very seriously. Many of us who work here were concerned about privacy and ethical data usage long before it was in the news. To that end, this document and our associated privacy documents spell out how we collect and use data when you visit one of our sites. The short version is that we use such data to provide the services that you are seeking, optimize the services that you are seeking, and let you know about other services that might be relevant to you. While our general, public websites are fairly straightforward, our secure Telehealth portions are held to even higher standards with regard to security and privacy. TLN provides a platform for healthcare providers (often called “covered entities”) and healthcare clients (often called “patients,” “clients,” “users,” etc.) to meet and offer or receive services. In order to make that happen, we have to create, monitor, and store data. This data is often accorded the highest forms of protection and TLN and other professionals using the platform are required to keep it safe, protected, and private. At TLN, we have a range of legal, professional, and contractual obligations to protect your data. In the unlikely event that some sort of data breach were to occur, we or our professional partners would typically be required to let you know.
WHEREAS, one or more Covered Entities (healthcare providers, therapists, other similar professionals, etc.) has retained The Live Network, Inc. (“TLN”, “Business Associate”) as a Business Associate to provide certain services to be performed for or on behalf of the Covered Entity, which are described and set forth in one or more separate agreements for services between the Parties, order form(s), and/or statement(s) of work (collectively, “Service Agreement”) and, in connection with those services, Business Associate may use or disclose certain individual health information that is subject to protection under the HIPAA Privacy & Security Rules; and
WHEREAS, TLN and the Covered Entity have established the terms under which Business Associate may use or disclose PHI such that the Covered Entity may comply with applicable requirements of the HIPAA Privacy & Security Rules and the requirements of the HITECH Act that are applicable to business associates.
RESPONSIBILITIES OF BUSINESS ASSOCIATE
In short, TLN will be required to act as a Business Associate as defined under HIPAA and as elucidated in the Business Associate Agreement signed with a Covered Entity. An overview of most of the specific details of these responsibilities as a Business Associate is given below:
1.1 Permitted Uses and Disclosures. Except as otherwise provided in the Business Associate Agreement (“BAA”) with the Covered Entity, Business Associate agrees to use PHI only as necessary to provide the services set forth in a Service Agreement and Business Associate agrees to limit disclosure of PHI, to the extent practical, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request. Business Associate will not use or further disclose PHI other than as permitted or required by the BAA or a Service Agreement or as required by law.
1.2 Safeguards. Business Associate agrees to implement and use appropriate administrative, physical, and technical safeguards to (a) prevent use or disclosure of PHI; and (b) reasonably protect the confidentiality, integrity, and availability of the ePHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity. Such safeguards include a written information security policy, a response plan for Security Incidents, periodic security awareness training, and confidentiality/nondisclosure agreements with those independent subcontractors and consultants with which Business Associate has delegated duties under the BAA.
1.3 Reporting a Breach. Business Associate agrees to promptly report to Covered Entity any use or disclosure of PHI not provided for by the BAA of which it becomes aware, including Unsecured PHI and any Security Incident of which Business Associate becomes aware.
1.4 Internal Practices. Business Associate agrees to make available its internal practices, books, and records relating to the use and disclosure of PHI created for or from Covered Entity to the U.S. Department of Health and Human Services for purposes of determining Business Associate’s compliance with the HIPAA Privacy & Security Rules or the BAA.
1.5 Disclosure Accounting. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI. In addition, within twenty (20) days after receiving a written request from Covered Entity, Business Associate will make available to Covered Entity the information necessary for Covered Entity to make an accounting of disclosures of PHI about an Individual, in accordance with 45 C.F.R. § 164.528.
1.6 Subcontractors. Business Associate will require its subcontractors to provide reasonable assurance, evidenced by written agreement, of compliance with the same privacy and security obligations, restrictions, and conditions with respect to PHI and ePHI as applies to Business Associate through the BAA. Business Associate may disclose PHI to other business associates of Covered Entity without requiring the written agreement described herein.
1.7 Availability of Information. Business Associate agrees to provide access to Covered Entity, within twenty (20) days after receiving a written request from Covered Entity, to PHI in a Designated Record Set about an Individual, sufficient to allow Covered Entity to provide access to such Individual to his or her PHI, in compliance with the requirements of 45 C.F.R. §164.524. Business Associate will make such information available in an electronic format where required by the HITECH Act.
1.8 Amendment of Information. To the extent that the PHI in Business Associate’s possession constitutes a Designated Record Set, within twenty (20) days after a written request by Covered Entity, Business Associate will make PHI available to Covered Entity as reasonably required to fulfill Covered Entity’s obligations to amend such PHI pursuant to the HIPAA Privacy & Security Rules and Business Associate will, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate, all in accordance with 45 C.F.R. §164.526.
1.9 Business Associate Response to Direct Requests by Individuals. For PHI held by Business Associate, in the event that any Individuals request access or amendment to, or an accounting of, disclosures of PHI, Business Associate will promptly notify Covered Entity so that Covered Entity may respond directly to the Individual. If Business Associate receives notice that Covered Entity has not timely complied with such Individual’s request, then Business Associate may respond directly to any such Individuals who contact Business Associate directly. In such event, Business Associate will notify Covered Entity and Covered Entity must cooperate with Business Associate and reimburse Business Associate for all costs and expenses in responding.
1.10 Management and Administration. Business Associate agrees to only use or disclose PHI received in its capacity as a business associate to Covered Entity for Business Associate’s own operations if: (a) the use relates to the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate or to provide data aggregation services relating to health care operations of Covered Entity; or (b) the disclosure of information received in such capacity will be made in connection with Business Associate’s performance of the services set forth in a Service Agreement and such disclosure is required by law or Business Associate receives assurance from the person to whom the information will be disclosed that it will be kept confidential and the person further agrees to notify Business Associate of any Security Incident or Breach.
1.11 Data Aggregation Services. Except as otherwise explicitly prohibited by the BAA, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
1.12 Prohibited Communications. Business Associate will not knowingly make or cause to be made any communication about a product or service that is prohibited by 42 U.S.C. § 17936(a).
1.13 Prohibited Fundraising. Business Associate will not knowingly make or cause to be made any written fundraising communication that is prohibited by 42 U.S.C. § 17936(b).
1.14 Carrying Out Covered Entity’s Obligations. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
1.15 Mitigation of Damages. Business Associate agrees to mitigate, to the extent practical, any harmful effect that is known to Business Associate of the use or disclosure of PHI by Business Associate in violation of the requirements of the BAA.
1.16 Prohibition on Sale of PHI. Except as provided in Section 13405(d)(2) of the HITECH Act, neither Business Associate nor Covered Entity shall receive remuneration in exchange for any PHI of an Individual absent a valid authorization from such Individual.
PERMITTED USES AND DISCLOSURES OF PHI
Unless otherwise explicitly limited in the BAA, in addition to any other uses and/or disclosures permitted or required by the BAA, TLN may engage in a range of common practices that are allowed under HIPAA and as such may:
2.1 Make any and all uses and disclosures of PHI necessary to provide the services set forth in a Service Agreement to Covered Entity.
2.2 Use and disclose to subcontractors and agents the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Business Associate.
2.3 Subject to the confidentiality provisions of the BAA, de-identify any and all PHI received or created by Business Associate under the BAA, which de-identified information shall not be subject to the BAA and may be used and disclosed on Business Associate’s own behalf, all in accordance with the de-identification requirements of the HIPAA Privacy & Security Rules.
2.4 Provide Data Aggregation Services relating to the Health Care Operations of the Covered Entity in accordance with the HIPAA Privacy & Security Rules.
2.5 Identify Research projects conducted by Business Associate, third parties for which PHI may be relevant, obtain on behalf of Covered Entity documentation of individual authorizations or an Institutional Review Board or a Privacy Board waiver that meets the requirements of 45 C.F.R. §164.512(i)(1) (each an “Authorization” or “Waiver”) related to such projects, provide Covered Entity with copies of such Authorizations or Waivers, subject to confidentiality obligations (“Required Documentation”); and disclose PHI for such Research.
2.6 Make PHI available for reviews preparatory to Research and obtain and maintain written representations in accordance with 45 C.F.R. §164.512(i)(1)(ii) that the requested PHI is sought solely as necessary to prepare a Research protocol or for similar purposes preparatory to Research, that the PHI is necessary for the Research, and that no PHI will be removed in the course of the review.
2.7 Use the PHI to create a Limited Data Set in compliance with 45 C.F.R. §164.514(e) for Research, Health Care Operations, or Public Health purposes.
2.8 Use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. §164.502(j)(1).
RESPONSIBILITIES OF COVERED ENTITY
In general, Covered Entities function independently and maintain their own responsibilities apart from any formal employee/employer relationship with TLN. The following describes some (but not all) of the responsibilities of a Covered Entity:
3.1 Any and all Covered Entities retain all of their individual and collective responsibilities under HIPAA/HITECH.
3.2 The Covered Entity alone is acting in the capacity as a Covered Entity under HIPAA and is responsible for all of the basic functions of clinical and professional practice including without limitation: assessment, diagnosis, treatment, and discharge. TLN is neither an employer nor employee of any Covered Entity nor a Covered Entity itself. TLN is not engaged in the practice of medicine, psychology, or any other regulated profession, but rather serves as Business Associate to duly appointed Professionals seeking to engage in activities that are a part of their typical and proper duties. TLN does not exercise any managerial or other direct oversight over any of the Professionals/Covered Entities and does not assume any responsibility for their actions (including omissions and commissions related to the practice of any profession).
3.3 Any requests for records etc. should ideally be directed to the Covered Entity in question rather than TLN.
3.4 Relevant Privacy Practices and management of PHI not immediately maintained by TLN will be the responsibility of the Covered Entity in question. TLN is neither responsible for such practices or maintenance nor making any kind of warranty as to their fitness for any purposes.
RESPONSIBILITIES OF THE USER / CLIENT
Even the strongest encryption and technical safeguards cannot guarantee privacy if our platform is used poorly. As such, it is incumbent upon Users of the Site to also cultivate good privacy habits and engage in good privacy practices.
4.1 Encryption. Business Associate offers and requires encryption related to the transmission of data for the provision of services set forth in a Service Agreement with a Covered Entity. If a Covered Entity or Site User does not use encryption, Covered Entity or Site User is fully responsible for any resulting liability caused by failing to encrypt information such as PHI. User acknowledges that such an action will constitute a material breach of this agreement and that the User or Covered Entity will assume full liability for such a breach and hold TLN and its employees and officers harmless for any damages resulting from such a failure to encrypt.
4.2 Passwords. TLN requires the use of strong passwords related to the provision of services set forth in a Service Agreement and these Terms. The User agrees that they are responsible for maintaining the integrity of such passwords and must take reasonable measures to prevent them from being disclosed to third parties. Any actions taken by third parties given such a password by the User shall be as if the User had taken the action. In such a case, the User agrees to assume full liability and to hold TLN and its employees and officers harmless for any damages resulting from such a grant of access.
4.3 Privacy. TLN requires that the User maintain privacy with regard to PHI. User agrees that any remote access of the HIPAA-compliant portions of the Site or areas that have any PHI or can be reasonably expected to have PHI be done in a manner that does not compromise the privacy or the integrity of the PHI. This includes, but is not limited to: only engaging in telehealth sessions or viewing such portions of the Site in a secure (non-public) environment, logging out of sessions when done, taking precautions against spyware and malware, only logging in from trusted devices and locations, avoidance of negligent privacy practices, resetting of passwords if there is any concern about them being compromised, the selection of strong passwords, and general discreet comportment. If you compromise privacy in ways beyond the control of TLN, TLN will not be held responsible for such disclosures or breaches. You agree to hold TLN and its employees and officers harmless for any damages resulting from such oversights with regard to privacy.
BILLING, CHARGES, AND DISPUTES
At TLN, we try to promote good business practices in every aspect of our operations. Still, we may be constrained in some of our behaviors by existing agreements and the nature and scope of our operations. TLN is not a bank; we do not keep cash reserves on hand to handle financial transactions directly or to loan money for even short periods of time. While we will make reasonable efforts to assist in straightening out billing problems or disagreements that might arise from the use of the Site, we may be limited in the remedies available to us. This section outlines the basic billing procedures and practices of the Site.
5.1 Because of our use of a third party payment processing service (Stripe), we may be limited in our ability to immediately cancel or reverse a payment. If you have a billing problem and contact us within 24 hours of the charge, we may be able to effect a speedy resolution (though we are not specifically obligated to do so). If you have a billing issue with a Provider or the payment processor, you may have to take it up directly with them should you pursue an adjustment or other remedy after the first 24 hours. You can see a much more detailed description of Stripe’s policies and practices at: https://stripe.com/us/connect-account/legal
5.2 Fees charged by Providers are set and maintained by them. We do not have a direct employer/employee relationship with them in either direction. If you have a dispute with one of the Providers, you may need to take it up with them directly. The platform allows the Providers to charge a range of differing fees for differing services. Any given Provider may have policies and practices that are different from those of TLN. It is wise to contact them directly about any additional questions or concerns you might have about their distinctive business practices.
CONSENT FOR SERVICES
At TLN, we strive to consistently provide quality Services to Site visitors, Users, and professional Providers. By your use of the Site, you consent to the Services provided by TLN and you also acknowledge that any services not provided by TLN are the responsibility of those providing them, not TLN, its directors, officers, or employees.
6.1 By your use of the Site, you consent to TLN receiving, storing, and using information (including PHI) either directly or on behalf of one or more Covered Entities.
6.2 By your use of any Service on the Site, you consent to that Service (including but not limited to Telehealth Services).
6.3 Contact. We may send discreet contact reminders via SMS or email to you on behalf of the Covered Entity, provided that you have agreed to the same and that any information is substantially limited in that it only contains a prompt to log in to the system to read a pending message or to view a pending event or similar, substantially limited purpose and that such reminders contain no PHI or identifiers beyond the number or email given by you for such a purpose.
6.4 You may be asked to provide additional, specific, consent for services offered by Providers on the Site. Their requirements and your acceptance or refusal of them is a matter to be settled between yourself and the Provider in question. TLN does not specifically endorse their services, nor does TLN warrant that their services and consent procedures are necessarily in accordance with one another.
6.5 You are of course free to quit using the specific Services of TLN at any time. If you elect to continue or discontinue the services of Covered Entity or other Professional, you may wish to consider such a course of action carefully and with the support of relevant and competent professional opinion. You acknowledge that any choices you make in this regard are of your own volition and are ultimately your own responsibility.
7.1 Interpretation and References. Any ambiguity in the BAA or these Terms shall be resolved to maintain compliance with the HIPAA Privacy & Security Rules and the HITECH Act. A reference to a section of the HIPAA Privacy & Security Rules means the section in effect or as amended and for which compliance is required.
7.2 Governing Law. The BAA and these Terms are governed by the laws of the State of Michigan. The federal and state courts located in Michigan will have jurisdiction to adjudicate any dispute arising out of or relating to the BAA or these Terms. Each Party hereby consents to the jurisdiction of such courts and waives any right it may otherwise have to challenge the appropriateness of such forums, whether on the basis of the doctrine of forum non conveniens or otherwise.
7.3 No Third Party Beneficiaries. The Parties agree there are no intended third party beneficiaries under these Terms. Nothing express or implied in these Terms is intended to confer upon any person, other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. This provision shall survive termination of the BAA and any Service Contract or Subscription.
7.4 Citizens of the EU. While TLN consistently strives to meet or exceed best practices in the areas of privacy, reliability, and ethical conduct, the site was not specifically designed for use in the European Union or its jurisdictions.
Effective as of July 23, 2018