HIPAA Data Use Agreement (DUA)
- Preamble and Definitions.
1.1. This Data Use Agreement (“DUA”) is effective as of the date Agent registers for an account with Zues or otherwise uses Zues’s products or services (the “Effective Date”) and is by and between Zues Software Inc. (“Covered Entity”) and Agent (“Data Recipient”) pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”), as amended, and related privacy, security, breach notification, and enforcement regulations defined at 45 C.F.R. Parts 160 and 164 (“HIPAA Rules”).
1.2. The parties intend for this DUA to:
(a) support Covered Entity in disclosing a Limited Data Set, as defined under the HIPAA Rules (the “Disclosed Limited Data Set”), to Data Recipient solely for the purposes of health care operations; and
(b) ensure that Data Recipient implements and maintains appropriate safeguards and uses the Disclosed Limited Data Set only for permitted purposes, pursuant to this DUA and the HIPAA Rules.
1.3. Capitalized terms used and not otherwise defined in this DUA shall have the meanings set forth in the HIPAA Rules.
- Data Disclosure and Use.
2.1. Permitted Data Use. Data Recipient must only receive or use the Disclosed Limited Data Set for purposes of the Specified Data Recipient Program as set forth in Section 1.2(a) and cannot otherwise use or disclose the Disclosed Limited Data Set unless required by law or authorized by Covered Entity in writing.
2.2. Safeguards. Data Recipient must use appropriate safeguards as defined under the HIPAA Rules and related Department of Health and Human Services guidance, including but not limited to requirements listed in our Terms of Service, available at https://catepult.com/terms-of-service, our Privacy Policy, available at https://catepult.com/privacy-policy, and our Information Security Policy, available at https://catepult.com/information-security-policy, to prevent any use or disclosure of the Disclosed Limited Data Set other than as provided for by this DUA.
2.3. Reporting Unauthorized Use or Disclosure. Data Recipient must immediately, but in all cases in no more than 48 hours, report to Covered Entity any use or disclosure of the Disclosed Limited Data Set not provided for by this DUA of which it becomes aware. Data Recipient must report any unauthorized use or disclosure of the Disclosed Limited Data Set by email at admin@catepult.com.
2.4. Data Recipient Agents. Data Recipient must not disclose the Disclosed Limited Data Set to any third party, including any agent or contractor, without Covered Entity’s prior written consent. Data Recipient may disclose the Disclosed Limited Data Set to those third parties listed in Attachment A (Permitted Third-Party Data Recipients). Data Recipient must ensure that any agents or other third parties to whom it discloses the Disclosed Limited Data Set each agree to the same restrictions and conditions that apply to Data Recipient regarding the Disclosed Limited Data Set.
2.5. No Identification of Individuals. Data Recipient must not attempt to identify or contact any specific individual whose information appears in the Disclosed Limited Data Set.
2.6. Retention and Destruction. Data Recipient must retain the Disclosed Limited Data Set only for the reasonable duration of the Specified Data Recipient Program, unless otherwise authorized by Covered Entity in writing. Data Recipient will promptly and securely destroy the Disclosed Limited Data Set, using industry-accepted methods, on termination of this DUA or completion of the Specified Data Recipient Program, whichever occurs first, and promptly provide Covered Entity with a written certification of such destruction.
2.7. Audits and Inspections. Data Recipient will grant Covered Entity, or its authorized representatives, reasonable access to its personnel, facilities, and the Disclosed Limited Data Set to conduct audits, inspections, or otherwise to allow Covered Entity to verify compliance with the terms of this DUA.
2.8. Derived Works and Publication. Data Recipient must provide Covered Entity with a copy of any results, reports, or other outputs derived from the Disclosed Limited Data Set. Data Recipient must provide Covered Entity with a reasonable opportunity, but not less than five (5) business days, to review and grant written approval of any reports or other publications derived from the Disclosed Limited Data Set prior to distributing such materials outside Data Recipient, including for purposes of, but not limited to, any peer review, submission to any federal or state agency, demonstration, presentation of findings, synopsis of research, or publication. The retention and destruction requirements in Section 2.6 (Retention and Destruction) apply to any Disclosed Limited Data Set data contained in derived works.
- Term and Termination.
This DUA and Data Recipient’s authorization to use or retain the Disclosed Limited Data Set will remain in effect from the Effective Date until terminated. Either party may terminate this DUA at any time, with or without cause, by providing thirty (30) days written notice to the other party. The terms of this DUA shall remain effective in their entirety until Covered Entity receives the certificate of data destruction as set forth in Section 2.6 (Retention and Destruction). Section 4 (Indemnification) shall survive the termination of this DUA.
- Indemnification.
Subject to any applicable federal, state, or local laws regarding governmental immunity or governmental agencies and tort claims, Data Recipient shall indemnify, defend, and hold harmless Covered Entity, Covered Entity’s subsidiaries or affiliates, and their respective trustees, directors, officers, grantors, employees, agents, and contractors from any claims, losses, damages, expenses, civil monetary penalties, and costs (including attorneys’ and court fees and expenses) arising out of or related to (a) any breach of this DUA by Data Recipient or its agents or contractors, including any Breach or alleged Breach of Unsecured Protected Health Information, or (b) any negligence or wrongful acts or omissions by Data Recipient or its agents or contractors, including without limitation, failure to perform Data Recipient’s obligations under this DUA, the HIPAA Rules, or other applicable federal, state, or local laws.
- Amendment.
The parties will cooperate to amend this DUA as necessary from time to time to reflect changes in circumstances or applicable law, including HIPAA and the HIPAA Rules. All amendments to this DUA must be in writing and signed by both parties.
- Other Provisions.
6.1. Assignment. This DUA shall be binding on the successors and assigns of Covered Entity and Data Recipient. However, Data Recipient may not assign this DUA, in whole or in part, without Covered Entity’s written consent. Any attempted assignment in violation of this provision shall be null and void.
6.2. Counterparts. The parties may execute this DUA in counterparts, all of which together shall constitute one agreement.
6.3. Entire Agreement and Severability. This DUA is the complete agreement between the parties and supersedes all previous agreements or representations, written or oral, regarding the Disclosed Limited Data Set and any related matters as addressed in this DUA. If any part of this DUA is held to be unenforceable, the remainder shall continue in effect.
6.4. Independent Contractors. The relationship between the parties is that of independent contractors. This DUA does not create any agency, joint venture, or partnership relationship between the parties.
6.5. Interpretation. Any ambiguity in this DUA shall be resolved in favor of a meaning that permits the parties to comply with applicable law, including HIPAA and the HIPAA Rules.
6.6. No Third-Party Beneficiaries. Nothing express or implied in this DUA is intended to or shall confer any rights, remedies, obligations, or liabilities on any person other than the parties and their respective successors or assigns.
6.7. Notices. Any notices required or permitted under this DUA must be in writing and sent by United States mail, electronic mail with written acknowledgement of receipt, overnight delivery service, or facsimile transmission to the addresses for each party provided below or such different addresses as a party may later designate in writing. Notices regarding the unauthorized use or disclosure of the Disclosed Limited Data Set must follow the specific requirements listed in Section 2.3 (Reporting Unauthorized Use or Disclosure).
6.8. Regulatory References and Compliance with Laws. A reference in this DUA to the HIPAA Rules or any other applicable law means the section as in effect or as amended, and with which Covered Entity or Data Recipient must comply. Each party represents and warrants that it shall comply with applicable law, including HIPAA and the HIPAA Rules, in the performance of this DUA.
6.9. Use of Name and Trademarks. Data Recipient shall not use the name(s) or trademark(s) of Covered Entity in any advertising, publicity, endorsement, promotion, or other publicly available document without Covered Entity’s prior written consent.
6.10. Waiver. Neither party’s delay or omission in exercising any right or remedy under this DUA will constitute waiver or prevent the applicable party’s ability to exercise any right or remedy in the future.
- Information Security Policy. Data Recipient must use appropriate safeguards as defined under the HIPAA Rules and related Department of Health and Human Services guidance, including but not limited to, those described in our Information Security Policy, available at https://catepult.com/information-security-policy. You acknowledge and understand that you received and read a copy of Zues’s Information Security Policy, and understand that it is your responsibility to be familiar with and abide by its terms.
- Acknowledgment of Receipt and Review. By registering for an account with Zues and using Zues’s Services, You acknowledge and understand that you received and read a copy of Zues’s Data Use Agreement, and understand that it is your responsibility to be familiar with and abide by its terms. This Agreement is not promissory and does not set terms or conditions of employment or create an employment contract.
ATTACHMENT A—Permitted Third-Party Data Recipients
Data Recipient may disclose the Disclosed Limited Data Set only to the following third parties, for the stated purposes. Data Recipient must ensure that any agents or other third parties to whom it provides the Disclosed Limited Data Set each agree to the same restrictions and conditions that apply to Data Recipient regarding the Disclosed Limited Data Set, according to the DUA.
Permitted Third Party | Permitted Purpose for Disclosure |