Terms of Service

Introduction

Welcome to Noted ("we," "our," "us"). These Terms of Service ("Terms") govern your use of our HIPAA-compliant software-as-a-service (SaaS) platform designed for home health care providers ("Service"). By accessing or using the Service, you agree to comply with these Terms. If you do not agree, please do not use the Service.

Definitions

  • Protected Health Information (PHI): Individually identifiable health information as defined under HIPAA.
  • Business Associate Agreement (BAA): A legal contract between us and a Covered Entity outlining responsibilities for safeguarding PHI.
  • Covered Entity: A healthcare provider or organization subject to HIPAA regulations.
  • User Roles: Includes Company Admins, Nurses, and other authorized personnel accessing PHI.

HIPAA Compliance

We are a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). As such:

  • We will safeguard all PHI in compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
  • We will sign a BAA with each Covered Entity using our Service. The terms of the BAA are incorporated into this Agreement by reference.
  • We will implement administrative, technical, and physical safeguards to protect PHI, including:
    • Encryption of PHI at rest and in transit using NIST-approved standards.
    • Multi-factor authentication for user access.
    • Role-based access controls to limit PHI access to authorized personnel.

User Roles and Responsibilities

Company Admins:

  • Manage user access and ensure compliance with HIPAA rules within their organization.
  • Conduct regular audits of user activity logs provided by the platform.

Nurses:

  • Access only assigned patient records and maintain confidentiality.
  • Report any unauthorized access or security incidents immediately.

Noted:

  • Provide audit logs tracking all access to PHI.
  • Notify Covered Entities of any breach involving PHI within 60 days as required by the Breach Notification Rule.

Data Processing and Ownership

  • Data Ownership: All PHI entered into the platform remains the property of the Covered Entity. We act solely as a processor of this data.
  • Anonymized AI Processing: Any data processed using AI tools is anonymized where possible and handled securely.
  • Audit Trails: Comprehensive logs are maintained for all actions involving PHI to support compliance investigations.

Security Measures

We employ stringent security measures, including:

  • Role-based access controls ensuring users can only access data relevant to their role.
  • End-to-end encryption for all PHI during storage and transmission.
  • Regular vulnerability assessments and penetration testing.
  • Physical security measures for servers hosting PHI, including restricted access and disaster recovery protocols.

Breach Notification

In the event of a data breach involving PHI:

  • We will notify affected Covered Entities within 60 calendar days of discovery.
  • We will provide detailed information on the breach's nature, affected data, mitigation steps taken, and recommendations for further actions.

Business Associate Agreement (BAA)

The BAA governs our obligations regarding PHI protection. Key terms include:

  • Restrictions on the use or disclosure of PHI except as permitted under HIPAA or required by law.
  • Obligations to return or destroy all PHI upon termination unless infeasible.
  • Cooperation with Covered Entities during audits or investigations by regulatory bodies.

Administrative Safeguards

  • Workforce training on HIPAA compliance is conducted regularly for all employees handling PHI.
  • Policies are in place for incident response, risk management, and reporting unauthorized disclosures.

Physical Safeguards

  • Data centers hosting PHI are secured with controlled access systems, surveillance cameras, and environmental protections against disasters.
  • Devices used to access PHI are monitored for compliance with security policies.

Technical Safeguards

  • Systems include audit controls to log access to ePHI.
  • Unique user IDs are assigned to track system activity effectively.
  • Transmission security protocols prevent interception of ePHI during data transfers.

Limitations of Liability

While we take extensive measures to ensure HIPAA compliance:

  • The Company is responsible for ensuring proper use of the Service in compliance with applicable laws.
  • We are not liable for breaches caused by user negligence or failure to follow security protocols.

Termination

Upon termination:

  • All access to PHI will be revoked immediately.
  • We will return or securely destroy all PHI as specified in the BAA unless otherwise required by law.

Amendments

We reserve the right to update these Terms as necessary to comply with changes in laws or regulations, or to improve our Service. Users will be notified of significant changes via email or platform notifications.