This Service Agreement (“SA”), effective as of today (“Effective Date”) is entered into by and between The Live Network, Inc. DBA Therapy Live (“Service Provider”, “we”, “our”, “us”, “TLN”, or the “Company”) and you on behalf of yourself/itself and your/its subsidiaries (“Healthcare Provider” or “Provider” or “you”) For purposes of this SA, Provider and TLN may each be referred to as a “Party” and collectively as “Parties.”
TLN as service provider, will have the role of providing services so that the Provider can provide Telehealth services to users of the Site and includes collection, using, storing, and disclosing PHI (as defined below) as required for the Provider to provide Telehealth Services and the user to receive Telehealth Services in accordance with the Consent and Patient Terms of Service. This SA also applies to any and all additional services provided by TLN to Provider via platforms not directly accessible to Users via the Site but that involve collecting, using, storing, processing or disclosing PHI in any manner. The Telehealth services include all of the following:
- 256-Bit Elliptical Encryption
- Encrypted Telehealth
- Appointment Scheduler
- Customizable Calendar
- Client Appointment Portal
- Automated Reminders
- Encrypted Messaging
- Encrypted Client Storage
- Electronic Health Records
- Client Session Notes
- Customize Services Offered
- Billing Portal
Providers may choose to use one or more of the services outlined above.
WHEREAS, Provider has retained TLN to provide certain services to be performed for or on behalf of Provider, which are described above and, in connection with those services, TLN may use or disclose certain PHI in accordance with the consents provided where required by law, and applicable privacy laws;
WHEREAS, the Parties desire to establish the terms related to the services provided by TLN to assist Provider in providing Telehealth Services to users of the Site and/or such additional services provided by TLN as outlined in any Statements of Work entered by the Parties; and
NOW THEREFORE, in consideration of these premises and the mutual promises and agreements hereinafter set forth, Provider and TLN hereby agree as follows:
1.1. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted by Applicable Privacy Laws that compromises the security or privacy of the PHI.
1.2 “Applicable Privacy Laws” means privacy laws applicable to Provider in the jurisdiction in which it is providing services.
1.3. “PHI” means “personal health information” as, and is defined to include all personal information that is considered personal health information/health information under applicable privacy laws and that is provided or generated limited to the information received from, or received or created on behalf of, Provider by TLN in the course of providing Telehealth Services or any additional services outlined in Statements of Work entered by the Parties.
1.4. “Security Incident” means an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system and involving PHI that is created, received, maintained, or transmitted by or on behalf of Provider in electronic form.
This SA shall be applicable solely to PHI received by TLN from Provider with the consent of the User, where required by applicable law, and created, received, processed or maintained by TLN in connection with Provider’s use of Telehealth Services or any additional services outlined in Statements of Work entered by the Parties. It is further understood and agreed that this SA does not apply to the Public Engagement portions of the Site or any current or future services not explicitly intended to receive, store, or transmit PHI. Provider agrees that it will not create, submit or store PHI in connection with any services not specifically designed for the receiving, storing, or transmitting or PHI. The use of any public and/or unsecured portions of the Site to receive, store, or transmit PHI in any form is prohibited and constitutes a material breach of this SA.
3. RESPONSIBILITIES OF TLN
3.1 Permitted Uses and Disclosures. TLN agrees to use PHI in accordance with the User consent obtained for the Telehealth Services and Healthcare Client Terms and Conditions only as necessary to provide the Telehealth Services set forth in this SA or any additional services outlined in Statements of Work entered by the Parties and TLN agrees to limit uses and disclosure of PHI to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request. TLN will not use or further disclose PHI other than as permitted or required by this SA, User consent, or Statements of Work or as required by applicable law. TLN shall comply with all applicable laws at all times.
3.2 Safeguards. TLN agrees to implement and use appropriate administrative, organizational, physical and technical safeguards to (a) prevent unauthorized use or disclosure of PHI; and (b) reasonably protect the confidentiality, integrity, and availability of the PHI that TLN creates, receives, processes, maintains, or transmits on behalf of Provider. Such safeguards include a written information security policy, a response plan for Security Incidents/Breaches, periodic security awareness training, and confidentiality/nondisclosure agreements with those independent subcontractors and consultants with which TLN has delegated duties under this SA. TLN’s physical and technical safeguards are described in Schedule A.
3.3 Reporting a Breach. TLN agrees to promptly report to Provider any unauthorized access, use, disclosure, loss or theft of PHI not provided for by this SA of which it becomes aware and any Security Incident of which TLN becomes aware. Provider will be responsible for notifying their Users/patients and/or provincial, federal or territorial privacy commissioners in accordance with their obligations under Applicable Privacy Laws.
3.4 Assistance with Breach Investigation. In the event of a Breach, TLN will provide reasonable assistance to, and cooperate with, Provider in investigating the Breach and TLN agrees to provide the following information in writing to Provider: (a) Identification of each individual who is the subject of PHI that has been, or is reasonably believed by TLN to have been accessed, acquired, or disclosed; (b) a brief description of the events; (c) date of the potential Breach; (d) date of discovery; (e) type of PHI involved; (f) any preliminary steps taken to mitigate the damage; and (g) a description of the investigatory steps taken.
3.5 Internal Practices. TLN agrees to make available its internal practices, books, and records relating to PHI that TLN uses, creates, receives, processes, maintains, stores, transmits or discloses in the course of providing the Telehealth Services or any additional services outlined in Statements of Work entered by the Parties for purposes of determining compliance with this SA.
3.6 Disclosure Accounting. TLN agrees to document such accesses and disclosures of PHI and information related to such accesses and disclosures as would be required for Provider to respond to a request by an individual for an accounting of access to or disclosures of PHI. In addition, within twenty (20) days after receiving a written request from Provider, TLN will make available to Provider the information necessary for Provider to make an accounting of access and disclosures of PHI about an individual.
3.7 Subcontractors. TLN will require its subcontractors to provide reasonable assurance, evidenced by written agreement, of compliance with the same privacy and security obligations, restrictions, and conditions with respect to PHI as applies to TLN through this SA. TLN currently only subcontracts with IBM to provide services as set out in Schedule A and with Stripe to process payments for services.
3.8 Availability of Information. TLN agrees to provide access to Provider, within twenty (20) days after receiving a written request from Provider, to PHI about an Individual, sufficient to allow Provider to provide access to such Individual to his or her PHI, in compliance with the requirements of applicable privacy laws.
3.9 Amendment of Information. Within twenty (20) days after a written request by Provider, TLN will make PHI available to Provider as reasonably required to fulfill Provider’s obligations to amend such PHI pursuant to applicable privacy law and TLN will, as directed by Provider, incorporate any amendments to PHI into copies of such PHI maintained by TLN.
3.10 Requests by Individuals. For PHI held by TLN, in the event that any Individuals request access or amendment to PHI, TLN will promptly notify Provider so that Provider may respond directly to the Individual.
3.11 Management and Administration. TLN agrees to only use or disclose PHI if the use relates to the proper management and administration of the provision of Telehealth Services or any additional services outlined in Statements of Work entered by the Parties, or to carry out the legal responsibilities of TLN;
3.12 Data Aggregation Services. TLN may use PHI to provide data aggregation services to Provider on the instructions of and strictly in accordance with the written instructions of the Provider.
3.13 Prohibited Communications. TLN will not knowingly make or cause to be made any communication about a product or service that is prohibited by applicable privacy law.
3.14 Mitigation of Damages. TLN agrees to mitigate, to the extent practical, any harmful effect that is known to TLN of the use or disclosure of PHI by TLN in violation of the requirements of this SA.
3.15 Availability of Data. Provider shall at all times during the term of this SA have access to all PHI received by TLN from Provider or created, maintained or received by TLN on behalf of Provider, including in .csv format that the Provider can export to an alternative system or platform, all at no additional cost to Provider. As between TLN and Provider, Provider retains ownership of all rights in all PHI received by TLN from Provider or created, maintained or received by TLN on behalf of Provider, and all such data shall be stored in Canada and segregated from the data of other providers and their patients.
3.16 TLN shall make all reasonable efforts to ensure the availability of the Services at all times.
3.17 TLN shall provide technical support to providers between the hours of Monday to Friday 9 am to 5pm, excluding statutory holidays with a response time of less than 24 hours. TLN will also provide emergency after-hour support.
3.18 TLN shall not directly solicit any of the Provider’s patients whether during or after the term of this Agreement. Direct soliciting would not include general marketing of the site, site updates, newsletters, services, or products that are available to all visitors and members of the site. Direct soliciting, which shall be prohibited, would include, direct marketing and targeted to patients or specific groups of patience based on patient identifiable information as related to their treatment.
4. RESPONSIBILITIES OF PROVIDER
4.1 Identification of Records. With respect to the records Provider furnishes to TLN, Provider will identify those records that it considers to be PHI for purposes of this SA. The Parties mutually agree that portions of the site specifically and explicitly identified as a part of the Telehealth Services, and that the entering of data into any fields within platforms or sites associated with any additional services outlined in any Statements of Work entered into by the Parties, will constitute such identification of records.
4.2 Minimum Necessary. Provider will provide to TLN only the minimum PHI necessary to perform the services set forth in a Service Agreement.
Users must agree to enter/sign a consent to Telehealth Services prior to accessing Telehealth Services via the Site. For any additional services outlined in Statements of Work entered by the Parties, Provider will ensure that it has consent of the User/patient/client to collect, use, disclose and/or transfer PHI to TLN, as required by applicable law.
4.3 Increased Privacy Protections. In the event that Provider honors a request to restrict the use or disclosure of PHI, Provider will notify TLN of any restriction to the extent any such restriction may limit TLN ’s ability to use and/or disclose PHI as permitted or required under this SA or impose obligations on TLN additional to or inconsistent with the obligations assumed under this SA. However, should such revisions materially increase TLN’s cost of providing services under this SA, Provider shall reimburse TLN for such increase in cost.
4.4 Privacy Notice Limitations. Provider will notify TLN of any limitations in its Notice of Privacy Practices/Privacy Policies, to the extent that any such limitation may affect TLN’s use or disclosure of PHI or impose obligations on TLN additional to or inconsistent with the obligations assumed under this SA or the user’s consent. In the event that any such limitation materially increases TLN’s cost of providing services under this SA, Provider agrees to reimburse TLN for such increase in cost.
4.5 Changes in Permission. Provider will notify TLN of any changes in or revocation of permission by a User/patient/client to use or disclose PHI, to the extent that such changes may affect TLN’s use or disclosure of PHI or impose obligations on TLN additional to or inconsistent with the obligations assumed under this SA or the User’s consent. In the event that any such change in or revocation of permission materially increases TLN’s cost of providing services under this SA, Provider agrees to reimburse TLN for such increase in cost.
4.6 Breach Notification. In the event of a Breach or Security Incident arising from the actions or inactions of TLN or through the back-end portions of the Site (hacking, successful server intrusion, etc.), the parties will cooperate to determine whether notice is to be given to any individuals, regulators, law enforcement agencies, consumer reporting agencies, media outlets, information and privacy commissioners , or others as required by law or as deemed advisable by the parties.. TLN will be solely responsible for the costs of providing such notice.
In the event of a Breach or Security Incident arising from the actions or inactions of the Provider or through the front-end portions of the Site (unsecured password, grant of access to unauthorized third parties, malware on the Provider’s computer, loss of laptop, etc.), Provider will have the sole responsibility to determine whether notice is to be given to any individuals, regulators, law enforcement agencies, consumer reporting agencies, media outlets, the Information and Privacy Commissioner, or others as required by law or in Provider’s discretion. Provider will be solely responsible for providing such notice and for the costs thereof. In addition, TLN may, at its discretion, and at its cost, also provide notice, though doing so shall not be construed as relieving the Provider of their responsibilities or the assumption of any liability whatsoever for the Provider’s actions or inactions, unless explicitly agreed to in writing.
In the event of a Breach or Security Incident arising from indeterminate origins, TLN and Provider will work to collaboratively determine whether notice is to be given to any individuals, regulators, law enforcement agencies, consumer reporting agencies, media outlets, information and privacy commissioners, or others as required by law or in the Parties’ discretion. Both Parties will share responsibility for providing such notice and will share the costs thereof. In the event that the Parties cannot come to a timely agreement about how to proceed, each Party will be responsible for taking reasonable actions and each Party will assume the costs thereof. In the event that later investigation indicates that the Breach or Security Incident occurred through the actions, inactions, or negligence of the other Party, a Party may request, and is entitled to receive, compensation for any costs incurred in the notification process.
4.7 Other Agents. Provider agrees to be solely responsible for ensuring that any contractual relationships it has with other individuals or entities comply with applicable privacy laws.
4.8 Permissible Uses Only. Except as otherwise provided under this SA or with the user’s consent, Provider will not ask TLN to use or disclose PHI in any manner that would not be permissible under applicable privacy laws.
4.9 Encryption. TLN offers and requires encryption related to the transmission of data for the provision of services set forth in a Service Agreement. If Provider does not use encryption available on the site for the collection, use, disclosure or storage of PHI (for example by publicly posting PHI), Provider is fully responsible for any resulting liability caused by failing to encrypt information such as PHI. Provider acknowledges that such an action will constitute a material breach of this SA and that the Provider will assume full liability and hold TLN and its employees and officers harmless for any damages resulting from such a failure to encrypt PHI,
4.10 Passwords. TLN requires the use of strong passwords related to the provision of services set forth in a Service Agreement. Provider agrees that it is responsible for maintaining the integrity of such passwords and must take reasonable measures to prevent them from being disclosed to third parties. Any actions taken by third parties given such a password by the Provider shall be as if the Provider had taken the action. In such a case, the TLN agrees to assume full liability and to hold TLN and its employees and officers harmless for any damages resulting from such a grant of access.
4.11 Privacy. TLN requires that Provider and its subcontractors or designees maintain privacy with regard to PHI. Provider agrees that any remote access of the portions of the Site or areas that have any PHI or can be reasonably expected to have PHI be done in a manner that does not compromise privacy or the integrity of the PHI. This includes, but is not limited to: only engaging in Telehealth Services sessions or reviewing charts in a secure (non-public) environment, logging out of sessions when done, taking precautions against spyware and malware, only logging in from trusted devices and locations, avoidance of negligent privacy practices, resetting of passwords if there is any concern about them being compromised, the selection of strong passwords, and general professional comportment.
4.12 Professional Qualifications. Providers are obligated to comply with all of their individual obligations under the applicable laws in the province or territory where they are practicing including that they are qualified and licensed to offer Telehealth services. Providers are solely responsible for ensuring that they are duly licensed to practice in the province or territory in which they are providing Telehealth services to Users and in the jurisdiction in which Users are receiving Telehealth services.
5. PERMITTED USES AND DISCLOSURES OF PHI
Unless otherwise explicitly limited in this SA or user consent, in addition to any other uses and/or disclosures permitted or required by this SA, TLN may:
5.1 Make any and all uses and disclosures of PHI necessary to provide the Telehealth services or any additional services as set out in a Statement of Work entered by the Parties or to carry out the legal responsibilities of TLN.
5.2 Use and disclose to subcontractors and agents the PHI in its possession for its proper management and administration of the provision of Telehealth Services or any additional services outlined in Statements of Work entered by the Parties .
6. TERM AND TERMINATION
6.1 Term. This SA will continue in full force and effect for as long as Provider makes use of Telehealth Services and/or a Statement of Work remains in full force and effect. The term of this SA will be effective as of the Effective Date and will continue in effect unless terminated as authorized in Section 6.2. In addition, certain provisions and requirements of this SA will survive expiration or termination in accordance with Section 7.3 herein.
6.2 Termination for Cause. Without limiting the rights of the Parties as set out in the SA, each Party will have the right to terminate this SA and the Statement of Work if the other Party has engaged in a pattern of activity or practice that constitutes a material violation or breach of its obligations regarding PHI under this SA. Prior to terminating this SA, the terminating Party will provide the other Party with an opportunity to cure the material violation or breach. If the breaching Party fails to cure the violation or breach within [fifteen (15) days], or, with respect to a breach that cannot be remedied within the [fifteen (15) day] period, such longer period of time as may be required to remedy the breach in the circumstances, as determined by the terminating Party, then this SA and any additional the Statement of Work entered by the Parties shall be terminated as soon as administratively feasible.
6.3 Termination for Convenience. Provider may terminate this SA without cause by providing thirty (30) days written notice to TLN. TLN may terminate this SA without cause by providing ninety (90) days written notice to Provider.
6.4 Effect of Termination. Except as otherwise provided herein or explicitly agreed to in writing, the Parties agree that upon termination of this SA for any reason, TLN will return to Provider in a .csv format to Provider and at no additional cost to Provider and within ten (10) days of the request, all PHI received by TLN from Provider or created, maintained or received by TLN on behalf of Provider, or, if agreed to by Provider, destroy all PHI received from Provider or created, maintained, or received by TLN on behalf of Provider by the later of one (1) year after the termination of this SA or one (1) year after the account deactivation of a User/client of the Provider. In the event that TLN reasonably determines return or destruction of the PHI by such a date is not feasible, TLN will notify Provider of the conditions that make return or destruction not feasible. In the event of the continued maintenance above or upon mutual agreement of the Parties, TLN may retain the PHI and will continue to extend all protections, limitations, and restrictions contained in this SA to TLN’s use and/or disclosure of PHI for so long as TLN maintains such PHI.
6.5 Cooperation. Each Party shall cooperate in good faith in all respects with the other Party in connection with any request by a federal, provincial, territorial or state governmental authority for additional information and documents or any governmental investigation, complaint, action, or other inquiry.
7.1 TLN (“Indemnifying Party”) shall indemnify the Provider and their respective employees and subcontractors (collectively, “Indemnified”) against any liability, loss, damages, costs and expenses (including reasonable legal fees) (collectively, “Damages”), incurred by the Provider that results from the negligence, default in performance, breach of this Agreement, wilful misconduct or any statutory or regulatory offences committed by TLN with respect to the collection, use, storage or disclosure of PHI, provided that: the Provider shall provide prompt written notice of any claim that might give rise to such liability; co-operate in the defence of such claim; and the Provider shall at its option require that TLN assume responsibility for the defence of or response to such third party claim.
Provider agrees to indemnify, defend, and hold harmless TLN, its officers, directors and its employees for any amounts claimed by a user against TLN, its officers, directors and its employees arising out of or in connection with the negligence, default in performance, breach of this Agreement, wilful misconduct or any statutory or regulatory offences committed by Provider with respect to the collection, use, storage, or disclosure of PHI, provided that TLN shall provide prompt written notice of any claim that might give rise to such liability; co-operate in the defence of such claim; and that TLN shall at its option require the Provider to assume responsibility for the defence of or response to such third party claim.
7.2 No Party shall be liable to the other Party or Parties in any way for any indirect, punitive, incidental, special or consequential damages, including, but not limited to, loss of savings or profit, nor for any lost revenue. This Section 7.2 shall not limit or exclude TLN’s liability with respect to TLN’s negligence, default in performance, breach of this Agreement, wilful misconduct or any statutory or regulatory offences committed by TLN with respect to the collection, use, storage or disclosure of PHI. This limitation shall apply whether or not such damages are foreseeable and whether or not the defaulting Party has been advised of the possibility of such damages.
7.3 TLN shall maintain and pay for adequate privacy and security breach insurance coverage and shall maintain coverage in the amount of at least one million dollars per occurrence and not less than one million dollars in the annual aggregate.
7.4 Upon request by a Party, the other Party shall provide a valid certificate of insurance that confirms the above requirements.
8.1 Interpretation and References. Any ambiguity in this SA or a Service Agreement shall be resolved to maintain compliance with applicable privacy law.
8.2 Survival. Sections 3.18,, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3 and Section 8.2 shall survive the expiration or termination for any reason of this SA or a Service Agreement.
8.3 Contact. TLN may send discrete contact reminders via SMS or email to Users/clients/patients of the Provider, provided that such Users/clients/patients have agreed to the same and that information is substantially limited in that it only contains a prompt to log in to the system to read a pending message or to view a pending event or similar, substantially limited purpose and that such reminders contain no PHI or identifiers beyond the number or email given by a User/client/patient for such a purpose.
8.4 Governing Law. This SA shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable in the Province of Ontario. Each Party irrevocably and unconditionally attorns to the exclusive jurisdiction of the Courts of the Province of Ontario.
8.5 Independent Contractor. TLN, including its directors, officers, employees and agents, is an independent contractor and not an agent of Provider or a member of its workforce. Without limiting the generality of the foregoing, Provider will have no right to control, direct, or otherwise influence TLN’s conduct in the course of performing the services, other than through the enforcement of this SA or a Service Agreement, or the mutual amendment of the same. Likewise, no portion of this SA should be construed as implying that the Provider is in some way employed by TLN or engaging the provision of services on behalf of TLN. Without limiting the generality of the foregoing, TLN will have no right to control, direct, or otherwise influence Provider’s conduct in the course of performing their services, other than through the enforcement of this SA or a Service Agreement, or the mutual amendment of the same.
8.6 No Third Party Beneficiaries. The Parties agree there are no intended third party beneficiaries under this SA. Nothing express or implied in this SA is intended to confer upon any person, other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. This provision shall survive termination of this SA and a Service Agreement.
8.7 European Union. While the TLN consistently strives to meet or exceed the best practices in the areas of privacy, reliability, and ethical conduct, the Site was not specifically designed for use within the European Union or its jurisdictions.
8.8 Amendments. No amendment of this SA will be effective unless set out in writing and signed by both Parties.
8.9 Assignment. This SA cannot be assigned by either of the Parties without the prior written consent of the other Party.
8.10 Execution and Delivery. This SA may be executed in counterparts, including counterparts by facsimile transmission or scanned emailed copies. Each of such counterparts will constitute an original document and such counterparts, taken together, will constitute one and the same instrument.
8.11 Independent Legal Advice. Each of the Parties acknowledge having read and understood this SA, having had the opportunity to obtain independent legal advice regarding this SA and having done so or refused to do so of their own volition.
IN WITNESS WHEREOF, the Parties acknowledge and agree to this SA on the Effective Date.