General Terms and Conditions

Last Updated: August 11, 2023

These General Terms and Conditions (these “Terms”) are offered to you by MH Sub I, LLC and other related entities and affiliates (collectively, “WebMD Care,” “we,” “us,” “our”) and govern your subscription for an Enhanced Profile (“Enhanced Profile Subscription”), including the ability to place a business summary, photo and links to your website on the profile page and an account hosted by us to store consumer inquiries (“Services”). These Terms, together with any additional terms on the applicable order form for each Enhanced Profile Subscription (“Order Form”), our Privacy Policy and any and all other policies or procedures related to the use of the Services as updated from time to time by WebMD Care (“Additional Terms”) constitute a binding, legal agreement between you and WebMD Care (collectively, the “Agreement”). Your continued use of the Services after any such change takes effect will be deemed to constitute your acceptance of any such change and your agreement to the new terms. In the event of a conflict between an Order Form and these Terms, the Order Form will govern such conflict. This Agreement will be effective as of the date you sign up for an account, or by accessing or using the Services (“Effective Date”).

  1. PAYMENT

You will pay WebMD Care for the Services according to the fees set forth in the applicable Order Form. All fees and charges are nonrefundable. Failure to remit full payment by the payment due date will result in the immediate suspension of the Services. In the event of any pricing change, WebMD Care will provide written notice to you at least two (2) weeks prior to the pricing change taking effect. You may cancel the automatic renewal by providing WebMD Care with thirty (30) days written notice and submitting a completed cancellation form, provided by your account manager, within that same thirty (30) day period. Once the cancellation form is submitted, Services will be shut off as of the end of the then-current term. However, if the cancellation form is submitted after the 30-day period prior to the expiration of the then-current term, the term will auto-renew and you will be charged for such Services. Your cancellation notification must be emailed or mailed to your account manager. Cancellations by voicemail will not be accepted. WebMD Care will not credit you for partial months of service. If you disagree with any charges, you must contact [email protected] or 310-622-9191 ext 5 to dispute within sixty (60) days of WebMD Care charging you for the disputed amount, or you waive any such dispute.

  2. CONTENT OWNERSHIP AND REPRESENTATIONS

You acknowledge and agree that all information, data, text, photographs, images, video, survey responses, messages or other materials communicated or transmitted using the Services, including your trademarks, logos and other branded materials (“Content”), whether publicly posted or privately transmitted, are owned by you and are your sole responsibility. You, and not WebMD Care, are responsible for all Content that you (or WebMD Care at your direction) uploads, posts, emails, distributes, communicates, transmits, or otherwise makes available to you or your clients using the Services, or that is otherwise made available through the use of your WebMD Care account or profile.

  3. WEBMD CARE LICENSE

You grant to WebMD Care a non-exclusive, irrevocable, royalty-free, worldwide, perpetual, transferable, unrestricted right and license, with the right to sublicense, to use, reproduce, modify, adapt, copy, distribute, create derivative works of, translate, edit, reformat, perform and display (publicly or otherwise) the Content in connection with the Services, including incorporating Content into any form, medium or technology now known or later developed throughout the universe, for the purposes of developing, providing, displaying, and marketing the Services. WebMD Care may compile and use aggregated non-personal information taken from your Content and provide such information to third parties. You represent that you own, or otherwise have sufficient rights and authorization in and to all Content such that you may grant to WebMD Care the license granted above. You acknowledge that users may rely upon the Content when requesting an appointment with your office and you agree that the Content you or your office submits will be accurate, complete and not misleading in any respect.

  4. NO REFERRALS OR GUARANTEES

Neither WebMD Care nor the Services are a physician or dentist referral service. The Services are a form of advertising and do not guarantee you will receive new business. WebMD Care does not guarantee that any lead will become a client or need the services they sought.

  5. SERVICE MONITORING

We reserve the right to view, monitor and record activity used in connection with the Services without notice to or permission from you. We may disclose any records, electronic communications, information, materials or other content of any kind at our sole discretion. If it comes to our attention, or we are notified of an allegation, that the use of the Services contains any false, deceptive or misleading information or violates these Terms, then we may, but have no obligation to, investigate the allegation and determine in our sole discretion whether to remove or request the removal of the same from the Services.

  6. TERM AND TERMINATION

This Agreement commences on the Effective Date, and continues through the latest expiration of all Enhanced Profile Subscription(s) and Order Forms subject to this Agreement, unless earlier terminated as provided herein. We reserve the right, at any time and for any reason, without notice to you: (i) to deny you access to the Services; (ii) to change, remove or discontinue the Services; or (iii) to terminate this Agreement. Upon termination of this Agreement, you may no longer access, browse or use the Services. If a Service is withdrawn, then you will only pay WebMD Care the pro rata fees for such Services through the date the Services ceased to be provided.

  7. YOUR REPRESENTATIONS, WARRANTIES AND OBLIGATIONS

7.1 License to Practice
 

You represent that you are a provider validly licensed to practice dentistry or medicine, as applicable, and/or your advertised specialty as required by the applicable jurisdictions in which you practice. You are solely responsible for compliance with all laws, rules, and regulations governing dentist or physician advertising, ethical obligations, licensure, and the practice of dentistry and/or medicine, promulgated by any applicable jurisdiction, court, dental or medical association (as applicable), and any other governing body which are applicable to you, your office locations and staff or other representatives and your use of the Services. You will notify us immediately if there is a change in your applicable licensure status.

7.2 Insurance
 

During the term of this Agreement, you represent that you hold professional liability insurance in an amount appropriate for your practice and required by your state. Upon our request, you agree to provide written proof and evidence of such professional liability insurance within three (3) business days of our request.

7.3 Content
 

You are solely responsible for the Content. You are liable for any material protected by copyright, trademark, patent or trade secret law used in the Content without the permission of the author or owner, and for defamatory materials in any of your Content. WebMD Care is not responsible for reviewing the Content before it appears on the Services. You represent and warrant that (i) the Content you provide and any other provided information will be in compliance with the laws, rules, and regulations governing advertising, ethics, communications with patients and potential patients, licensure, and other obligations governing the Services in the state and locality in which you and your office are licensed (collectively "Advertising and Ethics Rules"); (ii) the Content contains no offensive, harassing, inflammatory, defamatory, indecent, or obscene material, (iii) the Content is not false, misleading, deceptive, or fraudulent; (iv) you will endeavor in good faith to honor all promises, offers, and statements you make in the Content and in any related materials, products, services, or communications you offer or make through the Content; (v) you own or are authorized to use the Content and all trademarks, trade names, and similar materials of any kind which are included in the Content; and (vi) the Content does not infringe upon or violate any intellectual property, proprietary, or other rights of WebMD Care and any third party. WebMD Care reserves the right, in its sole discretion, to refuse to display or to remove from the Services at any time any Content that it reasonably regards as violating this provision. WebMD Care reserves the right to release current or past information related to you if WebMD Care believes that you or any of your Content, any of the Services you ordered, or your account is in violation of any criminal laws or is being used to commit unlawful acts, or if the information is subpoenaed. 
You will notify WebMD Care promptly of any changes or inaccuracies in the Content of which you are aware or should be aware of at any time during the Term which are reasonably required to be made or corrected in order for the Content to be complete and accurate in all material respects and not misleading in any way.

7.4 Cooperation
 

You will reasonably and promptly cooperate with WebMD Care and its third party providers, throughout the term of this Agreement in providing accurate and complete information necessary for the provision of the Services and to allow WebMD Care to comply with the reporting obligations and Advertising and Ethics Rules related to the provision of the Services.

7.5 Communications
 

You agree that you assume all responsibility for determining which of the leads to pursue. If you include your email address or other contact information in any profile, posting or other content, resulting in your receiving email or other communications sent from any third party, you acknowledge that you have the sole discretion whether to respond to that sender, who may be an impostor, and you do so at your sole risk. You are solely responsible for assessing the integrity, authenticity, honesty and trustworthiness of all persons with whom you choose to communicate. You agree that WebMD Care will have no liability or responsibility whatsoever for any communications, agreements or transactions between you and any third party.

7.6 Surcharges
 

You agree that you will not charge more than your usual or customary fees to consumers matched with you pursuant to the Services.

7.7 TCPA Compliance
 

You agree that calling leads through the use of auto-dialer technology of any kind, including, but not limited to, prerecorded calls or calls/text messages to cellular phones, are at your own risk. You assume any and all liability for violations of the Telephone Consumer Protection Act of 1991, as amended (the “TCPA”), and other state and federal privacy laws. You agree to indemnify us against such liability resulting from your actions or inactions in violation of the TCPA and other state and federal privacy laws.

  8. HIPAA AND LAWS

In accordance with the provisions of the Health Insurance Portability and Accountability Act of 1996, and the regulations promulgated thereunder, including the Privacy Rule and Security Rule, as amended ("HIPAA"), you agree to follow and abide by the following (all undefined terms have their meaning defined by the HIPAA regulations):

  • Ensuring that your use of the Services complies with applicable law, including but not limited to laws relating to maintenance of privacy, security, and confidentiality of patient and other health information.
  • Implement and maintain appropriate administrative, physical and technical safeguards to protect information within the Services.
  • Such safeguards must comply with federal, state, and local requirements, including the Privacy Rule and the Security Rule.
  • Maintain appropriate security with regard to all personnel, systems, and administrative processes used by you or members of your workforce to transmit, store and process electronic health information through the use of the Services.
  • By using our Services, you consent to the terms of our WebMD Care Business Associate Agreement set forth below and you agree to protect any information received through such communication services in accordance with the terms of such business associate agreement.
     
  9. SPECIALLY PROTECTED INFORMATION:
     

We apply the standards of the Privacy Rule in permitting access to the Services.

  • You acknowledge that other federal and state laws impose additional restrictions on the use and disclosure of certain types of health information, or health information pertaining to certain classes of individuals.
  • You agree that you are solely responsible for ensuring that personal health information is subject to the restrictions of the Privacy Rule and applicable law. In particular, you will:
    • not make available to other users through the Services any information in violation of any restriction on use or disclosure (whether arising from your agreement with such users or under law);
    • obtain all necessary consents, authorizations or releases from individuals required for making their personal health information available to us; and
    • include such statements (if any) in your notice of privacy practices as may be required.

 

We are committed to maintaining the confidentiality of information entrusted to us, especially individually identifiable personal and health information. We follow the policies and procedures we have documented in our HIPAA Privacy Policy and Security Policy. Some acquired companies, including their products and services may operate under their own privacy policies until we integrate their privacy practices with ours. You are responsible for determining if the Services meet your compliance standards.

  10. OUR USE OF PROTECTED HEALTH INFORMATION

Our Services may include use of your patients' Protected Health Information that you or your personnel input or upload onto the Services or that we receive on your behalf from your authorized service providers or our third party partners ("Your Health Information"). You retain all rights with regard to Your Health Information, and we will only use such information as expressly permitted in this Agreement and our Business Associate Agreement. You authorize us, as your business associate, to use and disclose Your Health Information as follows:

  • We will permit access to Your Health Information by business associates to whom you have consented to provide access to the Services and who have otherwise agreed to integrate with our systems pursuant to appropriate assurances (i.e. practice management integration vendor). You acknowledge that once we have granted access rights to another provider or covered entity (or their respective business associates), we have no control over the uses and disclosures that the business associate makes of Your Health Information, and the recipient may be subject to its own legal or regulatory obligations (including HIPAA) to retain such information and make such information available to patients, governmental authorities and others as required by applicable law or regulation.
  • We may "De-Identify" (means health information that has been de-identified in accordance with the provisions of the Privacy Rule) Your Health Information and use and disclose de-identified information as provided by Section 11.
  • We may create limited data sets from Your Health Information, and disclose them for any purpose for which you may disclose a limited data set; and you hereby authorize us to enter into data use agreements on your behalf for the use of limited data sets, in accordance with applicable law and regulation.
  • We may use Your Health Information in order to prepare analyses and reports, such as activity or quality-metrics reports, or any other reports the Services makes available, in order to render these reports to you. Preparation of such analyses and reports may include the use of data aggregation services relating to your treatment and health care operations, which we may perform using Your Health Information. Such reporting will be done in a manner that does not make any disclosure of Your Health Information that you would not be permitted to make.
  • We may use Your Health Information for the proper management and administration of the Services and our business, and to carry out our legal responsibilities. We may also disclose Your Health Information for such purposes if the disclosure is required by law, or we obtain reasonable assurances from the recipient that it will be held confidentially and used or further disclosed only (a) as required by law (as such term is defined in 45 CFR §164.103), or (b) for the purpose for which it was disclosed to the recipient, and the recipient notifies us of any instances of which it is aware in which the confidentiality of the information has been breached. Without limiting the foregoing, we may permit access to the system by our contracted system developers under appropriate confidentiality agreements.
  • We may use Your Health Information and Directory Information (defined below) to contact your patients on your behalf for certain Services, including (a) for treatment and health care operations messages, including sending appointment requests and reminders or post-visit treatment satisfaction surveys; (b) to request authorization on your behalf from your patients to use or disclose their health information for any purpose for which use or disclosure may be made with an appropriate authorization, including marketing purposes; and (c) to provide information about health-related products or services that you provide, or that we provide on your behalf as your business associate.
  • From time to time we may incorporate information we receive from your authorized service providers, or our third party partners into the Services we provide to you. Such information may include, without limitation, clinical information such as lab results, imaging results, eligibility information, and prescription history; and shall, upon incorporation into the Services, be treated as "Your Health Information" for all purposes hereunder. You hereby authorize us to request and receive such information on your behalf from such authorized service providers or our third party partners.
     
  11. DE-IDENTIFIED INFORMATION

In consideration of our provision of the Services, you hereby transfer and assign to us all right, title and interest in and to all De-Identified Information that we make from Your Health Information. You agree that we may use, disclose, market, license and sell such De-Identified Information for any purpose without restriction, and that you have no interest in such information, or in the proceeds of any sale, license, or other commercialization thereof. You acknowledge that the rights conferred by this Section are the principal consideration for the provision of the Services, without which we would not enter into this Agreement.
 

  12. INDIVIDUALS’ RIGHTS

You are solely responsible for affording individuals their rights with respect to relevant portions of Your Health Information, such as the rights of access and amendment. You will not undertake to afford an individual any rights with respect to any information in the Services other than Your Health Information.

  13. ELECTRONIC COMMUNICATIONS

Use of the Internet and electronic communication tools are solely at your own risk and are subject to all applicable local, state, federal, and international laws and regulations. While we have endeavored to create secure and reliable Services, please be advised that the confidentiality of any communication or material transmitted to us over the Internet, including email, cannot be assured. You acknowledge that no method of transmission over the Internet, or method of electronic storage, including email, is 100% secure.


13.1 Email
 

We retain the right, at our sole discretion, to restrict the volume of messages transmitted or received by you in order to maintain the quality of our email services to other customers and to protect our computer systems. Email Services may not be used for bulk mail or mass mailings.

Privacy and Security Rules


The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).
 

You must ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C and take the following precautions when using e-mail or text Services to avoid unintentional disclosures:

  • Verify the e-mail address and phone number for accuracy before sending, or send an e-mail alert to the patient for address confirmation prior to sending the message.
  • Limit the amount or type of information disclosed through the unencrypted e-mail or text message.

You further represent:

  • You have appropriate privacy notices warning patients about the potential security risks of transmitting protected health information using email over the non-secure portion of the Internet.
  • You have accurately disclosed your practice’s privacy practices including mentioning you have business associates who may host, transmit and store personal information in connection with email, text, appointment reminders and other services.
  • You have obtained and documented patient consent to include personal health information in email and text message.
  • You will manually encrypt transmitted files including PHI that you are sending to patients.

CAN-SPAM
 

You agree to comply with all elements of CAN-SPAM and safe sender email practices. This includes but is not limited to including unsubscribe links, your full contact information in all correspondence, and not releasing private and/or confidential information. You may only use email services for those customers with which you have an existing business relationship and which have indicated that they accept correspondence from you. You may not attempt to spoof sender domains, send spam or other offending email. Because of carrier technologies, we make no expressed or implied warranty of individual message receipt. We are not liable for any issues that arise associated with the content that you provide or unforeseen liabilities of it being delivered.

13.2 Text Messages

We may automate text message communications as a Service, but you are responsible for ensuring that the recipients of those communications have provided prior express written consent to receive them. The prior express written consent must identify that you may be sending text messages related to your goods and services using automated technology and that your customer affirmatively agrees to receive such messages. The prior express consent must include your customers’ written or electronic acceptance. Specifically, by entering a cell phone number into your management system or the WebMD Care system and not opting such cell phone out of the WebMD Care text message feature, you are directing WebMD Care to automatically send text message reminders and other communications to such cell phone and certifying that the user of such cell phone consents to the receipt of those messages. For Canada based businesses, you agree to adopt the double opt-in process consisting of 1) you may only use text message services for those customers with which you have an existing business relationship and which have indicated that they accept correspondence from you and 2) the customers must reply to an opt-in message from their handset. For reliable delivery, you must adhere to message limitations including length and delivery. You are responsible for all liability for any failure to receive consent or failure to opt users out of the text message feature. Additionally, you may not attempt to spoof sender domains, send spam or other offending text messages. We make no expressed or implied warranty of individual message receipt. Standard text message rates apply for all text message services. We are not liable for any issues that arise associated with the content that you provide or unforeseen liabilities of it being delivered.

  14. DISCLAIMERS

EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT ANY WARRANTY OF ANY KIND. THE SERVICES MAY CONTAIN TECHNICAL OR OTHER INACCURACIES. TO THE FULLEST EXTENT PERMISSIBLE PURSUANT TO APPLICABLE LAW, WE DISCLAIM ALL WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO: (I) ANY WARRANTIES CONCERNING THE AVAILABILITY, ACCURACY, RELIABILITY, COMPLETENESS, CURRENCY, QUALITY, PERFORMANCE OR SUITABILITY OF THE SERVICES; (II) ANY WARRANTIES CONCERNING COMPLIANCE WITH APPLICABLE FEDERAL AND STATE LAWS, INCLUDING ADVERTISING OR REFERRAL SERVICES AND (III) ANY IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOU ASSUME ALL RISK FOR ANY VIOLATION OF THE ADVERTISING AND ETHICS RULES. WE DO NOT REPRESENT OR WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR THAT DEFECTS, IF ANY, WILL BE CORRECTED. YOU EXPRESSLY AGREE THAT YOUR USE OF THE SERVICES IS ENTIRELY AT YOUR OWN RISK. FURTHER, WE EXPRESSLY DISCLAIM ANY AND ALL RESPONSIBILITY AND LIABILITY WITH RESPECT TO SEPARATE AGREEMENTS YOU MAY MAKE WITH PATIENTS, CONSUMERS OR USERS, AND YOU WILL LOOK SOLELY TO SUCH PERSONS AND/OR ENTITIES WITH RESPECT TO ANY AND ALL CLAIMS ARISING OUT OF SUCH AGREEMENTS.

  15. LIMITATION OF LIABILITY

WEBMD CARE WILL NOT BE LIABLE FOR ANY DAMAGES RESULTING FROM YOUR USE OF, OR RELIANCE UPON, THE SERVICES. IN THE EVENT OF ANY PROBLEM WITH THE SERVICES, YOUR SOLE REMEDY IS TO CEASE USING THE SERVICES. UNDER NO CIRCUMSTANCES WILL WE OR ANY OF OUR DIRECTORS, OFFICERS, SHAREHOLDERS, PROPRIETORS, PARTNERS, EMPLOYEES, AGENTS, REPRESENTATIVES, SERVANTS, ATTORNEYS, PREDECESSORS, SUCCESSORS OR ASSIGNS, BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, LOST PROFITS AND DAMAGES THAT RESULT FROM INCONVENIENCE, DELAY, OR LOSS OF USE) ARISING OUT OF USE OF THE SERVICES, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN THE EVENT THAT, NOTWITHSTANDING THE FOREGOING EXCLUSIONS OF LIABILITY, WEBMD CARE OR ANY OF OUR DIRECTORS, OFFICERS, EMPLOYEES, OR AGENTS IS LIABLE TO YOU FOR ANY AMOUNTS UNDER THIS AGREEMENT UNDER ANY THEORY OF RECOVERY, WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, SUCH TOTAL LIABILITY, IN RESPECT OF SUCH AMOUNTS, WILL NOT EXCEED THE AMOUNTS PAID BY YOU FOR THE SERVICES DURING THE 12 MONTHS IMMEDIATELY PRECEDING THE DATE OF THE CLAIM OR CAUSE OF ACTION. IN ADDITION TO THE FOREGOING, WEBMD CARE SHALL NOT BE LIABLE FOR ANY LOSS, INJURY, CLAIM, LIABILITY OR DAMAGE OF ANY KIND RESULTING FROM YOUR NON-COMPLIANCE WITH ALL LOCAL AND STATE ETHICS RULES, INCLUDING BUT NOT LIMITED TO RULES PROMULGATED BY STATE LICENSING BOARDS AND AUTHORITIES, OR OTHER APPLICABLE RULES OR FROM YOUR VIOLATION OF SUCH RULES. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages; thus, this limitation might not apply to you.

  16. INDEMNIFICATION

You will defend, indemnify, and hold WebMD Care, its shareholders, directors, officers, employees, agents, partners or licensees harmless for all claims, demands, liabilities, damages, losses and expenses (including reasonable attorneys’ fees) arising out of or in connection with: (i) your use of the Services, including your use of or reliance on any information or materials obtained through the use of the Services; (ii) your breach of this Agreement, including any of your representations and warranties under this Agreement, (iii) your contravention of any applicable law, statute, ordinance, or regulation, including, but not limited to, the Advertising and Ethics Rules; and (iv) your violation or infringement of any intellectual property rights or privacy rights of any third party.

  17. CONFIDENTIALITY

The Agreement, including but not limited to its terms, conditions and pricing information is "Confidential Information" of WebMD Care. You will receive and maintain Confidential Information in trust and confidence and not disclose or provide access to the Confidential Information to any third party. You will further limit disclosure within your organization to those persons who have a "need-to-know". You understand disclosure of Confidential Information may cause competitive harm to WebMD Care. If you breach this confidentiality provision, WebMD Care may, at its option, and in addition to any other remedy it may have under the Agreement, at law or in equity, immediately terminate the Services provided under the Agreement.

  18. ELECTRONIC COMMUNICATIONS

You have affirmatively opted in to, or otherwise validly and expressly consented to, receiving communications from us. Use of the Services is solely at your own risk and is subject to all applicable local, state, federal, and international laws and regulations. While we have endeavored to create secure and reliable Services, please be advised that the confidentiality of any communication or material transmitted to us or by us over the Internet, email or other communications cannot be guaranteed. Consequently, we are not responsible for the security of any information transmitted via the Internet or the Services. Should you elect Services involving email communications with patients, you represent to WebMD Care that you have the rights to use the patients’ email and share with us for the purpose of sending communications.

  19. GENERAL

This Agreement contains the final and entire agreement regarding your use of the Services and supersedes all previous and contemporaneous oral or written agreements. The failure by either party to enforce any right or provision of this Agreement will not constitute a waiver of that provision or of any other provision of this Agreement. If any provision of this Agreement is determined to be invalid or unenforceable by a court, such provision will be deemed severable and the remainder of this Agreement will remain in full force and effect. You may not assign this Agreement without the prior written consent of WebMD Care. WebMD Care will not be liable for any damage, delay, or failure to perform resulting directly or indirectly from a force majeure event. This Agreement will be binding on, and will inure to the benefit of, the parties and their respective successors and permitted assigns. Both parties agree that this Agreement, as well as any and all claims arising from this Agreement will be governed by and construed in accordance with the laws of the State of California, without reference to its conflicts of law rules, and the parties irrevocably submit to the exclusive jurisdiction and venue of the courts of Los Angeles County, California and the Central District Court of California, respectively. The parties are independent contractors and this Agreement does not create an agency, partnership or joint venture. This Agreement may be executed in multiple counterparts, each of which will constitute an original and all of which taken together will constitute one and the same Agreement. The counterparts of this Agreement may be executed and delivered by electronic means, and such electronic means shall be deemed original signatures for purposes of this Agreement.

  1. NOTICES

All notices and other communications required or permitted to be given by WebMD Care to you under this Agreement will be deemed to be properly given on the date when sent by email to the email address for you last recorded by WebMD Care, or sent by postal mail or private courier to the postal address for you last recorded by WebMD Care. All notices and other communications required or permitted to be given by you to WebMD Care under this Agreement will be deemed to be properly given on the date when sent by postal mail or private courier to 909 N. Pacific Coast Highway, 11th Floor, El Segundo, CA 90245, Attention: Legal Department, with a copy sent to [email protected]

Business Associate Agreement (“BAA”) 

This Business Associate Agreement (“BAA”) is entered into by and between MH Sub I, LLC, (“Business Associate”) and you (“Healthcare Provider”), (each a “Party” and collectively the “Parties”), who have entered into a Service Agreement (“Agreement”) with Business Associate (“the Services”).

Whereas the use and disclosure of certain health-related information, the electronic transmission of certain health-related information, and the security of certain health-related information is regulated by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations widely known thereunder, as amended and supplemented by the HITECH Act, Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. §§ 17921-17954, and its implementing regulations, as each is amended from time to time (collectively referred to as “HIPAA”). 

Whereas Healthcare Provider, from time to time, discloses Protected Health Information (“PHI”), as defined in this BAA, and Business Associate, from time to time, uses, creates and/or maintains PHI, and/or electronically transmits PHI; and both Parties are committed to complying with HIPAA and the Parties agree to enter this mutually acceptable BAA as necessary to so comply.  

This BAA hereby amends and is incorporated into any underlying Agreement between Healthcare Provider and Business Associate. With the exception of the terms and conditions set forth in this BAA, all other terms and conditions of the Agreement shall remain unaltered and in full force and effect. To the extent that the provisions of this BAA conflict with those of an underlying Agreement, the provisions of this BAA shall control. Capitalized terms used but not otherwise defined herein shall have the same meaning as those terms defined in the Privacy Rule and Security Rule.

If in the provision of Services to Healthcare Provider, Business Associate representatives may receive or have access to PHI that is created and/or maintained by Healthcare Provider, Business Associate and Healthcare Provider shall be bound by the following terms:

1. Permitted Uses and Disclosures

  1. Use and Disclosure. Business Associate may use and disclose PHI, if in the course of performing Services for or on behalf of Healthcare Provider or as required or permitted by law, or court process. “Protected Health Information” or “PHI” shall have the meaning given to it under the Privacy Rule, but shall be limited to the information created, accessed, transmitted or maintained by Business Associate for or on behalf of Healthcare Provider. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A, D and E, as amended and in effect.
  2. Compliance with Privacy Rule and Security Rule.  Business Associate shall not use or disclose PHI received from Healthcare Provider in any manner that would constitute a violation of the Privacy Rule or Security Rule, as defined below, if used by Healthcare Provider, except that Business Associate may: (i) use or disclose PHI for Business Associate’s proper management and administration; (ii) to carry out any of its legal responsibilities; (iii) provide data aggregation services related only to Healthcare Provider’s Operations; and (iv) de-identify any and all PHI provided that the de-identification conforms to the requirements of 45 C.F.R. §164.514.  Any permitted disclosure of PHI to a third party must be either required by law or subject to reasonable assurances from the third party to whom the information is disclosed that: (1) it shall be held confidentially, and be used or further disclosed only as required by law or the purpose for which it was disclosed to that third party; and (2) the third party will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. “Security Rule” means the Standards for Security for the Protection of Electronic Protected Health Information, codified at 45 CFR parts 160 and 164, Subparts A and C, as amended and in effect.
  3. Services.  Except as otherwise limited by this BAA, Business Associate may use or disclose the PHI necessary to perform the Services.

2. Business Associate Obligations. Business Associate shall agree to the following:

  1. Appropriate Safeguards. Business Associate shall comply with the requirements of the Security Rule that apply to HIPAA business associates including, but not limited to, implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic Protected Health Information.  “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to the information that Business Associate creates, accesses, maintains or transmits for or on behalf of Healthcare Provider.
  2. Agents and Subcontractors. Business Associate shall require all of its agents and subcontractors that create, receive, maintain, or transmit Healthcare Provider’s PHI on behalf of Business Associate to agree, in writing, to the same restrictions, terms and conditions that apply to Business Associate through this BAA.
  3. Reporting.
     1. Business Associate shall report to Healthcare Provider any Security Incident, Breach of Unsecured PHI, and any access, use or disclosure of PHI that is not permitted by this BAA of which Business Associate becomes aware.
     2. To the extent that any such reportable occurrence involves a Breach of Unsecured PHI, Business Associate shall provide notice to Healthcare Provider in accordance with the requirements of 45 C.F.R. § 164.410, but in no event more than seven (7) business days following Discovery of the occurrence. Such notification shall include, to the extent possible, the following information: (1) the identity of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during the Breach; and (2) any particular information regarding the Breach that Healthcare Provider would need to include in its notification to the individual, the media and/or the Secretary of the U.S. Department of Health and Human Services (“Secretary”), as applicable, including, without limitation, a non-privileged description of the Breach, the date of the Breach and its discovery, the types of Unsecured PHI involved and a description of Business Associate’s investigation, mitigation and prevention efforts.
     3. For purposes of the above subsection (ii), the terms “Breach,” and “Unsecured PHI” shall have the same meaning given those terms under 45 C.F.R. § 164.402.
     4. The Parties agree that this section satisfies any reporting required by Business Associate of attempted but Unsuccessful Security Incidents (as defined herein) for which the Parties agree no additional report shall be required. For purposes of this BAA, “Unsuccessful Security Incidents” include but are not limited to activity such as “pings” and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any other attempts to penetrate such computer networks or systems that do not result in unauthorized access, use or disclosure of Electronic Protected Health Information.
  4. Access to Internal Practices. At the request of Healthcare Provider or the Secretary, Business Associate shall make its internal practices, books and records (including policies and procedures) relating to the use and/or disclosure of PHI available to the Secretary for purposes of the Secretary determining Healthcare Provider’s and Business Associate’s compliance with HIPAA.
  5. Access to PHI. Only to the extent Business Associate agrees to maintain PHI in a Designated Record Set on behalf of Healthcare Provider, provide access to such PHI to Healthcare Provider within fifteen (15) business days of receipt of a written request by Healthcare Provider, in order for Healthcare Provider to meet its obligations under the Privacy Rule at 45 C.F.R. § 164.524. If an Individual submits a request for access directly to Business Associate, Business Associate shall notify Healthcare Provider after receiving such request. Healthcare Provider shall be responsible for responding to such requests.
  6. Amendments to PHI. Only to the extent Business Associate agrees to maintain PHI in a Designated Record Set on behalf of Healthcare Provider, provide access to such PHI to Healthcare Provider, within fifteen (15) business days of receipt of a written request by Healthcare Provider, in order for Healthcare Provider to meet its obligations under 45 C.F.R. § 164.526. If an Individual requests an amendment of PHI directly from Business Associate, Business Associate shall notify Healthcare Provider after receiving such request. Healthcare Provider shall be responsible for responding to such requests. Any denial of amendment of PHI maintained by Business Associate shall be the responsibility of Healthcare Provider.
  7. Accounting of Disclosures. To the extent applicable, agree to document disclosures of PHI and information related to such disclosures as would be required for Healthcare Provider to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Privacy Rule at 45 C.F.R. § 164.528.  Business Associate shall provide Healthcare Provider with such documentation within fifteen (15) business days of receipt of a written request from Healthcare Provider. If an Individual submits a request for an accounting of disclosures of PHI directly to Business Associate, Business Associate shall notify Healthcare Provider of such request and provide Healthcare Provider the aforementioned documentation. Healthcare Provider shall be responsible for responding to such requests.
  8. Minimum Necessary. Business Associate shall use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure in accordance with 45 C.F.R. §164.502(b).
  9. Healthcare Provider’s Privacy Rule Obligations. To the extent Business Associate is to carry out one or more of Healthcare Provider’s obligation(s) under the Privacy Rule, Business Associate shall comply with the requirements of HIPAA that apply to Healthcare Provider in the performance of such obligation(s).

3. Healthcare Provider Obligations. Healthcare Provider agrees to:

  1. obtain any consent, authorization or permission that may be required by HIPAA or any other applicable federal, state or local laws and/or regulations prior to furnishing Business Associate the Protected Health Information pertaining to an Individual; 
  2. notify Business Associate of any limitations in the notice of privacy practices of Healthcare Provider under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI;
  3. not furnish Business Associate Protected Health Information that is subject to any arrangements permitted or required of the Healthcare Provider, including but not limited to, arrangements agreed to by Healthcare Provider under 45 C.F.R. § 164.522 that may impact in any manner the use and/or disclosure of Protected Health Information by the Business Associate under this BAA and the Agreement;
  4. notify Business Associate of any changes in, or revocation of, the permission provided to Healthcare Provider by an Individual to use or disclose his or her PHI pursuant to 45 C.F.R. §164.508, to the extent that such changes may affect Business Associate’s use or disclosure of PHI;
  5. inform Business Associate of any amendments to PHI that Healthcare Provider has agreed to under 45 C.F.R. §164.526 that relate to PHI upon which Business Associate relies to perform the Services and that would not otherwise be known to Business Associate;
  6. not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Healthcare Provider; and
  7. be responsible for notifying Individuals, Media, and the Secretary of a Breach of PHI by Healthcare Provider or Business Associate in accordance with the Privacy Rule. 

4. LIMITATION OF LIABILITY; INDEMNIFICATION. 

  1. NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. 
  2. Business Associate and Healthcare Provider will indemnify and hold harmless the other Party and any of its affiliates, officers, directors, employees or agents from and against any third party claim, cause of action, liability, damage, cost or expense, including attorneys’ fees and court or proceeding costs, caused by indemnitor’s material breach of this BAA.  Notwithstanding the foregoing, Business Associate’s indemnification obligations under this BAA shall not extend to indirect, consequential or punitive damages or any costs or damages that are not directly caused by Business Associate’s breach of this BAA, including but not limited to: (i) any actual or perceived costs or damages by Healthcare Provider resulting from Healthcare Provider’s provision to Business Associate of more than the Minimum Necessary amount of PHI than Business Associate required to perform services pursuant to the Agreement; and (ii) any actual or perceived reputational harm or loss of future revenues suffered by Healthcare Provider.  Furthermore, each Party’s aggregate liability under this BAA shall not exceed the amounts paid by Healthcare Provider during the period of twelve (12) months prior to the event giving rise to the claim.

5. Term and Termination

  1. The term of this BAA shall be effective as of the Effective Date and shall continue in effect until all PHI is destroyed or returned to Healthcare Provider.  If it is infeasible to return or destroy all PHI, the protections of this BAA are extended to such information in accordance with the termination provisions in this Section.  Any other provision of this BAA notwithstanding, if Healthcare Provider determines that Business Associate has breached a material term of this BAA, Healthcare Provider shall provide Business Associate with a reasonable opportunity to cure the breach or may terminate the Agreement if cure is not feasible. Any other provision of this BAA notwithstanding, if Business Associate knows of a pattern of activity or practice of Healthcare Provider that constitutes a material breach or violation of this BAA, Business Associate shall provide Healthcare Provider with a reasonable opportunity to cure the breach or may terminate the Agreement if cure is not feasible.
  2. Except as provided herein, upon termination of the Agreement or this BAA, Business Associate shall return or destroy all PHI and retain no copies of such PHI in any format, if it is feasible to do so. With regard to any PHI that is not returned or destroyed at the termination of the Agreement or this BAA, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for as long as Business Associate maintains such PHI.  In addition, Business Associate shall maintain the PHI in accordance with the records retention requirements under the Privacy Rule and Security Rule. Upon termination of this BAA, the services set forth in the Agreement involving the use or disclosure of PHI shall similarly terminate.

6. Agreement. This BAA constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements between the Parties, whether oral or written, with respect to the subject matter of this BAA. Any ambiguity in this BAA shall be resolved to permit Healthcare Provider to comply with HIPAA. This BAA may be amended only in writing signed by Healthcare Provider and Business Associate. The parties agree to take such action to amend this BAA as is necessary to comply with the requirements of HIPAA. This BAA and the rights and obligations of the parties hereunder shall in all respects be governed by, and construed in accordance with, the laws of the State of California, including all matters of construction, validity and performance. Each party irrevocably submits to the exclusive jurisdiction of the state and federal courts residing in Los Angeles County, California and the Central District Court of California, respectively arising out of any disputes of this BAA. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever. Any provisions of this BAA that by their terms are intended to survive, shall survive the termination of this BAA. Business Associate and Healthcare Provider are and shall remain independent contractors throughout the term.  Nothing in this BAA shall be construed to constitute Business Associate and Healthcare Provider as partners, joint venturers, agents or anything other than independent contractors. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. This BAA shall be binding upon the Parties and their successors and permitted assigns.