Data Privacy and Data protection
This Agreement is made effective on [insert date], by and between BDS Digital Health Solutions GmbH, a company organized and operating under the laws of Germany, with its principal place of business at [insert address], (hereinafter “the Company”), and [Patient Name], residing at [insert address], (hereinafter “the Patient”), as well as a healthcare provider.
WHEREAS, the Company offers a telemedicine service called MedKitDoc, and the Patient has expressed an interest in using said service; and,
WHEREAS, it is the intent of all parties to ensure that the use of MedKitDoc is in compliance with all relevant state and federal laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
1 Definitions, Information Collected, Product Classification
1.1 In this Agreement, certain terms with initial capital letters are defined in this section or elsewhere in the Agreement as the context requires.
1.2 The Company may collect and process the following categories of Protected Health Information (PHI): health information, demographic information, contact information, device and usage information.
1.3a A “Healthcare Provider” is defined as any licensed or certified professional, including but not limited to, physicians, nurse practitioners, physician assistants, therapists, counselors, and other medical professionals who provide healthcare services to patients. This term also extends to entities such as hospitals, clinics, nursing homes, pharmacies, medical laboratories, and any other entity or individual that delivers healthcare services and engages with MedKitDoc for the purpose of providing or facilitating such services.
1.3b Healthcare Providers must be appropriately licensed, registered, or certified under the laws and regulations of their respective jurisdiction to practice their profession and must abide by all relevant professional standards and codes of conduct.
1.3c The Healthcare Provider’s use of the MedKitDoc platform must be within the scope of their license, certification, or registration and must comply with all applicable laws and regulations.
1.3d Any references to “Healthcare Provider” in this Agreement shall be interpreted in accordance with this definition.
1.4a A “Patient” refers to an individual who is registered with and utilizes the services provided by MedKitDoc to seek and receive healthcare services from Healthcare Providers via the MedKitDoc platform.
1.4b A Patient could be receiving healthcare services directly or acting on behalf of another individual, such as a minor or someone under their legal guardianship, in which case, the term “Patient” also refers to that individual.
1.4c Patients must provide accurate, complete, and timely information about their health status, medical history, and other relevant information as may be necessary for the effective delivery of healthcare services through the MedKitDoc platform.
1.4d The term “Patient” also includes the user of the MedKitDoc platform who may not be seeking medical services for themselves but for individuals under their care or supervision, as long as such use is in accordance with all applicable laws and regulations and the terms of this Agreement.
1.4e Any references to “Patient” in this Agreement shall be interpreted in accordance with this definition.
1.5 Product Classification
1.5a Pursuant to the comprehensive evaluation undertaken by the Company, MedKitDoc does not constitute a medical product under the jurisdiction of the U.S. Food and Drug Administration (FDA) regulation.
1.5b In undertaking the classification assessment, the Company meticulously examined the parameters set forth within Section 321(h)(1), Section 360j(o)(1), Section 360j(o)(2), and Section 360j(o)(3) of the Food, Drug, and Cosmetic Act (FD&C Act).
1.5.c After thorough applicability review of the aforementioned provisions, paired with an exhaustive analysis of analogous software solutions available within the United States marketplace, the Company has conclusively determined that MedKitDoc does not fall within the FDA’s regulatory scope.
1.5.d The conclusion of this assessment asserts that MedKitDoc aligns with the delineated functions outlined within Appendix A of the FD&C Act, specifically those referencing software functions that are not deemed to be medical devices, as MedKitDoc’s primary functions revolve around the transfer and storage of data.
1.5.e The company’s position is further reinforced by extensive competitive analysis, corroborating the assertion that MedKitDoc does not warrant FDA regulation.
1.5.f The users of MedKitDoc, both Healthcare Providers and Patients, are hereby notified of this classification and acknowledge that the Company has made this determination to the best of its knowledge and belief after careful review. However, users should be aware that regulatory circumstances can change, and the responsibility for remaining compliant with any changes lies with the user.
1.5.g The Company hereby declares that the MedKitDoc’s classification assessment, which identifies it as a non-medical product under the FDA regulation, is available for review and inspection at the Company’s principal place of business.
1.5.h Healthcare Providers or Patients wishing to inspect the classification assessment may do so upon a written request and subsequent approval from the Company. This inspection should occur within the Company’s standard business hours, adhering to all local regulations and the Company’s security and confidentiality protocols.
1.5.i Prior to the inspection, the requesting Healthcare Provider or Patient shall enter into a Non-Disclosure Agreement (“NDA”) with the Company. This NDA aims to protect all proprietary, confidential, and sensitive information that may be accessed or disclosed during the inspection.
1.5.j The Company maintains the right to reject any inspection request if it is deemed unreasonable, disruptive to the Company’s regular operations, or potentially infringing on the Company’s security, confidentiality policies, or any other legal obligations.
1.5.k All persons conducting an inspection must comply with the terms of the NDA, and are legally obliged to maintain confidentiality regarding all obtained information during the inspection.
1.5.l By using MedKitDoc, both Healthcare Providers and Patients acknowledge and agree to these conditions for any inspection of the classification assessment.
2 Children’s Privacy
2.1 The Services provided by the Company are not intended for use by individuals under the age of 18. The Company does not knowingly collect or solicit Protected Health Information (PHI) from individuals under 18.
2.2 Both Healthcare Providers and Patients agree and affirm that they will not knowingly provide or facilitate the provision of MedKitDoc services to individuals under the age of 18. If it is found that services have been provided to an individual under the age of 18, the Patient or Healthcare Provider involved will be solely responsible for any legal or financial repercussions that may arise as a result.
2.3 The Company will not bear any legal liability for breaches of this clause by the Patient or the Healthcare Provider. It is the responsibility of both the Patient and the Healthcare Provider to ensure that they comply with this requirement.
3 Obligations and Activities of the Company
3.1 Use and Disclosure. The Company will not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required by Law.
3.2 Safeguards. The Company will use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement. These include, but are not limited to, encryption, pseudonymization, and access controls.
3.3 Mitigation. The Company will mitigate, to the extent practicable, any harmful effect that is known to the Company of a use or disclosure of Protected Health Information by the Company in violation of the requirements of this Agreement.
3.4 Breach Notification. In case of a breach of unsecured PHI, the Company will notify the Patient without unreasonable delay and in any event within 60 days following the discovery of a breach.
3.5 Data Retention and Destruction. PHI will be retained as required by law. After such period, PHI will be destroyed in a manner ensuring that it cannot be reconstructed.
4 Permitted Uses and Disclosures by the Company
4.1 The Company may use or disclose Protected Health Information on behalf of, or to provide services to, the Patient as specified in the Service Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by the Patient.
4.2 The Company may use AWS and Twilio, as subcontractors, for the purposes of data processing and data storage, ensuring that these subcontractors are also compliant with the relevant laws and regulations, including HIPAA.
4.3 The Company shall not be held liable for non-compliance with changes in healthcare regulations or laws during the period required for adjustment and implementation of such changes.
4.4 The Company shall not be held liable for non-compliance with healthcare regulations or laws by their subcontractors.
5 Provisions for the Patient’s Privacy Rights
5.1 Access. The Company will provide access, at the request of the Patient, to Protected Health Information in a Designated Record Set, to the Patient or, as directed by the Patient, to an Individual in order to meet the requirements under Privacy Rule.
5.2 Amendment. The Company will make any amendment(s) to Protected Health Information in a Designated Record Set that the Patient directs or agrees to pursuant to the Privacy Rule at the request of the Patient.
5.3 Disclosure Accounting. The Company will provide to the Patient information collected in accordance with this Agreement, to permit the Patient to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the Privacy Rule.
5.4 Restrictions. The Patient has the right to request restrictions on certain uses and disclosures of Protected Health Information.
5.5 Alternative Communication. The Patient has the right to request to receive communications of PHI by alternative means or at alternative locations.
6 User Responsibilities, Limitations and Liability
6.1 User Responsibilities & User Error
6.1.a As a User, the Patient is responsible for providing fully operational mobile devices, including microphones and camera, and ensuring the operability of all devices connected via Bluetooth to their mobile phone or tablet. The effectiveness of MedKitDoc is contingent upon the functionality and compatibility of these devices.
6.1.b The Company disclaims any liability for errors made by Users in transmitting, interpreting, or utilizing health information through MedKitDoc. This includes, but is not limited to, errors made while entering health data or misunderstanding communications between the Patient and the healthcare provider.
6.2 Technology, Third-Party Device Data & Data Transmission
6.2.a The Company is not responsible for the collection, processing, or transmission of information captured by third-party devices, such as medical devices monitoring heart or lung sounds. The responsibility for the correctness and comprehensiveness of the captured information lies solely with the manufacturer of these devices.
6.2.b The Company is not responsible for the transmission of data between the Patient’s mobile devices and the healthcare provider. Any interruption, distortion, or loss of data during transmission is beyond the Company’s control and liability.
6.2.c The Company shall not be held liable for any damages or issues arising from system outages, technological glitches, or failures that may affect the delivery of the MedKitDoc services, including but not limited to, downtime due to maintenance, upgrades, or unforeseen technical issues.
6.2.d The Company shall not be held liable if certain services are unavailable due to reasons outside its control, including but not limited to, the unavailability of a specific healthcare provider.
6.3 Information, Access and data breaches
6.3.a The Company disclaims any liability for the accuracy, completeness, or usefulness of third-party content or resources made available through MedKitDoc, including but not limited to, educational articles, links to other websites, etc.
6.3.b The Company shall not be held liable for unauthorized access to a User’s personal health information, provided the Company has adhered to standard security protocols and applicable laws and regulations concerning data protection.
6.4 Medical Evaluation, (Mis-)diagnosis, Decision Making, Limitations, Healthcare Provider
6.4.a Healthcare providers are obliged to consider other medical indications and factors to make a comprehensive medical judgment. In the event of any doubt regarding the transmitted data, the healthcare provider is required to verify this data through additional measurements. The judgment and diagnosis made by the healthcare provider are solely their responsibility.
6.4.b The Company shall not be held liable for cases where the limitations of telemedicine result in misdiagnosis or incorrect treatment, as long as it’s not due to negligence from the Company’s part.
6.4.c The Company shall not be held legally responsible for any diagnosis made by the healthcare provider based on the use of MedKitDoc. Any claims relating to incorrect or incomplete diagnoses must be raised by the Patient against the healthcare provider directly. The Company carries no legal liability for the professional medical judgments and opinions of healthcare providers using its platform.
6.4.d The Company disclaims any liability related to the quality of services, decisions, or actions made by healthcare providers using its platform. The Company acts solely as an intermediary between healthcare providers and patients.
6.5 Agreement Acceptance
By using MedKitDoc, the Patient acknowledges and agrees to the terms set forth in this Agreement, especially the liability clauses. Any changes to this Agreement will be communicated, and continued use of our services indicates the Patient’s acceptance of any revisions. If the Patient disagrees with any part of this Agreement, they should discontinue the use of MedKitDoc.
7 Responsibility of Healthcare Providers
7.1 As a Healthcare Provider utilizing the MedKitDoc platform, you acknowledge and agree that you bear the sole responsibility for all actions, decisions, diagnoses, and treatment plans you develop and communicate in relation to the patients you serve through MedKitDoc. MedKitDoc is a technological platform designed to facilitate telemedicine services and does not provide any form of medical advice.
7.2 BDS Digital Health Solutions GmbH, the provider of MedKitDoc, carries no legal liability for your actions, your professional medical judgment, or the medical advice you provide. This includes, but is not limited to, instances of breach of contract, negligence, product liability, misrepresentation, data breaches, violation of regulatory standards, and loss of earnings related to your use of MedKitDoc.
7.3 You are solely accountable for the healthcare services you provide, and any legal issues or claims related to your provision of healthcare services should be directed to you or your professional liability insurer. This provision emphasizes the importance of adhering to the highest standards of patient care, and compliance with all applicable medical and professional laws and regulations. If you have any questions regarding this responsibility, you are encouraged to seek independent legal counsel.
8 Emergency Medical Situations
MedKitDoc is not intended for use in emergency situations. The Company shall not be held liable if a User inappropriately relies on MedKitDoc for an emergency medical situation.
9 Technical Support and Limitation of Liability
9.1 The Company provides technical support for the MedKitDoc services during the support hours stated within the application. In cases where no specific hours are stated, the Company shall provide a response to any reported technical issues within twenty-four (24) hours of receiving the report.
9.2 The Company does not guarantee a fixed solution time for resolving technical issues unless explicitly defined in a separate, contracted Service Level Agreement between the Patient or Healthcare Provider and the Company.
9.3 Upon experiencing a technical issue with the MedKitDoc services, the Patient and the Healthcare Provider agree to immediately cease any ongoing diagnostic activities on the platform until the issue is resolved.
9.4 The Company shall not be liable for any damages, losses or harms occurring as a result of the continued use of the MedKitDoc services after a technical issue has been reported to the Company. The Patient and the Healthcare Provider bear full responsibility for any outcomes arising from their decision to use the MedKitDoc services with the knowledge of the reported technical issue.
10 Accuracy of Information and Misuse of Services
10.1 Both the Patient and the Healthcare Provider agree and warrant that all information they provide for the purpose of registration and access to MedKitDoc services will be accurate, complete, and current. Any attempt to provide false or misleading information, or to impersonate another person, will be a violation of this Agreement.
10.2 The Company shall not be legally responsible or liable for any consequences arising out of the Patient’s or Healthcare Provider’s provision of false or misleading information during registration or at any point thereafter. This includes, but is not limited to, any legal or financial repercussions, losses, damages, costs, expenses, or liabilities.
10.3 The Patient and the Healthcare Provider agree to use MedKitDoc services in compliance with all the terms and conditions set forth in this Agreement, including our Privacy Policy. Any misuse or unauthorized use of MedKitDoc services will be considered a violation of this Agreement.
10.4 The Company reserves the right to suspend or terminate the Patient’s or Healthcare Provider’s access to the MedKitDoc services in the event of a violation of this clause, or any other clause in this Agreement.
11 Force Majeure
The Company shall not be held liable or responsible to the Patient or Healthcare Provider, nor be deemed to have defaulted under or breached this Agreement, for any failure or delay in fulfilling or performing any term of this Agreement, when and to the extent such failure or delay is caused by or results from acts beyond the Company’s reasonable control, including, without limitation: acts of God; flood, fire, earthquake or explosion; war, invasion, hostilities (whether war is declared or not), terrorist threats or acts, riot or other civil unrest; government order or law; actions, embargoes or blockades in effect on or after the date of this Agreement; action by any governmental authority; national or regional emergency; strikes, labor stoppages or slowdowns or other industrial disturbances; and shortage of adequate power or transportation facilities.
12 Limitation of Damages
To the extent permitted by applicable law, and notwithstanding any contrary provision of this Agreement, the total liability of the Company, its affiliates, officers, employees, agents, suppliers, and licensors, relating to the services, will be limited to an amount no greater than ten thousand US dollars ($10,000). The existence of more than one claim will not enlarge or extend this limit. The Parties acknowledge that these limitations on potential liabilities were an essential element in setting consideration under this Agreement.
Furthermore, in no event shall the Company, its affiliates, officers, employees, agents, suppliers, and licensors, be liable to anyone for any indirect, punitive, special, exemplary, incidental, consequential or other damages of any type or kind (including personal injury, loss of data, revenue, profits, use or other economic advantage) arising out of, or in any way connected with this service, including but not limited to the use or inability to use the service, or for any content obtained from or through the service, any interruption, inaccuracy, error or omission, regardless of cause, even if the party from which damages are being sought or such party’s licensors have been previously advised of the possibility of such damages.
13 Breach of the Agreement & Claims
13.1 In the event of any breach of this Agreement by the Patient or the Healthcare Provider, whether such breach is willful or otherwise, the Company reserves the right to enforce its rights and remedies under this Agreement. This includes the right to assert claims for damages and other appropriate relief.
13.2 The Company may enforce its rights and remedies under this Agreement in the jurisdiction in which the Company is based, and also in the jurisdiction in which the Patient or Healthcare Provider is based, or in any other jurisdiction as permitted by applicable laws and regulations.
13.3 This right extends to and includes the right to bring and enforce such claims in any competent courts, tribunals, or similar judicial or quasi-judicial bodies in such jurisdictions. The Patient and the Healthcare Provider agree to submit to the jurisdiction of such bodies in relation to any such claims or proceedings.
14 International Data Transfers
The Company complies with the relevant data transfer frameworks such as the EU-U.S. Privacy Shield Framework for any international transfers of PHI.
15 Term and Termination
15.1 Term. The Term of this Agreement shall be effective as of the date first above written, and shall terminate on the date on which all obligations of the parties have been met unless otherwise terminated as provided in this Section.
15.2 Termination for Cause. Either party may terminate this Agreement if it determines that the other party has violated a material term of the Agreement.
15.3 Unplanned Termination. In the event of an unplanned termination of this Agreement by the Patient or the Healthcare Provider, the terminating party will be liable for any fees, costs, or charges incurred through to the end of the standard notice period, as stipulated in the Company’s pricing policy at the time of termination. This includes but is not limited to subscription fees, service charges, and any other costs associated with the use of the MedKitDoc services.
16 Indemnification
16.1 To the fullest extent permitted by applicable law, both the Patient and Healthcare Provider agree to indemnify, defend, and hold harmless the Company, its officers, directors, employees, and agents from and against any and all claims, damages, obligations, losses, liabilities, costs or debts, and expenses (including but not limited to attorney’s fees) arising from:
(a) their use of and access to the MedKitDoc services;
(b) their violation of any term of this Agreement;
(c) their violation of any third-party right, including without limitation any copyright, property, or privacy right;
(d) any claim that their use caused damage to a third party; and
(e) any breach of any representations, warranties, and covenants made by them in this Agreement.
16.2 This indemnification obligation will survive the termination of this Agreement and their use of the MedKitDoc services.
17 Miscellaneous
17.1 Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.
17.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
17.3 Contact Information. If the Patient has any questions or complaints regarding this Agreement, they may contact [Company’s designated contact point and contact information].
17.4 Changes to the Agreement. The Company reserves the right to change the terms of this Agreement and to make new provisions effective for all PHI that it maintains. The Patient will be notified of any substantial changes.
17.5 Survival. The respective rights and obligations of Company under this Agreement shall survive any termination of this Agreement as necessary for the intended preservation of such rights and obligations.
18 Exclusion of California Jurisdiction and California Residents
18.1 California Jurisdiction
18.1a Notwithstanding anything else in this Agreement, it is expressly agreed by all Parties that the use of MedKitDoc services within the jurisdiction of the state of California is not permitted. This Agreement shall not be governed by and construed in accordance with the laws of the state of California.
18.1b Both the Patient and the Healthcare Provider expressly agree to refrain from using MedKitDoc services while located within the jurisdiction of the state of California. They further agree to not initiate any proceedings or actions relating to this Agreement or MedKitDoc services in any court located within the state of California.
18.1c In the event that the Patient or the Healthcare Provider breaches this clause, they shall bear all responsibility and liability arising out of or in connection with such breach, and shall indemnify and hold the Company harmless from and against all claims, damages, liabilities, losses, costs, and expenses, including attorneys’ fees, arising out of or in connection with such breach.
18.2 California Residents
18.2.a Notwithstanding any provision in this Agreement, the Company does not offer the MedKitDoc services to residents of the state of California, USA. Residents of California are expressly prohibited from downloading, installing, or using the MedKitDoc application.
18.2.b If a resident of California breaches this agreement by using MedKitDoc, they do so at their own risk and are entirely responsible for any resulting consequences. The Company will not be held liable for any damages, claims, or actions arising out of such unauthorized use.
18.2.c Furthermore, it is explicitly stated that such unauthorized use shall not be governed by or subject to any laws of the state of California, including but not limited to the California Consumer Privacy Act (CCPA). The CCPA, or any other California-specific laws or regulations, are not applicable to the MedKitDoc application or any services provided by the Company.
18.2.d The breach of this section may result in termination of the Agreement, prohibition from further use of the MedKitDoc services, and potential legal action.
18.2.e By using MedKitDoc, both Healthcare Providers and Patients represent and warrant that they are not residents of California and agree to comply with this provision.
19 Geographic Limitation
19.1 The Parties understand and agree that the version of MedKitDoc services downloaded and used within the United States is intended for use solely within the geographic boundaries of the United States and is not designed or intended for use outside of this jurisdiction.
19.2 Specifically, both the Patient and the Healthcare Provider expressly agree to refrain from using the U.S. version of MedKitDoc services while located within the jurisdiction of Europe or any other territories outside of the United States. They acknowledge that different versions of the MedKitDoc services may exist for different territories and that use of the U.S. version outside the United States may violate local laws and regulations, including but not limited to data protection and privacy laws.
19.3 In the event of a breach of this clause by the Patient or the Healthcare Provider, all responsibility and liability arising out of or in connection with such breach shall rest solely with the party in breach, who will indemnify and hold the Company harmless against any and all claims, damages, liabilities, losses, costs, and expenses, including attorneys’ fees, arising out of or in connection with such breach.
20 Governing Law
This Agreement will be governed by and construed under the laws of Germany, notwithstanding any conflicts of law principles. Any disputes arising from this agreement shall be resolved in the competent courts of Germany.
If the Patient or the Healthcare Provider requires any more information or has any questions about this part of the Agreement, please feel free to contact us at via “info@medkitdoc.de”.
Feel free to contact us via our contact form