Mentalyc Inc.
Address: 2261 Market Street #4569, San Francisco, CA 94114 ("Mentalyc" herein)
Company
The organization identified and entered into Mentalyc’s systems by its representative and set forth on the final page of this agreement ("Company" herein)
Recitals:
Company is a HIPAA Covered Entity or Business Associate.
Company and Mentalyc will engage in a business relationship in which Mentalyc provides certain Services to Company.
In this relationship, Mentalyc may receive, use, maintain, disclose, or otherwise process PHI as a Business Associate for or on behalf of the Company.
1. Definitions
Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with a party. Control is defined as an economic or voting interest of at least 50% or the power to direct or cause the direction of management and set policies.
HIPAA Laws: Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Clinical Health ("HITECH") Act, including Privacy Rule and Security Rule as modified, supplemented, and amended.
PHI: As defined in 45 C.F.R. § 160.103 of HIPAA, PHI includes protected health information that is received or created by Mentalyc on behalf of Company through the use of Services.
Security Measures: Administrative, physical, and technical safeguards, including documentation requirements specified in the Security Rule.
Services: Unified communications or other services provided by Mentalyc to Company where Mentalyc creates, receives, maintains, or transmits PHI.
2. Permitted Uses and Disclosures of PHI
2.1. Performance of the Agreement for Mentalyc Services
Mentalyc shall not use or disclose PHI other than as permitted by this agreement or as required by law.
Mentalyc may use or disclose PHI to perform services for or on behalf of Company, provided such use or disclosure would not violate HIPAA Laws if done by Company.
2.2. Management, Administration, and Legal Responsibilities
Mentalyc may use and disclose PHI for management, administration, and legal responsibilities if:
(a) Required by Law; or
(b) Mentalyc obtains reasonable assurances from the person to whom PHI is disclosed that it will be held confidentially and used or disclosed only as required by law.
3. Responsibilities with Respect to PHI
3.1. Mentalyc’s Responsibilities
3.1.1. Limitations on Use, Disclosure, and Sale
Mentalyc will only use the minimum necessary PHI for proper management and will not engage in the sale of PHI.
3.1.2. Safeguards
Mentalyc shall use reasonable safeguards to prevent inappropriate use and disclosure of PHI and comply with applicable requirements of the Security Rule.
3.1.3. Subcontractors
Mentalyc may use subcontractors to fulfill obligations, provided they agree in writing to:
(a) Similar restrictions and conditions as Mentalyc regarding PHI.
(b) Appropriate safeguards.
(c) Compliance with Security Rule requirements.
3.1.4. Reporting to Company
Mentalyc shall report:
(a) Any unauthorized use or disclosure of PHI.
(b) Any Security Incident (with exceptions for Unsuccessful Security Incidents).
(c) Any Breach of Company's PHI within ten (10) business days.
3.1.5. Unsuccessful Security Incidents
Unsuccessful Security Incidents include pings, port scans, unsuccessful login attempts, etc., that do not result in unauthorized access.
3.1.6. Disclosures to the Secretary
Mentalyc shall make records available to Company or the Secretary for determining compliance with HIPAA Laws.
3.1.7. Access and Amendment
Services do not include access or maintenance of a Designated Record Set. Company shall directly perform such actions.
3.1.8. Accounting of Disclosures
Mentalyc shall make available information about disclosures to enable Company to make requested accountings.
3.1.9. Privacy and Security Rule Compliance
Mentalyc shall comply with the Privacy and Security Rules with respect to PHI.
3.2. Company’s Responsibilities
3.2.1. No Impermissible Requests
Company shall not request Mentalyc to use or disclose PHI in a manner impermissible under HIPAA Laws.
3.2.2. Contact Information for Notices
Company agrees that notices may be provided electronically and must ensure current contact information.
3.2.3. Safeguards and Appropriate Use of PHI
Company shall implement privacy and security safeguards and is responsible for ensuring PHI is legally disclosed to recipients.
3.2.4. Communicating Changes to Mentalyc
Company shall notify Mentalyc of changes in permission regarding the use or disclosure of PHI.
3.2.5. Communicating Restrictions to Mentalyc
Company shall notify Mentalyc of any agreed restriction to the use or disclosure of PHI.
3.2.6. Communicating Restrictions in Notices of Privacy Practices
Company shall notify Mentalyc of any limitations in privacy practices that may affect the use or disclosure of PHI.
4. Term and Termination
4.1. Term
The term begins on the date of acceptance and terminates upon termination of all services requiring a business associate agreement under HIPAA Laws.
4.2. Termination for Breach
4.2.1. Termination for Breach by Company
Company may:
(a) Allow Mentalyc to cure the breach.
(b) Immediately terminate if a material breach cannot be cured.
(c) Report the violation to the Secretary if termination is infeasible.
4.2.2. Termination for Breach by Mentalyc
Mentalyc may:
(a) Terminate the agreement.
(b) Report the problem to the Secretary if termination is not feasible.
5. Post-Termination Obligations
5.1. Return, Destruction, or Retention of PHI
Upon termination, Mentalyc shall return or destroy all PHI unless it is necessary to retain for management or legal responsibilities.
5.2. Notice When Return or Destruction is Infeasible
Mentalyc shall notify Company if PHI cannot be returned or destroyed and extend protections to such PHI.
6. Limitation of Liability
Mentalyc's total liability is limited to ten thousand dollars ($10,000) for all damages arising from a breach of this agreement.
7. Notices
Notices must be delivered in writing via electronic mail to specified addresses for both Mentalyc and Company.
8. Miscellaneous
8.1. No Agency Relationship
This agreement does not create an agency relationship; each party is an independent contractor.
8.2. No Third-Party Rights or Remedies
This agreement does not confer enforceable rights upon any person other than Mentalyc and Company.
8.3. References
References to Privacy or Security Rule sections mean those currently in effect.
8.4. Assignment
No assignment is allowed without prior consent, except to an affiliate or successor by merger.
8.5. Amendments; Waiver
Amendments must be in writing. No waiver is effective unless in writing.
8.6. Ambiguity
Any ambiguity will be resolved to comply with HIPAA Laws.
8.7. Merger; Conflicts
This agreement is the final and complete expression of the parties' agreement.
8.8. Severability
If any provision is deemed invalid, the remaining provisions remain valid.
8.9. Governing Law
The laws of the State of Delaware govern all matters arising out of or relating to this agreement.
8.10. Electronic and Digital Signatures
This agreement may be signed electronically and is as binding as a handwritten signature.
9. Data Ownership
Company Rights: Company retains all right, title, and interest in and to the raw Data.
License Granted to Mentalyc: Mentalyc is granted a non-exclusive license to use such Data solely for the purpose of providing the Services, including the development of anonymized datasets for training and improving AI models, algorithms, and other technologies.
Mentalyc Ownership:
Mentalyc exclusively owns all rights, titles, and interests in and to any databases created from such anonymized datasets and uses these databases to enhance our Services.
Mentalyc exclusively owns all rights, titles, and interests in and to any applications, technologies, products, or improvements developed using anonymized Data, whether or not provided to Company as part of the Services. This includes, but is not limited to, artificial intelligence models and algorithms derived from the anonymized use of Data.