Terms and Conditions


Notice to User: The following Terms and Conditions of Use (“Terms”) are provided for general
informational purposes and do not constitute legal advice. Health‑care regulations change
over time and vary by jurisdiction. Before publishing these Terms for your product, you should
consult qualified legal counsel to tailor the document to your specific business, technical
architecture and applicable law.

  1. Acceptance of Terms
    These Terms govern your access to and use of [Company Name]’s websites, mobile
    applications and related services (collectively, the “Service”). By accessing or using the Service
    you agree to be bound by these Terms, our Privacy Policy and Notice of Privacy Practices. If
    you do not agree, do not use the Service. You represent that you are at least 18 years old, legally
    competent and have the authority to enter into these Terms on behalf of yourself or any entity
    you represent.
  2. HIPAA Compliance and Protected Health Information
    2.1 Our Commitment to Protecting Health Information
    The Health Insurance Portability and Accountability Act (“HIPAA”) requires covered entities
    and their business associates to protect the confidentiality, integrity and availability of
    protected health information (PHI). Where the Service collects, stores, processes or transmits
    PHI, we implement administrative, physical and technical safeguards consistent with the
    HIPAA Privacy, Security, Breach Notification and Enforcement Rules. Examples include:
    ● Encryption: PHI is encrypted at rest and in transit using industry‑standard methods
    (e.g., AES‑256 and TLS 1.2 or higher).
    ● Access Controls and Authentication: Access to PHI is role‑based and restricted to
    authorized personnel only. We use strong authentication mechanisms (e.g., complex
    passwords, multi‑factor authentication and session timeouts). User identities are
    linked to unique accounts and credentials.
    ● Audit Trails: All access to and actions involving PHI are logged in an immutable audit
    trail. Logs record login attempts, data access, modifications and administrative
    actions, and are monitored for suspicious activity.
    ● Risk Assessments and Security Reviews: We perform periodic risk assessments and
    vulnerability scans to identify and address potential threats, in accordance with
    HIPAA’s requirements. Backups and disaster recovery plans are in place to recover PHI
    securely and quickly in the event of a failure.
    ● Business Associate Agreements (BAAs): When we engage vendors who may have
    access to PHI (e.g., hosting providers or analytics tools), we execute Business Associate
    Agreements requiring them to implement safeguards consistent with HIPAA.
    ● Notice of Privacy Practices: If we are a covered entity, we will post our Notice of
    Privacy Practices on our website and provide it electronically. The notice describes
    how PHI may be used, your rights and how to exercise them.
    2.2 User Responsibilities and Restrictions
    You agree to use the Service in a manner consistent with HIPAA. In particular you:
    1. Provide Accurate Information: You agree that all registration and health information
       you submit is truthful and complete and is your own information or that of a person for
       whom you are authorized to act.
    2. Maintain Confidentiality: You are responsible for maintaining the confidentiality of
       your login credentials, devices and authentication factors. Immediately notify us if you
       suspect unauthorized access to your account or loss of any authentication token.
       Practitioners are legally responsible for securing hard tokens and passwords used to
       sign prescriptions.
    3. Limit PHI Disclosure: You will not upload, store or transmit PHI through the Service
       unless it is necessary for the provision of health‑care services. You will not disclose
       PHI about another individual without that person’s authorization.
    4. Training and Compliance: If you are part of a covered entity or business associate
       workforce, you affirm that you have received appropriate HIPAA training on the uses
       and disclosures of PHI and security awareness.
    5. Prohibited Activities: You may not use the Service to send PHI via insecure channels
       (e.g., unencrypted e‑mail or SMS), to harvest or misappropriate data, to attempt to
       breach security or to engage in any activity that violates HIPAA.
  3. DEA Compliance and Electronic Prescriptions for Controlled Substances (EPCS)
    3.1 Overview
    If the Service allows authorized practitioners to create or transmit electronic prescriptions for
    controlled substances, the Service complies with the U.S. Drug Enforcement Administration’s
    (DEA) regulations, including 21 CFR Part 1311 (Requirements for Electronic Orders and
    Prescriptions). Key requirements include linking practitioner accounts to DEA registration
    numbers, using logical access controls and multi‑factor authentication, maintaining audit
    trails and undergoing third‑party audits.
    3.2 System Obligations
    ● DEA Registration Linkage: The prescription module links each practitioner by name
    to at least one DEA registration number. Practitioners exempt from registration are
    linked to an institutional DEA registration and internal code number as required.
    ● Logical Access Controls and Separation of Duties: The system enforces role‑based
    access and requires at least two individuals to set or change permissions for signing
    controlled‑substance prescriptions. Only users linked to an appropriate DEA
    registration can be assigned the role of registrant.
    ● Multi‑Factor Authentication: To sign controlled‑substance prescriptions,
    practitioners must use two factors (e.g., password plus cryptographic token or
    biometric). The Service supports FIPS 140‑2 validated hardware tokens or biometric
    authentication.
    ● Prescription Information and Review: Before signing, the system displays the
    prescription date, patient name, drug name, dosage and directions, number of refills,
    practitioner name, address and DEA number. The practitioner must confirm that each
    prescription is ready for signing; the system prevents modifications to DEA elements
    after this confirmation.
    ● Audit Trails: The system records all events related to prescription creation, signing,
    transmission, alteration and revocation in a tamper‑evident audit trail and retains logs
    in an immutable format. Security incident reports are generated and must be reviewed
    promptly; potential breaches must be reported to the DEA within one business day.
    ● Electronic Transmission: Controlled‑substance prescriptions are transmitted
    electronically in their entirety, with digital signatures and appropriate encryption.
    Duplicate transmission is prohibited; printed copies, if generated, are marked “Copy
    Only – Not Valid for Dispensing” and must note any prior failed electronic
    transmission.
    ● Third‑Party Audits: Our EPCS application undergoes certification by a DEA‑approved
    auditing firm and periodic re‑certification. Practitioners and pharmacies must ensure
    they use only certified EPCS applications.
    3.3 Practitioner Responsibilities
    Practitioners who issue electronic prescriptions for controlled substances through the Service
    acknowledge and agree that:
    1. Compliance with Legitimate Medical Practice: You are legally responsible for
       ensuring prescriptions are issued in the ordinary course of professional practice and
       for a legitimate medical purpose. You must secure hard tokens and passwords, respond
       promptly to lost or compromised tokens, manage failed transmissions and revoke
       access if non‑compliance occurs.
    2. Credentialing: You must hold a current DEA registration, be authorized to prescribe
       the schedules of controlled substances involved, and, where applicable, maintain an
       active Surescripts Provider Identifier.
    3. Identity Proofing: Before using the Service’s EPCS features, you must complete
       identity proofing by a federally approved Credential Service Provider or Certification
       Authority.
    4. Auditing and Monitoring: You must review audit logs, incident reports and
       transmission failures promptly. If a potential security incident occurs, you must
       cooperate with investigations and notify the DEA where required.
  4. Service Content and Intellectual Property
    All content provided through the Service, including text, graphics, logos, interfaces, software
    code and compilation of content, is our property or the property of our licensors and protected
    by intellectual‑property laws. You may not reproduce, modify, distribute, sell or lease any part
    of the Service except as permitted by these Terms or by law.
  5. User Conduct and Prohibited Uses
    You agree not to:
    1. Use the Service for any unlawful purpose, including but not limited to activities that
       violate HIPAA, the Controlled Substances Act, 21 CFR Part 1311, or any other applicable
       federal or state law.
    2. Attempt to circumvent or defeat any security or authentication measures.
    3. Interfere with or disrupt the integrity or performance of the Service.
    4. Use any robot, spider, scraper or other automated means to access the Service for any
       purpose without our express written permission.
    5. Post or transmit any material that is defamatory, obscene, libelous, or that infringes or
       misappropriates another’s intellectual‑property rights.
    6. Impersonate any person or entity, or misrepresent your affiliation with a person or
       entity.
  6. Disclaimers
    ● Not Medical Advice: The Service may facilitate communication with healthcare
    providers and allow transmission of health information or prescriptions. However, the
    Service itself does not provide medical diagnosis or treatment. Consult a qualified
    healthcare professional for any medical concerns. We do not control or guarantee the
    accuracy of information provided by users or third‑party practitioners.
    ● No Warranty: The Service is provided on an “as is” and “as available” basis without
    warranties of any kind, express or implied. We do not warrant that the Service will
    meet your requirements, be uninterrupted, timely, secure or error‑free.
    ● Compliance Disclaimer: While we strive to comply with HIPAA, DEA and other
    applicable laws, we do not warrant that use of the Service will guarantee compliance
    with all regulatory requirements. You are responsible for understanding and
    complying with the laws and regulations that apply to your use of the Service.
  7. Limitation of Liability
    To the fullest extent permitted by law, [Company Name] and its affiliates, directors, officers,
    employees and agents will not be liable for any indirect, incidental, special, consequential or
    punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or
    any loss of data, goodwill or other intangible losses, resulting from (a) your access to or use of
    or inability to access or use the Service; (b) any conduct or content of any third party on the
    Service; (c) any content obtained from the Service; or (d) unauthorized access, use or alteration
    of your transmissions or content. Our total liability for any claim related to the Service will not
    exceed the amount you paid, if any, to use the Service during the twelve (12) months preceding
    the claim.
  8. Indemnification
    You agree to indemnify, defend and hold harmless [Company Name], its affiliates and their
    respective officers, directors, employees and agents from and against all claims, liabilities,
    damages, losses, costs and expenses, including reasonable attorneys’ fees, arising out of or
    relating to your (a) use of the Service, (b) violation of these Terms or any law or regulation, (c)
    infringement or misappropriation of any intellectual‑property or other right of any person or
    entity, or (d) negligent or wrongful acts or omissions.
  9. Suspension and Termination
    We may suspend or terminate your access to the Service at any time for any reason, including
    if we reasonably believe you have violated these Terms, engaged in fraudulent or illegal
    activity, or pose a risk of harm. Upon termination, your right to use the Service will
    immediately cease, and provisions of these Terms which by their nature should survive
    termination shall survive, including sections on HIPAA compliance, DEA compliance,
    limitations of liability and indemnification.
  10. Modifications to the Terms
    We may modify these Terms at any time. If we make material changes, we will provide notice
    (e.g., via the Service or e‑mail) and update the “Last Updated” date at the top of these Terms.
    Your continued use of the Service after such changes constitutes your acceptance of the
    updated Terms.
  11. Governing Law and Dispute Resolution
    These Terms shall be governed by and construed in accordance with the laws of the
    jurisdiction in which [Company Name] is incorporated, without regard to its conflict‑of‑law
    provisions.
    You and [Company Name] agree to resolve any dispute arising out of or relating to these
    Terms or the Service exclusively through final and binding arbitration administered by a
    recognized arbitration body, except that either party may seek equitable relief in court for
    infringement or misuse of intellectual property rights or for breaches of confidentiality
    obligations. The arbitration will be conducted in the county (or equivalent administrative
    division) where [Company Name] is headquartered unless the parties agree otherwise.
  12. Contact Information
    If you have any questions about these Terms, HIPAA compliance, DEA compliance or your
    rights and obligations, please contact us at:
    [Company Name]
    Address: [Company Address]
    Phone: [Phone Number]
    E‑mail: [Contact E‑mail]
  13. Entire Agreement
    These Terms constitute the entire agreement between you and [Company Name] regarding
    the Service and supersede all prior agreements, understandings or communications. If any
    provision of these Terms is found unenforceable, the remaining provisions will remain in full
    force and effect.