This document is an agreement between NoteZap Incorporated ("NoteZap") and a customer ("Customer") who agrees to its terms. It is an addendum to the Terms of Use and only applies to Covered Services. The agreement will be effective from the date that the customer electronically accepts it. The BAA will work in conjunction with the Terms of Use to regulate the obligations of each party with regards to Protected Health Information, as defined in the agreement.

By using our product, you confirm and guarantee that (i) you possess complete legal power to commit Customer to this BAA, (ii) you have comprehended and grasped the contents of this BAA, and (iii) you accept, on behalf of Customer, the provisions outlined in this BAA.

In this document: 

"Business Associate" has the meaning specified by HIPAA. 

"Breach" has the meaning specified by HIPAA. "Covered Entity" has the meaning specified by HIPAA. 

"Covered Services" refers to the products and/or services offered by NoteZap. 

"Designated Record Set" has the meaning specified by HIPAA. 

"HIPAA" means the Health Insurance Portability and Accountability Act of 1996, along with its related rules and regulations, as amended. 

"HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, which was enacted as part of the American Recovery & Reinvestment Act and includes its related regulations, as amended. 

"Protected Health Information" or "PHI" has the meaning specified by HIPAA and is limited to PHI within Customer Data that NoteZap can access through the Covered Services as part of Customer's authorized use of the Covered Services. 

"Required by Law" has the meaning specified by HIPAA. 

"Security Incident" has the meaning specified by HIPAA. 

"Services Agreement(s)" refers to the written agreement(s) between NoteZap and the Customer for the provision of Covered Services, which may be in the form of online terms of service.

This BAA is only applicable if the Customer is operating as a Covered Entity or Business Associate and is creating, receiving, maintaining, or transmitting PHI through the use of a Covered Service, and if NoteZap is deemed to be a Business Associate or Subcontractor under HIPAA as a result of this. The Customer recognizes that this BAA does not apply to (a) any other NoteZap product, service, or feature that is not considered a Covered Service; or (b) any PHI that the Customer creates, receives, maintains, or transmits outside of the Covered Services, including the use of offline or on-premise storage tools or third-party applications.

Unless explicitly stated otherwise in this BAA, NoteZap may only use and disclose PHI in the following circumstances: (i) as allowed or required by the Terms of Use or this BAA, or (ii) as required by law. 

NoteZap may use and disclose PHI for the purpose of managing and administering its operations and fulfilling its legal responsibilities. However, such disclosure may only occur if (i) required by law or (ii) NoteZap receives written assurances from the person receiving the PHI that it will be kept confidential, only used for the intended purpose, and that NoteZap will be informed of any Security Incident or Breach.

The Customer must not request that NoteZap or the Covered Services use or disclose PHI in any way that would be considered impermissible under HIPAA if done by the Customer (assuming they are a Covered Entity) or by the Covered Entity for which the Customer is a Business Associate (unless specifically permitted under HIPAA for a Business Associate). The Customer acknowledges that the Customer is solely responsible for ensuring that they and their End Users utilize the Covered Services in compliance with HIPAA and HITECH.

Both NoteZap and the Customer are required to utilize appropriate safeguards to prevent unauthorized use or disclosure of PHI as required by HIPAA in relation to the Covered Services.

NoteZap will promptly notify Customer of (i) any Security Incident of which NoteZap becomes aware, subject to Section 6(c); and (ii) any Breach that NoteZap discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery. Notifications made under this section will describe, to the extent possible, details of a Breach, including steps taken to mitigate the potential risks and steps NoteZap recommends Customer take to address the Breach.

NoteZap will provide any relevant notifications to the email address provided by the Customer, or via direct communication with the Customer.

NoteZap may periodically experience unsuccessful attempts at unauthorized access, use, disclosure, modification, or destruction of information, or interference with the normal operation of NoteZap's systems and the Covered Services. The Customer acknowledges and agrees that, even if such events constitute a Security Incident, NoteZap is not obligated to provide any notification under this BAA regarding such unsuccessful attempts.

NoteZap is responsible for ensuring that any Subcontractors it employs and who require access to PHI on behalf of NoteZap are subject to written obligations that offer reasonable levels of protection for PHI. If NoteZap utilizes Subcontractors in fulfilling its obligations under this BAA, NoteZap will remain responsible for their performance as if it was performed by NoteZap.

The Customer acknowledges that they are solely responsible for the form and content of PHI maintained within the Covered Services, including whether such PHI is maintained in a Designated Record Set within the Covered Services. NoteZap will provide the Customer with access to their PHI through the Covered Services so that the Customer may fulfill its obligations under HIPAA regarding Individuals' rights of access and amendment. However, NoteZap has no further obligations to the Customer or any Individuals concerning the rights afforded to Individuals by HIPAA in relation to Designated Record Sets, including the right of access or amendment of PHI. The Customer is responsible for managing their use of the Covered Services to effectively respond to such individual requests.

NoteZap will document any disclosures of PHI made by NoteZap and provide an accounting of such disclosures to the Customer, as required of a Business Associate under HIPAA and in compliance with the requirements that apply to a Business Associate under HIPAA.

If legally required and subject to all applicable legal privileges, NoteZap will provide its internal practices, books, and records relating to the use and disclosure of PHI received from the Customer, or created or received by NoteZap on behalf of the Customer, to the Secretary of the U.S. Department of Health and Human Services (the "Secretary") for the purpose of the Secretary assessing compliance with this BAA.

This BAA will end upon conclusion or termination of all Services Agreements under which the customer has access to a Covered Service.

If the Services Agreements are terminated, NoteZap will either return or destroy all PHI received from the Customer or created or received by NoteZap on behalf of the Customer. However, if returning or destroying such PHI is not feasible, NoteZap will extend the protections of this BAA to the PHI that is not returned or destroyed.

In case of any conflict between this BAA and the remaining terms of the Services Agreement(s), this BAA will take precedence. Unless explicitly modified or amended under this BAA, the terms of the Services Agreement(s) will continue to be fully effective.

Contact Us

If you have any questions or concerns about our Business Associate Agreement or practices, please contact us at:

NoteZap Incorporated

12221 S 900 E

Draper, Utah 84020

USA

Email: legal@notezap.com