.png)
1.1 You consent to enter into this Patient Data Use Agreement (PDUA or Agreement), by and between yourself (Patient) and zennya, Inc. (Patient Data Manager, or PDM), to authorizes PDM, on Patient’s behalf, to request, acquire, receive, aggregate, maintain, curate, secure, share, and delete, with Patient’s permission as granted pursuant to this Agreement, Patient’s complete, longitudinal digital health record (or any portions of the health record designated by the Patient). The parties are hereinafter referred collectively as the “Parties” and individually as a “Party.”
2.1. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, provides individuals with a right of access to inspect and obtain a copy of protected health information from their medical records maintained by their healthcare providers [see 45 CFR 164.524(a)(1)]. Under this right of access, pursuant to 45 CFR 164.524(c)(3)(iii), individuals can request, in a signed writing identifying where and to whom, that their personal health information be provided to third parties on the patients’ behalf.[^1] Using this right of access, an individual can use a third-party patient data manager to aggregate a complete, longitudinal record and maintain it in a way to provide secure access to accurate, reliable personal health data.
2.2 Patient wishes to collect personal health data from a variety of providers and sources, including non-clinical sources and patient-generated sources; store that data in one complete, longitudinal record; and exert control over the sharing of and access to such health information.
2.3 PDM has the capacity to aggregate, maintain, and secure personal health data in a way that enables it to be: regularly updated; protected; compartmentalized; shared in whole or in part with the Patient’s authorization; and maintained free of unauthorized changes or interference that could render the data untrustworthy.
2.4 Patient seeks to exert the right of access provided to Patient by 45 CFR § 164.524 and related HHS Office for Civil Rights guidance to regularly access personal health information maintained by healthcare providers in designated record sets and to direct providers to transmit Patient’s personal health information to PDM on Patient’s behalf.
2.5 As Patient wishes to have a complete, longitudinal health record under his or her full control and maintained on his or her behalf by PDM, Patient and PDM agree to the following terms:
2.6 The Parties hereby adhere to the provisions of Republic Act 10173, otherwise known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (collectively, “DPA”), recognizing the importance of appropriate privacy protections for data subjects.
3.1 Patient: Patient is an individual who seeks to aggregate personal health data from disparate healthcare providers and sources, including data generated by him or herself.
3.2 Personal Information: refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
3.3 Sensitive Personal Information: refers to personal information:
3.4 Personal Data: refers to both personal information, sensitive personal information, and privileged information disclosed by the Sharing Party to the Receiving Party pursuant to the Service Agreement;
3.5 Processing: refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;
3.6 Data subject: refers to an individual whose personal, sensitive personal, or privileged information is processed;
3.7 Security incident: is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;
3.8 Personal data breach: refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
3.9 Personal information controller: refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:
3.10 Personal information processor: refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;
3.11 Receiving Party: refers to such party that, as a personal information controller, receives personal information from the other party pursuant to this Agreement.
3.12 Sharing Party: refers to such party that, as a personal information controller, discloses or transfers personal information to the other party pursuant to this Agreement.
3.13 Technical, physical, and organizational security measures: means those measures aimed at protecting Personal Information transmitted, stored, or otherwise processed against improper, unauthorized, accidental or unlawful processing, destruction or loss, disposal, alteration, disclosure, or access, and against all other unauthorized and unlawful forms of processing.
3.14 Patient Data Manager (PDM): PDM is a third-party entity with whom Patient enters into this PDUA for the purposes of requesting, acquiring, receiving, aggregating, incorporating, maintaining, curating, and securing Patient’s complete, longitudinal digital health record. Examples of entities who could act as PDMs are healthcare providers, health data systems, health insurers, and third-party mobile medical application entities.
3.15 Patient Health Record (PHR): PHR is Patient’s aggregated, longitudinal health data that PDM maintains on the patient’s behalf pursuant to this Agreement. The PHR does not replace healthcare providers’ medical records systems, does not relieve any reporting responsibilities healthcare providers have under federal, state, or local law, and does not provide an alternative method for providers’ required maintenance of medical records. Should PDM also be Patient’s healthcare provider, the PHR shall not be comingled with the provider/PDM’s electronic health record system.
3.16 Patient Data Receipt (PDR): An electronic computable set of structured data sent or provided to Patient or Patient’s designated PDM at the conclusion of each health encounter or episode of care for inclusion in the Patient’s PHR.
3.17 Protected Health Information (PHI): PHI is defined in this agreement as it is defined by HIPAA [45 CFR 160.103].
3.18 Standing Data Release (SDR): A release through which Patient exercises right of access to personal health information maintained at a healthcare provider on an ongoing, automatic basis and requests Patient’s PHI be transmitted to Patient’s PDM for curation in Patient’s PHR.
4.1 Patient shall be responsible for completing and submitting a Standing Data Release (SDR) to each healthcare provider from whom Patient seeks access to personal health information. PDM may facilitate the SDR process, as feasible.
4.2 The SDR complies with the Department of Health and Human Services’ Office of Civil Rights’ requirements for the release of personal health information from healthcare providers to third parties on the behalf of patients or patient representatives who are requesting access to personal health information. The SDR enables the Patient to authorize continual updates to Patient’s PHR and provides instructions to healthcare providers on enabling automatic updates in the form of a Patient Data Receipt in electronic health record systems.
4.3 Patient understands that healthcare providers cannot transmit PHI to a third party such as PDM without the authorization of Patient or Patient’s authorized representative. Patient also understands that once Patient submits the SDR to a healthcare provider, HIPAA provides the healthcare provider up to 30 days to complete the initial request and the right to seek a further 30-day extension.
5.1 Patient shall have complete authority and control over Patient’s PHR and all of the data contained within it, regardless of the source of the information. Patient accordingly may direct PDM to share all or part of Patient’s PHR with another entity or individual, including but not limited to a healthcare provider or family member.
5.2 Patient may revoke a third party’s previously-granted PHR access. PDM shall immediately implement any such revocation (within one business day). Patient understands that data shared prior to revocation of access often cannot be removed from related records kept by a third party, such as when information from the PHR has been incorporated into a medical record maintained by a healthcare provider who treated Patient.
5.3. Patient shall have the ability and authority to add notes and comments to the information contained in the PHR. Such annotations shall be clearly distinguished from the original text of any health data provided by healthcare providers to maintain data integrity and provenance.
6.1. Patient may authorize PDM to share some or all of Patient’s PHR with individuals and entities that Patient identifies. PDM shall not share data without Patient’s explicit permission.
6.2 PDM shall establish a process for Patient to request access for an identified individual or entity and to specify the type of access such individual or entity may have (e.g., full access, access to all except Patient-generated health data, access to medication information only, access to payer data, etc.).
6.3 PDM cannot guarantee that such designated parties will review the information that Patient chooses to share.
6.4. Patient may revoke this authorization at any time by notifying the PDM by online form, in writing, by telephone, or via other processes that PDM establishes. PDM shall not limit Patient to one method of notification but shall offer at least three means of revoking authorization. PDM shall implement Patient’s revocation immediately and shall indicate in the PHR when the revocation has been so implemented.
6.5 Emergency Access. Patient may grant permission in advance to the PDM to share Patient’s PHR in the case of an emergency during which Patient may not be able to authorize such sharing. Emergency sharing designations and permissions may be established and updated at any time, and may be limited to specific information of particular importance during emergency treatment when Patient is otherwise incapacitated.
7.1. PDM shall aggregate Patient’s health data from each of the healthcare providers with whom Patient has executed SDRs into one cohesive, complete, longitudinal compilation of health data. Information can include but is not limited to medical records (including diagnostic imaging files such as X-rays or MRIs, lab results, and genomic sequencing data), billing records, and claims-related information. PDM shall resolve conflicting health data, as feasible [and pursuant to Patient instruction and/or service tier etc.].
7.2 PDM shall enable the incorporation of Patient-generated health data (PGHD) from fitness trackers, wearables, remote health monitors, and other non-clinically-derived information into Patient’s PHR. Such information will be clearly delineated as PGHD.
7.3. PDM shall enable the incorporation of subjective assessments by the patient of their health outcomes into the PHR (i.e., patient reported outcomes (PROs)). Such information will be clearly delineated as PRO.
7.4. PDM shall ensure that its system can accept and integrate updates (Patient Data Receipts) from healthcare provider EHRs on an ongoing basis. If SDRs are in place, Patient Data Receipts shall be automatically transmitted from provider EHRs to the PHR at the conclusion of each of Patient’s health visits or health encounters.
8.1. PDM shall maintain a record or log of active SDRs and activity within the Patient’s PHR, including updates and disclosures, and shall provide a mechanism by which Patient can ask for additional information about any documented disclosure. Disclosures shall indicate what data was provided, to whom, on what date and time, and the SDR associated with the healthcare provider.
8.2. PDM shall maintain log entries for a minimum of 7 years from the date of access. Patient retains the right to print or otherwise save the log or information about specific entries at any time.
9.1. PDM shall not use or further disclose Patient’s PHR, either in whole or in part, other than as permitted by this Agreement and as authorized by Patient.
9.2. PDM shall use appropriate safeguards to prevent any use or disclosure of Patient’s PHR, either in whole or in part, other than as specified in this Agreement and as authorized by Patient. To the extent that PDM receives, maintains, or transmits PHR, PDM shall use appropriate administrative, physical, and technical safeguards that comply with those required by the HIPAA Security Rule and that reasonably and appropriately protect the confidentiality, integrity, and availability of PHR, regardless of whether PDM is a Covered Entity as defined by HIPAA.
9.3. PDM shall comply with any applicable state and local security and privacy laws to the extent that they are more protective of Patient’s privacy than the HIPAA Privacy Rule and the HIPAA Security Rule, regardless of whether PDM is a Covered Entity as defined by HIPAA. If PDM is not a Covered Entity, other federal laws and regulations may apply (e.g., Federal Trade Commission regulations pertaining to health data held by third-party entities not impacted by HIPAA). If PDM offers access to the PHR in a mobile application, Food & Drug Administration rules may also apply. PDM is responsible for ensuring compliance with all applicable law and regulation.
9.4. Patient shall not share personal login and authentication information for PHR access with anyone. Patient may designate Patient Representative(s) who may access Patient’s PHR in Patient’s stead, but Patient Representative(s) shall maintain his or her own login and authentication information.
10.1. The PHR is an aggregation of Patient’s digital health data from various sources, both clinical and non-clinical. PDM may provide various means of PHR access to the Patient, including through mobile applications accessible on a smartphone, smart speaker, or other such electronic device. In such an instance, PDM shall determine whether any such applications meet the Food and Drug Administration’s (FDA) definition of a mobile medical application and shall adhere to any additional requirements and guidelines set out by the FDA.
11.1. Patient’s PHR maintained by PDM is separate and independent from medical records that healthcare providers are required by law to maintain for each patient. Healthcare providers may incorporate information from the PHR into their medical records if the Patient grants them access to the PHR, but the existence of the PHR does not supplant their medical records systems, any reporting responsibilities healthcare providers have under federal, state, or local law, or provide an alternative method for their required maintenance of medical records.
Each Party shall respect the following rights accorded to data subjects by the Data Privacy Act of 2012:
12.1 Right to be informed. Data subjects have the right to be informed whether Personal Information pertaining to them shall be, are being, or have been processed, including the existence of automated decision-making and profiling. This Agreement may be accessed by the Data Subject upon written request submitted to any of the Parties.
12.2 Right to object. Data subjects have the right to object to the processing of their Personal Information, including processing for direct marketing, automated processing or profiling. They may withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject.
12.3 Right to access. Data subjects have the right to request access to any of their personal data, subject to certain restrictions.
12.4 Right to rectification. Data subjects have the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
12.5 Right to erasure or blocking. Data subjects have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.
12.6 Right to damages. Data subjects have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Information, taking into account any violation of the rights and freedoms of the data subject.
12.7 Right to lodge a complaint with the National Privacy Commission.
13.1 The PDM shall be accountable for the Shared Data under its control and custody, including Shared Data that it transferred to a third party for processing. It shall use technical, physical, and organizational security measures to protect the shared data. It shall use contractual or other reasonable means to provide a comparable level of protection while the Shared Data are being processed by a third party. Subject to Section 13.5 hereof, all such transfers by the Receiving Party to a third party shall be compliant with the DPA, its IRR, and other issuances of the Commission. Such compliance shall be covered by the appropriate agreements.
13.2 The PDM shall only process the Shared Data in accordance with Section 14 hereof. This shall be without prejudice to the processing of the receiving Party of such data under a separate contract or agreement with the data subjects.
13.3 The PDM shall notify the NPC and the data subjects of any Personal Data Breach involving the Shared Data pursuant to the requirements of the DPA, including Circular 16-03, as may be amended from time to time. The Receiving Party shall send a written report to the Sharing Party in every event of a suspected personal data breach involving the Shared Data upon knowledge of, or when there is reasonable belief by the Receiving Party that a data breach has occurred.
13.4 The PDM shall cooperate with any remediation that the Patient, in its discretion, determines it necessary in order to:
13.4.1 Address any applicable reporting requirements; and
13.4.2 Mitigate any effects of such unauthorized use, processing, or disclosure of the Shared Data, including measures necessary to restore goodwill with stakeholders.
13.5 The PDM shall not disclose the Shared Data to the third parties outside of those already authorized under this Agreement without prior written approval of the Patient except as is required by a regulatory authority of applicable law, rule, or regulation, and provided that the Receiving Party shall:
13.5.1 Promptly notify the Sharing Party in writing of such requirement;
13.5.2 Use its best efforts to limit the nature and scope of the required disclosure; and
13.5.3 Follow all reasonable instructions of the Patient with respect to such disclosure.
13.6 The PDM shall immediately notify the Patient in writing of any inquiry, communication, or complaint received by the Receiving Party from:
13.6.1 Any person relating to the Shared Data about such person that was processed by the Receiving Party pursuant to this Agreement; or
13.6.2 Any regulatory authority, relating to the processing by the Receiving Party of any Personal Information or any portion of the Shared Data, and provide all reasonable assistance to the Sharing Party in responding to any such inquiry, communication, or complaint.
13.7 Further processing of the Shared Data, i.e. beyond the purposes set forth in Section 14, shall adhere to the data privacy principles laid down in the DPA, its IRR, and other issuances of the Commission. With respect to such further processing, the Receiving Party shall be responsible for obtaining the consent of the data subjects.
14.1. This Agreement shall begin on the Effective Date set upon Patient acceptance of the agreement, and recorded digitally, and shall continue indefinitely until terminated by either party.
14.2. Breach of any of the terms of this Agreement may result in immediate termination of the Agreement in some circumstances (e.g., malicious actions, such as attempts to breach security measures, actions that cause substantial harm due to negligence or malfeasance). If the breach results from a mistake or negligence that can be easily remedied without substantial harm to the non-breaching party, the breaching party shall notify the non- breaching party within three (3) business days and take corrective action within a reasonable timeframe as agreed upon by the parties to address the breach. If action is not taken to remedy the breach in a reasonable timeframe, the Agreement shall be terminated. The non-breaching party retains all rights to pursue claims for breach of contract pursuant to the laws of the state/Commonwealth of [e.g., Massachusetts] and any and all other remedies provided pursuant to federal, state, and local law, including HIPAA and Federal Trade Commission regulations.
14.3. Upon termination by either party, revocations of active SDRs shall be generated by the PDM and submitted to all entities providing data to the PHR on an automatic basis. PDM shall disable the ability of Patient’s PHR to receive updates no later than five (5) business days of submitting revocation notices.
a. Patient understands that SDRs are not transferable to other PDMs and that new forms will need to be completed and submitted to healthcare providers pursuant to the new PDM’s policies to authorize automatic updates to the PHR maintained by a new PDM.
14.4. Patient may terminate this Agreement at any time with written notice to PDM. Upon notice of Patient’s desire to terminate the Agreement, PDM shall provide Patient the ability to transfer Patient’s PHR and related access logs to another patient data manager of Patient’s choosing, to be provided a copy of the PHR for Patient’s personal storage, and/or to destroy the PHR data and related access logs. PDM shall provide Patient thirty (30) days to make a decision about disposition of the PHR. Should Patient opt to transfer PHR to another patient data manager, PDM shall assist Patient with the form(s) and process needed to authorize the transfer. PDM shall ensure that the transfer may be effected electronically if Patient so elects and shall be performed expediently and no later than 30 days after Patient notifies PDM of its disposition decision, without undue burden or unreasonable cost.
14.4.1. PDM shall, to the best of its ability, confirm successful transfer of Patient’s PHR to a new patient data manager, or the date, time, and method of destruction of Patient’s PHR data and access logs, as applicable.
14.5. PDM may terminate this Agreement with 60 days’ notice to Patient and shall require acknowledgement from Patient within five (5) days of such notice to ensure Patient is aware of the impending termination. PDM shall provide Patient with the option to transfer PHR to another patient data manager, to be provided a copy of the PHR for Patient’s personal storage, or to destroy the PHR data.
14.5.1. PDM shall, to the best of its ability, confirm successful transfer of Patient’s PHR to a new patient data manager, or the date, time, and method of destruction of Patient’s PHR data and access logs, as applicable.
14.6. In the event of Patient’s death, PDM shall follow the specific instructions Patient provided at initiation of the PHR. Data will be destroyed or donated to a data repository named by Patient. Patient may request a copy be provided to Patient’s named beneficiary prior to disposition.
14.7. Patient understands and acknowledges that PDM shall not keep a copy of Patient’s PHR once an agreement has been terminated, the patient has selected the method of disposition or transfer of the PHR, and the PDM has successfully disposed of or transferred the data. In the event that PDM is the terminating party, Patient shall have one year from the date of termination to determine the method of disposition or transfer. If disposition or transfer does not occur within that year, PDM shall then destroy the data.
A. This Agreement may be updated or amended due to changes in law, regulations, policies, or for other reasons. Parties to this Agreement will be alerted to any such updates or amendments a minimum of 30 days prior to implementation.
B. Neither party shall assign this Agreement without the written consent of the other.
California. This Agreement and all acts and transactions pursuant hereto and the rights and obligations of the parties hereto shall be governed, construed and interpreted in accordance with the laws of the State of California, without giving effect to principles of conflicts of law.