i You may not distribute or allow access to the Nth Technology EHR FHIR API to anyone other than, if
applicable, the Entity on whose behalf you entered into this Agreement.
Security Measures and Protected Health Information (PHI)
a YOU ATTEST THAT YOU ARE AUTHORIZED TO ACCESS THE PHI YOU ARE REQUESTING THROUGH THE
SYSTEM, AND YOU AGREE TO HANDLE AND PROCESS SUCH INFORMATION ACCORDING TO ANY AND
ALL APPLICABLE LAWS. If you are a Developer, you agree to maintain suitable facilities, management,
operational, and physical controls to protect PHI and any Codes consistent with the security and
privacy controls imposed by HIPAA, HITECH, and any other federal, state, and local laws, where
applicable, and to treat all Codes with no less care and protection than that afforded to Protected
Health Information. You acknowledge and agree that you shall use the System only as and to the
extent permitted by applicable law, including any applicable import or export laws, and only for
applications related to the secure access to health information over the Internet, in a manner
compliant with the security and privacy rules of HIPAA, HITECH, and any other applicable law or
regulation. You acknowledge and agree that Company is not a Covered Entity. You agree that you will
not intentionally submit to Company or otherwise share with Company any Protected Health
Information and will not provide Company with access to any Protected Health Information except as
required for you to Use the System. You acknowledge and agree that Company only acts as a conduit
to transfer Protected Health Information or any other data between you and a Data Holder.
b You acknowledge that the System is a data transport tool and is not intended to serve as a medical
record, and that it is your sole responsibility to establish policies and procedures that ensure that the
content of any data accessed through the System is incorporated into a patient's medical record, when
applicable. You agree that it is your sole responsibility to provide or obtain any and all necessary
consents and to fulfill any and all obligations that are required by HIPAA, HITECH, or other
governmental statute or regulation prior to use, disclosure, or transmission of any Protected Health
Information or other data accessed through the System. You agree that Company has no obligation to
archive or otherwise store any PHI or other data transferred through the System. You acknowledge
that the data you request may not be accessible through the System when (i) you are denied access by
Data Holder to any or all of the data requested or the Data Holder does not respond to your request
for any reason, (ii) your request or the data provided by a Data Holder is not in a format recognized by
the System, (iii) your request would cause transfer size or frequency to exceed the allowable maximum
permitted by Company, (iv) the Codes you use to access the System are invalid, (v) this Agreement
terminates, or (vi) for any other reason. You acknowledge that Company does not control the content
of data accessed through the System, that data accessed through the System may contain software
viruses or other malicious content, that it is your sole responsibility to protect your computer system
from viruses, and that the Company has no responsibility to protect your computer system from
viruses or other malware. You agree that Company, in its sole discretion, reserves the right not to
enable Software or System for any particular Developer or User, should we determine, in our sole
discretion, that Use by the Developer or User is a threat to Company’s systems or negatively impacts
the Use of the System by other Users.
c The network, operating system and software of your web servers, databases, and computer systems
(collectively, “Your Systems”) must be properly configured to securely operate your Application. Your
Application must use reasonable security measures to protect your users’ information. You must not
architect or select Your Systems in a manner to avoid the foregoing obligation. Your Systems shall use
supported versions of operating systems and databases for which patches are actively deployed and
shall be updated with security patches based on industry accepted standards and criticality. All critical
patches shall be applied within 30 days of release.
d You must promptly report any security deficiencies in, or intrusions to, your Systems to Nth
Technology in writing via email to support@nthtechnology.com. You will work