Effective January 24, 2022
The purpose of this Builder Security Policy (“Policy”) is to provide a common set of security requirements for all Builders who use the Builder Services to access and build Applications upon the Zus Platform, including for Builders which are Covered Entities or Business Associates covered by HIPAA and Builders which are not (i.e., Non-Covered Entities). Both you and Zus each acknowledge that protecting the security and integrity of the Builder Services and Zus Platform and your own Application and information systems requires coordination of certain security-related obligations between Zus and our Builders. Accordingly, you also acknowledge that we have a responsibility to require you, and our other Builders, to meet certain minimum standards for information security for the good of all users of the Zus Platform.
This Policy applies to all Builder Services and Builders who use them under the Builder Terms, and this Policy is incorporated into the Builder Terms. This Policy may be updated or amended from time to time in accordance with provisions of the Builder Terms.
A. Definitions
- General. Capitalized terms used but not defined in this Policy or the Builder Terms will have the meanings set forth in HIPAA or other Applicable Law.
- Extension of HIPAA Definitions. To make requirements for protection of Patient Data consistent, where this Policy incorporates definitions or standards from HIPAA, this Policy has the same definition as the similar definition from HIPAA except that the term PHI or Protected Health Information is replaced by the broader term for Patient Data as defined in these Builder Terms, which includes both PHI and PII (not covered by HIPAA).
- Policy Definitions. The following definitions will apply for purposes of this Policy.
“Access Attempts” means unauthorized probes, scans, “pings”, and other activities which may or may not indicate threats, whose sources may be difficult or impossible to identify, whose motives are generally unknown, and which do not result in access to the Builder Services, your Application or information systems, or to any Unsecured Patient Data.
“Breach” means a Breach of Unsecured Patient Data as defined in 45 CFR 164.402 as well as any Unauthorized Use or Disclosure of Patient Data or related information to the extent that applicable state law requires such Unauthorized Use or Disclosure to be reported to a state agency or disclosed to the individuals who are the subject of such information.
“Security Incident” has the definition set forth in 45 CFR 164.304 with respect to the Builder Services and your information systems, but for purposes of this Policy does not include an Access Attempt.
“Unauthorized Use or Disclosure” means any access, use or disclosure of Patient Data that is not permitted by the Builder Terms, the BAA, this Policy or Applicable Law.
B. Security of the Builder Services
- Zus BAA. At a minimum, we will comply with all the information security obligations which are applicable under the Zus BAA with regard to protection of PHI, including applicable provisions of the HIPAA Security Rule.
- Additional Safeguards. We may implement or require information security safeguards which we deem appropriate, including safeguards that include requirements or conditions for you to access and use the Builder Services (“Additional Safeguards”). These Additional Safeguards will not be less stringent than Applicable Law (including HIPAA) but may create obligations or responsibilities on you beyond minimum requirements of Applicable Law where we believe necessary to protect the Zus Platform and the Builder Services and create a safe environment for all Participants in the Zus Network.
- Your Remedies. If you reasonably determine that we have materially failed to comply with our obligations in this Section III(A), and that such failures create a material vulnerability affecting your information systems, you will promptly notify us of your determination and you may suspend or limit access or connectivity between the Builder Services and your information systems. Any such failures by us will be a curable breach under Section 9 of the Builder Terms. Upon receipt of any notice by you under this section, we will use our best efforts to come into compliance with our obligations under this Section A within the applicable cure period.
C. Builder Security Responsibilities
- Minimum Security Requirements. You will comply at all times with the following requirements, which are based upon and consistent with the standards required by the HIPAA Security Rule, whether or not you are a HIPAA Covered Entity or Business Associate, in building and managing your Application and information systems, and in administering access to your Application or the Builder Services by your users. You specifically agree that you will comply with the following practices:
a. User Clearance. You will maintain and follow policies and procedures for providing for reasonable and appropriate determination of the access privileges of Your Users.
b. User Authorization. You will maintain and follow policies and procedures for authorizing, suspending, and terminating the authorization of Your Users to access the Builder Services or otherwise access, use or disclose information through the Builder Services.
c. User Access Limitations; Minimum Necessary. You will maintain and follow policies and procedures requiring Your Users to limit their access to and use of the Builder Services or Your Application, as applicable, and any information available through the Builder Services in accordance with the HIPAA Minimum Necessary Standard, to the extent applicable, and the limitations and requirements of all other Applicable Law.
d. Acceptable Use Management. You will maintain and enforce appropriate acceptable use policies which are substantially consistent with the Zus Acceptable Use Policy in connection with your use of the Builder Services, your Application, information systems, workstations, and devices whereby Your Users access the Builder Services or any information from the Builder Services.
e. Access Controls. You will maintain appropriate administrative, physical and technical access control safeguards in accordance with the HIPAA Security Rule, or other industry best practices which are no less stringent than the HIPAA Security Rule if you are not a HIPAA Covered Entity or Business Associate, which are designed to prevent access by anyone other than Your Users to the Builder Services or any information from the Builder Services and to detect and respond to any such unauthorized activity.
f. Workstation and Device Management. You will maintain and follow policies and procedures for the authorization, secure operation, and disposal of all of the devices which you permit Your Users to use in order to access the Builder Services (each, an “Authorized Device”). We may, in our discretion, limit or prohibit the use of certain devices as Authorized Devices upon notice to you or by an update to the Builder Terms or this Policy.
g. User Training. You will conduct, and you will require all of Your Users to undergo, privacy and security training in accordance with the requirements of all Applicable Law, the Builder Terms, the Zus BAA, and Zus Policies.
h. Sanctions for Violations. You will apply sanctions and disciplinary procedures for Your Users or any other person subject to your authority for accessing or using the Builder Services in violation of Applicable Law, the Builder Terms, the Zus BAA, or Zus Policies.
i. Audit Trails. You will maintain audit logs for your transmission of all Patient Data (including both PHI and PII) to or from the Builder Services.
j. Software Management. You will maintain and enforce policies and procedures related to patch management and change management for hardware and software included in your Application and your information systems which access, or which may be used to access, the Builder Services or any information from the Builder Services.
k. Malware Protection. You will maintain up-to-date anti-virus and anti-malware software on all applicable components of your Application or information systems with access, or which may be used to access, the Builder Services or any information from the Builder Services.
l. Additional Safeguards. You will employ such Additional Safeguards that we may identify and require as described in Section III(A)(2) of this Policy.
- Zus Remedies. If we determine that your failure to comply with this Section III(B) creates a material vulnerability potentially affecting the confidentiality, integrity or availability of (i) the Builder Services or Zus Platform, (ii) our or your information systems, or (iii) any Patient Data, we will promptly notify you of our determination and we may, in our reasonable discretion, suspend or limit your access to or use of the Builder Services by your Application, information systems, or Authorized Devices, or by some or all of Your Users. Any such failure will be considered a curable breach under Section 9 of the Builder Terms. Upon receipt of a notice by us under these provisions, you will use your best efforts to come into compliance with the provisions of this Section III(B) within the applicable cure period. After you demonstrate to our reasonable satisfaction that you are in such compliance, we will discontinue your suspension or limitation of access to or use of the Builder Services. If you fail to take the action necessary to demonstrate such compliance to our reasonable satisfaction, we may proceed to terminate the Builder Terms and your access to or use of the Builder Services under Section 9 of the Builder Terms.
D. Mutual Responsibilities for Security Incidents and Breaches
- Monitoring.
a. Our Responsibility. We will monitor all activity, or ensure that activity is monitored, in (i) the Builder Services and Zus Platform, and (ii) any information system or facilities that we use to host, operate or manage the Builder Services or Zus Platform.
b. Your Responsibility. You will monitor all activity, or ensure that activity is monitored, in (i) your Application or information systems, (ii) Authorized Devices, and (iii) facilities where you may access the Builder Services or any information from the Builder Services.
- Investigations.
a. Zus Investigations. We will investigate any Unauthorized Use or Disclosure of your Patient Data and any Security Incident which may affect or have affected the Builder Services or any of your Patient Data promptly upon receiving notice from you or otherwise becoming aware of such an event. We will document the results of each such investigation.
b. Your Investigations. You will investigate any Unauthorized Use or Disclosure of your Patient Data received from the Builder Services and any Security Incident which may affect or have affected the Builder Services or any Patient Data received from the Builder Services promptly upon receiving notice from us or otherwise becoming aware of such an event. You will document the results of each such investigation.
c. Breach Determination. If we determine that an Unauthorized Disclosure of PHI constitutes a Breach, we will promptly notify you of this determination; provided that you will be responsible for making your own determination regarding whether the event constitutes a Breach upon receipt of the information we provide to you.
d. Cooperation. Each Party will reasonably cooperate with the other Party in their performance of investigations and determinations under this Policy, and in identifying and implementing measures to mitigate the harmful effects of any event and to prevent events of the same or similar type to the extent practicable.
- Reporting & Notifications.
a. Notice of Ongoing Access Attempts. You and Zus acknowledge and agree that Access Attempts fall under HIPAA’s definition of a Security Event but that our reporting and your review of information about Access Attempts would be materially burdensome to both parties without reducing risks to information systems or PHI of either Party.
b. Zus Reporting Requirement. We will require our employees and any applicable subcontractors to report to us any Security Incident (not including Access Attempts) and any Unauthorized Uses or Disclosures of PHI of which they become aware. We will report to you any Security Incident (not including Access Attempts) or Breach which affects your PHI within 5 business days of our determination or within the time period(s) set forth in the Zus BAA, whichever is shorter.
c. Your Reporting Requirement. You will require Your Users, your employees, and any subcontractors to report to you any Security Incident (not including Access Attempts) and Unauthorized Uses or Disclosures of PHI of which they become aware. You will report to us any Security Incident (not including Access Attempts) or Breach involving the Builder Services or Patient Data which comes from the Zus Platform within 5 business days of your becoming aware of such events.
d. Breach Notifications. You and Zus each acknowledge and agree that, as between you and Zus, you have the more direct relationship with the Patient who is the subject of the Patient Data used and disclosed through the Builder Services and Zus Platform. Accordingly, you will be responsible for providing notification of Breaches to the affected individuals, applicable regulatory authorities, and the media where required by law or elected by you. Any notification by you to affected individuals, regulatory authorities, or media shall be deemed a notification as well by Zus, and you will identify Zus as a notifying party in the notification, except to the extent that Zus may otherwise direct you in writing. In the event that you elect not to or fail to timely notify potentially affected individuals, regulatory authorities, or media as provided above, and we reasonably determine that it may be required by law to give such a notification, we may give the notification at our discretion.
e. Other Law Enforcement Notification. In case of any ambiguity, either you or Zus may notify appropriate law enforcement agencies in the event that you or we reasonably believe that an Unauthorized Use or Disclosure of PHI is the result of criminal activity.