FlowSure Health Terms & Conditions
Comprehensive Terms of Use with Enhanced Privacy, HIPAA, and State-Law Compliance for Healthcare Services
Agreement Overview
FlowSure Health — Terms of Use & Enhanced Privacy / HIPAA + State-Law Addendum
Effective Date: [Insert effective date]
These Terms & Conditions ("Terms") and the Privacy / HIPAA / State-Law Addendum (together, the "Agreement") govern the access, use, and provision of the services ("Services") by FlowSure Health to the Client (a hospital, health system, or other covered entity). If you do not agree with any part of this Agreement, you may not access or use the Services.
Enhanced Definitions
In addition to commonly used definitions (e.g. PHI, Covered Entity, Business Associate), the following enhanced definitions apply:
Sensitive Health Data
Any health-related data (beyond standard PHI) that receives elevated protection under state privacy laws, including but not limited to: reproductive health (abortion, contraception, pregnancy, infertility, miscarriage), gender-affirming care, genetic or biometric data, mental health diagnosis / treatment, substance abuse, sexual health, sexually transmitted infections, or other categories designated as sensitive under applicable state privacy or health law.
Consumer Health Data (CHD)
Health or wellness data that may not be strictly PHI under HIPAA but is regulated under state consumer privacy statutes (for example, data collected from mobile apps, devices, or health-adjacent systems).
Data Classification Standards
De-identified Data
"De-identified Data" means data stripped of direct and indirect identifiers so that re-identification is not reasonably possible, in conformity with the most stringent legal standard (e.g. HIPAA safe harbor, expert determination, and any stricter state anonymization rules).
Aggregate / Statistical Data
"Aggregate / Statistical Data" means summary or statistical compilations derived from PHI or CHD such that no individual is identifiable—even by combination—under the strictest re-identification risk standard.
Role Terminology
"Controller / Processor / Operator / Regulated Entity" shall be used to mirror terminology in state consumer privacy statutes. FlowSure Health may act as a Controller or Processor (or equivalent) for CHD and as Business Associate for PHI.
Scope of Services & Role Relationships
2.1 Services
FlowSure Health will perform automation, integration, workflow management, preauthorization / authorization interactions, document exchange, validation, monitoring, reporting, and related tasks as set forth in a Statement of Work or Order.
2.2 Role Allocation
  • To the extent FlowSure handles PHI on behalf of the Client (a covered entity or business associate), the HIPAA Addendum (Section 4) governs.
  • To the extent FlowSure collects or processes CHD (or Sensitive Health Data) not exclusively covered by HIPAA, FlowSure shall act as a Controller / Processor (or equivalent) under state privacy law and comply with applicable obligations (consent, opt-out, deletion, portability, etc.).
  • For overlapping regimes, the most stringent requirement (HIPAA or state law) governs.
Client Obligations & Representations
2.3 Client's Obligations & Representations
The Client must:
Legal Consents
Provide all legally required consents, authorizations, or notices to individuals to permit FlowSure's use and disclosure of PHI / CHD / Sensitive Health Data.
Data Minimization
Limit disclosures to the minimum necessary data elements for performance of the Services under the strictest standard.
Data Segmentation
Assist with segmentation or marking of sensitive data elements to prevent improper sharing or processing.
Compliance Alignment
Ensure its contractual, notice, and policy obligations align with supporting FlowSure's compliance under all jurisdictions served.
Regulatory Reporting
Promptly report to FlowSure any legal or regulatory demand, restriction, or order relating to data processed under this Agreement.
Privacy, Security & Data Protection
3.1 General Principles
Privacy by Design & Default
FlowSure shall embed privacy protections into all system designs and defaults (e.g. least-privilege defaults, encryption, segmentation, data minimization).
Data Minimization & Purpose Limitation
FlowSure may only collect, use, store, or disclose data that is strictly necessary to fulfill the Services, and only for explicitly defined purposes.
Segregation / Partitioning
Sensitive Health Data must be logically and physically segmented from other data flows.
Individual Rights & Transparency
Transparency & Individual Rights. To the maximum extent required under federal and state law, FlowSure shall support the following individual rights:
  • Right of access / inspection / copy
  • Right of correction / amendment
  • Right of deletion / erasure
  • Right of portability / data export
  • Right to object or opt-out of certain processing / sale / profiling
  • Right to withdraw consent
  • Right to appeal denials
Additional Requirements
  • Accountability & Auditability. Maintain logs, records of processing, risk assessments, privacy impact assessments, and compliance evidence.
  • Data Retention & Disposal. FlowSure shall retain data only as long as necessary for the Services, then securely destroy or de-identify it. Where retention is required by law, deletion shall occur at the earliest permissible time.
  • Cross-Border Controls & Jurisdictional Safeguards. If any data is processed or stored outside a U.S. jurisdiction, FlowSure must implement appropriate safeguards (e.g. strong encryption, contractual controls, compliance with U.S. law, and legal ability to resist improper foreign access).
  • Third-Party / Subcontractor Controls. FlowSure may only engage subcontractors after conducting due diligence. All subcontractors must be bound by contract to comply with equivalent obligations and audit rights.
HIPAA / HITECH Addendum
3.2 HIPAA / HITECH Addendum (Maximum Standard)
FlowSure agrees to the following, in addition to general provisions above:
Safeguards
Implementation of administrative, physical, and technical safeguards consistent with the HIPAA Security Rule and any state security laws (e.g. encryption in transit and at rest, least privilege, periodic vulnerability assessment, intrusion detection, multifactor authentication).
Minimum Necessary
FlowSure shall limit use or disclosure of PHI to the minimum necessary to perform the Service.
Segmentation & Filtering
Where possible, FlowSure should support segmentation or flagging of PHI subsets (particularly Sensitive Health Data) so that downstream systems can apply more restrictive controls.
Access, Amendment & Accounting
Upon request, FlowSure shall support individual access, amendment, and accounting of disclosures in accordance with HIPAA and any augmenting state laws.
Breach Notification & Data Management
Breach Notification
FlowSure shall notify Client without unreasonable delay (and in no event later than 60 days) after it becomes aware of a breach of unsecured PHI, including details sufficient for Client to meet its regulatory obligations.
Return / Destruction
Upon termination or expiration, FlowSure shall either return or securely destroy all PHI (or de-identify) and certify such destruction if requested.
Audit / Inspection Rights
Client and its agents may audit FlowSure's compliance (with reasonable notice and scope limits).
Penalties & Sanctions
FlowSure shall be liable for penalties, fines, or damages arising from its failure to comply with HIPAA obligations, subject to the limitations in this Agreement.
State & Consumer Privacy Laws
3.3 State & Consumer Privacy / Sensitive Data Laws
To comply with the strictest regimes across U.S. states, FlowSure will embed the following additional measures:
Strictest Consent Requirements
For Sensitive Health Data or CHD, require explicit, informed, affirmative consent before collection, use, or disclosure (unless another lawful basis is stronger in a given jurisdiction).
No Sale Without Consent
FlowSure will not "sell" or "distribute" data for marketing or profiling without explicit opt-in where required by state law.
Geofencing Restrictions
In jurisdictions that restrict geofencing (e.g. Washington's My Health My Data Act), FlowSure shall disable geofencing or location-based targeting relating to Sensitive Health Data.
Enhanced Data Protection Measures
State-Specific Barriers
State-Specific Barriers on Reproductive / Gender-Affirming Data Transfers. Where state laws restrict cross-state sharing of reproductive or gender-affirming health data, FlowSure shall refrain from transferring or disclosing such data without explicit patient consent and legal review.
Enhanced De-identification
Enhanced De-identification / Aggregation Standards. Use the strictest de-identification standard applicable (HIPAA, state, or expert method) before using data for analytics, benchmarking, or training.
Jurisdiction Compliance & Legal Exposure
Local Jurisdiction Compliance
FlowSure shall monitor and comply with applicable state health privacy laws (e.g. California CMIA, Texas Medical Records Privacy Act, Washington My Health My Data) and comply with whichever is stricter.
Private Right of Action
Private Right of Action & Penalty Exposure. In states where individuals may sue over privacy violations (e.g. under consumer privacy statutes), FlowSure accepts that risk and will indemnify the Client where such suits arise from FlowSure's data processing.
License, Use & Intellectual Property
Client License
FlowSure grants the Client a nonexclusive, nontransferable license to use software, APIs, and deliverables internally, solely for Client's operations.
FlowSure Ownership
FlowSure retains ownership of its proprietary algorithms, models, tools, and system architecture.
Data Insights
FlowSure may, under strict privacy constraints (only with de-identified / aggregate data), use derived insights, patterns, or models for improvement, so long as no client or individual can be re-identified.
Representations, Warranties & Disclaimers
5.1 Mutual Representations
Each party has authority to enter this Agreement and will comply with all applicable laws in performance.
5.2 Client Representations
Client represents (i) that it has obtained all authorizations, consents, or legal basis to disclose data to FlowSure; (ii) that the data requested is accurate and sufficient for FlowSure's performance; (iii) that it will provide reasonable assistance to FlowSure in compliance matters.
5.3 FlowSure Warranties
FlowSure warrants that it will (i) comply with this Agreement including the highest applicable legal standards; (ii) implement security and privacy measures consistent with the strictest applicable regime; (iii) use reasonable care in performing Services.
5.4 Disclaimer
Except as expressly stated, FlowSure disclaims all other warranties, including implied warranties of merchantability or fitness.
Indemnification & Liability
Client Indemnification
6.1 Client Indemnification. Client shall defend, indemnify, and hold harmless FlowSure and its affiliates against claims arising from (a) Client's failure to obtain necessary consents or authorizations; (b) inappropriate use of the Services beyond permitted scope; (c) Client's breach of representations.
FlowSure Indemnification
6.2 FlowSure Indemnification. FlowSure shall defend, indemnify, and hold harmless Client from claims, penalties, or liabilities arising from FlowSure's breach of its privacy, security, or data handling obligations under this Agreement, including under HIPAA or state consumer privacy statutes.
Limitation of Liability
6.3 Limitation of Liability (Subject to Modification). Except for damages arising from willful misconduct, gross negligence, breach of data privacy / security obligations, or indemnifiable matters, neither party shall be liable for indirect, incidental, consequential, punitive, or special damages. In no event shall either party's aggregate liability exceed the total fees paid by Client in the prior 12 months (or another agreed cap).
Termination & Survival
7.1 Term
This Agreement begins on the Effective Date and continues until terminated by either party per the terms.
7.2 Termination for Cause
Either party may terminate upon a material breach (including of any privacy or security obligation) if the other fails to cure within 30 days of written notice.
7.3 Effect of Termination
Upon termination:
  • FlowSure shall cease using PHI / CHD except to the extent necessary for safe transition.
  • FlowSure shall return or securely destroy (or de-identify) all data and certify destruction or de-identification.
  • Surviving obligations (indemnities, confidentiality, data obligations, audits) shall continue in force.
Confidentiality
Each party shall maintain in confidence all nonpublic information disclosed under this Agreement (including all data, systems, protocols, models, business processes). Disclosure only as required to perform obligations or as required by law (with notice to the other party unless legally prohibited).
Notices, Enforcement & Compliance
9.1 Governing Law & Venue
To address state-law variation, the governing law shall be that of the jurisdiction specified by the Client's primary place of operations; but the stricter state law obligations still govern as to data of individuals in stricter states.
9.2 Amendments
FlowSure may update these Terms with 60 days' advance notice. New versions become effective unless Client objects in writing within 30 days.
9.3 Severability
If any part is held invalid by a court, the remainder stays in effect under the strictest interpretation compatible with intent.
9.4 Assignment
Neither party may assign without consent, except to a successor in interest in merger, acquisition, or sale of business.
9.5 Notices
Notices are to be sent in writing to designated contacts; complaints or privacy breach notices may be sent to legal@flowsurehealth.com.
9.6 Third-Party Rights
Only the parties to this Agreement have rights hereunder, except where expressly stated.