For questions or concerns please contact support@healthonyourtime.com or use the contact form here.

Consumer Legal Information

Disclaimer:

 WE PROVIDE THE SITE AND THE CONTENT TO YOU “AS IS” AND “AS AVAILABLE.” WE TRY TO KEEP THE SITE UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK. TO THE FULLEST EXTENT PERMISSIBLE BY LAW, AND TO THE EXTENT THAT APPLICABLE LAW PERMITS THE DISCLAIMER OF EXPRESS OR IMPLIED WARRANTIES, WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTY OF TITLE, NON-INFRINGEMENT, ACCURACY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR WARRANTIES THAT MAY ARISE FROM COURSE OF DEALING OR COURSE OF PERFORMANCE OR USAGE OF TRADE. WE DO NOT GUARANTEE THAT THE SITE WILL ALWAYS BE SAFE, SECURE, OR ERROR-FREE, OR THAT THE SITE WILL ALWAYS FUNCTION WITHOUT DISRUPTIONS, DELAYS, OR IMPERFECTIONS. WE ARE NOT RESPONSIBLE FOR THE ACTIONS OR INFORMATION OF THIRD PARTIES, AND YOU RELEASE US FROM ANY CLAIMS AND DAMAGES, KNOWN AND UNKNOWN, ARISING OUT OF OR IN ANY WAY CONNECTED WITH ANY CLAIM YOU HAVE AGAINST ANY SUCH THIRD PARTIES.

WE MAKE NO REPRESENTATIONS WHATSOEVER ABOUT THE QUALITY OR QUALIFICATION OF ANY EXPERT YOU MAY ENCOUNTER AS A RESULT OF YOUR PARTICIPATION IN HEALTH ON YOUR TIME.  EXPERTS ARE NOT CREDENTIALED OR REVIEWED BY HEALTH ON YOUR TIME, AND THEIR QUALIFICATIONS (if any) LISTED HEREIN MERELY ARE A RECITATION OF THE SAME PROVIDED BY THE EXPERT. 

  • Consumers and Experts will be required to give a 10-minute grace period for the start of the meeting.
  • If the Consumer is late, the Expert will not be required to extend the original visit time.
  • If the Expert is late, they will be expected to extend the original visit time.
  • If an Expert does not show for the scheduled visit within 10 minutes of the scheduled start time, the Consumer must email HOYT at support@healthonyourtime.com before the end time of the scheduled visit to request a refund. HOYT will then investigate the event.
  • If a Consumer does not show for the scheduled visit, they are not entitled to a refund.
  • Any reschedule or cancellation will occur between the Expert and the Consumer outside of the HOYT platform. If the time of your initially scheduled visit is changed via communication with the Expert, HOYT will not honor the late or no-show and refund policies.

Last Modified: 10/1/2020 

Acceptance of the Terms of Use

These terms of use are entered into by and between You and Health on Your Time, LLC (“Company,” “we,” or “us”). The following terms and conditions, together with any documents they expressly incorporate by reference (collectively, “Terms of Use”), govern your access to and use of www.healthyonyourtime.com, including any content, functionality, and services offered on or through www.healthyonyourtime.com (the “Website”), whether as a guest or a registered user.

Please read the Terms of Use carefully before you start to use the Website. By using the Website, you accept and agree to be bound and abide by these Terms of Use and our Privacy Policy, found at https://www.healthonyourtime.com/privacy-policy/, incorporated herein by reference. If you do not want to agree to these Terms of Use or the Privacy Policy, you must not access or use the Website. 

This Website is offered and available to users who are 18 years of age or older and reside in the United States or any of its territories or possessions.  By using this Website, you represent and warrant that you are of legal age to form a binding contract with the Company and meet all of the foregoing eligibility requirements. If you do not meet all of these requirements, you must not access or use the Website. 

Changes to the Terms of Use

We may revise and update these Terms of Use from time to time in our sole discretion. All changes are effective immediately when we post them, and apply to all access to and use of the Website thereafter.  However, any changes to the dispute resolution provisions set out in Governing Law and Jurisdiction will not apply to any disputes for which the parties have actual notice on or before the date the change is posted on the Website. 

Your continued use of the Website following the posting of revised Terms of Use means that you accept and agree to the changes. You are expected to check this page frequently so you are aware of any changes, as they are binding on you. 

Accessing the Website and Account Security

We reserve the right to withdraw or amend this Website, and any service or material we provide on the Website, in our sole discretion without notice.  We will not be liable if for any reason all or any part of the Website is unavailable at any time or for any period.  From time to time, we may restrict access to some parts of the Website, or the entire Website, to users, including registered users.

You are responsible for both:

  • Making all arrangements necessary for you to have access to the Website.
  • Ensuring that all persons who access the Website through your internet connection are aware of these Terms of Use and comply with them.

To access the Website or some of the resources it offers, you may be asked to provide certain registration details or other information.  It is a condition of your use of the Website that all the information you provide on the Website is correct, current, and complete.  You agree that all information you provide to register with this Website or otherwise, including, but not limited to, through the use of any interactive features on the Website, is governed by our Privacy Policy (https://www.healthonyourtime.com/privacy-policy/), and you consent to all actions we take with respect to your information consistent with our Privacy Policy.

If you choose, or are provided with, a user name, password, or any other piece of information as part of our security procedures, you must treat such information as confidential, and you must not disclose it to any other person or entity.  You also acknowledge that your account is personal to you and agree not to provide any other person with access to this Website or portions of it using your user name, password, or other security information.  You agree to notify us immediately of any unauthorized access to or use of your user name or password or any other breach of security.  You also agree to ensure that you exit from your account at the end of each session.  You should use particular caution when accessing your account from a public or shared computer so that others are not able to view or record your password or other personal information.

We have the right to disable any user name, password, or other identifier, whether chosen by you or provided by us, at any time in our sole discretion for any or no reason, including if, in our opinion, you have violated any provision of these Terms of Use.

Intellectual Property Rights

The Website and its entire contents, features, and functionality (including but not limited to all information, software, text, displays, images, video, and audio, and the design, selection, and arrangement thereof) are owned by the Company, its licensors, or other providers of such material and are protected by United States and international copyright, trademark, patent, trade secret, and other intellectual property or proprietary rights laws.

These Terms of Use permit you to use the Website for your personal, non-commercial use only. You must not reproduce, distribute, modify, create derivative works of, publicly display, publicly perform, republish, download, store, or transmit any of the material on our Website, except as follows:

  • Your computer may temporarily store copies of such materials in RAM incidental to your accessing and viewing those materials.
  • You may store files that are automatically cached by your Web browser for display enhancement purposes.
  • You may print or download one copy of a reasonable number of pages of the Website for your own personal, non-commercial use and not for further reproduction, publication, or distribution.
  • If we provide desktop, mobile, or other applications for download, you may download a single copy to your computer or mobile device solely for your own personal, non-commercial use, provided you agree to be bound by our end user license agreement for such applications.

You must not:

  • Modify copies of any materials from this site.
  • Use any illustrations, photographs, video or audio sequences, or any graphics separately from the accompanying text.
  • Delete or alter any copyright, trademark, or other proprietary rights notices from copies of materials from this site.

You must not access or use for any commercial purposes any part of the Website or any services or materials available through the Website. 

If you print, copy, modify, download, or otherwise use or provide any other person with access to any part of the Website in breach of the Terms of Use, your right to use the Website will stop immediately and you must, at our option, return or destroy any copies of the materials you have made.  No right, title, or interest in or to the Website or any content on the Website is transferred to you, and all rights not expressly granted are reserved by the Company.  Any use of the Website not expressly permitted by these Terms of Use is a breach of these Terms of Use and may violate copyright, trademark, and other laws.

Trademarks

The Company name, the terms HOYT™, and all related names, logos, product and service names, designs, and slogans are trademarks of the Company or its affiliates or licensors. You must not use such marks without the prior written permission of the Company. All other names, logos, product and service names, designs, and slogans on this Website are the trademarks of their respective owners.

Prohibited Uses

You may use the Website only for lawful purposes and in accordance with these Terms of Use. You agree not to use the Website:

  • In any way that violates any applicable federal, state, local, or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the US or other countries). 
  • For the purpose of exploiting, harming, or attempting to exploit or harm minors in any way by exposing them to inappropriate content, asking for personally identifiable information, or otherwise.
  • To send, knowingly receive, upload, download, use, or re-use any material that does not comply with the Content Standards set out in these Terms of Use.
  • To transmit, or procure the sending of, any advertising or promotional material without our prior written consent, including any “junk mail,” “chain letter,” “spam,” or any other similar solicitation.
  • To impersonate or attempt to impersonate the Company, a Company employee, another user, or any other person or entity (including, without limitation, by using email addresses or screen names associated with any of the foregoing).
  • To engage in any other conduct that restricts or inhibits anyone’s use or enjoyment of the Website, or which, as determined by us, may harm the Company or users of the Website, or expose them to liability.

Additionally, you agree not to:

  • Use the Website in any manner that could disable, overburden, damage, or impair the site or interfere with any other party’s use of the Website, including their ability to engage in real time activities through the Website.
  • Use any robot, spider, or other automatic device, process, or means to access the Website for any purpose, including monitoring or copying any of the material on the Website.
  • Use any manual process to monitor or copy any of the material on the Website, or for any other purpose not expressly authorized in these Terms of Use, without our prior written consent.
  • Use any device, software, or routine that interferes with the proper working of the Website.
  • Introduce any viruses, Trojan horses, worms, logic bombs, or other material that is malicious or technologically harmful.
  • Attempt to gain unauthorized access to, interfere with, damage, or disrupt any parts of the Website, the server on which the Website is stored, or any server, computer, or database connected to the Website. 
  • Attack the Website via a denial-of-service attack or a distributed denial-of-service attack.
  • Otherwise attempt to interfere with the proper working of the Website.

User Contributions

The Website may contain message boards, chat rooms, personal web pages or profiles, forums, bulletin boards, and other interactive features (collectively, “Interactive Services”) that allow users to post, submit, publish, display, or transmit to other users or other persons (hereinafter, “post”) content or materials (collectively, “User Contributions”) on or through the Website.

All User Contributions must comply with the Content Standards set out in these Terms of Use.

Any User Contribution you post to the site will be considered non-confidential and non-proprietary. By providing any User Contribution on the Website, you grant us and our affiliates and service providers, and each of their and our respective licensees, successors, and assigns the right to use, reproduce, modify, perform, display, distribute, and otherwise disclose to third parties any such material for any purpose. 

You represent and warrant that: 

  • You own or control all rights in and to the User Contributions and have the right to grant the license granted above to us and our affiliates and service providers, and each of their and our respective licensees, successors, and assigns.
  • All of your User Contributions do and will comply with these Terms of Use. 

You understand and acknowledge that you are responsible for any User Contributions you submit or contribute, and you, not the Company, have full responsibility for such content, including its legality, reliability, accuracy, and appropriateness.

We are not responsible or liable to any third party for the content or accuracy of any User Contributions posted by you or any other user of the Website. 

Monitoring and Enforcement; Termination

We have the right to:

  • Remove or refuse to post any User Contributions for any or no reason in our sole discretion.
  • Take any action with respect to any User Contribution that we deem necessary or appropriate in our sole discretion, including if we believe that such User Contribution violates the Terms of Use, including the Content Standards, infringes any intellectual property right or other right of any person or entity, threatens the personal safety of users of the Website or the public, or could create liability for the Company.
  • Disclose your identity or other information about you to any third party who claims that material posted by you violates their rights, including their intellectual property rights or their right to privacy.
  • Take appropriate legal action, including without limitation, referral to law enforcement, for any illegal or unauthorized use of the Website. 
  • Terminate or suspend your access to all or part of the Website for any or no reason, including without limitation, any violation of these Terms of Use.

Without limiting the foregoing, we have the right to cooperate fully with any law enforcement authorities or court order requesting or directing us to disclose the identity or other information of anyone posting any materials on or through the Website. YOU WAIVE AND HOLD HARMLESS THE COMPANY AND ITS AFFILIATES, LICENSEES, AND SERVICE PROVIDERS FROM ANY CLAIMS RESULTING FROM ANY ACTION TAKEN BY ANY OF THE FOREGOING PARTIES DURING, OR TAKEN AS A CONSEQUENCE OF, INVESTIGATIONS BY EITHER SUCH PARTIES OR LAW ENFORCEMENT AUTHORITIES.

However, we cannot review material before it is posted on the Website, and cannot ensure prompt removal of objectionable material after it has been posted.  Accordingly, we assume no liability for any action or inaction regarding transmissions, communications, or content provided by any user or third party. We have no liability or responsibility to anyone for performance or nonperformance of the activities described in this section. 

Content Standards

These content standards apply to any and all User Contributions and use of Interactive Services. User Contributions must in their entirety comply with all applicable federal, state, local, and international laws and regulations. Without limiting the foregoing, User Contributions must not:

  • Contain any material that is defamatory, obscene, indecent, abusive, offensive, harassing, violent, hateful, inflammatory, or otherwise objectionable.
  • Promote sexually explicit or pornographic material, violence, or discrimination based on race, sex, religion, nationality, disability, sexual orientation, or age.
  • Infringe any patent, trademark, trade secret, copyright, or other intellectual property or other rights of any other person.
  • Violate the legal rights (including the rights of publicity and privacy) of others or contain any material that could give rise to any civil or criminal liability under applicable laws or regulations or that otherwise may be in conflict with these Terms of Use and our Privacy Policy (https://www.healthonyourtime.com/privacy-policy/).
  • Be likely to deceive any person.
  • Promote any illegal activity, or advocate, promote, or assist any unlawful act.
  • Cause annoyance, inconvenience, or needless anxiety or be likely to upset, embarrass, alarm, or annoy any other person.
  • Impersonate any person, or misrepresent your identity or affiliation with any person or organization. 
  • Involve commercial activities or sales, such as contests, sweepstakes, and other sales promotions, barter, or advertising.
  • Give the impression that they emanate from or are endorsed by us or any other person or entity, if this is not the case.

Copyright Policy

Reporting Claims of Copyright Infringement

We take claims of copyright infringement seriously.  We will respond to notices of alleged copyright infringement that comply with applicable law.  If you believe any materials accessible on or from this Website infringe your copyright, you may request removal of those materials (or access to them) from the Website by submitting written notification to our copyright agent designated below.  In accordance with the Online Copyright Infringement Liability Limitation Act of the Digital Millennium Copyright Act (17 U.S.C. § 512) (“DMCA”), the written notice (the “DMCA Notice”) must include substantially the following:

  • Your physical or electronic signature.
  • Identification of the copyrighted work you believe to have been infringed or, if the claim involves multiple works on the Website, a representative list of such works.
  • Identification of the material you believe to be infringing in a sufficiently precise manner to allow us to locate that material.
  • Adequate information by which we can contact you (including your name, postal address, telephone number, and, if available, email address).
  • A statement that you have a good faith belief that use of the copyrighted material is not authorized by the copyright owner, its agent, or the law.
  • A statement that the information in the written notice is accurate.
  • A statement, under penalty of perjury, that you are authorized to act on behalf of the copyright owner.

Our designated copyright agent to receive DMCA Notices is:

Benjamin Burge
Rupp Baase Pfalzgraf Cunningham, LLC
1600 Liberty Building Buffalo, NY 14202
716-854-3400

If you fail to comply with all of the requirements of Section 512(c)(3) of the DMCA, your DMCA Notice may not be effective.

Please be aware that if you knowingly materially misrepresent that material or activity on the Website is infringing your copyright, you may be held liable for damages (including costs and attorneys’ fees) under Section 512(f) of the DMCA.

Counter Notification Procedures

If you believe that material you posted on the Website was removed or access to it was disabled by mistake or misidentification, you may file a counter notification with us (a “Counter Notice”) by submitting written notification to our copyright agent designated above. Pursuant to the DMCA, the Counter Notice must include substantially the following:

  • Your physical or electronic signature.
  • An identification of the material that has been removed or to which access has been disabled and the location at which the material appeared before it was removed or access disabled. 
  • Adequate information by which we can contact you (including your name, postal address, telephone number, and, if available, email address).
  • A statement under penalty of perjury by you that you have a good faith belief that the material identified above was removed or disabled as a result of a mistake or misidentification of the material to be removed or disabled.
  • A statement that you will consent to the jurisdiction of the Federal District Court for the judicial district in which your address is located (or if you reside outside the United States for any judicial district in which the Website may be found) and that you will accept service from the person (or an agent of that person) who provided the Website with the complaint at issue.

The DMCA allows us to restore the removed content if the party filing the original DMCA Notice does not file a court action against you within ten business days of receiving the copy of your Counter Notice.

Please be aware that if you knowingly materially misrepresent that material or activity on the Website was removed or disabled by mistake or misidentification, you may be held liable for damages (including costs and attorneys’ fees) under Section 512(f) of the DMCA.

Repeat Infringers

It is Company policy in appropriate circumstances to disable and/or terminate the accounts of users who are repeat infringers.

Reliance on Information Posted

The information presented on or through the Website is made available solely for general information purposes. We do not warrant the accuracy, completeness, or usefulness of this information. Any reliance you place on such information is strictly at your own risk. We disclaim all liability and responsibility arising from any reliance placed on such materials by you or any other visitor to the Website, or by anyone who may be informed of any of its contents.

This Website may include content provided by third parties, including materials provided by other users, bloggers, and third-party licensors, syndicators, aggregators, and/or reporting services. All statements and/or opinions expressed in these materials, and all articles and responses to questions and other content, other than the content provided by the Company, are solely the opinions and the responsibility of the person or entity providing those materials. These materials do not necessarily reflect the opinion of the Company. We are not responsible, or liable to you or any third party, for the content or accuracy of any materials provided by any third parties.

Changes to the Website

We may update the content on this Website from time to time, but its content is not necessarily complete or up-to-date. Any of the material on the Website may be out of date at any given time, and we are under no obligation to update such material. 

Information About You and Your Visits to the Website

All information we collect on this Website is subject to our Privacy Policy (https://www.healthonyourtime.com/privacy-policy/). By using the Website, you consent to all actions taken by us with respect to your information in compliance with the Privacy Policy. 

Online Purchases and Other Terms and Conditions

All purchases through our site or other transactions for the sale of services or information formed through the Website, or resulting from visits made by you, are governed by our Terms of Sale (https://www.healthonyourtime.com/privacy-policy/), which are hereby incorporated into these Terms of Use.

Additional terms and conditions may also apply to specific portions, services, or features of the Website. All such additional terms and conditions are hereby incorporated by this reference into these Terms of Use.

Linking to the Website and Social Media Features

You may link to our homepage, provided you do so in a way that is fair and legal and does not damage our reputation or take advantage of it, but you must not establish a link in such a way as to suggest any form of association, approval, or endorsement on our part. 

This Website may provide certain social media features that enable you to:

  • Link from your own or certain third-party websites to certain content on this Website.
  • Send emails or other communications with certain content, or links to certain content, on this Website.
  • Cause limited portions of content on this Website to be displayed or appear to be displayed on your own or certain third-party websites.

You may use these features solely as they are provided by us, and solely with respect to the content they are displayed with, and otherwise in accordance with any additional terms and conditions we provide with respect to such features. Subject to the foregoing, you must not:

  • Establish a link from any website that is not owned by you.
  • Cause the Website or portions of it to be displayed on, or appear to be displayed by, any other site, for example, framing, deep linking, or in-line linking.
  • Link to any part of the Website other than the homepage.
  • Otherwise take any action with respect to the materials on this Website that is inconsistent with any other provision of these Terms of Use.

The website from which you are linking, or on which you make certain content accessible, must comply in all respects with the Content Standards set out in these Terms of Use.

You agree to cooperate with us in causing any unauthorized framing or linking immediately to stop. We reserve the right to withdraw linking permission without notice.

We may disable all or any social media features and any links at any time without notice in our discretion. 

Links from the Website

If the Website contains links to other sites and resources provided by third parties, these links are provided for your convenience only. This includes links contained in advertisements, including banner advertisements and sponsored links. We have no control over the contents of those sites or resources, and accept no responsibility for them or for any loss or damage that may arise from your use of them. If you decide to access any of the third-party websites linked to this Website, you do so entirely at your own risk and subject to the terms and conditions of use for such websites.

Geographic Restrictions

The owner of the Website is based in the State of Delaware in the United States. We provide this Website for use only by persons located in the United States. We make no claims that the Website or any of its content is accessible or appropriate outside of the United States. Access to the Website may not be legal by certain persons or in certain countries. If you access the Website from outside the United States, you do so on your own initiative and are responsible for compliance with local laws.

Disclaimer of Warranties

You understand that we cannot and do not guarantee or warrant that files available for downloading from the internet or the Website will be free of viruses or other destructive code. You are responsible for implementing sufficient procedures and checkpoints to satisfy your particular requirements for anti-virus protection and accuracy of data input and output, and for maintaining a means external to our site for any reconstruction of any lost data. TO THE FULLEST EXTENT PROVIDED BY LAW, WE WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY A DISTRIBUTED DENIAL-OF-SERVICE ATTACK, VIRUSES, OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR COMPUTER EQUIPMENT, COMPUTER PROGRAMS, DATA, OR OTHER PROPRIETARY MATERIAL DUE TO YOUR USE OF THE WEBSITE OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE OR TO YOUR DOWNLOADING OF ANY MATERIAL POSTED ON IT, OR ON ANY WEBSITE LINKED TO IT.

YOUR USE OF THE WEBSITE, ITS CONTENT, AND ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE IS AT YOUR OWN RISK. THE WEBSITE, ITS CONTENT, AND ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. NEITHER THE COMPANY NOR ANY PERSON ASSOCIATED WITH THE COMPANY MAKES ANY WARRANTY OR REPRESENTATION WITH RESPECT TO THE COMPLETENESS, SECURITY, RELIABILITY, QUALITY, ACCURACY, OR AVAILABILITY OF THE WEBSITE. WITHOUT LIMITING THE FOREGOING, NEITHER THE COMPANY NOR ANYONE ASSOCIATED WITH THE COMPANY REPRESENTS OR WARRANTS THAT THE WEBSITE, ITS CONTENT, OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE WILL BE ACCURATE, RELIABLE, ERROR-FREE, OR UNINTERRUPTED, THAT DEFECTS WILL BE CORRECTED, THAT OUR SITE OR THE SERVER THAT MAKES IT AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR THAT THE WEBSITE OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE WILL OTHERWISE MEET YOUR NEEDS OR EXPECTATIONS. 

TO THE FULLEST EXTENT PROVIDED BY LAW, THE COMPANY HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR PARTICULAR PURPOSE.

THE FOREGOING DOES NOT AFFECT ANY WARRANTIES THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.

Limitation on Liability

TO THE FULLEST EXTENT PROVIDED BY LAW, IN NO EVENT WILL THE COMPANY, ITS AFFILIATES, OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS, OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE WEBSITE, ANY WEBSITES LINKED TO IT, ANY CONTENT ON THE WEBSITE OR SUCH OTHER WEBSITES, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT, OR OTHERWISE, EVEN IF FORESEEABLE. 

THE FOREGOING DOES NOT AFFECT ANY LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.

Indemnification

You agree to defend, indemnify, and hold harmless the Company, its affiliates, licensors, and service providers, and its and their respective officers, directors, employees, contractors, agents, licensors, suppliers, successors, and assigns from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses, or fees (including reasonable attorneys’ fees) arising out of or relating to your violation of these Terms of Use or your use of the Website, including, but not limited to, your User Contributions, any use of the Website’s content, services, and products other than as expressly authorized in these Terms of Use, or your use of any information obtained from the Website.

Governing Law and Jurisdiction

All matters relating to the Website and these Terms of Use, and any dispute or claim arising therefrom or related thereto (in each case, including non-contractual disputes or claims), shall be governed by and construed in accordance with the internal laws of the State of Delaware without giving effect to any choice or conflict of law provision or rule (whether of the State of Delaware or any other jurisdiction).

Except as set forth herein, any legal suit, action, or proceeding arising out of, or related to, these Terms of Use or the Website shall be instituted exclusively in the federal courts of the United States or the courts of the State of Delaware, although we retain the right to bring any suit, action, or proceeding against you for breach of these Terms of Use in your country of residence or any other relevant country. You waive any and all objections to the exercise of jurisdiction over you by such courts and to venue in such courts.

Arbitration

At Company’s sole discretion, it may require You to submit any disputes arising from these Terms of Use or use of the Website, including disputes arising from or concerning their interpretation, violation, invalidity, non-performance, or termination, to final and binding arbitration under the Rules of Arbitration of the American Arbitration Association applying Delaware law.

Limitation on Time to File Claims

ANY CAUSE OF ACTION OR CLAIM YOU MAY HAVE ARISING OUT OF OR RELATING TO THESE TERMS OF USE OR THE WEBSITE MUST BE COMMENCED WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES; OTHERWISE, SUCH CAUSE OF ACTION OR CLAIM IS PERMANENTLY BARRED.

Waiver and Severability

No waiver by the Company of any term or condition set out in these Terms of Use shall be deemed a further or continuing waiver of such term or condition or a waiver of any other term or condition, and any failure of the Company to assert a right or provision under these Terms of Use shall not constitute a waiver of such right or provision.

If any provision of these Terms of Use is held by a court or other tribunal of competent jurisdiction to be invalid, illegal, or unenforceable for any reason, such provision shall be eliminated or limited to the minimum extent such that the remaining provisions of the Terms of Use will continue in full force and effect. 

Entire Agreement

The Terms of Use, our Privacy Policy, and Terms of Sale constitute the sole and entire agreement between you and Health on Your Time, LLC regarding the Website and supersede all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, regarding the Website. 

Your Comments and Concerns

This website is operated by Health on Your Time, LLC.

All notices of copyright infringement claims should be sent to the copyright agent designated in our Copyright Policy in the manner and by the means set out therein.

All other feedback, comments, requests for technical support, and other communications relating to the Website should be directed to: support@healthonyourtime.com

HEALTH ON YOUR TIME, LLC TERMS AND CONDITIONS FOR THE ONLINE SALE OF SERVICES 

  • THIS DOCUMENT CONTAINS VERY IMPORTANT INFORMATION REGARDING YOUR RIGHTS AND OBLIGATIONS, AS WELL AS CONDITIONS, LIMITATIONS, AND EXCLUSIONS THAT MIGHT APPLY TO YOU.  PLEASE READ IT CAREFULLY. 

THESE TERMS REQUIRE THE USE OF ARBITRATION ON AN INDIVIDUAL BASIS TO RESOLVE DISPUTES, RATHER THAN JURY TRIALS OR CLASS ACTIONS. 

BY PLACING AN ORDER FOR PRODUCTS OR SERVICES FROM THIS WEBSITE, YOU AFFIRM THAT YOU ARE OF LEGAL AGE TO ENTER INTO THIS AGREEMENT, AND YOU ACCEPT AND ARE BOUND BY THESE TERMS AND CONDITIONS. 

YOU MAY NOT ORDER OR OBTAIN SERVICES FROM THIS WEBSITE IF YOU (A) DO NOT AGREE TO THESE TERMS, (B) ARE NOT THE OLDER OF (i) AT LEAST 18 YEARS OF AGE OR (ii) LEGAL AGE TO FORM A BINDING CONTRACT WITH HEALTH ON YOUR TIME, LLC, OR (C) ARE PROHIBITED FROM ACCESSING OR USING THIS WEBSITE OR ANY OF THIS WEBSITE’S CONTENTS OR SERVICES BY APPLICABLE LAW.

These terms and conditions (these “Terms”) apply to the purchase and sale of services through https://www.healthonyourtime.com (the “Site”). These Terms are subject to change by Health on Your Time, LLC (referred to as “us”, “we”, or “our” as the context may require) without prior written notice at any time, in our sole discretion. Any changes to the Terms will be in effect as of the “Last Updated Date” referenced on the Site. You should review these Terms prior to purchasing any services that are available through this Site. Your continued use of this Site after the “Last Updated Date” will constitute your acceptance of and agreement to such changes.

These Terms are an integral part of the Website Terms of Use that apply generally to the use of our Site. You should also carefully review our Privacy Policy before placing an order for products or services through this Site (see Section 7).

  1. Order Acceptance and Cancellation. You agree that your order is an offer to buy, under these Terms, all products and services listed in your order. All orders must be accepted by us or we will not be obligated to sell the products or services to you. We may choose not to accept orders at our sole discretion, even after we send you a confirmation email with your order number and details of the items you have ordered. 
  2. Prices and Payment Terms
    1. All prices, discounts, and promotions posted on this Site are subject to change without notice. The price charged for a service will be the price in effect at the time the order is placed and will be set out in your order confirmation email. Price increases will only apply to orders placed after such changes. Posted prices do not include taxes or charges for shipping and handling.  All such taxes and charges will be added to your total, and will be itemized in your shopping cart and in your order confirmation email. We strive to display accurate price information, however we may, on occasion, make inadvertent typographical errors, inaccuracies, or omissions related to pricing and availability. We reserve the right to correct any errors, inaccuracies, or omissions at any time and to cancel any orders arising from such occurrences.
    2. We may offer from time to time promotions on the Site that may affect pricing and that are governed by terms and conditions separate from these Terms. If there is a conflict between the terms for a promotion and these Terms, the promotion terms will govern. 
    3. Terms of payment are within our sole discretion and payment must be received by us before our acceptance of an order.  You represent and warrant that (i) the credit card information you supply to us is true, correct and complete, (ii) you are duly authorized to use such credit card for the purchase, (iii) charges incurred by you will be honored by your credit card company, and (iv) you will pay charges incurred by you at the posted prices, including shipping and handling charges and all applicable taxes, if any, regardless of the amount quoted on the Site at the time of your order. 
  3. Returns and Refunds. Refunds will only be issued in the event that an Expert does not show for a scheduled encounter. To request a refund, an email must be sent to support@healthonyourtime.com before the end time of the scheduled encounter. HOYT will then investigate the request.

Refunds are processed within approximately five business days of our receipt of your notice of refund. Your refund will be credited back to the same payment method used to make the original purchase on the Site.

  1. Warranty and Disclaimers. We do not control any of the services offered on our Site. The availability of services through our Site does not indicate an affiliation with or endorsement of any service. Accordingly, we do not provide any warranties with respect to the services offered on our Site. 

ALL SERVICES OFFERED ON THIS SITE ARE PROVIDED “AS IS” WITHOUT ANY WARRANTY WHATSOEVER, INCLUDING, WITHOUT LIMITATION, ANY (A) WARRANTY OF MERCHANTABILITY; (B) WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE; OR (C) WARRANTY AGAINST INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OF A THIRD PARTY; WHETHER EXPRESS OR IMPLIED BY LAW, COURSE OF DEALING, COURSE OF PERFORMANCE, USAGE OF TRADE, OR OTHERWISE. 

SOME JURISDICTIONS LIMIT OR DO NOT ALLOW THE DISCLAIMER OF IMPLIED OR OTHER WARRANTIES SO THE ABOVE DISCLAIMER MAY NOT APPLY TO YOU. 

YOU AFFIRM THAT WE SHALL NOT BE LIABLE, UNDER ANY CIRCUMSTANCES, FOR ANY BREACH OF WARRANTY CLAIMS OR FOR ANY DAMAGES ARISING OUT OF THE MANUFACTURER’S FAILURE TO HONOR ITS WARRANTY OBLIGATIONS TO YOU.

  1. Limitation of Liability. IN NO EVENT SHALL WE BE LIABLE TO YOU OR ANY THIRD PARTY FOR CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR ENHANCED DAMAGES, LOST PROFITS OR REVENUES OR DIMINUTION IN VALUE, ARISING OUT OF, OR RELATING TO, AND/OR IN CONNECTION WITH ANY BREACH OF THESE TERMS, REGARDLESS OF (A) WHETHER SUCH DAMAGES WERE FORESEEABLE, (B) WHETHER OR NOT WE WERE ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND (C) THE LEGAL OR EQUITABLE THEORY (CONTRACT, TORT, OR OTHERWISE) UPON WHICH THE CLAIM IS BASED.

OUR SOLE AND ENTIRE MAXIMUM LIABILITY AND YOUR SOLE AND EXCLUSIVE REMEDY SHALL BE LIMITED TO THE ACTUAL AMOUNT PAID BY YOU FOR THE PRODUCTS AND SERVICES YOU HAVE ORDERED THROUGH OUR SITE. 

The limitation of liability set forth above shall: (i) only apply to the extent permitted by law and (ii) not apply to (A) liability resulting from our gross negligence or willful misconduct and (B) death or bodily injury resulting from our acts or omissions.

    1. Privacy.  We respect your privacy and are committed to protecting it.  Our Privacy Policy, https://www.healthonyourtime.com/privacy-policy/ governs the processing of all personal data collected from you in connection with your purchase of products or services through the Site.
    2. Force Majeure.  We will not be liable or responsible to you, nor be deemed to have defaulted or breached these Terms, for any failure or delay in our performance under these Terms when and to the extent such failure or delay is caused by or results from acts or circumstances beyond our reasonable control, including, without limitation, acts of God, flood, fire, earthquake, explosion, governmental actions, war, invasion or hostilities (whether war is declared or not), terrorist threats or acts, riot or other civil unrest, national emergency, revolution, insurrection, epidemic, lockouts, strikes or other labor disputes (whether or not relating to our workforce), or restraints or delays affecting carriers or inability or delay in obtaining supplies of adequate or suitable materials, materials or telecommunication breakdown or power outage.
    3. Governing Law and Jurisdiction. This Site is operated from the US. All matters arising out of or relating to these Terms are governed by and construed in accordance with the internal laws of the State of Delaware without giving effect to any choice or conflict of law provision or rule (whether of the State of Delaware or any other jurisdiction) that would cause the application of the laws of any jurisdiction other than those of the State of Delaware.
    4. Dispute Resolution and Binding Arbitration.
  • YOU AND HEALTH ON YOUR TIME, LLC ARE AGREEING TO GIVE UP ANY RIGHTS TO LITIGATE CLAIMS IN A COURT OR BEFORE A JURY, OR TO PARTICIPATE IN A CLASS ACTION OR REPRESENTATIVE ACTION WITH RESPECT TO A CLAIM.  OTHER RIGHTS THAT YOU WOULD HAVE IF YOU WENT TO COURT MAY ALSO BE UNAVAILABLE OR MAY BE LIMITED IN ARBITRATION.

ANY CLAIM, DISPUTE, OR CONTROVERSY (WHETHER IN CONTRACT, TORT OR OTHERWISE, WHETHER PRE-EXISTING, PRESENT OR FUTURE, AND INCLUDING STATUTORY, CONSUMER PROTECTION, COMMON LAW, INTENTIONAL TORT, INJUNCTIVE AND EQUITABLE CLAIMS) BETWEEN YOU AND US ARISING FROM OR RELATING IN ANY WAY TO YOUR PURCHASE OF PRODUCTS OR SERVICES THROUGH THE SITE, WILL BE RESOLVED EXCLUSIVELY AND FINALLY BY BINDING ARBITRATION.

    1. The arbitration will be administered by the American Arbitration Association (“AAA”) in accordance with the Consumer Arbitration Rules (the “AAA Rules”) then in effect, except as modified by this Section 10. (The AAA Rules are available at www.adr.org/arb_med or by calling the AAA at 1-800-778-7879.) The Federal Arbitration Act will govern the interpretation and enforcement of this section.

The arbitrator will have exclusive authority to resolve any dispute relating to arbitrability and/or enforceability of this arbitration provision, including any unconscionability challenge or any other challenge that the arbitration provision or the agreement is void, voidable, or otherwise invalid. The arbitrator will be empowered to grant whatever relief would be available in court under law or in equity. Any award of the arbitrator(s) will be final and binding on each of the parties, and may be entered as a judgment in any court of competent jurisdiction.

If you prevail on any claim that affords the prevailing party attorneys’ fees, the arbitrator may award reasonable fees to you under the standards for fee shifting provided by law. 

    1. You may elect to pursue your claim in small-claims court rather than arbitration if you provide us with written notice of your intention to do so within 60 days of your purchase. The arbitration or small-claims court proceeding will be limited solely to your individual dispute or controversy.

You agree to an arbitration on an individual basis. In any dispute, NEITHER YOU NOR HEALTH ON YOUR TIME, LLC WILL BE ENTITLED TO JOIN OR CONSOLIDATE CLAIMS BY OR AGAINST OTHER CUSTOMERS IN COURT OR IN ARBITRATION OR OTHERWISE PARTICIPATE IN ANY CLAIM AS A CLASS REPRESENTATIVE, CLASS MEMBER OR IN A PRIVATE ATTORNEY GENERAL CAPACITY. The arbitral tribunal may not consolidate more than one person’s claims, and may not otherwise preside over any form of a representative or class proceeding. The arbitral tribunal has no power to consider the enforceability of this class arbitration waiver and any challenge to the class arbitration waiver may only be raised in a court of competent jurisdiction.

Health on Your Time Website Privacy Policy

Last modified: 1/20/2021

Introduction

Health on Your Time, LLC (“Company” or “We”) respects your privacy and we are committed to protecting it through our compliance with this policy.

This policy describes the types of information we may collect from you or that you may provide when you visit the website www.healthonyourtime.com (our “Website”) and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This policy applies to information we collect:

  • On this Website.
  • In email, text, and other electronic messages between you and this Website.
  • Through mobile and desktop applications you download from this Website, which provide dedicated non-browser-based interaction between you and this Website.
  • When you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this policy.

It does not apply to information collected by:

  • Us offline or through any other means, including on any other website operated by Company or any third party; or 
  • Any third party, including through any application or content (including advertising) that may link to or be accessible from or on the Website.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates. 

Children Under the Age of 16

Our Website is not intended for children under 16 years of age. No one under age 16 may provide any information to or on the Website. We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information on this Website or through any of its features, register on the Website, make any purchases through the Website, use any of the interactive or public comment features of this Website, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use.  If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at support@healthonyourtime.com.

California residents under 16 years of age may have additional rights regarding the collection and sale of their personal information. Please see Your California Privacy Rights for more information.

Information We Collect About You and How We Collect It

We collect several types of information from and about users of our Website, including information:

  • By which you may be personally identified, such as name, postal address, e-mail address, telephone number, social security number (“personal information”);
  • About your internet connection, the equipment you use to access our Website, and usage details.

We collect this information:

  • Directly from you when you provide it to us.
  • Automatically as you navigate through the site. Information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, and other tracking technologies.
  • From third parties, for example, our business partners.

Information You Provide to Us  

The information we collect on or through our Website may include:

  • Information that you provide by filling in forms on our Website. This includes information provided at the time of registering to use our Website, subscribing to our service, posting material, or requesting further services. We may also ask you for information when you report a problem with our Website.
  • Records and copies of your correspondence (including email addresses), if you contact us.
  • Your responses to surveys that we might ask you to complete for research purposes.
  • Details of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website.
  • Your search queries on the Website.

You also may provide information to be published or displayed (hereinafter, “posted”) on public areas of the Website, or transmitted to other users of the Website or third parties (collectively, “User Contributions”). Your User Contributions are posted on and transmitted to others at your own risk. Although you may set certain privacy settings for such information by logging into your account profile, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Website with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.

Information We Collect Through Automatic Data Collection Technologies  

As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

  • Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website.
  • Information about your computer and internet connection, including your IP address, operating system, and browser type.

We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). For information on how we respond to web browser signals and other mechanisms that enable consumers to exercise choice about behavioral tracking please reference Privacy Notice for California Residents.

The information we collect automatically may include personal information, but we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:

  • Estimate our audience size and usage patterns.
  • Store information about your preferences, allowing us to customize our Website according to your individual interests.
  • Speed up your searches.
  • Recognize you when you return to our Website.

The technologies we use for this automatic data collection may include:

  • Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website. 
  • Flash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Website. Flash cookies are not managed by the same browser settings as are used for browser cookies. For information about managing your privacy and security settings for Flash cookies, see Choices About How We Use and Disclose Your Information.
  • Web Beacons. Pages of our Website and our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

Third-Party Use of Cookies and Other Tracking Technologies

Some content or applications, including advertisements, on the Website are served by third parties, including advertisers, ad networks and servers, content providers, and application providers.  These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We do not control these third parties’ tracking technologies or how they may be used.  If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.  For information about how you can opt out of receiving targeted advertising from many providers, see Choices About How We Use and Disclose Your Information.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information:

  • To present our Website and its contents to you.
  • To provide you with information, products, or services that you request from us.
  • To fulfill any other purpose for which you provide it.
  • To provide you with notices about your account, including expiration and renewal notices.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
  • To notify you about changes to our Website or any products or services we offer or provide through it.
  • To allow you to participate in interactive features on our Website.
  • In any other way we may describe when you provide the information.
  • For any other purpose with your consent.

We may also use your information to contact you about our own and third-parties’ goods and services that may be of interest to you. If you do not want us to use your information in this way, please [check the relevant box located on the form on which we collect your data (the [order form/registration form])/adjust your user preferences in your account profile.] For more information, see Choices About How We Use and Disclose Your Information.

We may use the information we have collected from you to enable us to display advertisements to our advertisers’ target audiences. Even though we do not disclose your personal information for these purposes without your consent, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.

Disclosure of Your Information

We may disclose aggregated information about our users, and information that does not identify any individual, without restriction. 

We may disclose personal information that we collect or you provide as described in this privacy policy:

  • To our subsidiaries and affiliates.
  • To contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Health on Your Time, LLC’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Health on Your Time, LLC about our Website users is among the assets transferred.
  • To third parties to market their products or services to you if you have not opted out of these disclosures.  We contractually require these third parties to keep personal information confidential and use it only for the purposes for which we disclose it to them. For more information, see Choices About How We Use and Disclose Your Information.
  • To fulfill the purpose for which you provide it.
  • For any other purpose disclosed by us when you provide the information.
  • With your consent.

 

We may also disclose your personal information:

  • To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
  • To enforce or apply our terms of use (https://www.healthonyourtime.com/privacy-policy/) or terms of sale (https://www.healthonyourtime.com/privacy-policy/) and other agreements, including for billing and collection purposes.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Health on Your Time, LLC, our customers, or others.  This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

Choices About How We Use and Disclose Your Information

We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information: 

  • Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.
  • Disclosure of Your Information for Third-Party Advertising. If you do not want us to share your personal information with unaffiliated or non-agent third parties for promotional purposes, you can opt-out by [checking the relevant box located on the form on which we collect your data (the [order form/registration form])/[OTHER OPT-OUT METHOD]]. You can also always opt-out by logging into the Website and adjusting your user preferences in your account profile, checking or unchecking the relevant boxes or by sending us an email with your request to [EMAIL ADDRESS].
  • Promotional Offers from the Company.  If you do not wish to have your contact information used by the Company to promote our own or third parties’ products or services, you can opt-out by [[checking the relevant box located on the form on which we collect your data (the [order form/registration form])/[OTHER OPT-OUT METHOD]] or at any other time by] [logging into the Website and adjusting your user preferences in your account profile by checking or unchecking the relevant boxes or by] sending us an email stating your request to [EMAIL ADDRESS]. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions. This opt out does not apply to information provided to the Company as a result of a product purchase, warranty registration, product service experience or other transactions.

 

We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative (“NAI”) on the NAI’s website.

California residents may have additional personal information rights and choices. Please see Your California Privacy Rights for more information.

Accessing and Correcting Your Information

You can review and change your personal information by logging into the Website and visiting your account profile page. 

If you delete your User Contributions from the Website, copies of your User Contributions may remain viewable in cached and archived pages, or might have been copied or stored by other Website users.  Proper access and use of information provided on the Website, including User Contributions, is governed by our terms of use (https://www.healthonyourtime.com/privacy-policy/).

California residents may have additional personal information rights and choices. Please see Your California Privacy Rights for more information.

Your California Privacy Rights

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit https://www.healthonyourtime.com/privacy-policy/

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to support@healthonyourtime.com.

Data Security

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.  All information you provide to us is stored on our secure servers behind firewalls.  Any payment transactions will be encrypted. 

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.  We urge you to be careful about giving out information in public areas of the Website like message boards. The information you share in public areas may be viewed by any user of the Website.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website. 

 

Changes to Our Privacy Policy

It is our policy to post any changes we make to our privacy policy on this page. If we make material changes to how we treat our users’ personal information, we will notify you by email to the email address specified in your account or through a notice on the Website home page.  The date the privacy policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this privacy policy to check for any changes.

Contact Information

To ask questions or comment about this privacy policy and our privacy practices, contact us at: support@healthonyourtime.com

 

To register a complaint or concern, please email us at support@healthonyourtime.com

Health on Your Time Privacy Notice for California Residents

Effective Date: 10/1/2020

Last Reviewed on

This Privacy Notice for California Residents supplements the information contained in Health on Your Time’s Privacy Policy (https://www.healthonyourtime.com/privacy-policy/) and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and any terms defined in the CCPA have the same meaning when used in this Notice.

Information We Collect

Our Website collects information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information”). Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

In particular, our Website has collected the following categories of personal information from its consumers within the last twelve (12) months: 

 

| Category | Examples | Collected |
| --- | --- | --- |
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | NO |
| G. Geolocation data. | Physical location or movements. | NO |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | NO |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
| K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO |

Our Website obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our Website.

 

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following purposes: 

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns. 
  • To provide, support, personalize, and develop our Website, products, and services.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).
  • To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Website users is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract. The CCPA prohibits third parties who purchase the personal information we hold from reselling it unless you have received explicit notice and an opportunity to opt-out of further sales.

We share your personal information with the following categories of third parties: 

  • Service providers.
  • Data aggregators.
  • Third-party advertising companies.

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose: 

Category A: Identifiers.

Category B: California Customer Records personal information categories.

Category C: Protected classification characteristics under California / federal law.

Category D: Commercial information.

 

We disclose your personal information for a business purpose to the following categories of third parties: 

  • Service providers.
  • Third-party advertising companies.

Sales of Personal Information 

In the preceding twelve (12) months, Company has not sold any users’ personal information.

Your Rights and Choices 

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and 
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained. 

Deletion Request Rights 

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. 

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to: 

  1. Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either: 

  • Emailing us at support@healthonyourtime.com
  • Visiting https://www.healthonyourtime.com

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. 

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include:
    • first and last name
    • billing address
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. 

Making a verifiable consumer request does not require you to create an account with us. 

We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. 

For instructions on exercising sale opt-out rights, see Personal Information Sales Opt-Out and Opt-In Rights.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. 

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. 

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Other California Privacy Rights

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to support@healthonyourtime.com.

Changes to Our Privacy Notice

We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this notice, the ways in which Health on Your Time, LLC collects and uses your information described here and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Website: https://www.healthonyourtime.com

Email: support@healthonyourtime.com

Health on Your Time Information Security Policy

  1. Introduction: Policy Foundation and Regulatory Compliance. This Information Security Policy (Policy) promotes an effective balance between information security practices and business needs. The Policy helps Health on Your Time, LLC (“HOYT”) meet our legal obligations and our customers’ and clients’ expectations. From time to time, HOYT may implement different levels of security controls for different information assets, based on risk and other considerations. 

You are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from your manager or other designated HOYT resource before taking any actions that create information security risks or otherwise deviating from this Policy’s requirements. HOYT may treat any failure to seek and follow such guidance as a violation of this Policy. 

This Policy is Confidential Information.  Do not share this Policy outside HOYT unless authorized by the Information Security Coordinator. You may share this Policy with an approved contractor that has access to HOYT’s information or systems under a non-disclosure agreement or other agreement that addresses confidentiality (see Section 7, Service Providers: Risks and Governance).

Our customers, clients, employees, and others rely on us to protect their information. An information security breach or cyber incident could severely damage our credibility. Security events can also cause loss of business and other harm to HOYT.  Strong information security requires diligence by all workforce members, including employees, contractors, volunteers, and any others accessing or using our information assets.  It is part of everyone’s job.

  1.1 Guiding Principles. HOYT follows these guiding principles when developing and implementing information security controls:
    1. HOYT strives to protect the confidentiality, integrity, and availability of its information assets and those of its customers and clients.
    2. We will comply with applicable privacy and data protection laws.
    3. We will balance the need for business efficiency with the need to protect sensitive, proprietary, or other confidential information from undue risk.
    4. We will grant access to sensitive, proprietary, or other confidential information only to those with a need to know and at the least level of privilege necessary to perform their assigned functions.
    5. Recognizing that an astute workforce is the best line of defense, we will provide security training opportunities and expert resources to help individuals understand and meet their information security obligations.
  1.2 Scope. This Policy applies across the entire HOYT enterprise.

This Policy states HOYT’s information security policy.  In many cases, you are personally responsible for taking or avoiding specific actions as the Policy states.  In some situations, the Information Security Coordinator, IT, or another HOYT resource takes or avoids the stated actions.

From time to time, HOYT may approve and make available more detailed or location or business unit-specific policies, procedures, standards, and processes to address specific information security issues.  Those additional policies, procedures, standards, and processes are extensions to this Policy.  You must comply with them, where applicable, unless you obtain an approved exception.

  1.3 Resources. No single document can cover all the possible information security issues you may face. Balancing our need to protect HOYT’s information assets with getting work done can also be challenging. Many effective administrative, physical, and technical safeguards are available. Do not make assumptions about the cost or time required to implement them. Ask for help.

You must seek guidance before taking any actions that create information security risks.  Contact your manager or HOYT’s information security officer.

  1. For questions about this Policy or technical information security issues contact: jbillica@healthonyourtime.com; or
  2. For guidance regarding legal obligations contact: Rupp Baase Pfalzgraf Cunningham, LLC, 1600 Liberty Building, Buffalo, NY 14202, 716-854-3400.

  1.4 No Expectation of Privacy and Monitoring. Except where applicable law provides otherwise, you should have no expectation of privacy when using HOYT’s network or systems, including, but not limited to, transmitting and storing files, data, and messages.

To enforce compliance with HOYT’s policies and protect HOYT’s interests, HOYT reserves the right to monitor any use of its network and systems to the extent permitted by applicable law.  By using HOYT’s systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, emails, or other messages or data sent or received and inspecting data stored on individual file directories, hard disks, or other printed or electronic media.

  1.5 Regulatory Compliance. Various information security laws, regulations, and industry standards apply to HOYT and the data we handle. HOYT is committed to complying with applicable laws, regulations, and standards. Our customers and clients expect nothing less from us.

This section lists the obligations that you are the most likely to encounter. Do not assume that these are the only laws that may apply. To identify specific obligations, you must seek guidance from Legal and the Information Security Coordinator when collecting, creating, or using new or different types of information.

  1. Personal Information: Data Protection and Breach Notification Laws. Various laws protect individuals’ personal information, such as government-assigned numbers, financial account information, and other sensitive data.  Many jurisdictions have enacted breach notification laws that require organizations to notify affected individuals if personal information is lost or accessed by unauthorized parties. Some locations have data protection laws that require organizations to protect personal information using reasonable data security measures or more specific means. These laws may apply to personal information for HOYT’s employees, customers, clients, business partners, and others. 
  2. The New York SHIELD Act. The New York SHIELD Act (N.Y. Gen. Bus. § 899-aa; 899-bb) requires all businesses that have a New York resident’s personal information to safeguard that personal information by implementing reasonable administrative, technical, and physical safeguards.
  2. Responsibilities: Security Organization, Authority, and Obligations. HOYT and its leadership recognize the need for a strong information security program.
    2.1 Information Security Coordinator. HOYT has designated Joshua Billica to be its Information Security Coordinator and accountable for all aspects of its information security program.
    2.2 Policy Authority and Maintenance. HOYT has granted the Information Security Coordinator the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as he or she may deem necessary and appropriate.
    2.3 Policy Review. On at least an annual basis, the Information Security Coordinator will initiate a review of this Policy, engaging stakeholders such as individual business units, Human Resources, Legal, and other HOYT organizations, as appropriate.
    2.4 Exceptions. HOYT recognizes that specific business needs and local situations may occasionally call for an exception to this Policy. Exception requests must be made in writing. The Information Security Coordinator must approve in writing, document, and periodically review all exceptions.

Do not assume that the Information Security Coordinator will approve an exception simply because he or she has previously approved a similar exception. Each non-compliant situation requires a review of the specific facts and risks to HOYT’s information assets and those of our customers and clients. 

To request an exception, contact the Information Security Coordinator, Joshua Billica.

  2.5 Workforce Obligation to Comply. Employees and contractors are obligated to comply with all aspects of this Policy that apply to them. This Policy is not intended to restrict communications or actions protected or required by applicable law.

HOYT may treat any attempt to bypass or circumvent security controls as a violation of this Policy.  For example, sharing passwords, deactivating anti-virus software, removing or modifying secure configurations, or creating unauthorized network connections are prohibited unless the Information Security Coordinator has granted an exception as described in Section 2.4, Exceptions. 

HOYT takes steps to help employees and contractors understand this Policy. You are responsible for your own actions and compliance with this Policy. You should question, and report to your manager or the Information Security Coordinator, any situation that appears to violate this Policy or creates any undue information security risk.

  2.6 Sanctions. Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination, in accordance with applicable law. If HOYT suspects illegal activities, it may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.
  2.7 Acknowledgment. All employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process. Acknowledgment must be completed on a timely basis following a new hire or as otherwise designated by the Information Security Coordinator. Material changes to this Policy may require additional acknowledgment. HOYT will retain acknowledgment records.
  2.8 Training. HOYT recognizes that an astute workforce is the best line of defense. We will provide security training opportunities and expert resources to help employees and contractors understand their obligations under this Policy and avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire. All workforce members must complete information security training on at least an annual basis. Managers must ensure that their employees complete all required training.

HOYT may deem failure to participate in required training a violation of this Policy.  HOYT will retain attendance records and copies of security training materials delivered.

  3. Data: Information Classification and Risk-Based Controls. HOYT has established a three-tier classification scheme to protect information according to risk levels. The information classification scheme allows HOYT to select appropriate security controls and balance protection needs with costs and business efficiencies.

All HOYT information is classified as (from least to most sensitive): (1) Public Information, (2) Confidential Information, or (3) Highly Confidential Information.

Unless it is marked otherwise or clearly intended to be Public Information, treat all HOYT, customer, and client information as if it is at least Confidential Information, regardless of its source or form, including electronic, paper, verbal, or other information.

You must apply security controls appropriate for the assigned information classification level to all information you store, transmit, or otherwise handle. Use classification level markings, where feasible. 

  3.1 Public Information. Public Information is information that HOYT has made available to the general public. Information received from another party (including a customer and client) that is covered under a current, signed non-disclosure agreement must not be classified or treated as Public Information.
    1. Public Information Examples. Some Public Information examples include, but are not limited to: 
      1. press releases;
      2. HOYT marketing materials;
      3. job announcements; and
      4. any information that HOYT makes available on its publicly-accessible website. 

Do not assume that any information you obtain from HOYT’s internal network or systems is publicly available.  For example, draft marketing materials are typically Confidential Information until their release.  Consider all information to be at least Confidential Information, and not available for public disclosure without authorization, until you verify it is Public Information.

  3.2 Confidential Information. Confidential Information is information that may cause harm to HOYT, its customers and clients, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual’s privacy, HOYT’s marketplace position or that of its customers and clients, or legal or regulatory liabilities.

Mark Confidential Information to denote its status when technically feasible. Applications or databases that contain Confidential Information may be marked with an initial banner shown upon system access. 

You must have authorization to disclose Confidential Information to an external party. Seek guidance from your manager or Legal prior to disclosing Confidential Information and verify that an appropriate non-disclosure or other agreement is in effect.

  1. Confidential Information Examples. Some Confidential Information examples include, but are not limited to:
    1. HOYT financial data, customer and client lists, revenue forecasts, program or project plans, and intellectual property;
    2. customer-provided and client-provided data, information, and intellectual property;
    3. customer and client contracts and contracts with other external parties, including vendors;
    4. communications or records regarding internal HOYT matters and assets, including operational details and audits;
    5.  HOYT policies, procedures, standards, and processes (for example, this Policy is Confidential Information and should not be shared without authorization from the Information Security Coordinator);
    6. any information designated as “confidential” or some other protected information classification by an external party and subject to a current non-disclosure or other agreement;
    7. information regarding employees (see also, Section 3.3, Highly Confidential Information, regarding personal information);
    8. any summaries, reports, or other documents that contain Confidential Information; and
    9. drafts, summaries, or other working versions of any of the above.
  2. Safeguards. You must protect Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks, including (but not necessarily limited to):
    1. Authentication.  Electronically stored Confidential Information must only be accessible to an individual after logging in to HOYT’s network.
    2. Discussions.  Only discuss Confidential Information in non-public places, or if a discussion in a public place is absolutely necessary, take reasonable steps to avoid being overheard.
    3. Copying/Printing/Faxing/Scanning. Only scan, make copies, and distribute Confidential Information to the extent necessary or allowed under any applicable non-disclosure agreement or other applicable agreement. Take reasonable steps to ensure that others who do not have a business need to know do not view the information. 

When faxing Confidential Information, use a cover sheet that informs the recipient that the information is HOYT’s Confidential Information.  Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Confidential Information.

    4. Encryption.  You should encrypt Confidential Information when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices. Consider encrypting Confidential Information when transmitting or transporting it externally, based on specific risks. Seek assistance from your manager or email Joshua Billica at jbillica@healthonyourtime.com, if needed.
    5. Mailing.  Use a service that requires a signature for receipt of the information when sending Confidential Information outside HOYT. When sending Confidential Information inside HOYT, use a sealed security envelope marked “Confidential Information.”
    6. Meeting Rooms.  You should only share Confidential Information in physically secured meeting rooms. Erase or remove any Confidential Information that you write on a whiteboard or other presentation tool upon the meeting’s conclusion.
    7. Need to know.  Only access, share, or include Confidential Information in documents, presentations, or other resources when there is a business need to know.
    8. Physical Security.  Only house systems that contain Confidential Information or store Confidential Information in paper or other forms in physically secured areas.
  1. Highly Confidential Information.  Highly Confidential Information is information that may cause serious and potentially irreparable harm to HOYT, its customers and clients, employees, or other entities or individuals if disclosed or used in an unauthorized manner.  Highly Confidential Information is a subset of Confidential Information that requires additional protection. 

Mark Highly Confidential Information to denote its status when technically feasible. Applications or databases that contain Highly Confidential Information may be marked with an initial banner shown upon system access. 

You may not remove Highly Confidential Information from HOYT’s environment without authorization.

You must have authorization to disclose Highly Confidential Information to an external party.  Seek guidance from Legal and the Information Security Coordinator prior to disclosing Highly Confidential Information externally to ensure HOYT meets its legal obligations. 

  1. Highly Confidential Information Examples. Some Highly Confidential Information examples include, but are not limited to:
    1. personal information for employees, customers and clients, business partners, or others; and
    2. sensitive HOYT business information, such as budgets, financial results, or strategic plans.
  2. Safeguards. You must protect Highly Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks and as prescribed by applicable laws, regulations, and standards, including (but not necessarily limited to):
    1. Authentication.  Electronically stored Highly Confidential Information must only be accessible to an individual after logging in to HOYT’s network and with specific authorization.
    2. Discussions.  Only discuss Highly Confidential Information in non-public places.
    3. Copying/Printing/Faxing/Scanning.  Do not scan, copy, or distribute Highly Confidential Information unless absolutely necessary.  Take reasonable steps to ensure that others who do not have a specific business need to know do not view the information. 

When faxing Highly Confidential Information, use a cover sheet that informs the recipient that the information is HOYT’s Highly Confidential Information. Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Highly Confidential Information.

    4. Encryption.  You must encrypt Highly Confidential Information when transmitting it, whether externally or internally, or when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices such as USB drives. You should also encrypt Highly Confidential Information when storing it on a server, database, or other stationary device.
    5. Mailing.  Do not mail Highly Confidential Information unless absolutely necessary. Use a service that requires a signature for receipt of the information when sending Highly Confidential Information outside HOYT.  When sending Highly Confidential Information inside HOYT, use a sealed security envelope marked “Highly Confidential Information.”  If you use electronic media to mail Highly Confidential Information, you must encrypt and password protect it.
    6. Meeting Rooms.  You must only share Highly Confidential Information in physically secured meeting rooms.  Erase any Highly Confidential Information that you write on a whiteboard or other presentation tool upon the meeting’s conclusion.
    7. Need to know.  Only access, share, or include Highly Confidential Information in documents, presentations, or other resources when there is a specific business need to know.
    8. Network Segmentation. You may only make Highly Confidential Information available to areas of HOYT’s network where there is a specific business need. Highly Confidential Information must be segmented from the rest of HOYT’s network using controls such as firewalls, access control lists, or other security mechanisms.
    9. Physical Security.  Only house systems that contain Highly Confidential Information or store Highly Confidential Information in paper or other forms in physically secured areas, accessible only to those with a specific business need to know.
  1. People: Roles, Access Control, and Acceptable Use.  People are the best defense in information security. They are also the weakest link.  HOYT grants access to its systems and data based on business roles.  HOYT places limits on how you may use and interact with its information assets. These restrictions help lower risks and protect you and HOYT. 
    1. Roles.  Business roles and role-based access are based on the individual’s relationship with HOYT and assigned activities.
      1. Employees.  Human Resources provides employee screening. HOYT may require employees who handle Highly Confidential Information to undergo additional background screening and testing where permitted by applicable laws. 

Supervising managers may request access for their employees only to those HOYT systems and data required to meet business needs. 

  1. External Parties.  HOYT grants systems access to approved external parties, such as contractors, vendors, service providers, business partners, or others with a demonstrated business need that cannot be reasonably met through other means (see Section 7, Service Providers: Risks and Governance).  HOYT may support different access levels for different business situations. 
  1. Identity and Access Management.  HOYT uses identity and access management controls to provide user accounts with appropriate privileges to employees and others. 
    1. Unique User Accounts.  HOYT assigns unique user accounts and passwords to individuals, using their primary ID.  You must not share your account or password with others. If system or other administrative accounts cannot be uniquely assigned to specific individuals, use mediated access, audit logs, or other technical controls to provide individual accountability. 
    2. Add, Change, Terminate Access.  HOYT restricts access to specific resources to those with a business need to know.  Responsible managers should direct requests to add or change access levels to IT.  System and application administrators must periodically review user accounts and access levels to confirm that a legitimate business need for the access still exists. 

When an employee leaves the business, Human Resources must immediately notify IT.  IT will timely deactivate the individual’s account(s).  For external parties, the sponsoring employee must notify IT when there is no longer a business need for access to support timely account termination.  Managers should seek guidance from Human Resources and the Information Security Coordinator regarding access for employees on extended leaves.

    3. Authorization Levels and Least Privilege. Proper authorization levels ensure that HOYT only grants individuals the privileges they need to perform their assigned activities and no more.  Known as least privilege access, this method minimizes risks. Least privilege applies to user and administrative access.  Do not grant administrative privileges unless there is a specific business need, and limit them to the extent feasible.
    4. Role-Based Access Controls.  Use role-based access control methods whenever feasible to assign authorization levels according to business functions, rather than uniquely for each individual. This method supports the least privilege approach by standardizing access. It also simplifies periodic access reviews.
  1. Acceptable Use Policy.  HOYT provides employees and others with network resources and systems to support its business requirements and functions.  This section limits how you may use HOYT’s information assets and explains the steps you must take to protect them.

If you have any questions regarding acceptable use of HOYT’s resources, please discuss them with your manager or contact the Information Security Coordinator for additional guidance.

  1. General Use of Information Technology Resources.  HOYT provides network resources and systems for business purposes. Any incidental non-business use of HOYT’s resources must be for personal purposes only.  Do not use HOYT’s resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with HOYT. 

Do not use HOYT’s resources in a manner that negatively impacts your job performance or impairs others’ abilities to do their jobs.  HOYT’s network and systems are subject to monitoring (see Section 1.4, No Expectation of Privacy and Monitoring).

Do not use HOYT’s network or systems for activities that may be deemed illegal under applicable law.  If HOYT suspects illegal activities, it may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved. 

  1. Prohibited Activities.  HOYT prohibits using its resources to engage in activities such as (but not necessarily limited to) the following:
    1. hacking, spoofing, or launching denial of service attacks; 
    2. gaining or attempting to gain unauthorized access to others’ networks or systems; 
    3. sending fraudulent email messages; 
    4. distributing or attempting to distribute malicious software (malware); 
    5. spying or attempting to install spyware or other unauthorized monitoring or surveillance tools; 
    6. committing criminal acts such as terrorism, fraud, or identity theft; 
    7. downloading, storing, or distributing child pornography or other obscene materials;
    8. downloading, storing, or distributing materials in violation of another’s copyright;
    9. creating undue security risks or negatively impacting the performance of HOYT’s network and systems;
    10. causing embarrassment, loss of reputation, or other harm to HOYT;
    11. uploading, downloading, or disseminating defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate or offensive messages or media;
    12. distributing joke, chain letter, commercial solicitations, or hoax emails or other messages (spamming);
    13. disrupting the workplace environment, creating a hostile workplace, or invading the privacy of others;
    14. using encryption or other technologies in an attempt to hide illegal, unethical, or otherwise inappropriate activities; and
    15. installing or distributing unlicensed or pirated software.
  1. Desktop, Laptop, and End-User Controls. You may only access HOYT’s network using approved end-user devices that support our current minimum information security standards.  Standards for end-user devices may include protective controls and specific configurations, such as anti-virus software, patching levels, and required operating system or other software versions.  HOYT-owned machines may be configured to automatically receive upgrades.  You may be denied remote access using non-HOYT owned devices that do not meet current standards. 

Use your own HOYT-provided account(s) to access HOYT’s network and systems, unless you have been specifically authorized to use a device-specific, administrative, or other account (see Section 4.2, Identity and Access Management).

Screen saver passwords, also known as “workstation timeouts” or “lock screens,” secure Confidential Information by protecting active computer sessions when you step away. Locking screen savers must activate after a maximum inactivity time of 15 minutes.  If you handle Highly Confidential Information, lock your screen any time you leave it unattended. 

  1. Information Handling and Storage.  You must properly handle, store, and securely dispose of HOYT’s information in accordance with HOYT’s policies and procedures.  You are responsible for any Confidential or Highly Confidential Information that you access or store.  Do not allow others to view, access, or otherwise use any Confidential or Highly Confidential Information you control unless they have a specific business need to know.

Store files or other data critical to HOYT’s operations on regularly maintained (backed up) servers or other storage resources.  Do not store business critical data only on end user devices such as desktops, laptops, smartphones, or other mobile devices.

Physically secure any media containing HOYT’s information, including hard drives, CDs, disks, paper, voice recordings, removable drives (such as thumb drives, flash drives, USB drives), or other media.  You must store media containing Confidential or Highly Confidential Information in a locked area when not in use.

Shred or otherwise destroy paper that contains Confidential or Highly Confidential Information prior to disposal.  Return all electronic, magnetic, or optical media to IT for secure disposal when it is no longer required to meet business needs.

  1. Internet Use: Email, Messaging, Social Media, and Cloud Computing.  The internet offers a variety of services that HOYT employees and contractors depend on to work effectively. However, some technologies create undue risks to HOYT’s assets. Some uses are not appropriate in the workplace. 

HOYT may block or limit access to particular services, websites, or other internet-based functions according to risks and business value.  Recognize that inappropriate or offensive websites may still be reachable and do not access them using HOYT resources.  

  1. General Internet Use. Limit your web browsing and access to streaming media (such as videos, audio streams or recordings, and webcasts) to business purposes or as otherwise permitted by this Policy. Internet use must comply with this Policy. 

Do not use internet-based remote access services to access HOYT’s network or systems, including desktop computers. If you need remote access, use HOYT-provided or authorized software (see Section 4.3(f), Remote Access).

  1. Email and Social Media. Do not disclose Confidential or Highly Confidential Information to unauthorized parties on blogs or social media or transmit it in unsecured emails or instant messages (see Section 3, Data: Information Classification and Risk-Based Controls).  Do not make postings or send messages that speak for HOYT or imply that you speak for HOYT unless you have been authorized to do so.

Use good professional judgment when drafting and sending any communications. Remember that messages may be forwarded or distributed outside your control, and your professional reputation is at stake.  Email signatures should be professional, appropriate for your business role, and not unreasonably long or complex. 

Never open an email attachment that you did not expect to receive, click on links, or otherwise interact with unexpected email content.  Attackers frequently use these methods to transport viruses and other malware.  Be cautious, even if messages appear to come from someone you know, since attackers can easily falsify (spoof) email senders.  HOYT may block some attachments or emails, based on risk. 

Do not respond to an email or other message that requests Confidential or Highly Confidential Information unless you have separately verified and are certain of its origin and purpose.  Even then, always protect Confidential or Highly Confidential Information as described in Section 3, Data: Information Classification and Risk-Based Controls. 

If you have any doubts regarding the authenticity or risks associated with an email or other message you receive, contact IT immediately and before interacting with the message. Do not reply to suspicious messages, including clicking links or making unsubscribe requests. Taking those actions may simply validate your address and lead to more unwanted or risky messages.

  1. Cloud Computing.  HOYT may use internet-based, outsourced services for some computing and data storage activities based on business needs.  Cloud computing services store data and provide services in internet-accessible data centers that may be located almost anywhere.  Cloud services vary significantly in their service levels and security measures. 

While cloud services may offer an attractive cost model, they also present significant risks. Using them may also affect HOYT’s ability to comply with some laws. Before using any cloud computing services to collect, create, store, or otherwise manage HOYT’s Confidential or Highly Confidential Information, you must obtain approval from Legal and the Information Security Coordinator (see Section 7, Service Providers: Risk and Governance). 

This Policy applies to any document sharing or other internet-based services, if HOYT Confidential or Highly Confidential Information is stored.

  1. Mobile Devices and Bring Your Own Device to Work. Mobile devices, including laptops, smartphones, and tablet computers, can provide substantial productivity benefits.  Mobile storage devices may simplify information exchange and support business needs.  However, all these mobile devices also present significant risks to HOYT’s information assets, so you must take appropriate steps to protect them.  

 HOYT may permit employees and others to use their own equipment to connect to its network and systems.  If you choose to do so, you agree that your use of those devices is subject to this Policy and any additional policies, procedures, standards, and processes HOYT implements.  HOYT may require you to install specific security controls on your device (for example, device management software, access controls, encryption, remote wiping in case your device is lost or stolen, or other security controls). 

You must allow IT (or another HOYT resource) to review your device and remove any HOYT data if your relationship with HOYT terminates, you change devices or services, or in other similar situations.  You must also promptly provide HOYT with access to your device when requested for HOYT’s legitimate business purposes, including any security incident or investigation.

Use encryption, other protection strategies (for example, device management software, access controls, remote wiping in case your device is lost or stolen, or other security controls), or both on any mobile device that contains Confidential or Highly Confidential Information.  Mobile devices, including those that provide access to HOYT email, must be protected using a password or other approved authentication method. 

Physically secure any mobile devices you use to access or store HOYT information.  Never leave laptops or other devices unattended unless locked or otherwise secured. Do not leave mobile devices or the bags containing them visible in a parked car or check them as baggage on airlines or other public transportation.

Do not connect a mobile device containing HOYT information to any unsecured network without an up-to-date firewall configured (or other security controls in place). Unsecured networks include home networks, hotel networks, open or for-pay wireless hotspots, convention networks, or any other network that HOYT has not approved or does not control.

  1. Remote Access. If you have a business need to access HOYT’s network and systems from home, while traveling, or at another location, HOYT may grant you remote access. 

Use two-factor authentication to access HOYT’s network remotely.  Configure remote access capabilities to limit access to only those assets and functions the Information Security Coordinator approves.  You may only use HOYT-provided means for remote access (for example, VPN connections, dial-up modems, HOYT portal).  Do not install or set up any other remote connections, including remote desktop software, without the Information Security Coordinator’s authorization.

Remote access connections should time out (be disconnected) after a maximum of one hour of inactivity.  HOYT does not permit split tunneling or other mechanisms that bridge unsecured networks with HOYT’s network.

  1. External Network Connections.  Some business situations may require creating a secure connection from HOYT’s network to an external party’s network (extranet).  Examples include working extensively with customer or client systems, outsourcing, or partnering with another organization for an extended period.  Extranet connections allow the organizations to share information and technical resources in a secure manner by connecting the two networks at their respective perimeters.

The Information Security Coordinator must review and approve all extranets and any other external connections to HOYT’s network before implementation. A signed business agreement between the two organizations must accompany any extranet connection.  Limit connectivity to only those assets required to perform the specified functions.  HOYT monitors extranet connections and may deactivate them if unusual or inappropriate traffic is detected. 

  1. Wireless Network Connections.  Do not connect any wireless access points, routers, or other similar devices to HOYT’s network unless the Information Security Coordinator has reviewed and approved them. 

Secure and maintain approved wireless network (WiFi) connections according to current HOYT technical and physical security standards.  Do not connect wireless access points (WAPs) directly to HOYT’s trusted network without going through a firewall or other protective controls. Deactivate WAPs when they are not in use, including during non-business hours. 

Only transmit, receive, or make available Highly Confidential Information through WiFi connections using appropriate protective controls, including encryption.  If you have questions regarding appropriate WiFi security measures to take when handling Highly Confidential Information, contact the Information Security Coordinator. 

End-user devices that access wireless networks, such as laptops, must have personal firewalls installed and maintained according to current HOYT standards.  Deactivate your computer’s wireless networking interface when it is not in use.

  1. Information Assets: Protecting and Managing HOYT’s Information Technology Environment.  This section describes key safeguards that HOYT uses to protect and manage its information technology (IT) environment.  You must support their use to the extent that they apply to you. 
    1. Protecting Information Assets.  Install and configure HOYT-owned computers according to current technical standards and procedures, including anti-virus software, other standard security controls, and approved operating system version and software patches.  HOYT supports preventive controls to avoid unauthorized activities or access to data, based on risk levels.  HOYT supports detective controls to timely discover unauthorized activities or access to data, including continuous system monitoring and event management. 

Configure user accounts to require strong passwords. To protect against password guessing and other brute force attacks, HOYT will deactivate user accounts after five failed login attempts. Reactivation may be based on a timeout or manual reset according to risk and technical feasibility.

Secure remote access points and require two-factor authentication. Encrypt authentication credentials during transmission across any network, either internal or external.

  1. Passwords and User Credentials.  Select strong passwords and protect all user credentials, including passwords, tokens, badges, smart cards, or other means of identification and authentication.  Implement password rules so that users select and use strong passwords.  Automate password rule enforcement to the extent technically feasible.

 

Several techniques can help you create a strong password. Substituting numbers for words is common. For example, you can use the numerals two or four with capitalization and symbols to create a memorable phrase. Another way to create an easy-to-remember strong password is to think of a sentence and use the first letter of each word as a password.

Treat passwords as Highly Confidential Information. You may be required to change your password periodically according to current HOYT standards.  Change your password immediately and report the incident (see Section 6.1, Incident Reporting) if you have reason to believe that it has been compromised. 

  1. Password Protection. Protect your passwords at all times by:
    1. Not disclosing your passwords to anyone, including anyone who claims to be from IT;
    2. Not sharing your passwords with others (including co-workers, managers, customers, clients, or family);
    3. Not writing down your passwords or otherwise recording them in an unsecure manner;
    4. Not using save password features for applications, unless provided or authorized by HOYT;
    5. Not using the same password for different systems or accounts, except where single sign-on features are automated; and
    6. Not reusing passwords.

IT procedures and technical standards define additional steps to protect passwords for administrative or device-specific accounts. 

  1. Perimeter Controls. Perimeter controls secure HOYT’s network against external attacks.  Use firewalls, configured according to current technical standards and procedures, to separate HOYT’s trusted network from the internet or internet-facing environments. 

 HOYT may implement additional perimeter controls including intrusion detection and prevention services, data loss prevention software, specific router or other network configurations, or various forms of network monitoring according to risks.  Do not create internet connections outside perimeter controls.

  1. Data and Network Segmentation.  HOYT may use technical controls, such as firewalls, access control lists, or other mechanisms, to segment some data or areas of its network according to risks.  Segment Highly Confidential Information from the rest of HOYT’s network, to the extent technically feasible and reasonable (see Section 3.3, Highly Confidential Information).  Do not alter network segmentation plans without approval from the Information Security Coordinator.
  2. Encryption.  HOYT uses encryption to protect Confidential and Highly Confidential Information according to risks. Encryption may be applied to stored data (data-at-rest) and transmitted data (data-in-transit).  Encrypting personal information may lower HOYT’s liability in the event of a data breach. 

Only use generally accepted encryption algorithms and products approved by the Information Security Coordinator. Periodically review encryption products and algorithms for any known risks. 

  1. Encryption Key Management.  Encryption algorithms use keys to transform and secure data. Because they allow decryption of the protected data, proper key management is critical.  Select encryption keys to maximize protection levels, to the extent feasible and reasonable.  Treat them as Highly Confidential Information. 

Ensure that keys are available when needed to support data decryption by using secure storage methods and creating and maintaining secure backups.  Track access to keys.  Keys should never be known or available to only a single individual.  Change encryption keys on a periodic basis according to risks.

  1. Data and Media Disposal. When HOYT retires or otherwise removes computing, network, or office equipment (such as copiers or fax machines) or other information assets that may contain Confidential or Highly Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable.

Simply deleting files or reformatting disks is not sufficient to prevent data recovery.  Either physically destroy media, according to applicable waste disposal regulations, or scrub it using data wiping software that meets generally accepted data destruction standards.

  1. Log Management and Retention.  HOYT logs system and user activities on network, computing, or other information assets according to risks.  Security controls or other network elements may also produce logs. 

Secure log data and files to prevent tampering and retain them according to HOYT’s policies and procedures.  Regularly review logs, using automated means where feasible, to identify any anomalous activities that may indicate a security incident.

  1. Physical (Environmental) Security.  HOYT uses physical safeguards to avoid theft, intrusions, unauthorized use, or other abuses of its information assets. You must comply with HOYT’s current physical security policies and procedures, and: 
    1. position computer screens where information on the screens cannot be seen by unauthorized parties;
    2. not display Confidential and Highly Confidential Information on a computer screen where unauthorized individuals can view it;
    3. log off or shut down your workstation when leaving for an extended period or at the end of your work day;
    4. house servers or other computing or network elements (other than end-user equipment) in secure data centers or other areas approved by the Information Security Coordinator;
    5. not run network cabling through unsecured areas unless it is carrying only Public Information or otherwise protected data, such as encrypted data;
    6. deactivate network ports that are not in use; and
    7. store end-user devices that are not in use for an extended period in a secure area or securely dispose of them (see Section 5.1(e), Data and Media Disposal).
  1. Managing Information Assets. IT manages IT operations and related activities at HOYT. 

Only HOYT-supplied or approved software, hardware, and information systems, whether procured or developed, may be installed in HOYT’s IT environment or connected to HOYT’s network. 

IT must approve and manage all changes to HOYT’s production IT environment to avoid unexpected business impacts.  Direct questions regarding IT operations to jbillica@healthonyourtime.com.  Development environments must comply with this Policy and current IT standards to minimize information security risks. 

  1. Procurement. Only IT, or those authorized by IT, may procure information assets for use in or connection to HOYT’s network.  This Policy applies whether software or other assets are purchased, open source, or made available to HOYT at no cost. Seek guidance from the Information Security Coordinator early in the software development process to identify and manage information security risks before implementation.  Before using cloud computing services to access, store, or manage Confidential or Highly Confidential Information, you must obtain authorization from Legal and the Information Security Coordinator (see Section 4.3(e)(iii), Cloud Computing).
  2. Asset Management.  Track and document all information assets, including hardware, software, and other equipment, using HOYT’s asset management system(s). This inventory tracking should include operating system levels and all installed software and software versions to support vulnerability identification and mitigation (see Section 9.2, Vulnerability Management).  Update the asset inventory as assets are removed from the business. Confidential or Highly Confidential Information must have an assigned data owner who is responsible for tracking its location, uses, and any disclosures.  Properly dispose of all data and media to help avoid a breach of Confidential or Highly Confidential Information (see Section 5.1(e), Data and Media Disposal).
  3. Authorized Environments and Authorities.  Only authorized IT personnel, or other project personnel approved by IT, may install and connect hardware or software in HOYT’s IT environment.  Do not convert end-user computers to servers or other shared resources without assistance from IT.  Limit administrative or privileged systems access to those individuals with a business need to know.  IT must distribute administrative access and information regarding administrative processes to more than one individual to minimize risks. 

Internet connections and internet-facing environments present significant information security risks to HOYT.  The Information Security Coordinator must approve any new or changed internet connections or internet-facing environments.

  1. Change Management.  IT maintains a change management process to minimize business impact or disruptions when changes are made in HOYT’s production IT environment. Change requests must be accompanied by an action plan that includes assigned roles and responsibilities, implementation milestones, testing procedures, and a rollback plan, if the change fails. 

Implement and maintain a change management process to track identified problems, fixes, and releases during software development.  Design these processes to include code archiving (versioning) tools so that earlier versions can be recovered and rebuilt, if necessary.

  1. Incident Reporting and Response. The Information Security Coordinator maintains a security incident reporting and response process that ensures management notifications are made based on the seriousness of the incident.  The Information Security Coordinator investigates all reported or detected incidents and documents the outcome, including any mitigation activities or other remediation steps taken. 

 

  1. Incident Reporting. Immediately notify Joshua Billica at jbillica@healthonyourtime.com if you discover a security incident or suspect a breach in HOYT’s information security controls.  HOYT maintains various forms of monitoring and surveillance to detect security incidents, but you may be the first to become aware of a problem.  Early detection and response can mitigate damages and minimize further risk to HOYT. 

Treat any information regarding security incidents as Highly Confidential Information and do not share it, internally or externally, without specific authorization.

  1. Security Incident Examples. Security incidents vary widely and include physical and technical issues. Some examples of security incidents that you should report include, but are not limited to:
    1. loss or suspected compromise of user credentials or physical access devices (including passwords, tokens, keys, badges, smart cards, or other means of identification and authentication);
    2. suspected malware infections, including viruses, Trojans, spyware, worms, or any anomalous reports or messages from anti-virus software or personal firewalls;
    3. loss or theft of any device that contains HOYT’s information (other than Public Information), including computers, laptops, tablet computers, smartphones, USB drives, disks, or other storage media;
    4. suspected entry (hacking) into HOYT’s network or systems by unauthorized persons;
    5. any breach or suspected breach of Confidential or Highly Confidential Information;
    6. any attempt by any person to obtain passwords or other Confidential or Highly Confidential Information in person or by phone, email, or other means (sometimes called social engineering, or in the case of email, phishing); and
    7. any other situation that appears to violate this Policy or otherwise create undue risks to HOYT’s information assets. 
  2. Compromised Devices. If you become aware of a compromised computer or other device: 
    1. immediately deactivate (unplug) any network connections, but do not power down the equipment because valuable information regarding the incident may be lost if the device is turned off; and 
    2. immediately notify Joshua Billica at jbillica@healthonyourtime.com.
  1. Event Management. The Information Security Coordinator defines and maintains a security incident response plan to manage information security incidents. Report all suspected incidents, as described in this Policy, and then defer to the incident response process. Do not impede the incident response process or conduct your own investigation unless the Information Security Coordinator specifically requests or authorizes it.
  2. Breach Notification. Applicable law may require HOYT to report security incidents that result in the exposure or loss of certain kinds of information, or that affect certain services or infrastructure, to various authorities, affected individuals or organizations whose data was compromised, or both.  Breaches of Highly Confidential Information (and especially personal information) are the most likely to carry these obligations (see Section 1.5, Regulatory Compliance). The Information Security Coordinator’s incident response plan includes a step to review all incidents for any required breach notifications. Coordinate all external notifications with Legal and the Information Security Coordinator. Do not act on your own or make any external notifications without prior guidance and authorization.
  1. Service Providers: Risks and Governance. The Information Security Coordinator maintains a service provider governance program to oversee service providers that interact with HOYT’s systems or Confidential or Highly Confidential Information.  The service provider governance program includes processes to track service providers, evaluate service provider capabilities, and periodically assess service provider risks and compliance with this Policy. 
    1. Service Provider Approval Required.  Obtain approval from Legal and the Information Security Coordinator before engaging a service provider to perform functions that involve access to HOYT’s systems or Confidential or Highly Confidential Information.
    2. Contract Obligations. Service providers that access HOYT’s systems or Confidential or Highly Confidential Information must agree by contract to comply with applicable laws and this Policy or equivalent information security measures.  HOYT may require service providers to demonstrate their compliance with applicable laws and this Policy by submitting to independent audits or other forms of review or certification based on risks.
  2. Risk and Compliance Management.  HOYT supports an ongoing risk management action cycle to (1) enforce this Policy; (2) identify information security risks; (3) develop procedures, safeguards, and controls; and (4) verify that safeguards and controls are in place and working properly. 
    1. Risk Assessment and Analysis.  HOYT maintains a risk assessment program to identify information security risks across its IT environment, including application software, databases, operating systems, servers, and other equipment, such as network components.  The Information Security Coordinator coordinates risk assessment activities that may take several forms, including analyses, audits, reviews, scans, and penetration testing.  Do not take any actions to avoid, impact, or otherwise impede risk assessments. 

Only the Information Security Coordinator is authorized to coordinate risk assessments.  Seek approval from Legal and the Information Security Coordinator prior to engaging in any risk assessment activities or disclosing any assessment reports outside HOYT.

  1. Remediation and Mitigation Plans.  The Information Security Coordinator maintains and oversees remediation and mitigation plans to address risk assessment findings according to risk levels. 
  2. Vulnerability Management.  Manufacturers, security researchers, and others regularly identify security vulnerabilities in hardware, software, and other equipment.  In most cases, the manufacturer or developer provides a patch or other fix to remediate the vulnerability.  In some situations, the vulnerability cannot be fully remediated, but configurations can be changed or other steps taken to mitigate the risk created. 

The Information Security Coordinator maintains a process to identify and track applicable vulnerabilities, scan devices for current patch status, and advise system administrators. Schedule any necessary updates using standard change management processes (see Section 5.2(d), Change Management) and according to risk level. Make all HOYT-owned devices available to IT for timely patching and related activities. 

  1. Compliance Management.  HOYT maintains compliance management processes to enforce this Policy.  If compliance management processes indicate that you may have acted contrary to this Policy, you may be contacted by the Information Security Coordinator to explain.  In some cases, the Information Security Coordinator may contact your supervising manager or Human Resources to resolve the issue. 
  1. Effective Date. This Information Security Policy is effective as of 01/01/2021.
    1. Revision History.  Original publication: 01/01/2021

Appendix

ADDITIONAL POLICIES, PROCESSES, PROCEDURES, AND STANDARDS:

  1. Health on Your Time Written Information Security Program (WISP)
  2. Health on Your Time Cyber Incident Response Plan (IRP)

SAMPLE ACKNOWLEDGMENT FORM

ACKNOWLEDGMENT

Acknowledgment of Receipt and Review

I, ________________________ (employee name), acknowledge that on ______________________ (date), I received and read a copy of HOYT’s Information Security Policy, dated [VERSION DATE] and understand that it is my responsibility to be familiar with and abide by its terms.  I understand that the information in this Policy is intended to help HOYT’s employees to work together effectively to manage information security risks as part of their assigned job responsibilities.  This Policy is not promissory and does not set terms or conditions of employment or create an employment contract.

 

________________________

Signature

________________________

Printed Name

________________________

Date




Health On Your Time, LLC

Agreements, Acknowledgments and Consents

 

The following Agreements, Acknowledgments and Consents are being obtained on behalf of your selected Expert.

Requests to Communicate by e-mail:

  • I request that the following agreements, acknowledgments, and consents be communicated to my selected Expert by e-mail. 
      • Consent for Treatment (see below)
      • Authorization to Obtain, Use and Disclose Health Information (see below)
  • I request my Expert communicate any necessary scheduling links or requests for alternative dates and times to me by e-mail.
  • I understand that e-mail communication is not secure and that confidentiality of these agreements, acknowledgments, and links may not be secure.

Consent for Treatment 

  • I authorize my selected Expert, and associated agents, to provide or administer telehealth, defined as the practice of healthcare delivery, diagnosis, consultation, treatment, data transfer, and/or education using two-way interactive audio, video, or data communications from a distant site. 

 

  • I understand that audio, photographs, video recordings, digital or other images may be recorded to document my care and I consent to this. I understand these will be stored in a secure manner that will protect my privacy and that they will be kept for durations required by law.


  • I understand that there are certain limitations to virtual interactions (i.e. phone or video) that may limit the ability of my selected Expert to fully evaluate, manage or resolve my medical questions or conditions. I understand that it is my responsibility to receive approval from my primary care doctor or other specialist provider before implementing any guidance, recommendations, diagnostic evaluations or treatments proposed by my selected Expert. 


  • I understand that I have the right to refuse any guidance, recommendations, diagnostic evaluations, or treatments proposed by my selected Expert.

Authorization to Obtain, Use and Disclose Health Information: 

  • I consent that my selected Expert may use and disclose protected health information that I disclose or authorize him/her to obtain during the course of our interactions to other individuals that I designate as part of my health care team. 
  • This authorization includes information relating to Alcohol and Drug Treatment
  • This authorization includes information relating to Mental Health Treatment
  • This authorization includes information relating to HIV/AIDS related Treatment 


  • I have the right to revoke this authorization at any time by verbal or written means with my selected Expert. I understand that I may revoke this authorization except to the extent that action has already been taken based on this authorization. 

 

Notice of Privacy Practice

  • I acknowledge receipt of the Notice of Privacy Practice which can be accessed on the profile of the Expert that I have selected.

Expert Legal Information

Disclaimer:

 WE PROVIDE THE SITE AND THE CONTENT TO YOU “AS IS” AND “AS AVAILABLE.” WE TRY TO KEEP THE SITE UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK. TO THE FULLEST EXTENT PERMISSIBLE BY LAW, AND TO THE EXTENT THAT APPLICABLE LAW PERMITS THE DISCLAIMER OF EXPRESS OR IMPLIED WARRANTIES, WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTY OF TITLE, NON-INFRINGEMENT, ACCURACY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR WARRANTIES THAT MAY ARISE FROM COURSE OF DEALING OR COURSE OF PERFORMANCE OR USAGE OF TRADE. WE DO NOT GUARANTEE THAT THE SITE WILL ALWAYS BE SAFE, SECURE, OR ERROR-FREE, OR THAT THE SITE WILL ALWAYS FUNCTION WITHOUT DISRUPTIONS, DELAYS, OR IMPERFECTIONS. WE ARE NOT RESPONSIBLE FOR THE ACTIONS OR INFORMATION OF THIRD PARTIES, AND YOU RELEASE US FROM ANY CLAIMS AND DAMAGES, KNOWN AND UNKNOWN, ARISING OUT OF OR IN ANY WAY CONNECTED WITH ANY CLAIM YOU HAVE AGAINST ANY SUCH THIRD PARTIES.

WE MAKE NO REPRESENTATIONS WHATSOEVER ABOUT THE QUALITY OR QUALIFICATION OF ANY EXPERT YOU MAY ENCOUNTER AS A RESULT OF YOUR PARTICIPATION IN HEALTH ON YOUR TIME.  EXPERTS ARE NOT CREDENTIALED OR REVIEWED BY HEALTH ON YOUR TIME, AND THEIR QUALIFICATIONS (if any) LISTED HEREIN MERELY ARE A RECITATION OF THE SAME PROVIDED BY THE EXPERT. 

  • Consumers and Experts will be required to give a 10 minute grace period for start of meeting.
  • If the Consumer is late, the expert will not be required to extend the original visit time.
  • If the Expert is late they will be expected to extend the original visit time.
  • If an Expert does not show for the scheduled visit within 10 minutes of the scheduled start time, the consumer must email HOYT at support@healthonyourtime.com before the end time of the scheduled visit to request a refund. HOYT will then investigate the event.
  • If a consumer no shows for the scheduled visit they are not entitled to a refund.

 

  • Any reschedule or cancellation will occur between the Expert and the Consumer outside of the HOYT platform. If the time of your initially scheduled visit is changed via communication with the Expert, HOYT will not honor the late or no show and refund policies.

Last Modified: 10/1/2020 

Acceptance of the Terms of Use

These terms of use are entered into by and between You and Health on Your Time, LLC (“Company,” “we,” or “us”). The following terms and conditions, together with any documents they expressly incorporate by reference (collectively, “Terms of Use”), govern your access to and use of www.healthyonyourtime.com, including any content, functionality, and services offered on or through www.healthyonyourtime.com (the “Website”), whether as a guest or a registered user.

Please read the Terms of Use carefully before you start to use the Website. By using the Website, you accept and agree to be bound and abide by these Terms of Use and our Privacy Policy, found at https://www.healthonyourtime.com/privacy-policy/, incorporated herein by reference. If you do not want to agree to these Terms of Use or the Privacy Policy, you must not access or use the Website. 

This Website is offered and available to users who are 18 years of age or older and reside in the United States or any of its territories or possessions.  By using this Website, you represent and warrant that you are of legal age to form a binding contract with the Company and meet all of the foregoing eligibility requirements. If you do not meet all of these requirements, you must not access or use the Website. 

Changes to the Terms of Use

We may revise and update these Terms of Use from time to time in our sole discretion. All changes are effective immediately when we post them, and apply to all access to and use of the Website thereafter.  However, any changes to the dispute resolution provisions set out in Governing Law and Jurisdiction will not apply to any disputes for which the parties have actual notice on or before the date the change is posted on the Website. 

Your continued use of the Website following the posting of revised Terms of Use means that you accept and agree to the changes. You are expected to check this page frequently so you are aware of any changes, as they are binding on you. 

Accessing the Website and Account Security

We reserve the right to withdraw or amend this Website, and any service or material we provide on the Website, in our sole discretion without notice.  We will not be liable if for any reason all or any part of the Website is unavailable at any time or for any period.  From time to time, we may restrict access to some parts of the Website, or the entire Website, to users, including registered users.

You are responsible for both:

  • Making all arrangements necessary for you to have access to the Website.
  • Ensuring that all persons who access the Website through your internet connection are aware of these Terms of Use and comply with them.

To access the Website or some of the resources it offers, you may be asked to provide certain registration details or other information.  It is a condition of your use of the Website that all the information you provide on the Website is correct, current, and complete.  You agree that all information you provide to register with this Website or otherwise, including, but not limited to, through the use of any interactive features on the Website, is governed by our Privacy Policy (https://www.healthonyourtime.com/privacy-policy/), and you consent to all actions we take with respect to your information consistent with our Privacy Policy.

If you choose, or are provided with, a user name, password, or any other piece of information as part of our security procedures, you must treat such information as confidential, and you must not disclose it to any other person or entity.  You also acknowledge that your account is personal to you and agree not to provide any other person with access to this Website or portions of it using your user name, password, or other security information.  You agree to notify us immediately of any unauthorized access to or use of your user name or password or any other breach of security.  You also agree to ensure that you exit from your account at the end of each session.  You should use particular caution when accessing your account from a public or shared computer so that others are not able to view or record your password or other personal information.

We have the right to disable any user name, password, or other identifier, whether chosen by you or provided by us, at any time in our sole discretion for any or no reason, including if, in our opinion, you have violated any provision of these Terms of Use.

Intellectual Property Rights

The Website and its entire contents, features, and functionality (including but not limited to all information, software, text, displays, images, video, and audio, and the design, selection, and arrangement thereof) are owned by the Company, its licensors, or other providers of such material and are protected by United States and international copyright, trademark, patent, trade secret, and other intellectual property or proprietary rights laws.

These Terms of Use permit you to use the Website for your personal, non-commercial use only. You must not reproduce, distribute, modify, create derivative works of, publicly display, publicly perform, republish, download, store, or transmit any of the material on our Website, except as follows:

  • Your computer may temporarily store copies of such materials in RAM incidental to your accessing and viewing those materials.
  • You may store files that are automatically cached by your Web browser for display enhancement purposes.
  • You may print or download one copy of a reasonable number of pages of the Website for your own personal, non-commercial use and not for further reproduction, publication, or distribution.
  • If we provide desktop, mobile, or other applications for download, you may download a single copy to your computer or mobile device solely for your own personal, non-commercial use, provided you agree to be bound by our end user license agreement for such applications.

You must not:

  • Modify copies of any materials from this site.
  • Use any illustrations, photographs, video or audio sequences, or any graphics separately from the accompanying text.
  • Delete or alter any copyright, trademark, or other proprietary rights notices from copies of materials from this site.

You must not access or use for any commercial purposes any part of the Website or any services or materials available through the Website. 

If you print, copy, modify, download, or otherwise use or provide any other person with access to any part of the Website in breach of the Terms of Use, your right to use the Website will stop immediately and you must, at our option, return or destroy any copies of the materials you have made.  No right, title, or interest in or to the Website or any content on the Website is transferred to you, and all rights not expressly granted are reserved by the Company.  Any use of the Website not expressly permitted by these Terms of Use is a breach of these Terms of Use and may violate copyright, trademark, and other laws.

Trademarks

The Company name, the terms HOYT™, and all related names, logos, product and service names, designs, and slogans are trademarks of the Company or its affiliates or licensors. You must not use such marks without the prior written permission of the Company. All other names, logos, product and service names, designs, and slogans on this Website are the trademarks of their respective owners.

Prohibited Uses

You may use the Website only for lawful purposes and in accordance with these Terms of Use. You agree not to use the Website:

  • In any way that violates any applicable federal, state, local, or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the US or other countries). 
  • For the purpose of exploiting, harming, or attempting to exploit or harm minors in any way by exposing them to inappropriate content, asking for personally identifiable information, or otherwise.
  • To send, knowingly receive, upload, download, use, or re-use any material that does not comply with the Content Standards set out in these Terms of Use.
  • To transmit, or procure the sending of, any advertising or promotional material without our prior written consent, including any “junk mail,” “chain letter,” “spam,” or any other similar solicitation.
  • To impersonate or attempt to impersonate the Company, a Company employee, another user, or any other person or entity (including, without limitation, by using email addresses or screen names associated with any of the foregoing).
  • To engage in any other conduct that restricts or inhibits anyone’s use or enjoyment of the Website, or which, as determined by us, may harm the Company or users of the Website, or expose them to liability.

Additionally, you agree not to:

  • Use the Website in any manner that could disable, overburden, damage, or impair the site or interfere with any other party’s use of the Website, including their ability to engage in real time activities through the Website.
  • Use any robot, spider, or other automatic device, process, or means to access the Website for any purpose, including monitoring or copying any of the material on the Website.
  • Use any manual process to monitor or copy any of the material on the Website, or for any other purpose not expressly authorized in these Terms of Use, without our prior written consent.
  • Use any device, software, or routine that interferes with the proper working of the Website.
  • Introduce any viruses, Trojan horses, worms, logic bombs, or other material that is malicious or technologically harmful.
  • Attempt to gain unauthorized access to, interfere with, damage, or disrupt any parts of the Website, the server on which the Website is stored, or any server, computer, or database connected to the Website. 
  • Attack the Website via a denial-of-service attack or a distributed denial-of-service attack.
  • Otherwise attempt to interfere with the proper working of the Website.

User Contributions

The Website may contain message boards, chat rooms, personal web pages or profiles, forums, bulletin boards, and other interactive features (collectively, “Interactive Services”) that allow users to post, submit, publish, display, or transmit to other users or other persons (hereinafter, “post”) content or materials (collectively, “User Contributions”) on or through the Website.

All User Contributions must comply with the Content Standards set out in these Terms of Use.

Any User Contribution you post to the site will be considered non-confidential and non-proprietary. By providing any User Contribution on the Website, you grant us and our affiliates and service providers, and each of their and our respective licensees, successors, and assigns the right to use, reproduce, modify, perform, display, distribute, and otherwise disclose to third parties any such material for any purpose. 

You represent and warrant that: 

  • You own or control all rights in and to the User Contributions and have the right to grant the license granted above to us and our affiliates and service providers, and each of their and our respective licensees, successors, and assigns.
  • All of your User Contributions do and will comply with these Terms of Use. 

You understand and acknowledge that you are responsible for any User Contributions you submit or contribute, and you, not the Company, have full responsibility for such content, including its legality, reliability, accuracy, and appropriateness.

We are not responsible or liable to any third party for the content or accuracy of any User Contributions posted by you or any other user of the Website. 

Monitoring and Enforcement; Termination

We have the right to:

  • Remove or refuse to post any User Contributions for any or no reason in our sole discretion.
  • Take any action with respect to any User Contribution that we deem necessary or appropriate in our sole discretion, including if we believe that such User Contribution violates the Terms of Use, including the Content Standards, infringes any intellectual property right or other right of any person or entity, threatens the personal safety of users of the Website or the public, or could create liability for the Company.
  • Disclose your identity or other information about you to any third party who claims that material posted by you violates their rights, including their intellectual property rights or their right to privacy.
  • Take appropriate legal action, including without limitation, referral to law enforcement, for any illegal or unauthorized use of the Website. 
  • Terminate or suspend your access to all or part of the Website for any or no reason, including without limitation, any violation of these Terms of Use.

Without limiting the foregoing, we have the right to cooperate fully with any law enforcement authorities or court order requesting or directing us to disclose the identity or other information of anyone posting any materials on or through the Website. YOU WAIVE AND HOLD HARMLESS THE COMPANY AND ITS AFFILIATES, LICENSEES, AND SERVICE PROVIDERS FROM ANY CLAIMS RESULTING FROM ANY ACTION TAKEN BY ANY OF THE FOREGOING PARTIES DURING, OR TAKEN AS A CONSEQUENCE OF, INVESTIGATIONS BY EITHER SUCH PARTIES OR LAW ENFORCEMENT AUTHORITIES.

However, we cannot review material before it is posted on the Website, and cannot ensure prompt removal of objectionable material after it has been posted.  Accordingly, we assume no liability for any action or inaction regarding transmissions, communications, or content provided by any user or third party. We have no liability or responsibility to anyone for performance or nonperformance of the activities described in this section. 

Content Standards

These content standards apply to any and all User Contributions and use of Interactive Services. User Contributions must in their entirety comply with all applicable federal, state, local, and international laws and regulations. Without limiting the foregoing, User Contributions must not:

  • Contain any material that is defamatory, obscene, indecent, abusive, offensive, harassing, violent, hateful, inflammatory, or otherwise objectionable.
  • Promote sexually explicit or pornographic material, violence, or discrimination based on race, sex, religion, nationality, disability, sexual orientation, or age.
  • Infringe any patent, trademark, trade secret, copyright, or other intellectual property or other rights of any other person.
  • Violate the legal rights (including the rights of publicity and privacy) of others or contain any material that could give rise to any civil or criminal liability under applicable laws or regulations or that otherwise may be in conflict with these Terms of Use and our Privacy Policy (https://www.healthonyourtime.com/privacy-policy/).
  • Be likely to deceive any person.
  • Promote any illegal activity, or advocate, promote, or assist any unlawful act.
  • Cause annoyance, inconvenience, or needless anxiety or be likely to upset, embarrass, alarm, or annoy any other person.
  • Impersonate any person, or misrepresent your identity or affiliation with any person or organization. 
  • Involve commercial activities or sales, such as contests, sweepstakes, and other sales promotions, barter, or advertising.
  • Give the impression that they emanate from or are endorsed by us or any other person or entity, if this is not the case.

Copyright Policy

Reporting Claims of Copyright Infringement

We take claims of copyright infringement seriously.  We will respond to notices of alleged copyright infringement that comply with applicable law.  If you believe any materials accessible on or from this Website infringe your copyright, you may request removal of those materials (or access to them) from the Website by submitting written notification to our copyright agent designated below.  In accordance with the Online Copyright Infringement Liability Limitation Act of the Digital Millennium Copyright Act (17 U.S.C. § 512) (“DMCA”), the written notice (the “DMCA Notice”) must include substantially the following:

  • Your physical or electronic signature.
  • Identification of the copyrighted work you believe to have been infringed or, if the claim involves multiple works on the Website, a representative list of such works.
  • Identification of the material you believe to be infringing in a sufficiently precise manner to allow us to locate that material.
  • Adequate information by which we can contact you (including your name, postal address, telephone number, and, if available, email address).
  • A statement that you have a good faith belief that use of the copyrighted material is not authorized by the copyright owner, its agent, or the law.
  • A statement that the information in the written notice is accurate.
  • A statement, under penalty of perjury, that you are authorized to act on behalf of the copyright owner.

Our designated copyright agent to receive DMCA Notices is:

Benjamin Burge
Rupp Baase Pfalzgraf Cunningham, LLC
1600 Liberty Building, Buffalo, NY 14202
716-854-3400

If you fail to comply with all of the requirements of Section 512(c)(3) of the DMCA, your DMCA Notice may not be effective.

Please be aware that if you knowingly materially misrepresent that material or activity on the Website is infringing your copyright, you may be held liable for damages (including costs and attorneys’ fees) under Section 512(f) of the DMCA.

Counter Notification Procedures

If you believe that material you posted on the Website was removed or access to it was disabled by mistake or misidentification, you may file a counter notification with us (a “Counter Notice”) by submitting written notification to our copyright agent designated above. Pursuant to the DMCA, the Counter Notice must include substantially the following:

  • Your physical or electronic signature.
  • An identification of the material that has been removed or to which access has been disabled and the location at which the material appeared before it was removed or access disabled. 
  • Adequate information by which we can contact you (including your name, postal address, telephone number, and, if available, email address).
  • A statement under penalty of perjury by you that you have a good faith belief that the material identified above was removed or disabled as a result of a mistake or misidentification of the material to be removed or disabled.
  • A statement that you will consent to the jurisdiction of the Federal District Court for the judicial district in which your address is located (or if you reside outside the United States for any judicial district in which the Website may be found) and that you will accept service from the person (or an agent of that person) who provided the Website with the complaint at issue.

The DMCA allows us to restore the removed content if the party filing the original DMCA Notice does not file a court action against you within ten business days of receiving the copy of your Counter Notice.

Please be aware that if you knowingly materially misrepresent that material or activity on the Website was removed or disabled by mistake or misidentification, you may be held liable for damages (including costs and attorneys’ fees) under Section 512(f) of the DMCA.

Repeat Infringers

It is Company policy in appropriate circumstances to disable and/or terminate the accounts of users who are repeat infringers.

Reliance on Information Posted

The information presented on or through the Website is made available solely for general information purposes. We do not warrant the accuracy, completeness, or usefulness of this information. Any reliance you place on such information is strictly at your own risk. We disclaim all liability and responsibility arising from any reliance placed on such materials by you or any other visitor to the Website, or by anyone who may be informed of any of its contents.

This Website may include content provided by third parties, including materials provided by other users, bloggers, and third-party licensors, syndicators, aggregators, and/or reporting services. All statements and/or opinions expressed in these materials, and all articles and responses to questions and other content, other than the content provided by the Company, are solely the opinions and the responsibility of the person or entity providing those materials. These materials do not necessarily reflect the opinion of the Company. We are not responsible, or liable to you or any third party, for the content or accuracy of any materials provided by any third parties.

Changes to the Website

We may update the content on this Website from time to time, but its content is not necessarily complete or up-to-date. Any of the material on the Website may be out of date at any given time, and we are under no obligation to update such material. 

Information About You and Your Visits to the Website

All information we collect on this Website is subject to our Privacy Policy (https://www.healthonyourtime.com/privacy-policy/). By using the Website, you consent to all actions taken by us with respect to your information in compliance with the Privacy Policy. 

Online Purchases and Other Terms and Conditions

All purchases through our site or other transactions for the sale of services or information formed through the Website, or resulting from visits made by you, are governed by our Terms of Sale (https://www.healthonyourtime.com/privacy-policy/), which are hereby incorporated into these Terms of Use.

Additional terms and conditions may also apply to specific portions, services, or features of the Website. All such additional terms and conditions are hereby incorporated by this reference into these Terms of Use.

Linking to the Website and Social Media Features

You may link to our homepage, provided you do so in a way that is fair and legal and does not damage our reputation or take advantage of it, but you must not establish a link in such a way as to suggest any form of association, approval, or endorsement on our part. 

This Website may provide certain social media features that enable you to:

  • Link from your own or certain third-party websites to certain content on this Website.
  • Send emails or other communications with certain content, or links to certain content, on this Website.
  • Cause limited portions of content on this Website to be displayed or appear to be displayed on your own or certain third-party websites.

You may use these features solely as they are provided by us, and solely with respect to the content they are displayed with, and otherwise in accordance with any additional terms and conditions we provide with respect to such features. Subject to the foregoing, you must not:

  • Establish a link from any website that is not owned by you.
  • Cause the Website or portions of it to be displayed on, or appear to be displayed by, any other site, for example, framing, deep linking, or in-line linking.
  • Link to any part of the Website other than the homepage.
  • Otherwise take any action with respect to the materials on this Website that is inconsistent with any other provision of these Terms of Use.

The website from which you are linking, or on which you make certain content accessible, must comply in all respects with the Content Standards set out in these Terms of Use.

You agree to cooperate with us in causing any unauthorized framing or linking immediately to stop. We reserve the right to withdraw linking permission without notice.

We may disable all or any social media features and any links at any time without notice in our discretion. 

Links from the Website

If the Website contains links to other sites and resources provided by third parties, these links are provided for your convenience only. This includes links contained in advertisements, including banner advertisements and sponsored links. We have no control over the contents of those sites or resources, and accept no responsibility for them or for any loss or damage that may arise from your use of them. If you decide to access any of the third-party websites linked to this Website, you do so entirely at your own risk and subject to the terms and conditions of use for such websites.

Geographic Restrictions

The owner of the Website is based in the State of Delaware in the United States. We provide this Website for use only by persons located in the United States. We make no claims that the Website or any of its content is accessible or appropriate outside of the United States. Access to the Website may not be legal by certain persons or in certain countries. If you access the Website from outside the United States, you do so on your own initiative and are responsible for compliance with local laws.

Disclaimer of Warranties

You understand that we cannot and do not guarantee or warrant that files available for downloading from the internet or the Website will be free of viruses or other destructive code. You are responsible for implementing sufficient procedures and checkpoints to satisfy your particular requirements for anti-virus protection and accuracy of data input and output, and for maintaining a means external to our site for any reconstruction of any lost data. TO THE FULLEST EXTENT PROVIDED BY LAW, WE WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY A DISTRIBUTED DENIAL-OF-SERVICE ATTACK, VIRUSES, OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR COMPUTER EQUIPMENT, COMPUTER PROGRAMS, DATA, OR OTHER PROPRIETARY MATERIAL DUE TO YOUR USE OF THE WEBSITE OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE OR TO YOUR DOWNLOADING OF ANY MATERIAL POSTED ON IT, OR ON ANY WEBSITE LINKED TO IT.

YOUR USE OF THE WEBSITE, ITS CONTENT, AND ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE IS AT YOUR OWN RISK. THE WEBSITE, ITS CONTENT, AND ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. NEITHER THE COMPANY NOR ANY PERSON ASSOCIATED WITH THE COMPANY MAKES ANY WARRANTY OR REPRESENTATION WITH RESPECT TO THE COMPLETENESS, SECURITY, RELIABILITY, QUALITY, ACCURACY, OR AVAILABILITY OF THE WEBSITE. WITHOUT LIMITING THE FOREGOING, NEITHER THE COMPANY NOR ANYONE ASSOCIATED WITH THE COMPANY REPRESENTS OR WARRANTS THAT THE WEBSITE, ITS CONTENT, OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE WILL BE ACCURATE, RELIABLE, ERROR-FREE, OR UNINTERRUPTED, THAT DEFECTS WILL BE CORRECTED, THAT OUR SITE OR THE SERVER THAT MAKES IT AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR THAT THE WEBSITE OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE WILL OTHERWISE MEET YOUR NEEDS OR EXPECTATIONS. 

TO THE FULLEST EXTENT PROVIDED BY LAW, THE COMPANY HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR PARTICULAR PURPOSE.

THE FOREGOING DOES NOT AFFECT ANY WARRANTIES THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.

Limitation on Liability

TO THE FULLEST EXTENT PROVIDED BY LAW, IN NO EVENT WILL THE COMPANY, ITS AFFILIATES, OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS, OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE WEBSITE, ANY WEBSITES LINKED TO IT, ANY CONTENT ON THE WEBSITE OR SUCH OTHER WEBSITES, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT, OR OTHERWISE, EVEN IF FORESEEABLE. 

THE FOREGOING DOES NOT AFFECT ANY LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.

Indemnification

You agree to defend, indemnify, and hold harmless the Company, its affiliates, licensors, and service providers, and its and their respective officers, directors, employees, contractors, agents, licensors, suppliers, successors, and assigns from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses, or fees (including reasonable attorneys’ fees) arising out of or relating to your violation of these Terms of Use or your use of the Website, including, but not limited to, your User Contributions, any use of the Website’s content, services, and products other than as expressly authorized in these Terms of Use, or your use of any information obtained from the Website.

Governing Law and Jurisdiction

All matters relating to the Website and these Terms of Use, and any dispute or claim arising therefrom or related thereto (in each case, including non-contractual disputes or claims), shall be governed by and construed in accordance with the internal laws of the State of Delaware without giving effect to any choice or conflict of law provision or rule (whether of the State of Delaware or any other jurisdiction).

Except as set forth herein, any legal suit, action, or proceeding arising out of, or related to, these Terms of Use or the Website shall be instituted exclusively in the federal courts of the United States or the courts of the State of Delaware, although we retain the right to bring any suit, action, or proceeding against you for breach of these Terms of Use in your country of residence or any other relevant country. You waive any and all objections to the exercise of jurisdiction over you by such courts and to venue in such courts.

Arbitration

At Company’s sole discretion, it may require You to submit any disputes arising from these Terms of Use or use of the Website, including disputes arising from or concerning their interpretation, violation, invalidity, non-performance, or termination, to final and binding arbitration under the Rules of Arbitration of the American Arbitration Association applying Delaware law.

Limitation on Time to File Claims

ANY CAUSE OF ACTION OR CLAIM YOU MAY HAVE ARISING OUT OF OR RELATING TO THESE TERMS OF USE OR THE WEBSITE MUST BE COMMENCED WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES; OTHERWISE, SUCH CAUSE OF ACTION OR CLAIM IS PERMANENTLY BARRED.

Waiver and Severability

No waiver by the Company of any term or condition set out in these Terms of Use shall be deemed a further or continuing waiver of such term or condition or a waiver of any other term or condition, and any failure of the Company to assert a right or provision under these Terms of Use shall not constitute a waiver of such right or provision.

If any provision of these Terms of Use is held by a court or other tribunal of competent jurisdiction to be invalid, illegal, or unenforceable for any reason, such provision shall be eliminated or limited to the minimum extent such that the remaining provisions of the Terms of Use will continue in full force and effect. 

Entire Agreement

The Terms of Use, our Privacy Policy, and Terms of Sale constitute the sole and entire agreement between you and Health on Your Time, LLC regarding the Website and supersede all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, regarding the Website. 

Your Comments and Concerns

This website is operated by Health on Your Time, LLC.

All notices of copyright infringement claims should be sent to the copyright agent designated in our Copyright Policy in the manner and by the means set out therein.

All other feedback, comments, requests for technical support, and other communications relating to the Website should be directed to: support@healthonyourtime.com

Health on Your Time Website Privacy Policy

Last modified: 1/20/2021

Introduction

Health on Your Time, LLC (“Company” or “We”) respects your privacy and we are committed to protecting it through our compliance with this policy.

This policy describes the types of information we may collect from you or that you may provide when you visit the website www.healthonyourtime.com (our “Website”) and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This policy applies to information we collect:

  • On this Website.
  • In email, text, and other electronic messages between you and this Website.
  • Through mobile and desktop applications you download from this Website, which provide dedicated non-browser-based interaction between you and this Website.
  • When you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this policy.

It does not apply to information collected by:

  • Us offline or through any other means, including on any other website operated by Company or any third party; or 
  • Any third party, including through any application or content (including advertising) that may link to or be accessible from or on the Website.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates. 

Children Under the Age of 16

Our Website is not intended for children under 16 years of age. No one under age 16 may provide any information to or on the Website. We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information on this Website or through any of its features, register on the Website, make any purchases through the Website, use any of the interactive or public comment features of this Website, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use.  If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at support@healthonyourtime.com.

California residents under 16 years of age may have additional rights regarding the collection and sale of their personal information. Please see Your California Privacy Rights for more information.

Information We Collect About You and How We Collect It

We collect several types of information from and about users of our Website, including information:

  • By which you may be personally identified, such as name, postal address, e-mail address, telephone number, social security number (“personal information”);
  • About your internet connection, the equipment you use to access our Website, and usage details.

We collect this information:

  • Directly from you when you provide it to us.
  • Automatically as you navigate through the site. Information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, and other tracking technologies.
  • From third parties, for example, our business partners.

Information You Provide to Us  

The information we collect on or through our Website may include:

  • Information that you provide by filling in forms on our Website. This includes information provided at the time of registering to use our Website, subscribing to our service, posting material, or requesting further services. We may also ask you for information when you report a problem with our Website.
  • Records and copies of your correspondence (including email addresses), if you contact us.
  • Your responses to surveys that we might ask you to complete for research purposes.
  • Details of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website.
  • Your search queries on the Website.

You also may provide information to be published or displayed (hereinafter, “posted”) on public areas of the Website, or transmitted to other users of the Website or third parties (collectively, “User Contributions”). Your User Contributions are posted on and transmitted to others at your own risk. Although you may set certain privacy settings for such information by logging into your account profile, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Website with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.

Information We Collect Through Automatic Data Collection Technologies  

As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

  • Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website.
  • Information about your computer and internet connection, including your IP address, operating system, and browser type.

We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). For information on how we respond to web browser signals and other mechanisms that enable consumers to exercise choice about behavioral tracking please reference Privacy Notice for California Residents.

The information we collect automatically may include personal information, but we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:

  • Estimate our audience size and usage patterns.
  • Store information about your preferences, allowing us to customize our Website according to your individual interests.
  • Speed up your searches.
  • Recognize you when you return to our Website.

The technologies we use for this automatic data collection may include:

  • Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website. 
  • Flash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Website. Flash cookies are not managed by the same browser settings as are used for browser cookies. For information about managing your privacy and security settings for Flash cookies, see Choices About How We Use and Disclose Your Information.
  • Web Beacons. Pages of our Website and our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

Third-Party Use of Cookies and Other Tracking Technologies

Some content or applications, including advertisements, on the Website are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We do not control these third parties’ tracking technologies or how they may be used.  If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.  For information about how you can opt out of receiving targeted advertising from many providers, see Choices About How We Use and Disclose Your Information.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information:

  • To present our Website and its contents to you.
  • To provide you with information, products, or services that you request from us.
  • To fulfill any other purpose for which you provide it.
  • To provide you with notices about your account, including expiration and renewal notices.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
  • To notify you about changes to our Website or any products or services we offer or provide through it.
  • To allow you to participate in interactive features on our Website.
  • In any other way we may describe when you provide the information.
  • For any other purpose with your consent.

We may also use your information to contact you about our own and third parties’ goods and services that may be of interest to you. If you do not want us to use your information in this way, please [check the relevant box located on the form on which we collect your data (the [order form/registration form])/adjust your user preferences in your account profile.] For more information, see Choices About How We Use and Disclose Your Information.

We may use the information we have collected from you to enable us to display advertisements to our advertisers’ target audiences. Even though we do not disclose your personal information for these purposes without your consent, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.

Disclosure of Your Information

We may disclose aggregated information about our users, and information that does not identify any individual, without restriction. 

We may disclose personal information that we collect or you provide as described in this privacy policy:

  • To our subsidiaries and affiliates.
  • To contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Health on Your Time, LLC’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Health on Your Time, LLC about our Website users is among the assets transferred.
  • To third parties to market their products or services to you if you have not opted out of these disclosures. We contractually require these third parties to keep personal information confidential and use it only for the purposes for which we disclose it to them. For more information, see Choices About How We Use and Disclose Your Information.
  • To fulfill the purpose for which you provide it.
  • For any other purpose disclosed by us when you provide the information.
  • With your consent.

We may also disclose your personal information:

  • To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
  • To enforce or apply our terms of use (https://www.healthonyourtime.com/privacy-policy/) or terms of sale (https://www.healthonyourtime.com/privacy-policy/) and other agreements, including for billing and collection purposes.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Health on Your Time, LLC, our customers, or others.  This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

Choices About How We Use and Disclose Your Information

We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information: 

  • Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.
  • Disclosure of Your Information for Third-Party Advertising. If you do not want us to share your personal information with unaffiliated or non-agent third parties for promotional purposes, you can opt-out by [checking the relevant box located on the form on which we collect your data (the [order form/registration form])/[OTHER OPT-OUT METHOD]]. You can also always opt-out by logging into the Website and adjusting your user preferences in your account profile, checking or unchecking the relevant boxes or by sending us an email with your request to [EMAIL ADDRESS].
  • Promotional Offers from the Company.  If you do not wish to have your contact information used by the Company to promote our own or third parties’ products or services, you can opt-out by [[checking the relevant box located on the form on which we collect your data (the [order form/registration form])/[OTHER OPT-OUT METHOD]] or at any other time by] [logging into the Website and adjusting your user preferences in your account profile by checking or unchecking the relevant boxes or by] sending us an email stating your request to [EMAIL ADDRESS]. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions. This opt out does not apply to information provided to the Company as a result of a product purchase, warranty registration, product service experience or other transactions.

We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative (“NAI”) on the NAI’s website.

California residents may have additional personal information rights and choices. Please see Your California Privacy Rights for more information.

Accessing and Correcting Your Information

You can review and change your personal information by logging into the Website and visiting your account profile page. 

If you delete your User Contributions from the Website, copies of your User Contributions may remain viewable in cached and archived pages, or might have been copied or stored by other Website users.  Proper access and use of information provided on the Website, including User Contributions, is governed by our terms of use (https://www.healthonyourtime.com/privacy-policy/).

California residents may have additional personal information rights and choices. Please see Your California Privacy Rights for more information.

Your California Privacy Rights

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit https://www.healthonyourtime.com/privacy-policy/

California’s “Shine the Light” law (Civil Code § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to support@healthonyourtime.com.

Data Security

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.  All information you provide to us is stored on our secure servers behind firewalls.  Any payment transactions will be encrypted. 

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.  We urge you to be careful about giving out information in public areas of the Website like message boards. The information you share in public areas may be viewed by any user of the Website.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website. 

 

Changes to Our Privacy Policy

It is our policy to post any changes we make to our privacy policy on this page. If we make material changes to how we treat our users’ personal information, we will notify you by email to the email address specified in your account or through a notice on the Website home page.  The date the privacy policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this privacy policy to check for any changes.

Contact Information

To ask questions or comment about this privacy policy and our privacy practices, contact us at: support@healthonyourtime.com

 

To register a complaint or concern, please email us at support@healthonyourtime.com

Health on Your Time Privacy Notice for California Residents

Effective Date: 10/1/2020

Last Reviewed on

This Privacy Notice for California Residents supplements the information contained in Health on Your Time’s Privacy Policy (https://www.healthonyourtime.com/privacy-policy/) and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and any terms defined in the CCPA have the same meaning when used in this Notice. 

Information We Collect

Our Website collects information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information”). Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

In particular, our Website has collected the following categories of personal information from its consumers within the last twelve (12) months: 

 

| Category | Examples | Collected |
| --- | --- | --- |
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | NO |
| G. Geolocation data. | Physical location or movements. | NO |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | NO |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
| K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO |

Our Website obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our Website.

 

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following purposes: 

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns. 
  • To provide, support, personalize, and develop our Website, products, and services.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).
  • To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Website users is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract. The CCPA prohibits third parties who purchase the personal information we hold from reselling it unless you have received explicit notice and an opportunity to opt-out of further sales.

We share your personal information with the following categories of third parties: 

  • Service providers.
  • Data aggregators.
  • Third-party advertising companies.

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose: 

Category A: Identifiers.

Category B: California Customer Records personal information categories.

Category C: Protected classification characteristics under California / federal law.

Category D: Commercial information.

 

We disclose your personal information for a business purpose to the following categories of third parties: 

  • Service providers.
  • Third-party advertising companies.

Sales of Personal Information 

In the preceding twelve (12) months, Company has not sold any users’ personal information.

Your Rights and Choices 

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and 
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained. 

Deletion Request Rights 

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. 

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to: 

  1. Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either: 

  • Emailing us at support@healthonyourtime.com
  • Visiting https://www.healthonyourtime.com

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. 

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include:
    • first and last name
    • billing address
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. 

Making a verifiable consumer request does not require you to create an account with us. 

We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. 

For instructions on exercising sale opt-out rights, see Personal Information Sales Opt-Out and Opt-In Rights.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. 

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. 

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Other California Privacy Rights

California’s “Shine the Light” law (Civil Code § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to support@healthonyourtime.com.

Changes to Our Privacy Notice

We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this notice, the ways in which Health on Your Time, LLC collects and uses your information described here and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Website: https://www.healthonyourtime.com

Email: support@healthonyourtime.com

Health on Your Time Information Security Policy

  1. Introduction: Policy Foundation and Regulatory Compliance. This Information Security Policy (Policy) promotes an effective balance between information security practices and business needs. The Policy helps Health on Your Time, LLC (“HOYT”) meet our legal obligations and our customers’ and clients’ expectations. From time to time, HOYT may implement different levels of security controls for different information assets, based on risk and other considerations. 

You are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from your manager or other designated HOYT resource before taking any actions that create information security risks or otherwise deviating from this Policy’s requirements. HOYT may treat any failure to seek and follow such guidance as a violation of this Policy. 

This Policy is Confidential Information.  Do not share this Policy outside HOYT unless authorized by the Information Security Coordinator. You may share this Policy with an approved contractor that has access to HOYT’s information or systems under a non-disclosure agreement or other agreement that addresses confidentiality (see Section 7, Service Providers: Risks and Governance).

Our customers, clients, employees, and others rely on us to protect their information. An information security breach or cyber incident could severely damage our credibility. Security events can also cause loss of business and other harm to HOYT.  Strong information security requires diligence by all workforce members, including employees, contractors, volunteers, and any others accessing or using our information assets.  It is part of everyone’s job.

  1.1 Guiding Principles. HOYT follows these guiding principles when developing and implementing information security controls:
    1. HOYT strives to protect the confidentiality, integrity, and availability of its information assets and those of its customers and clients.
    2. We will comply with applicable privacy and data protection laws.
    3. We will balance the need for business efficiency with the need to protect sensitive, proprietary, or other confidential information from undue risk. 
    4. We will grant access to sensitive, proprietary, or other confidential information only to those with a need to know and at the least level of privilege necessary to perform their assigned functions. 
    5. Recognizing that an astute workforce is the best line of defense, we will provide security training opportunities and expert resources to help individuals understand and meet their information security obligations.
  1.2 Scope. This Policy applies across the entire HOYT enterprise. 

This Policy states HOYT’s information security policy.  In many cases, you are personally responsible for taking or avoiding specific actions as the Policy states.  In some situations, the Information Security Coordinator, IT, or another HOYT resource takes or avoids the stated actions.

From time to time, HOYT may approve and make available more detailed or location or business unit-specific policies, procedures, standards, and processes to address specific information security issues.  Those additional policies, procedures, standards, and processes are extensions to this Policy.  You must comply with them, where applicable, unless you obtain an approved exception.

  1.3 Resources. No single document can cover all the possible information security issues you may face.  Balancing our need to protect HOYT’s information assets with getting work done can also be challenging.  Many effective administrative, physical, and technical safeguards are available.  Do not make assumptions about the cost or time required to implement them.  Ask for help. 

You must seek guidance before taking any actions that create information security risks.  Contact your manager or HOYT’s information security officer.

    1. For questions about this Policy or technical information security issues contact: jbillica@healthonyourtime.com; or
    2. For guidance regarding legal obligations contact:  Rupp Baase Pfalzgraf Cunningham, LLC 1600 Liberty Building Buffalo, NY 14202, 716-854-3400. 

  1.4 No Expectation of Privacy and Monitoring. Except where applicable law provides otherwise, you should have no expectation of privacy when using HOYT’s network or systems, including, but not limited to, transmitting and storing files, data, and messages. 

To enforce compliance with HOYT’s policies and protect HOYT’s interests, HOYT reserves the right to monitor any use of its network and systems to the extent permitted by applicable law.  By using HOYT’s systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, emails, or other messages or data sent or received and inspecting data stored on individual file directories, hard disks, or other printed or electronic media.

  1.5 Regulatory Compliance. Various information security laws, regulations, and industry standards apply to HOYT and the data we handle.  HOYT is committed to complying with applicable laws, regulations, and standards. Our customers and clients expect nothing less from us. 

This section lists the obligations that you are the most likely to encounter. Do not assume that these are the only laws that may apply. To identify specific obligations, you must seek guidance from Legal and the Information Security Coordinator when collecting, creating, or using new or different types of information.

  1. Personal Information: Data Protection and Breach Notification Laws. Various laws protect individuals’ personal information, such as government-assigned numbers, financial account information, and other sensitive data.  Many jurisdictions have enacted breach notification laws that require organizations to notify affected individuals if personal information is lost or accessed by unauthorized parties. Some locations have data protection laws that require organizations to protect personal information using reasonable data security measures or more specific means. These laws may apply to personal information for HOYT’s employees, customers, clients, business partners, and others. 
  2. The New York SHIELD Act.  The New York SHIELD Act (N.Y. Gen. Bus. § 899-aa; 899-bb) requires all businesses that have a New York resident’s personal information to safeguard that personal information by implementing reasonable administrative, technical, and physical safeguards. 
  2. Responsibilities: Security Organization, Authority, and Obligations.  HOYT and its leadership recognize the need for a strong information security program.
    2.1 Information Security Coordinator.  HOYT has designated Joshua Billica to be its Information Security Coordinator and accountable for all aspects of its information security program.
    2.2 Policy Authority and Maintenance.  HOYT has granted the Information Security Coordinator the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as he or she may deem necessary and appropriate.
    2.3 Policy Review.  On at least an annual basis, the Information Security Coordinator will initiate a review of this Policy, engaging stakeholders such as individual business units, Human Resources, Legal, and other HOYT organizations, as appropriate.
    2.4 Exceptions.  HOYT recognizes that specific business needs and local situations may occasionally call for an exception to this Policy.  Exception requests must be made in writing.  The Information Security Coordinator must approve in writing, document, and periodically review all exceptions.

Do not assume that the Information Security Coordinator will approve an exception simply because he or she has previously approved a similar exception. Each non-compliant situation requires a review of the specific facts and risks to HOYT’s information assets and those of our customers and clients. 

To request an exception, contact the Information Security Coordinator, Joshua Billica.

  2.5 Workforce Obligation to Comply.  Employees and contractors are obligated to comply with all aspects of this Policy that apply to them.  This Policy is not intended to restrict communications or actions protected or required by applicable law. 

HOYT may treat any attempt to bypass or circumvent security controls as a violation of this Policy.  For example, sharing passwords, deactivating anti-virus software, removing or modifying secure configurations, or creating unauthorized network connections are prohibited unless the Information Security Coordinator has granted an exception as described in Section 2.4, Exceptions. 

HOYT takes steps to help employees and contractors understand this Policy. You are responsible for your own actions and compliance with this Policy. You should question and report any situation to your manager or the Information Security Coordinator that appears to violate this Policy or creates any undue information security risk. 

  2.6 Sanctions.  Any violation of this Policy may result in disciplinary action or other sanctions.  Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination, in accordance with applicable law.  If HOYT suspects illegal activities, it may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved. 
  2.7 Acknowledgment.  All employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process.  Acknowledgment must be completed on a timely basis following a new hire or as otherwise designated by the Information Security Coordinator.  Material changes to this Policy may require additional acknowledgment.  HOYT will retain acknowledgment records.
  2.8 Training.  HOYT recognizes that an astute workforce is the best line of defense. We will provide security training opportunities and expert resources to help employees and contractors understand their obligations under this Policy and avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire.  All workforce members must complete information security training on at least an annual basis.  Managers must ensure that their employees complete all required training.

HOYT may deem failure to participate in required training a violation of this Policy.  HOYT will retain attendance records and copies of security training materials delivered.

  3. Data: Information Classification and Risk-Based Controls.  HOYT has established a three-tier classification scheme to protect information according to risk levels.  The information classification scheme allows HOYT to select appropriate security controls and balance protection needs with costs and business efficiencies. 

All HOYT information is classified as (from least to most sensitive): (1) Public Information, (2) Confidential Information, or (3) Highly Confidential Information.

Unless it is marked otherwise or clearly intended to be Public Information, treat all HOYT, and customer and client information, as if it is at least Confidential Information, regardless of its source or form, including electronic, paper, verbal, or other information. 

You must apply security controls appropriate for the assigned information classification level to all information you store, transmit, or otherwise handle. Use classification level markings, where feasible. 

  3.1 Public Information. Public Information is information that HOYT has made available to the general public.  Information received from another party (including a customer and client) that is covered under a current, signed non-disclosure agreement must not be classified or treated as Public Information.
    1. Public Information Examples. Some Public Information examples include, but are not limited to: 
      1. press releases;
      2. HOYT marketing materials;
      3. job announcements; and
      4. any information that HOYT makes available on its publicly-accessible website. 

Do not assume that any information you obtain from HOYT’s internal network or systems is publicly available.  For example, draft marketing materials are typically Confidential Information until their release.  Consider all information to be at least Confidential Information, and not available for public disclosure without authorization, until you verify it is Public Information.

  1. Confidential Information. Confidential Information is information that may cause harm to HOYT, its customers and clients, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available.  Harms may relate to an individual’s privacy, HOYT’s marketplace position or that of its customers and clients, or legal or regulatory liabilities. 

Mark Confidential Information to denote its status when technically feasible. Applications or databases that contain Confidential Information may be marked with an initial banner shown upon system access. 

You must have authorization to disclose Confidential Information to an external party. Seek guidance from your manager or Legal prior to disclosing Confidential Information and verify that an appropriate non-disclosure or other agreement is in effect.

  1. Confidential Information Examples. Some Confidential Information examples include, but are not limited to:
    1. HOYT financial data, customer and client lists, revenue forecasts, program or project plans, and intellectual property;
    2. customer-provided and client-provided data, information, and intellectual property;
    3. customer and client contracts and contracts with other external parties, including vendors;
    4. communications or records regarding internal HOYT matters and assets, including operational details and audits;
    5.  HOYT policies, procedures, standards, and processes (for example, this Policy is Confidential Information and should not be shared without authorization from the Information Security Coordinator);
    6. any information designated as “confidential” or some other protected information classification by an external party and subject to a current non-disclosure or other agreement;
    7. information regarding employees (see also, Section 3.3, Highly Confidential Information, regarding personal information);
    8. any summaries, reports, or other documents that contain Confidential Information; and
    9. drafts, summaries, or other working versions of any of the above.
  2. Safeguards. You must protect Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks, including (but not necessarily limited to):
    1. Authentication.  Electronically stored Confidential Information must only be accessible to an individual after logging in to HOYT’s network.
    2. Discussions.  Only discuss Confidential Information in non-public places, or if a discussion in a public place is absolutely necessary, take reasonable steps to avoid being overheard.
    3. Copying/Printing/Faxing/Scanning. Only scan, make copies, and distribute Confidential Information to the extent necessary or allowed under any applicable non-disclosure agreement or other applicable agreement. Take reasonable steps to ensure that others who do not have a business need to know do not view the information. 

When faxing Confidential Information, use a cover sheet that informs the recipient that the information is HOYT’s Confidential Information.  Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Confidential Information.

  1. Encryption.  You should encrypt Confidential Information when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices. Consider encrypting Confidential Information when transmitting or transporting it externally, based on specific risks. Seek assistance from your manager or email Joshua Billica at jbillica@healthonyourtime.com, if needed.
  2. Mailing.  Use a service that requires a signature for receipt of the information when sending Confidential Information outside HOYT. When sending Confidential Information inside HOYT, use a sealed security envelope marked “Confidential Information.”
  3. Meeting Rooms.  You should only share Confidential Information in physically secured meeting rooms. Erase or remove any Confidential Information that you write on a whiteboard or other presentation tool upon the meeting’s conclusion.
  4. Need to know.  Only access, share, or include Confidential Information in documents, presentations, or other resources when there is a business need to know. 
  5. Physical Security.  Only house systems that contain Confidential Information or store Confidential Information in paper or other forms in physically secured areas.
  1. Highly Confidential Information.  Highly Confidential Information is information that may cause serious and potentially irreparable harm to HOYT, its customers and clients, employees, or other entities or individuals if disclosed or used in an unauthorized manner.  Highly Confidential Information is a subset of Confidential Information that requires additional protection. 

Mark Highly Confidential Information to denote its status when technically feasible. Applications or databases that contain Highly Confidential Information may be marked with an initial banner shown upon system access. 

You may not remove Highly Confidential Information from HOYT’s environment without authorization.

You must have authorization to disclose Highly Confidential Information to an external party.  Seek guidance from Legal and the Information Security Coordinator prior to disclosing Highly Confidential Information externally to ensure HOYT meets its legal obligations. 

  1. Highly Confidential Information Examples. Some Highly Confidential Information examples include, but are not limited to:
    1. personal information for employees, customers and clients, business partners, or others; and
    2. sensitive HOYT business information, such as budgets, financial results, or strategic plans.
  2. Safeguards. You must protect Highly Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks and as prescribed by applicable laws, regulations, and standards, including (but not necessarily limited to):
    1. Authentication.  Electronically stored Highly Confidential Information must only be accessible to an individual after logging in to HOYT’s network and with specific authorization.
    2. Discussions.  Only discuss Highly Confidential Information in non-public places.
    3. Copying/Printing/Faxing/Scanning.  Do not scan, copy, or distribute Highly Confidential Information unless absolutely necessary.  Take reasonable steps to ensure that others who do not have a specific business need to know do not view the information. 

When faxing Highly Confidential Information, use a cover sheet that informs the recipient that the information is HOYT’s Highly Confidential Information. Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Highly Confidential Information.

  1. Encryption.  You must encrypt Highly Confidential Information when transmitting it, whether externally or internally, or when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices such as USB drives. You should also encrypt Highly Confidential Information when storing it on a server, database, or other stationary device. 
  2. Mailing.  Do not mail Highly Confidential Information unless absolutely necessary. Use a service that requires a signature for receipt of the information when sending Highly Confidential Information outside HOYT.  When sending Highly Confidential Information inside HOYT, use a sealed security envelope marked “Highly Confidential Information.”  If you use electronic media to mail Highly Confidential Information, you must encrypt and password protect it.
  3. Meeting Rooms.  You must only share Highly Confidential Information in physically secured meeting rooms.  Erase any Highly Confidential Information that you write on a whiteboard or other presentation tool upon the meeting’s conclusion.
  4. Need to know.  Only access, share, or include Highly Confidential Information in documents, presentations, or other resources when there is a specific business need to know. 
  5. Network Segmentation. You may only make Highly Confidential Information available to areas of HOYT’s network where there is a specific business need. Highly Confidential Information must be segmented from the rest of HOYT’s network using controls such as firewalls, access control lists, or other security mechanisms. 
  6. Physical Security.  Only house systems that contain Highly Confidential Information or store Highly Confidential Information in paper or other forms in physically secured areas, accessible only to those with a specific business need to know. 
  1. People: Roles, Access Control, and Acceptable Use.  People are the best defense in information security. They are also the weakest link.  HOYT grants access to its systems and data based on business roles.  HOYT places limits on how you may use and interact with its information assets. These restrictions help lower risks and protect you and HOYT. 
    1. Roles.  Business roles and role-based access are based on the individual’s relationship with HOYT and assigned activities.
      1. Employees.  Human Resources provides employee screening. HOYT may require employees who handle Highly Confidential Information to undergo additional background screening and testing where permitted by applicable laws. 

Supervising managers may request access for their employees only to those HOYT systems and data required to meet business needs. 

  1. External Parties.  HOYT grants systems access to approved external parties, such as contractors, vendors, service providers, business partners, or others with a demonstrated business need that cannot be reasonably met through other means (see Section 7, Service Providers: Risks and Governance).  HOYT may support different access levels for different business situations. 
  1. Identity and Access Management.  HOYT uses identity and access management controls to provide user accounts with appropriate privileges to employees and others. 
    1. Unique User Accounts.  HOYT assigns unique user accounts and passwords to individuals, using their primary ID.  You must not share your account or password with others. If system or other administrative accounts cannot be uniquely assigned to specific individuals, use mediated access, audit logs, or other technical controls to provide individual accountability. 
    2. Add, Change, Terminate Access.  HOYT restricts access to specific resources to those with a business need to know.  Responsible managers should direct requests to add or change access levels to IT.  System and application administrators must periodically review user accounts and access levels to confirm that a legitimate business need for the access still exists. 

When an employee leaves the business, Human Resources must immediately notify IT.  IT will deactivate the individual’s account(s) in a timely manner.  For external parties, the sponsoring employee must notify IT when there is no longer a business need for access, to support timely account termination.  Managers should seek guidance from Human Resources and the Information Security Coordinator regarding access for employees on extended leaves.

  1. Authorization Levels and Least Privilege. Proper authorization levels ensure that HOYT only grants individuals the privileges they need to perform their assigned activities and no more.  Known as least privilege access, this method minimizes risks. Least privilege applies to user and administrative access.  You must not grant administrative privileges unless there is a specific business need, and you must limit them to the extent feasible.
  2. Role-Based Access Controls.  Use role-based access control methods whenever feasible to assign authorization levels according to business functions, rather than uniquely for each individual. This method supports the least privilege approach by standardizing access. It also simplifies periodic access reviews.
  1. Acceptable Use Policy.  HOYT provides employees and others with network resources and systems to support its business requirements and functions.  This section limits how you may use HOYT’s information assets and explains the steps you must take to protect them.

If you have any questions regarding acceptable use of HOYT’s resources, please discuss them with your manager or contact the Information Security Coordinator for additional guidance.

  1. General Use of Information Technology Resources.  HOYT provides network resources and systems for business purposes. Any incidental non-business use of HOYT’s resources must be for personal purposes only.  Do not use HOYT’s resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with HOYT. 

Do not use HOYT’s resources in a manner that negatively impacts your job performance or impairs others’ abilities to do their jobs.  HOYT’s network and systems are subject to monitoring (see Section 1.4, No Expectation of Privacy and Monitoring).

Do not use HOYT’s network or systems for activities that may be deemed illegal under applicable law.  If HOYT suspects illegal activities, it may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved. 

  1. Prohibited Activities.  HOYT prohibits using its resources to engage in activities such as (but not necessarily limited to) the following:
    1. hacking, spoofing, or launching denial of service attacks; 
    2. gaining or attempting to gain unauthorized access to others’ networks or systems; 
    3. sending fraudulent email messages; 
    4. distributing or attempting to distribute malicious software (malware); 
    5. spying or attempting to install spyware or other unauthorized monitoring or surveillance tools; 
    6. committing criminal acts such as terrorism, fraud, or identity theft; 
    7. downloading, storing, or distributing child pornography or other obscene materials;
    8. downloading, storing, or distributing materials in violation of another’s copyright;
    9. creating undue security risks or negatively impacting the performance of HOYT’s network and systems;
    10. causing embarrassment, loss of reputation, or other harm to HOYT;
    11. uploading, downloading, or disseminating defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate or offensive messages or media;
    12. distributing joke, chain letter, commercial solicitation, or hoax emails or other messages (spamming);
    13. disrupting the workplace environment, creating a hostile workplace, or invading the privacy of others;
    14. using encryption or other technologies in an attempt to hide illegal, unethical, or otherwise inappropriate activities; and
    15. installing or distributing unlicensed or pirated software.
  1. Desktop, Laptop, and End-User Controls. You may only access HOYT’s network using approved end-user devices that support our current minimum information security standards.  Standards for end-user devices may include protective controls and specific configurations, such as anti-virus software, patching levels, and required operating system or other software versions.  HOYT-owned machines may be configured to automatically receive upgrades.  You may be denied remote access using non-HOYT owned devices that do not meet current standards. 

Use your own HOYT-provided account(s) to access HOYT’s network and systems, unless you have been specifically authorized to use a device-specific, administrative, or other account (see Section 4.2, Identity and Access Management).

Screen saver passwords, also known as “workstation timeouts” or “lock screens,” secure Confidential Information by protecting active computer sessions when you step away. Locking screen savers must activate after a maximum inactivity time of 15 minutes.  If you handle Highly Confidential Information, lock your screen any time you leave it unattended. 

  1. Information Handling and Storage.  You must properly handle, store, and securely dispose of HOYT’s information in accordance with HOYT’s policies and procedures.  You are responsible for any Confidential or Highly Confidential Information that you access or store.  Do not allow others to view, access, or otherwise use any Confidential or Highly Confidential Information you control unless they have a specific business need to know.

Store files or other data critical to HOYT’s operations on regularly maintained (backed up) servers or other storage resources.  Do not store business critical data only on end user devices such as desktops, laptops, smartphones, or other mobile devices.

Physically secure any media containing HOYT’s information, including hard drives, CDs, disks, paper, voice recordings, removable drives (such as thumb drives, flash drives, USB drives), or other media.  You must store media containing Confidential or Highly Confidential Information in a locked area when not in use.

Shred or otherwise destroy paper that contains Confidential or Highly Confidential Information prior to disposal.  Return all electronic, magnetic, or optical media to IT for secure disposal when it is no longer required to meet business needs.

  1. Internet Use: Email, Messaging, Social Media, and Cloud Computing.  The internet offers a variety of services that HOYT employees and contractors depend on to work effectively. However, some technologies create undue risks to HOYT’s assets. Some uses are not appropriate in the workplace. 

HOYT may block or limit access to particular services, websites, or other internet-based functions according to risks and business value.  Recognize that inappropriate or offensive websites may still be reachable and do not access them using HOYT resources.  

  1. General Internet Use. Limit your web browsing and access to streaming media (such as videos, audio streams or recordings, and webcasts) to business purposes or as otherwise permitted by this Policy. Internet use must comply with this Policy. 

Do not use internet-based remote access services to access HOYT’s network or systems, including desktop computers. If you need remote access, use HOYT-provided or authorized software (see Section 4.3(f), Remote Access).

  1. Email and Social Media. Do not disclose Confidential or Highly Confidential Information to unauthorized parties on blogs or social media or transmit it in unsecured emails or instant messages (see Section 3, Data: Information Classification and Risk-Based Controls).  Do not make postings or send messages that speak for HOYT or imply that you speak for HOYT unless you have been authorized to do so.

Use good professional judgment when drafting and sending any communications. Remember that messages may be forwarded or distributed outside your control, and your professional reputation is at stake.  Email signatures should be professional, appropriate for your business role, and not unreasonably long or complex. 

Never open an email attachment that you did not expect to receive, click on links, or otherwise interact with unexpected email content.  Attackers frequently use these methods to transport viruses and other malware.  Be cautious, even if messages appear to come from someone you know, since attackers can easily falsify (spoof) email senders.  HOYT may block some attachments or emails, based on risk. 

Do not respond to an email or other message that requests Confidential or Highly Confidential Information unless you have separately verified and are certain of its origin and purpose.  Even then, always protect Confidential or Highly Confidential Information as described in Section 3, Data: Information Classification and Risk-Based Controls. 

If you have any doubts regarding the authenticity or risks associated with an email or other message you receive, contact IT immediately and before interacting with the message. Do not reply to suspicious messages, including clicking links or making unsubscribe requests. Taking those actions may simply validate your address and lead to more unwanted or risky messages.

  1. Cloud Computing.  HOYT may use internet-based, outsourced services for some computing and data storage activities based on business needs.  Cloud computing services store data and provide services in internet-accessible data centers that may be located almost anywhere.  Cloud services vary significantly in their service levels and security measures. 

While cloud services may offer an attractive cost model, they also present significant risks. Using them may also affect HOYT’s ability to comply with some laws. Before using any cloud computing services to collect, create, store, or otherwise manage HOYT’s Confidential or Highly Confidential Information, you must obtain approval from Legal and the Information Security Coordinator (see Section 7, Service Providers: Risk and Governance). 

This Policy applies to any document sharing or other internet-based services, if HOYT Confidential or Highly Confidential Information is stored.

  1. Mobile Devices and Bring Your Own Device to Work. Mobile devices, including laptops, smartphones, and tablet computers, can provide substantial productivity benefits.  Mobile storage devices may simplify information exchange and support business needs.  However, all these mobile devices also present significant risks to HOYT’s information assets, so you must take appropriate steps to protect them.  

 HOYT may permit employees and others to use their own equipment to connect to its network and systems.  If you choose to do so, you agree that your use of those devices is subject to this Policy and any additional policies, procedures, standards, and processes HOYT implements.  HOYT may require you to install specific security controls on your device (for example, device management software, access controls, encryption, remote wiping in case your device is lost or stolen, or other security controls). 

You must allow IT (or another HOYT resource) to review your device and remove any HOYT data, if your relationship with HOYT terminates, you change devices or services, or in other similar situations.  You must also promptly provide HOYT with access to your device when requested for HOYT’s legitimate business purposes, including any security incident or investigation.

Use encryption, other protection strategies (for example, device management software, access controls, remote wiping in case your device is lost or stolen, or other security controls), or both on any mobile device that contains Confidential or Highly Confidential Information.  Mobile devices, including those that provide access to HOYT email, must be protected using a password or other approved authentication method. 

Physically secure any mobile devices you use to access or store HOYT information.  Never leave laptops or other devices unattended unless locked or otherwise secured. Do not leave mobile devices or the bags containing them visible in a parked car or check them as baggage on airlines or other public transportation.

Do not connect a mobile device containing HOYT information to any unsecured network without an up-to-date firewall configured (or other security controls in place). Unsecured networks include home networks, hotel networks, open or for-pay wireless hotspots, convention networks, or any other network that HOYT has not approved or does not control.

  1. Remote Access. If you have a business need to access HOYT’s network and systems from home, while traveling, or at another location, HOYT may grant you remote access. 

Use two-factor authentication to access HOYT’s network remotely.  Configure remote access capabilities to limit access to only those assets and functions the Information Security Coordinator approves.  You may only use HOYT-provided means for remote access (for example, VPN connections, dial-up modems, HOYT portal).  Do not install or set up any other remote connections, including remote desktop software, without the Information Security Coordinator’s authorization. 

Remote access connections should time out (be disconnected) after a maximum of one hour of inactivity.  HOYT does not permit split tunneling or other mechanisms that bridge unsecured networks with HOYT’s network. 

  1. External Network Connections.  Some business situations may require creating a secure connection from HOYT’s network to an external party’s network (extranet).  Examples include working extensively with customer or client systems, outsourcing, or partnering with another organization for an extended period.  Extranet connections allow the organizations to share information and technical resources in a secure manner by connecting the two networks at their respective perimeters.

The Information Security Coordinator must review and approve all extranets and any other external connections to HOYT’s network before implementation. A signed business agreement between the two organizations must accompany any extranet connection.  Limit connectivity to only those assets required to perform the specified functions.  HOYT monitors extranet connections and may deactivate them if unusual or inappropriate traffic is detected. 

  1. Wireless Network Connections.  Do not connect any wireless access points, routers, or other similar devices to HOYT’s network unless the Information Security Coordinator has reviewed and approved them. 

Secure and maintain approved wireless network (WiFi) connections according to current HOYT technical and physical security standards.  Do not connect wireless access points (WAPs) directly to HOYT’s trusted network without going through a firewall or other protective controls. Deactivate WAPs when they are not in use, including during non-business hours. 

Only transmit, receive, or make available Highly Confidential Information through WiFi connections using appropriate protective controls, including encryption.  If you have questions regarding appropriate WiFi security measures to take when handling Highly Confidential Information, contact the Information Security Coordinator. 

End-user devices that access wireless networks, such as laptops, must have personal firewalls installed and maintained according to current HOYT standards.  Deactivate your computer’s wireless networking interface when it is not in use.

  1. Information Assets: Protecting and Managing HOYT’s Information Technology Environment.  This section describes key safeguards that HOYT uses to protect and manage its information technology (IT) environment.  You must support their use to the extent that they apply to you. 
    1. Protecting Information Assets.  Install and configure HOYT-owned computers according to current technical standards and procedures, including anti-virus software, other standard security controls, and approved operating system version and software patches.  HOYT supports preventive controls to avoid unauthorized activities or access to data, based on risk levels.  HOYT supports detective controls to timely discover unauthorized activities or access to data, including continuous system monitoring and event management. 

Configure user accounts to require strong passwords. To protect against password guessing and other brute force attacks, HOYT will deactivate user accounts after five failed login attempts. Reactivation may be based on a timeout or manual reset according to risk and technical feasibility.

Secure remote access points and require two-factor authentication. Encrypt authentication credentials during transmission across any network, either internal or external.

  1. Passwords and User Credentials.  Select strong passwords and protect all user credentials, including passwords, tokens, badges, smart cards, or other means of identification and authentication.  Implement password rules so that users select and use strong passwords.  Automate password rule enforcement to the extent technically feasible.

 

Several techniques can help you create a strong password. Substituting numbers for words is common. For example, you can use the numerals two or four with capitalization and symbols to create a memorable phrase. Another way to create an easy-to-remember strong password is to think of a sentence and use the first letter of each word as a password.

Treat passwords as Highly Confidential Information. You may be required to change your password periodically according to current HOYT standards.  Change your password immediately and report the incident (see Section 6.1, Incident Reporting) if you have reason to believe that it has been compromised. 

  1. Password Protection. Protect your passwords at all times by:
    1. Not disclosing your passwords to anyone, including anyone who claims to be from IT;
    2. Not sharing your passwords with others (including co-workers, managers, customers, clients, or family);
    3. Not writing down your passwords or otherwise recording them in an unsecure manner;
    4. Not using save password features for applications, unless provided or authorized by HOYT;
    5. Not using the same password for different systems or accounts, except where single sign on features are automated; and
    6. Not reusing passwords.

IT procedures and technical standards define additional steps to protect passwords for administrative or device-specific accounts. 

  1. Perimeter Controls. Perimeter controls secure HOYT’s network against external attacks.  Use firewalls, configured according to current technical standards and procedures, to separate HOYT’s trusted network from the internet or internet-facing environments. 

 HOYT may implement additional perimeter controls including intrusion detection and prevention services, data loss prevention software, specific router or other network configurations, or various forms of network monitoring according to risks.  Do not create internet connections outside perimeter controls.

  1. Data and Network Segmentation.  HOYT may use technical controls, such as firewalls, access control lists, or other mechanisms, to segment some data or areas of its network according to risks.  Segment Highly Confidential Information from the rest of HOYT’s network, to the extent technically feasible and reasonable (see Section 3.3, Highly Confidential Information).  Do not alter network segmentation plans without approval from the Information Security Coordinator.
  2. Encryption.  HOYT uses encryption to protect Confidential and Highly Confidential Information according to risks. Encryption may be applied to stored data (data-at-rest) and transmitted data (data-in-transit).  Encrypting personal information may lower HOYT’s liability in the event of a data breach. 

Only use generally accepted encryption algorithms and products approved by the Information Security Coordinator. Periodically review encryption products and algorithms for any known risks. 

  1. Encryption Key Management.  Encryption algorithms use keys to transform and secure data. Because they allow decryption of the protected data, proper key management is critical.  Select encryption keys to maximize protection levels, to the extent feasible and reasonable.  Treat them as Highly Confidential Information. 

Ensure that keys are available when needed to support data decryption by using secure storage methods and creating and maintaining secure backups.  Track access to keys.  Keys should never be known or available to only a single individual.  Change encryption keys on a periodic basis according to risks.

  1. Data and Media Disposal. When HOYT retires or otherwise removes computing, network, or office equipment (such as copiers or fax machines) or other information assets that may contain Confidential or Highly Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable.

Simply deleting files or reformatting disks is not sufficient to prevent data recovery.  Either physically destroy media, according to applicable waste disposal regulations, or scrub it using data wiping software that meets generally accepted data destruction standards.

  1. Log Management and Retention.  HOYT logs system and user activities on network, computing, or other information assets according to risks.  Security controls or other network elements may also produce logs. 

Secure log data and files to prevent tampering and retain them according to HOYT’s policies and procedures.  Regularly review logs, using automated means where feasible, to identify any anomalous activities that may indicate a security incident.

  1. Physical (Environmental) Security.  HOYT uses physical safeguards to avoid theft, intrusions, unauthorized use, or other abuses of its information assets. You must comply with HOYT’s current physical security policies and procedures, and: 
    1. position computer screens where information on the screens cannot be seen by unauthorized parties;
    2. not display Confidential and Highly Confidential Information on a computer screen where unauthorized individuals can view it;
    3. log off or shut down your workstation when leaving for an extended period or at the end of your work day;
    4. house servers or other computing or network elements (other than end-user equipment) in secure data centers or other areas approved by the Information Security Coordinator;
    5. not run network cabling through unsecured areas unless it is carrying only Public Information or otherwise protected data, such as encrypted data;
    6. deactivate network ports that are not in use; and
    7. store end-user devices that are not in use for an extended period in a secure area or securely dispose of them (see Section 5.1(e), Data and Media Disposal).
  1. Managing Information Assets. IT manages IT operations and related activities at HOYT. 

Only HOYT-supplied or approved software, hardware, and information systems, whether procured or developed, may be installed in HOYT’s IT environment or connected to HOYT’s network. 

IT must approve and manage all changes to HOYT’s production IT environment to avoid unexpected business impacts.  Direct questions regarding IT operations to jbillica@healthonyourtime.com.  Development environments must comply with this Policy and current IT standards to minimize information security risks. 

  1. Procurement. Only IT, or those authorized by IT, may procure information assets for use in or connection to HOYT’s network.  This Policy applies whether software or other assets are purchased, open source, or made available to HOYT at no cost. Seek guidance from the Information Security Coordinator early in the software development process to identify and manage information security risks before implementation.  Before using cloud computing services to access, store, or manage Confidential or Highly Confidential Information, you must obtain authorization from Legal and the Information Security Coordinator (see Section 4.3(e)(iii), Cloud Computing).
  2. Asset Management.  Track and document all information assets, including hardware, software, and other equipment, using HOYT’s asset management system(s). This inventory tracking should include operating system levels and all installed software and software versions to support vulnerability identification and mitigation (see Section 9.2, Vulnerability Management).  Update the asset inventory as assets are removed from the business. Confidential or Highly Confidential Information must have an assigned data owner who is responsible for tracking its location, uses, and any disclosures.  Properly dispose of all data and media to help avoid a breach of Confidential or Highly Confidential Information (see Section 5.1(e), Data and Media Disposal).
  3. Authorized Environments and Authorities.  Only authorized IT personnel, or other project personnel approved by IT, may install and connect hardware or software in HOYT’s IT environment.  Do not convert end-user computers to servers or other shared resources without assistance from IT.  Limit administrative or privileged systems access to those individuals with a business need to know.  IT must distribute administrative access and information regarding administrative processes to more than one individual to minimize risks. 

Internet connections and internet-facing environments present significant information security risks to HOYT.  The Information Security Coordinator must approve any new or changed internet connections or internet-facing environments.

  1. Change Management.  IT maintains a change management process to minimize business impact or disruptions when changes are made in HOYT’s production IT environment. Change requests must be accompanied by an action plan that includes assigned roles and responsibilities, implementation milestones, testing procedures, and a rollback plan, if the change fails. 

Implement and maintain a change management process to track identified problems, fixes, and releases during software development.  Design these processes to include code archiving (versioning) tools so that earlier versions can be recovered and rebuilt, if necessary.

  1. Incident Reporting and Response. The Information Security Coordinator maintains a security incident reporting and response process that ensures management notifications are made based on the seriousness of the incident.  The Information Security Coordinator investigates all reported or detected incidents and documents the outcome, including any mitigation activities or other remediation steps taken. 

 

  1. Incident Reporting. Immediately notify Joshua Billica at jbillica@healthonyourtime.com if you discover a security incident or suspect a breach in HOYT’s information security controls.  HOYT maintains various forms of monitoring and surveillance to detect security incidents, but you may be the first to become aware of a problem.  Early detection and response can mitigate damages and minimize further risk to HOYT. 

Treat any information regarding security incidents as Highly Confidential Information and do not share it, internally or externally, without specific authorization.

  1. Security Incident Examples. Security incidents vary widely and include physical and technical issues. Some examples of security incidents that you should report include, but are not limited to:
    1. loss or suspected compromise of user credentials or physical access devices (including passwords, tokens, keys, badges, smart cards, or other means of identification and authentication);
    2. suspected malware infections, including viruses, Trojans, spyware, worms, or any anomalous reports or messages from anti-virus software or personal firewalls;
    3. loss or theft of any device that contains HOYT’s information (other than Public Information), including computers, laptops, tablet computers, smartphones, USB drives, disks, or other storage media;
    4. suspected entry (hacking) into HOYT’s network or systems by unauthorized persons;
    5. any breach or suspected breach of Confidential or Highly Confidential Information;
    6. any attempt by any person to obtain passwords or other Confidential or Highly Confidential Information in person or by phone, email, or other means (sometimes called social engineering, or in the case of email, phishing); and
    7. any other situation that appears to violate this Policy or otherwise create undue risks to HOYT’s information assets. 
  2. Compromised Devices. If you become aware of a compromised computer or other device: 
    1. immediately deactivate (unplug) any network connections, but do not power down the equipment because valuable information regarding the incident may be lost if the device is turned off; and 
    2. immediately notify Joshua Billica at jbillica@healthonyourtime.com.
  1. Event Management. The Information Security Coordinator defines and maintains a security incident response plan to manage information security incidents. Report all suspected incidents, as described in this Policy, and then defer to the incident response process. Do not impede the incident response process or conduct your own investigation unless the Information Security Coordinator specifically requests or authorizes it.
  2. Breach Notification. Applicable law may require HOYT to report security incidents that result in the exposure or loss of certain kinds of information, or that affect certain services or infrastructure, to various authorities, affected individuals or organizations whose data was compromised, or both.  Breaches of Highly Confidential Information (and especially personal information) are the most likely to carry these obligations (see Section 1.5, Regulatory Compliance). The Information Security Coordinator’s incident response plan includes a step to review all incidents for any required breach notifications. Coordinate all external notifications with Legal and the Information Security Coordinator. Do not act on your own or make any external notifications without prior guidance and authorization.
  1. Service Providers: Risks and Governance. The Information Security Coordinator maintains a service provider governance program to oversee service providers that interact with HOYT’s systems or Confidential or Highly Confidential Information.  The service provider governance program includes processes to track service providers, evaluate service provider capabilities, and periodically assess service provider risks and compliance with this Policy. 
    1. Service Provider Approval Required.  Obtain approval from Legal and the Information Security Coordinator before engaging a service provider to perform functions that involve access to HOYT’s systems or Confidential or Highly Confidential Information.
    2. Contract Obligations. Service providers that access HOYT’s systems or Confidential or Highly Confidential Information must agree by contract to comply with applicable laws and this Policy or equivalent information security measures.  HOYT may require service providers to demonstrate their compliance with applicable laws and this Policy by submitting to independent audits or other forms of review or certification based on risks.
  2. Risk and Compliance Management.  HOYT supports an ongoing risk management action cycle to (1) enforce this Policy; (2) identify information security risks; (3) develop procedures, safeguards, and controls; and (4) verify that safeguards and controls are in place and working properly. 
    1. Risk Assessment and Analysis.  HOYT maintains a risk assessment program to identify information security risks across its IT environment, including application software, databases, operating systems, servers, and other equipment, such as network components.  The Information Security Coordinator coordinates risk assessment activities that may take several forms, including analyses, audits, reviews, scans, and penetration testing.  Do not take any actions to avoid, impact, or otherwise impede risk assessments. 

Only the Information Security Coordinator is authorized to coordinate risk assessments.  Seek approval from Legal and the Information Security Coordinator prior to engaging in any risk assessment activities or disclosing any assessment reports outside HOYT.

  1. Remediation and Mitigation Plans.  The Information Security Coordinator maintains and oversees remediation and mitigation plans to address risk assessment findings according to risk levels. 
  2. Vulnerability Management.  Manufacturers, security researchers, and others regularly identify security vulnerabilities in hardware, software, and other equipment.  In most cases, the manufacturer or developer provides a patch or other fix to remediate the vulnerability.  In some situations, the vulnerability cannot be fully remediated, but configurations can be changed or other steps taken to mitigate the risk created. 

The Information Security Coordinator maintains a process to identify and track applicable vulnerabilities, scan devices for current patch status, and advise system administrators. Schedule any necessary updates using standard change management processes (see Section 5.2(d), Change Management) and according to risk level. Make all HOYT-owned devices available to IT for timely patching and related activities. 

  1. Compliance Management.  HOYT maintains compliance management processes to enforce this Policy.  If compliance management processes indicate that you may have acted contrary to this Policy, you may be contacted by the Information Security Coordinator to explain.  In some cases, the Information Security Coordinator may contact your supervising manager or Human Resources to resolve the issue. 
  1. Effective Date. This Information Security Policy is effective as of 01/01/2021.
    1. Revision History.  Original publication: 01/01/2021

Appendix

ADDITIONAL POLICIES, PROCESSES, PROCEDURES, AND STANDARDS:

  1. Health on Your Time Written Information Security Program (WISP)
  2. Health on Your Time Cyber Incident Response Plan (IRP)

SAMPLE ACKNOWLEDGMENT FORM

ACKNOWLEDGMENT

Acknowledgment of Receipt and Review

I, ________________________ (employee name), acknowledge that on ______________________ (date), I received and read a copy of HOYT’s Information Security Policy, dated [VERSION DATE] and understand that it is my responsibility to be familiar with and abide by its terms.  I understand that the information in this Policy is intended to help HOYT’s employees to work together effectively to manage information security risks as part of their assigned job responsibilities.  This Policy is not promissory and does not set terms or conditions of employment or create an employment contract.

 

________________________

Signature

________________________

Printed Name

________________________

Date




Health On Your Time, LLC

Agreements, Acknowledgments and Consents

 

The following Agreements, Acknowledgments and Consents are being obtained on behalf of your selected Expert.

Requests to Communicate by e-mail:

  • I request that the following agreements, acknowledgments, and consents be communicated to my selected Expert by e-mail. 
      • Consent for Treatment (see below)
      • Authorization to Obtain, Use and Disclose Health Information (see below)
  • I request my Expert communicate any necessary scheduling links or requests for alternative dates and times to me by e-mail.
  • I understand that e-mail communication is not secure and that confidentiality of these agreements, acknowledgments and links may not be secure.  

Consent for Treatment 

  • I authorize my selected Expert, and associated agents, to provide or administer telehealth, defined as the practice of healthcare delivery, diagnosis, consultation, treatment, data transfer, and/or education using two-way interactive audio, video, or data communications from a distant site. 

 

  • I understand that audio, photographs, video recordings, digital or other images may be recorded to document my care and I consent to this. I understand these will be stored in a secure manner that will protect my privacy and that they will be kept for durations required by law.


  • I understand that there are certain limitations to virtual interactions (i.e. phone or video) that may limit the ability of my selected Expert to fully evaluate, manage or resolve my  medical questions or conditions. I understand that it is my responsibility to receive approval from my primary care doctor or other specialist provider before implementing any guidance, recommendations, diagnostic evaluations or treatments proposed by my selected Expert. 


  • I understand that I have the right to refuse any guidance, recommendations, diagnostic evaluations, or treatments proposed by my selected Expert.

Authorization to Obtain, Use and Disclose Health Information: 

  • I consent that my selected Expert may use and disclose protected health information that I disclose or authorize him/her to obtain during the course of our interactions to other individuals that I designate as part of my health care team. 
  • This authorization includes information relating to Alcohol and Drug Treatment
  • This authorization includes information relating to Mental Health Treatment
  • This authorization includes information relating to HIV/AIDS related Treatment 


  • I have the right to revoke this authorization at any time by verbal or written means with my selected Expert. I understand that I may revoke this authorization except to the extent that action has already been taken based on this authorization. 

 

Notice of Privacy Practice

  • I acknowledge receipt of the Notice of Privacy Practice which can be accessed on the profile of the Expert that I have selected.

Expert Enrollment Agreement

This Expert Enrollment Agreement (“Agreement”), made effective as of enrollment at www.healthonyourtime.com (the “Effective Date”) by the enrolling expert (the “Expert”) and Health on Your Time, LLC, a Delaware limited liability company with offices at 73 Arrowood Lane, Orchard Park, New York 14127 (“HOYT”) (Expert and HOYT are sometimes collectively referred to herein as the “Parties” and individually as a “Party”).

WHEREAS, the Expert offers its services to customers on the HOYT platform (the “Customer” or “Customers”) and may receive, create, maintain, use, or disclose personal information, including but not limited to highly sensitive personal information, personal information, or protected health information,  in connection with the functions, activities, and services that the Expert performs.

 

NOW THEREFORE, in view of the premises and in consideration of the agreements and mutual covenants contained herein, the Parties, intending to be legally bound, hereby agree as follows: 

  1. Definitions. Capitalized terms used herein shall have the meanings set forth in this Section 1.

“Authorized Employees” means Expert’s employees who have a need to know or otherwise access Personal Information to enable Expert to perform its obligations under this Agreement.

 

“Highly Sensitive Personal Information” means an (i) individual’s government‑issued identification number (including Social Security number, driver’s license number, or state-issued identification number); (ii) financial account number, credit card number, debit card number, or credit report information, with or without any required security code, access code, personal identification number, or password that would permit access to an individual’s financial account; or (iii) biometric, genetic, health, medical, or medical insurance data.

 

“Personal Information” means information provided to Expert by or at the direction of Customer, information which is created, maintained, or obtained by Expert on behalf of Customer, or information to which access was provided to Expert by or at the direction of Customer, in the course of Expert’s performance of its services to Customer that: (i) identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, email addresses, and other unique identifiers); or (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, user identification and account access credentials or passwords, financial account numbers, credit report information, student information, biometric, health, genetic, medical, or medical insurance data, answers to security questions, and other personal identifiers), in case of both subclauses (i) and (ii), including, without limitation, all Highly Sensitive Personal Information. Customer’s business contact information is not by itself deemed to be Personal Information.

“Protected Health Information” and/or “PHI” means “protected health information” as defined in the HIPAA Rules and, unless the context clearly requires otherwise, each such term means “protected health information”, as defined in the HIPAA Rules, that is created, received, maintained, or transmitted by Expert.

 

“Security Incident” means (i) any act or omission that compromises either the security, confidentiality, or integrity of Personal Information or PHI or the physical, technical, administrative, or organizational safeguards put in place by Expert, or by HOYT should Expert have access to HOYT’s systems, that relate to the protection of the security, confidentiality, or integrity of Personal Information or PHI, or (ii) receipt of a complaint in relation to the privacy and data security practices of Expert or a breach or alleged breach of this Agreement relating to such privacy and data security practices.  Without limiting the foregoing, a compromise shall include any unauthorized access to or disclosure or acquisition of Personal Information or PHI.

  1. Standard of Care.  
    • Expert acknowledges and agrees that, in the course of its engagement by Customer, Expert may create, receive, maintain, or have access to Personal Information or PHI. Expert shall comply with the terms and conditions set forth in this Agreement in its creation, collection, receipt, transmission, storage, disposal, use, and disclosure of such Personal Information and/or PHI and be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Information and/or PHI under its control or in its possession by all Authorized Employees.  

 

  • In recognition of the foregoing, Expert agrees and covenants that it shall:
    • keep and maintain all Personal Information and PHI in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, or disclosure;

 

  • not create, collect, receive, access, or use Personal Information and/or PHI in violation of law;

 

  • use and disclose Personal Information and/or PHI solely and exclusively for the purposes for which the Personal Information and/or PHI, or access to it, is provided pursuant to the terms and conditions of this Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Personal Information for Expert’s own purposes or for the benefit of anyone other than Customer, in each case, without Customer’s prior written consent; and

 

  • not, directly or indirectly, disclose Personal Information and/or PHI to any person other than its Authorized Employees, including any subcontractors, agents, service providers, or auditors (an “Unauthorized Third Party”), without Customer’s prior written consent unless and to the extent required by Government Authorities or as otherwise, to the extent expressly required, by applicable law, in which case, Expert shall (A) use best efforts and to the extent permitted by applicable law notify Customer before such disclosure or as soon thereafter as reasonably possible; (B) be responsible for and remain liable to Customer for the actions and omissions of such Unauthorized Third Party concerning the treatment of such Personal Information as if they were Expert’s own actions and omissions; and (C) require the Unauthorized Third Party that has access to Personal Information and/or PHI to execute a written agreement agreeing to comply with the terms and conditions of this Agreement.
  1. Information Security.  
    • Expert represents and warrants that its creation, collection, receipt, access, use, storage, disposal, and disclosure of Personal Information and/or PHI does and will comply with all applicable federal and state privacy and data protection laws, as well as all other applicable regulations and directives.

 

  • Expert shall implement and maintain a written information security program including appropriate policies, procedures, and risk assessments that are reviewed at least annually.

 

  • Without limiting Expert’s obligations under Section 3(a), Expert shall implement administrative, physical, and technical safeguards to protect Personal Information from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than accepted industry practices, and shall ensure that all such safeguards, including the manner in which Personal Information and/or PHI is created, collected, accessed, received, used, stored, processed, disposed of, and disclosed, comply with applicable federal and state data protection and privacy laws, as well as the terms and conditions of this Agreement.

 

If, in the course of its engagement by Customer, Expert has access to or will collect, access, use, store, process, dispose of, or disclose credit, debit, or other payment cardholder information, Expert shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case, at Expert’s sole cost and expense.

 

  • At a minimum, Expert’s safeguards for the protection of Personal Information and/or PHI shall include: (i) limiting access of Personal Information and/or PHI to Authorized Employees; (ii) securing business facilities, data centers, paper files, servers, backup systems, and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (iii) implementing network, application, database, and platform security; (iv) securing information transmission, storage, and disposal; (v) implementing authentication and access controls within media, applications, operating systems, and equipment; (vi) encrypting Highly Sensitive Personal Information stored on any media; (vii) encrypting Highly Sensitive Personal Information transmitted over public or wireless networks; (viii) strictly segregating Personal Information and/or PHI from information of Expert or its other customers so that Personal Information and/or PHI is not commingled with any other types of information; (ix) conducting risk assessments, penetration testing, and vulnerability scans and promptly implementing, at Expert’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing; (x) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law; and (xi) providing appropriate privacy and information security training to Expert’s employees.

 

  • During the term of each Authorized Employee’s employment by Expert, Expert shall at all times cause such Authorized Employees to abide strictly by Expert’s obligations under this Agreement. Expert further agrees that it shall maintain a disciplinary process to address any unauthorized access, use, or disclosure of Personal Information and/or PHI by any of Expert’s officers, partners, principals, employees, agents, or contractors.  Upon HOYT’s written request, Expert shall promptly identify for HOYT in writing all Authorized Employees as of the date of such request.
  1. Security Incident Procedures.  
    • Expert shall:
      • provide HOYT with the name and contact information for an employee of Expert who shall serve as HOYT’s primary security contact and shall be available to assist HOYT twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Incident;

 

  • notify HOYT of a Security Incident as soon as practicable, but no later than twenty-four (24) hours after Expert becomes aware of it; and

 

  • notify HOYT of any Security Incident by emailing HOYT at support@healthonyourtime.com, with a copy by email to Expert’s primary business contact within HOYT.
  • Immediately following Expert’s notification to Customer of a Security Incident, the parties shall coordinate with each other to investigate the Security Incident. Expert agrees to fully cooperate with HOYT in HOYT’s handling of the matter, including, without limitation: (i) assisting with any investigation; (ii) providing HOYT with physical access to the facilities and operations affected; (iii) facilitating interviews with Expert’s employees and others involved in the matter; and (iv) making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law, regulation, industry standards, or as otherwise required by HOYT.

 

  • Expert shall at its own expense use best efforts to immediately contain and remedy any Security Incident and prevent any further Security Incident, including, but not limited to taking any and all action necessary to comply with applicable privacy rights, laws, regulations, and standards. Expert shall reimburse HOYT for all actual costs incurred by HOYT in responding to, and mitigating damages caused by, any Security Incident, including all costs of notice and/or remediation pursuant to Section 4(d).

 

  • Expert agrees that it shall not inform any third party of any Security Incident without first obtaining HOYT’s prior written consent, other than to inform a complainant that the matter has been forwarded to HOYT’s legal counsel. Further, Expert agrees that HOYT shall have the sole right to determine: (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or otherwise in HOYT’s discretion; and (ii) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.

 

  • Expert agrees to maintain and preserve all documents, records, and other data related to any Security Incident.

 

  • Expert agrees to fully cooperate at its own expense with HOYT in any litigation, investigation, or other action deemed necessary by HOYT to protect its rights relating to the use, disclosure, protection, and maintenance of Personal Information and/or PHI.

In the event of any Security Incident, Expert shall promptly use its best efforts to prevent a recurrence of any such Security Incident.

  1. Oversight of Security Compliance. Upon HOYT’s written request, to confirm Expert’s compliance with this Agreement, as well as any applicable laws, regulations, and industry standards, Expert grants HOYT or, upon HOYT’s election, a third party on HOYT’s behalf, permission to perform an assessment, audit, examination, or review of all controls in Expert’s physical and/or technical environment in relation to all Personal Information and/or PHI being handled and/or services being provided to HOYT pursuant to this Agreement.  Expert shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Information and/or PHI for HOYT pursuant to this Agreement. In addition, upon HOYT’s written request, Expert shall provide HOYT with the results of any audit by or on behalf of Expert performed that assesses the effectiveness of Expert’s information security program as relevant to the security and confidentiality of Personal Information and/or PHI shared during the course of this Agreement.

 

  1. Return or Destruction of Personal Information. At any time during the term of this Agreement at HOYT’s written request or upon the termination or expiration of this Agreement for any reason, Expert shall, and shall instruct all Authorized Employees to, promptly return to HOYT all copies, whether in written, electronic, or other form or media, of Personal Information and/or PHI in its possession or the possession of such Authorized Employees, or securely dispose of all such copies, and certify in writing to HOYT that such Personal Information and/or PHI has been returned to HOYT or disposed of securely.  Expert shall comply with all reasonable directions provided by HOYT with respect to the return or disposal of Personal Information and/or PHI.

 

  1. Equitable Relief. Expert acknowledges that any breach of its covenants or obligations set forth in this Agreement or the Expert’s standard policies and procedures, a copy of which has been provided to HOYT, may cause HOYT irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, HOYT is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance, and any other relief that may be available from any court, in addition to any other remedy to which HOYT may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available at law or in equity, subject to any express exclusions or limitations in this Agreement to the contrary.

 

  1. Material Breach. Expert’s failure to comply with any of the provisions of this Agreement is a material breach of this Agreement.  In such event, HOYT may terminate the Agreement effective immediately upon written notice to the Expert without further liability or obligation to Expert.

 

  1. Indemnification. Expert shall defend, indemnify, and hold harmless HOYT and its subsidiaries, affiliates, and its respective officers, directors, employees, agents, successors, and permitted assigns (each, a “HOYT Indemnitee”) from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against any HOYT Indemnitee arising out of or resulting from Expert’s failure to comply with any of its obligations under this Agreement.

 

  1. Representations and Warranties. Expert represents and warrants to HOYT that:
    • the execution, delivery, and performance of this Agreement by Expert will not violate, conflict with, require consent under, or result in any breach or default under (i) any applicable law or regulation, or (ii) with or without notice or lapse of time or both, the provisions of any contract or agreement to which Expert is a party;

 

  • Expert has obtained all licenses, authorizations, approvals, consents, or permits required by applicable laws (including the rules and regulations of all authorities having jurisdiction over the provision of the services provided to Customers on the HOYT platform) to conduct its business generally and to perform its obligations under this Agreement;

 

  • Expert has all of the requisite resources, skill, experience, and qualifications to perform all of the services provided to Customers on the HOYT platform and the services under this Agreement in a professional and workmanlike manner, in accordance with industry best standards for similar services; and

 

  • Expert maintains malpractice insurance with minimum limits of liability of such malpractice insurance in the amount of One Million U.S. Dollars ($1,000,000.00) per occurrence.
  1. Limitation of Liability.
    • No Consequential or Indirect Damages. IN NO EVENT SHALL HOYT OR ANY OF ITS REPRESENTATIVES BE LIABLE UNDER THIS AGREEMENT TO EXPERT OR ANY THIRD PARTY FOR CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR ENHANCED DAMAGES, LOST PROFITS OR REVENUES, OR DIMINUTION IN VALUE, ARISING OUT OF, RELATING TO, OR IN CONNECTION WITH ANY BREACH OF THIS AGREEMENT, REGARDLESS OF (A) WHETHER SUCH DAMAGES WERE FORESEEABLE, (B) WHETHER OR NOT HOYT WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND (C) THE LEGAL OR EQUITABLE THEORY (CONTRACT, TORT, OR OTHERWISE) UPON WHICH THE CLAIM IS BASED.

 

  • Maximum Liability. IN NO EVENT SHALL HOYT’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER ARISING OUT OF OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EXCEED THE FEES RECOVERED BY HOYT FROM EXPERT IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

HIPAA Business Associate Agreement

This Business Associate Agreement (“Agreement”), made effective as of enrollment at www.healthonyourtime.com (the “Effective Date”) by the enrolling expert (the “Expert”) and Health on Your Time, LLC, a Delaware limited liability company with offices at 73 Arrowood Lane, Orchard Park, New York 14127 (“HOYT”) (Expert and HOYT are sometimes collectively referred to herein as the “Parties” and individually as a “Party”).

WHEREAS, HOYT is a web-based platform connecting consumers to healthcare experts.  HOYT may or may not be considered a “covered entity” for the purposes of the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); 

WHEREAS, the Expert is engaged in and offers its services to customers on the HOYT platform (the “Customer” or “Customers”) and may receive, create, maintain, use, or disclose protected health information in connection with the functions, activities, and services that the Expert performs; and

NOW THEREFORE, in view of the foregoing premises and in consideration of the agreements and mutual covenants contained herein, the Parties, intending to be legally bound, hereby agree as follows:

  1. Definitions; Intent of Parties.
    • For the purposes of this Agreement, the following capitalized terms shall have the meanings given to them below:
      • “HHS” means the United States Department of Health and Human Services.
      • “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by HITECH.
      • “HIPAA Rules” means the Privacy, Security, Breach Notification and Enforcement Rules issued by HHS and set forth at 45 CFR Part 160 and Part 164.
      • “HITECH” means the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009.
      • “Minimum Necessary Policies” means those policies of EMS that establish policies and procedures relating to the “minimum necessary” standards under the HIPAA Rules.
      • “PHI” and “Protected Health Information” each means “protected health information,” as defined in the HIPAA Rules and, unless the context clearly requires otherwise, each such term means “protected health information”, as defined in the HIPAA Rules, that is received by Vendor from EMS or created, received, maintained, or transmitted by Vendor on behalf of EMS.
      • “Privacy Rule” means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule”) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.
    • Additional Defined Terms. For the purposes of this Agreement, the following capitalized terms shall have the meanings ascribed to them in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Limited Data Set, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
    • Intent of Parties. The HIPAA Rules require business associates to enter into a contract that meets specific regulatory requirements as a condition to the business associates’ disclosing PHI to each other, or otherwise allowing one business associate to create, receive, maintain, or transmit PHI on behalf of another business associate.  The Parties intend that this Agreement will serve as the required contract. 
  2. General Obligations Of Expert.
    • Expert agrees not to use or disclose PHI, other than as permitted or required by this Agreement or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
    • Expert agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.
    • Expert agrees to mitigate, to the extent practicable, any harmful effect that is known to Expert as a result of a use or disclosure of PHI by Expert in violation of this Agreement’s requirements or that would otherwise cause a Breach of Unsecured PHI.
    • The Expert agrees to the following breach notification requirements:
      • Expert shall immediately report to HOYT any Breach of Unsecured PHI not provided for by the Agreement of which it becomes aware. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Expert to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Expert shall provide any additional information reasonably requested by HOYT for purposes of investigating the Breach and any other available information that HOYT is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Expert’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time.
      • Expert agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, in violation of this Agreement to individuals, the media (as defined under the HITECH Act), the Secretary, and/or any other parties as required under HIPAA, the HITECH Act, ARRA, and the HIPAA Rules, subject to the prior review and written approval by HOYT of the content of such notification.
      • In the event of Expert’s use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Expert bears the burden of demonstrating that notice as required under this Section was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.
    • Expert agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Expert agree to the same restrictions, conditions, and requirements that apply to the Expert with respect to such information.
    • Expert agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy HOYT’s obligations under 45 C.F.R. § 164.524.
      • Expert agrees to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.
      • Expert agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
    • Expert agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by HOYT pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy HOYT’s obligations under 45 C.F.R. § 164.526.
    • Expert agrees to maintain and make available the information required to provide an accounting of disclosures to the individual as necessary to satisfy HOYT’s obligations under 45 C.F.R. § 164.528.
    • Expert agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from HOYT, or created or received by the Expert on behalf of HOYT, available to HOYT (or the Secretary) for the purpose of HOYT or the Secretary determining compliance with the Privacy Rule (as defined in Section 8).
    • To the extent that the Expert is to carry out one or more of HOYT’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Expert agrees to comply with the requirements of Subpart E that apply to HOYT in the performance of such obligation(s).
    • Expert agrees to account for the following disclosures:
      • Expert agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for HOYT to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
      • Expert agrees to provide to HOYT, or to an individual at HOYT’s request, information collected in accordance with this Section 2(k)(ii), to permit HOYT to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
      • Expert agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) (“EHR”) in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Expert made on behalf of HOYT only during the three years prior to the date on which the accounting is requested.
      • In the case of an EHR that the Expert acquired on behalf of HOYT as of January 1, 2009, paragraph (iii) above shall apply to disclosures with respect to PHI made by the Expert from such EHR on or after January 1, 2014. In the case of an EHR that the Expert acquires on behalf of HOYT after January 1, 2009, paragraph (iii) above shall apply to disclosures with respect to PHI made by the Expert from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR.
    • Expert agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.
    • Expert acknowledges that, effective on the Effective Date of this Agreement, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this Agreement and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.
  3. Permitted Uses and Disclosures By Expert.
    • General Uses and Disclosures. Expert agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this Agreement, the Privacy Rule, or Security Rule (as defined in Section 5) and only in connection with providing services to HOYT and/or the Customer; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by HOYT. For example, the use and disclosure of PHI will be permitted for “treatment, payment, and health care operations,” in accordance with the Privacy Rule.
    • Expert may use or disclose PHI as Required By Law.
    • Expert agrees to make uses and disclosures and requests for PHI consistent with HOYT’s Minimum Necessary policies and procedures.
    • Expert may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by HOYT.
  4. Obligations of HOYT.
    • HOYT shall:
      • Provide Expert with the Notice of Privacy Practices that HOYT produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Expert’s use or disclosure of PHI.
      • Notify Expert of any restriction to the use or disclosure of PHI that HOYT has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Expert’s use or disclosure of PHI under this
      • Notify Expert of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect the Expert’s permitted or required uses and disclosures of PHI under this Agreement.
    • HOYT shall not request Expert to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by HOYT, except as provided under Section 3 of this Agreement.
  5. Compliance with Security Rule.
    • Effective April 20, 2005, Expert shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this Agreement shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
    • In accordance with the Security Rule, Expert agrees to:
      • Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of HOYT as required by the Security Rule. Expert acknowledges that, effective on the Effective Date of this Agreement, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Expert in the same manner that such requirements apply to HOYT, and (b) Expert shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements;
      • Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and
      • Report to HOYT any Security Incident of which it becomes aware.
  6. Indemnification. Expert shall indemnify, defend, and hold harmless HOYT and HOYT’s affiliates (“Indemnified Parties”), from and against any and all losses, expense, damage, or injury (including, without limitation, all costs and reasonable attorneys’ fees) that the Indemnified Parties may sustain as a result of, or arising out of (a) a breach of this Agreement by Expert or its agents or Subcontractors, including but not limited to any unauthorized use, disclosure, or breach of PHI, (b) Expert’s failure to notify any and all parties required to receive notification of any Breach of Unsecured PHI pursuant to Section 2(d), or (c) any negligence or wrongful acts or omissions by Expert or its agents or Subcontractors, including without limitation, failure to perform Expert’s obligations under this Agreement, the Privacy Rule, or the Security Rule.

Notwithstanding the foregoing, nothing in this Section shall limit any rights any of the Indemnified Parties may have to additional remedies under other Agreements with Expert or under applicable law for any acts or omissions of Expert or its agents or Subcontractors.

  7. Term And Termination.
    • This Agreement shall be in effect as of the Effective Date provided above, and shall terminate on the earlier of the date that:
      • Either party terminates for cause as authorized under Section 7(b).
      • All of the PHI received from HOYT, or created or received by Expert on behalf of HOYT, is destroyed or returned to HOYT. If it is not feasible to return or destroy PHI, protections are extended in accordance with Section 7(c).
    • Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation; or terminate the Agreement. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed five (5) days from the notification of the breach, or if a material term of the Agreement has been breached and a cure is not possible, the non-breaching party may terminate this Agreement, upon written notice to the other party.
    • Upon termination of this Agreement for any reason, the parties agree that: Expert shall return to HOYT or, if agreed to by HOYT, destroy all PHI received from HOYT, or created, maintained, or received by the Expert on behalf of HOYT, that the Expert still maintains in any form. The PHI shall be returned in a format that is reasonably expected to preserve its accessibility and usability.  Expert shall retain no copies of the PHI.
  8. Miscellaneous.
    • The parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules, and any other applicable law.
    • The respective rights and obligations of Expert under Section 6 and Section 7 of this Agreement shall survive the termination of this Agreement.
    • This Agreement shall be interpreted in the following manner:
      • Any ambiguity shall be resolved in favor of a meaning that permits HOYT to comply with the HIPAA Rules.
      • Any inconsistency between the Agreement’s provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, a court, or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the HHS, the court, or the regulatory agency.
      • Any provision of this Agreement that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this Agreement.
    • This Agreement constitutes the entire agreement between the parties related to the subject matter of this Agreement, except to the extent that the other agreements between Expert and HOYT impose more stringent requirements related to the use and protection of PHI upon HOYT. This Agreement supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written.  This Agreement may not be modified unless done so in writing and signed by a duly authorized representative of both parties.  If any provision of this Agreement, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
    • This Agreement will be binding on the successors and assigns of HOYT and the Expert. However, this Agreement may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.
    • This Agreement may be executed in two or more counterparts, each of which shall be deemed an original.
    • Except to the extent preempted by federal law, this Agreement shall be governed by and construed in accordance with the laws of the state of New York.