Healthcare Services Supplement

Last updated June 2026

Overview

This Healthcare Services Supplement ("Supplement") applies to Nemedic Healthcare Products that are designed for healthcare organizations and may process Protected Health Information ("PHI"). This Supplement is incorporated into and forms part of Nemedic's Terms of Service and Privacy Policy.

In the event of a conflict between this Supplement and a fully executed Business Associate Agreement ("BAA"), the BAA will control with respect to the processing of PHI.

1. Scope

The Healthcare Products are designed to support healthcare operations, patient communications, scheduling, workflow automation, documentation, and related administrative functions. Use of the Healthcare Products may involve the creation, receipt, maintenance, or transmission of PHI.

All provisions of Nemedic's Terms of Service and Privacy Policy remain applicable except to the extent expressly modified by this Supplement or a signed BAA.

2. HIPAA Compliance and Business Associate Relationship

When a customer is a Covered Entity or Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and uses the Healthcare Products to process PHI:

  • The customer remains the Covered Entity or Business Associate responsible for determining the lawful collection, use, and disclosure of PHI.
  • Nemedic acts as a Business Associate and processes PHI solely to provide and support the Healthcare Products and as otherwise permitted by applicable law and the parties' BAA.
  • PHI processing is governed by the terms of the applicable BAA and applicable HIPAA requirements.

Organizations requiring HIPAA-compliant services must execute a Business Associate Agreement with Nemedic before transmitting PHI through the Healthcare Products.

3. Privacy and Security Safeguards

Nemedic maintains administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of PHI in accordance with applicable HIPAA requirements.

These safeguards include, as appropriate:

  • Encryption and secure transmission technologies;
  • Access controls and authentication measures designed to limit PHI access to authorized personnel and systems;
  • Security monitoring, logging, and incident-response procedures;
  • Workforce training and security awareness programs;
  • Vendor and subcontractor management processes; and
  • Ongoing evaluation and improvement of security controls.

Nemedic requires subcontractors that may access PHI on its behalf to be subject to contractual obligations that provide protections consistent with applicable HIPAA requirements.

4. AI Services and Subprocessors

Certain Healthcare Product features utilize artificial intelligence, document-processing, communication, cloud-hosting, and other technology providers that support the delivery of the Services.

Where PHI is processed through such providers:

  • The providers operate as subcontractors or subprocessors engaged by Nemedic;
  • Nemedic requires such providers to maintain contractual obligations appropriate to the services provided;
  • PHI is processed solely for purposes of delivering, maintaining, securing, and improving the Healthcare Products as permitted by applicable agreements and law; and
  • Nemedic does not authorize subprocessors to use customer PHI for independent marketing purposes.

Information regarding material subprocessors may be made available upon request or through applicable customer agreements.

5. Important Healthcare Disclaimer

The Healthcare Products are technology tools intended to assist healthcare organizations with operational, administrative, and communication workflows.

Nemedic does not provide medical advice, diagnosis, treatment, or clinical decision-making services. Any content generated by artificial intelligence or automation features is provided for informational and operational purposes only and may contain errors, omissions, or outdated information.

Healthcare professionals remain solely responsible for:

  • Clinical decision-making;
  • Patient care and treatment decisions;
  • Medical documentation accuracy;
  • Regulatory compliance; and
  • Independent review and verification of any AI-generated content before reliance or use.

The Healthcare Products are not a substitute for professional medical judgment.

6. Patient Communications and Messaging Compliance

Customers using the Healthcare Products to send SMS, RCS, voice, email, or other patient communications are responsible for ensuring compliance with all applicable laws and regulations, including HIPAA, the Telephone Consumer Protection Act ("TCPA"), state privacy laws, carrier requirements, and applicable healthcare communication rules.

Customers are responsible for:

  • Obtaining and maintaining all required patient consents, authorizations, and permissions;
  • Determining whether communications qualify as treatment, healthcare operations, marketing, or other regulated communications;
  • Honoring applicable opt-out requests and communication preferences;
  • Maintaining accurate recipient information; and
  • Ensuring communications comply with applicable legal and regulatory requirements.

Nemedic does not sell patient phone numbers, messaging consent records, or similar patient contact information to third parties for their own marketing purposes.

7. Customer Responsibilities

Customers are responsible for:

  • Obtaining all required patient notices, consents, authorizations, and permissions;
  • Maintaining the accuracy and legality of information submitted to the Healthcare Products;
  • Configuring user access controls and permissions appropriately;
  • Promptly removing access for users who no longer require access;
  • Using the Healthcare Products in compliance with HIPAA and other applicable laws; and
  • Refraining from submitting PHI to publicly accessible features or services not intended for PHI.

Customers retain responsibility for determining whether information entered into the Healthcare Products constitutes PHI and whether applicable legal restrictions apply to its use.

8. Marketing, Analytics, and Advertising Services

Certain marketing, advertising, analytics, audience measurement, attribution, conversion-tracking, and related services offered by Nemedic may operate outside the scope of HIPAA-regulated services and outside the scope of any applicable BAA.

Customers are solely responsible for determining whether their use of any marketing, advertising, analytics, attribution, or conversion-tracking technologies complies with applicable law and regulatory guidance.

Nemedic does not knowingly disclose PHI to advertising or marketing platforms in connection with such services. Customers should not direct Nemedic to transmit PHI through advertising, analytics, attribution, or conversion-tracking technologies.

Additional terms governing marketing and analytics services may be provided in separate agreements or documentation.

Customers independently determine whether any advertising, analytics, attribution, conversion-tracking, audience-measurement, or similar technologies comply with applicable law. Nemedic acts solely as a technology provider implementing customer-directed configurations and does not determine whether a particular implementation complies with HIPAA, state privacy laws, FTC requirements, or advertising-platform policies.

8A. De-Identified Operational Analytics and Commercial Intelligence

Customer acknowledges and agrees that Nemedic may create, develop, analyze, aggregate, anonymize, de-identify, transform, benchmark, model, and commercialize operational, performance, utilization, workflow, specialty, provider, physician, practice-management, scheduling, revenue, marketing, and business intelligence information derived from Customer's use of the Healthcare Products.

Such information may be used by Nemedic for:

  • Benchmarking;
  • Market intelligence;
  • Industry analytics;
  • Commercial analytics products;
  • Research;
  • Product development;
  • Service improvement;
  • Predictive modeling;
  • Artificial intelligence and machine learning;
  • Operational intelligence; and
  • Third-party reporting and licensing activities.

Nemedic may provide such de-identified or aggregated information, reports, benchmarks, analyses, insights, and intelligence products to third parties, including healthcare organizations, consultants, investors, researchers, pharmaceutical companies, medical device manufacturers, payors, and other commercial entities.

Nemedic shall not disclose Protected Health Information through such activities and shall implement reasonable measures designed to prevent patient identification.

Customer acknowledges and agrees that Nemedic owns all resulting de-identified datasets, benchmarks, analytical outputs, scoring systems, models, market intelligence products, and derivative analytical works generated through such activities.

9. Incident Response and Breach Notification

Nemedic maintains incident-response procedures designed to identify, investigate, mitigate, and respond to security incidents affecting customer data.

Where required by applicable law or a BAA, Nemedic will provide notice of reportable breaches or security incidents in accordance with applicable contractual and legal requirements.

10. Warranties

Nemedic makes no representations or warranties regarding the accuracy, completeness, reliability, legality, or fitness for a particular purpose of any AI-generated output. Customers are solely responsible for reviewing, validating, and approving all AI-generated content before use.

11. Customer Data Responsibility

Customers are solely responsible for determining what information they submit to the Services, whether such information constitutes PHI, and whether applicable laws permit the collection, use, disclosure, or transmission of such information.

Nemedic does not provide legal, regulatory, privacy, compliance, reimbursement, or risk-management advice. Customers should consult their own legal, compliance, and healthcare advisors regarding applicable requirements.

13. Customer Indemnification

Customers agree to defend, indemnify, and hold harmless Nemedic from claims, investigations, penalties, or liabilities arising from:

  • Customer's violation of HIPAA, TCPA, or applicable privacy laws;
  • Failure to obtain required patient authorizations, notices, or consents;
  • Customer-directed use of messaging, marketing, advertising, analytics, or tracking technologies; or
  • Customer content submitted to the Services.

14. Security Warranty

While Nemedic maintains security safeguards designed to protect customer information, no system can be guaranteed to be completely secure. Nemedic does not warrant that the Services will be uninterrupted, error-free, or immune from cyberattacks, unauthorized access, or other security events.

15. Subprocessor Flexibility

Nemedic may engage, replace, or update subprocessors, cloud providers, hosting providers, communication providers, and other service providers used to deliver the Healthcare Products, provided Nemedic remains responsible for maintaining appropriate contractual protections where required by applicable law.

16. Availability / Force Majeure

Nemedic shall not be liable for delays, interruptions, or failures resulting from events beyond its reasonable control, including cyberattacks, internet outages, telecommunications failures, cloud-service disruptions, acts of government, labor disputes, natural disasters, or other force majeure events.

17. Provision for Emergencies

The Healthcare Products are not intended for emergency communications, emergency response, or life-critical monitoring. Customers should not rely on the Services for urgent medical situations, and patients should be directed to call 911 or contact emergency services when appropriate.

18. Contact Information

For questions regarding HIPAA compliance, Business Associate Agreements, privacy, or security matters, please contact:

Nemedic, Inc.
Email: security@nemedic.com