General Terms of Service
The main terms that apply to all Imani Health users, accounts, services and platform features.
Medical Practitioner Agreement
Terms for doctors, nurses, pharmacists, laboratory scientists and other healthcare professionals.
Data Processing Agreement
Data-processing terms for organisations that use Imani Health to manage patient or operational data.
Healthcare Organisation Terms
1. Purpose and Scope
These Healthcare Organisation Terms apply to any Healthcare Organisation that registers for, purchases, accesses or uses Imani Health's Platform, including the Hospital Management System, Electronic Medical Records, telehealth administration, AI Scribe, pharmacy dashboard, laboratory workflows, corporate plans, HMO workflows, analytics, billing, provider marketplace and related enterprise services.
These terms supplement the General Terms of Service. If an organisation uses the Platform under an order form, invoice, enterprise agreement, statement of work or subscription plan, that document also applies.
2. Organisation Registration and Authority to Bind
A person registering an organisation, accepting these terms, signing an order form, adding payment details, creating an organisation workspace or inviting staff represents and warrants that they:
- are authorised to act for the organisation;
- have authority to bind the organisation to these terms and any applicable order form;
- have provided accurate corporate, facility, professional, regulatory and billing information;
- will maintain current contact, ownership, administrator and billing information;
- will not register an organisation for fraudulent, unlawful or unauthorised purposes.
Imani may request proof of authority, board approval, management approval, CAC documents, facility registration, tax information, licence information, ownership information or other verification materials. Imani may refuse, suspend or terminate an organisation account if authority or verification cannot be confirmed.
3. Organisation Verification
The organisation must provide accurate verification information where requested, including, as applicable:
- CAC registration documents;
- facility licence or approval;
- Medical Director information;
- MDCN, NMCN, PCN, MLSCN, Radiographers Registration Board or other professional registration details;
- pharmacy, laboratory, diagnostic, HMO, insurance, NGO or government approvals;
- tax identification and billing information;
- ownership, management and authorised signatory details;
- physical facility address, branches and service locations.
The organisation must promptly notify Imani of licence expiry, suspension, disciplinary action, ownership change, branch change, regulatory investigation or other material change affecting lawful use of the Platform.
4. Organisation Account Ownership
The organisation owns the organisation workspace, staff access decisions, organisation-created patient records and organisation configuration, subject to Imani's ownership of the Platform and intellectual property.
Imani owns the software, code, templates, workflows, database architecture, platform designs, AI configurations, documentation, product improvements and general platform analytics.
The organisation's Primary Administrator is the person initially designated by the organisation or otherwise verified by Imani. If the Primary Administrator leaves the organisation, becomes unavailable or is disputed, Imani may require written authority, board resolution, management letter, court order or other evidence before transferring workspace control.
5. Organisation Administrators
The organisation is responsible for designating and managing administrators. Administrator roles may include:
- Primary Administrator: overall workspace control and authority;
- Super Administrator: broad operational access;
- Department Administrator: department-specific control;
- Billing Administrator: subscription, invoice and payment access;
- Clinical Administrator: clinical workflow configuration;
- Compliance Administrator: audit, logs, privacy and compliance functions.
Administrators must use access only for authorised organisation purposes. The organisation is responsible for administrator actions, permissions, misconfigurations and failure to remove access when no longer appropriate.
6. Staff Accounts and User Management
The organisation may invite, create, approve, suspend, deactivate or remove staff accounts according to Platform functionality and applicable plan limits.
The organisation is responsible for ensuring that staff accounts are issued only to authorised personnel, including employees, contractors, locums, interns, volunteers, visiting professionals or agents who have legitimate work-related reasons to access the Platform.
Each staff user must have unique credentials. Shared accounts are prohibited unless expressly permitted by Imani for a limited operational purpose. The organisation must promptly deactivate accounts when staff leave, change roles, lose professional registration, are suspended, or no longer require access.
7. Role-Based Access Control
The organisation must configure and maintain role-based access controls appropriate to each staff member's duties. Roles may include doctors, nurses, receptionists, pharmacists, laboratory users, billing users, ward users, records users, claims users, administrators and custom roles.
The organisation must apply the principle of least privilege. Access should be limited to the minimum information and functionality necessary for the user's role.
Imani may provide default roles, but the organisation remains responsible for reviewing whether those roles are appropriate for its operations, regulatory duties and patient confidentiality obligations.
8. Patient Data Responsibilities
The organisation is responsible for the lawfulness, accuracy, integrity and clinical appropriateness of patient information created, uploaded, modified, accessed or shared by the organisation or its users.
The organisation must:
- obtain patient consent or establish another lawful basis where required;
- provide required privacy notices to patients where the organisation is responsible for doing so;
- ensure that patient data is collected for lawful healthcare purposes;
- maintain confidentiality of patient information;
- use patient data only for treatment, payment, healthcare operations, legal compliance or other lawful purposes;
- correct inaccurate information where appropriate;
- prevent unauthorised access, disclosure, alteration or deletion;
- respond to patient access, correction, deletion, portability or objection requests where legally required;
- preserve records required for continuity of care, medico-legal obligations, regulatory compliance and dispute resolution.
9. Data Controller and Data Processor Roles
For patient records and organisation-managed user data entered into the Platform by or on behalf of the organisation, the organisation is generally the Data Controller and Imani is generally the Data Processor, unless the applicable facts or written agreement state otherwise.
Where Imani directly provides patient-facing services, manages its own patient relationship, determines independent purposes of processing, runs its own payment, fraud prevention, security, analytics, support or legal compliance activities, Imani may act as an independent Data Controller for those purposes.
The Data Processing Agreement governs processing performed by Imani on behalf of the organisation.
10. Electronic Medical Records Ownership and Control
Medical Records reflect patient health information and clinical documentation. Subject to applicable law:
- patients have rights in relation to their health information;
- the organisation controls clinical records created by its authorised users in the course of care;
- Imani hosts, secures, processes and transmits Medical Records through the Platform;
- Imani does not sell identifiable Medical Records;
- Imani may process Medical Records only as permitted by applicable terms, the DPA, patient consent, organisation instructions, legal obligations, security needs and applicable law.
The organisation is responsible for determining clinical record retention requirements, documentation standards, correction policies and release-of-information procedures for records under its control.
11. Medical Record Retention, Legal Holds and Archiving
The organisation must retain Medical Records for the period required by applicable healthcare, professional, insurance, tax, audit, litigation and data protection obligations.
Imani may retain records in accordance with the Privacy Policy, DPA, order form, backup schedule, legal obligations, professional recordkeeping obligations, patient-safety requirements, fraud prevention and dispute resolution needs.
If the organisation becomes subject to a legal hold, regulatory investigation, patient complaint, professional complaint, litigation or audit, the organisation must preserve relevant records and notify Imani if Platform support is needed.
12. Subscription Billing and Enterprise Fees
The organisation must pay all fees stated in the applicable plan, invoice, order form or written agreement. Fees may include:
- base HMS or EMR subscription fees;
- per staff user fees;
- per AI Scribe or AI feature fees;
- per doctor, nurse, pharmacist, laboratory user, billing user or administrative user fees;
- per department fees;
- per ward fees;
- per bed fees;
- per facility or branch fees;
- pharmacy, laboratory, radiology, claims, telehealth, analytics, API or mobile app module fees;
- implementation, configuration, training, migration, support, customisation or integration fees;
- SMS, email, video, storage, payment, verification or other usage-based fees;
- taxes, bank charges, payment processor charges and regulatory charges.
Unless an order form states otherwise, fees are non-refundable once the applicable billing period begins. Late payments may result in interest, access restrictions, suspension, downgrade, data export restrictions until payment, or termination after reasonable notice.
13. Plan Limits, Add-Ons and Usage
The organisation may receive a base allocation of certain countable items, such as staff users, AI Scribe seats, departments, wards, beds or branches, as stated in its plan. Additional usage beyond included limits may trigger additional fees.
Imani may monitor usage for billing, security, capacity planning and compliance. The organisation must not create duplicate accounts, manipulate roles, share credentials or misclassify users to avoid fees.
14. Security Obligations of the Organisation
The organisation must implement reasonable administrative, technical and physical safeguards to protect Platform access and patient information, including:
- secure devices and networks;
- strong passwords and MFA where available;
- staff training on confidentiality and system use;
- prompt removal of former staff access;
- malware protection and device hygiene;
- internal incident reporting procedures;
- privacy and confidentiality policies;
- appropriate workspace role configuration;
- secure physical environments for reception, ward, pharmacy, laboratory and billing access;
- restrictions on screenshots, downloads, printing and exports where necessary.
The organisation must notify Imani without undue delay of any suspected unauthorised access, credential compromise, patient-data breach, ransomware event, accidental disclosure, staff misuse or security incident affecting the Platform.
Facility Offline Mode Responsibilities
If the Organisation uses facility offline mode, the Organisation is responsible for providing, securing and maintaining the local facility server, authorised devices, local network, physical environment, power backup and access controls unless a separate signed agreement states that Imani will manage some or all of those items.
The Organisation must ensure that each local facility server is registered only for the correct facility or organisation, is not shared with unrelated organisations, and is configured using Imani-approved facility credentials, secrets and sync settings. The Organisation must not tamper with sync payloads, facility identifiers, mapping records, audit logs, device configuration, or other technical controls used to protect and reconcile offline data.
The Organisation must keep offline-mode devices and local servers reasonably protected through physical security, operating system updates, antivirus or endpoint protection where appropriate, secure Wi-Fi or LAN controls, encrypted storage where supported, and prompt removal of access for staff who leave, are suspended or no longer require access.
The Organisation is responsible for reviewing synchronisation status, resolving or escalating sync conflicts, reconciling local and cloud records after outages, and reporting suspected loss, theft, unauthorised access, corruption or compromise of any local offline data without undue delay.
15. Imani Security Measures
Imani will maintain reasonable technical and organisational measures designed to protect Platform data, which may include encryption, access controls, backups, logging, monitoring, secure hosting, vulnerability management, support controls and incident response processes.
No system is completely secure. The organisation remains responsible for its own systems, devices, networks, users, policies and instructions.
16. Data Export and Portability
Subject to payment of outstanding fees, technical feasibility, legal restrictions and patient-safety requirements, the organisation may request export of organisation-controlled data, including:
- patient demographic records;
- appointments;
- clinical notes;
- prescriptions;
- laboratory orders and results;
- invoices and payment records;
- staff lists and roles;
- audit logs where available;
- reports and analytics;
- supported FHIR, CSV, PDF or other export formats where available.
Imani may charge reasonable fees for complex exports, custom formats, migration support, after-hours support, legacy backups or large-volume extraction unless included in the applicable plan.
17. Service Availability, Support and Maintenance
Imani will use commercially reasonable efforts to maintain Platform availability. Scheduled maintenance may occur with notice where practical. Emergency maintenance may occur without prior notice where necessary for security, compliance, stability or patient safety.
Support levels, response times, uptime targets, escalation channels and dedicated account management apply only if stated in an order form or support schedule.
The organisation is responsible for local internet connectivity, user devices, electricity, internal workflows, local printers, scanners, clinical equipment and third-party integrations not controlled by Imani.
Offline Support and Synchronisation
Facility offline mode is a continuity feature, not a full disaster-recovery guarantee. Imani may provide scripts, installers, monitoring tools, documentation, admin controls and support guidance to help the Organisation operate and reconnect a local facility server. Support may require access to diagnostic logs, sync event status, conflict reports, version information, configuration screenshots or network information.
Where sync conflicts occur, the Organisation may be required to choose whether the cloud record, local record or a manually reconciled record should prevail. Imani is not responsible for clinical, billing or operational decisions made from stale, incomplete or unsynchronised local information where the Organisation failed to follow downtime, reconciliation or verification procedures.
18. AI Governance for Organisations
If the organisation uses AI Features, it must implement reasonable AI governance controls. At a minimum, the organisation must ensure that:
- AI outputs are reviewed by qualified humans before clinical reliance;
- AI is not used as the sole basis for diagnosis, prescribing, treatment, denial of care or emergency decisions;
- clinicians correct inaccurate or incomplete AI-generated notes before finalisation;
- staff understand AI limitations and appropriate use;
- patients receive notice or consent where required;
- AI outputs are not used for discriminatory, unlawful or unsafe purposes;
- sensitive data is entered into AI Features only where permitted by Platform configuration and applicable law.
The organisation remains responsible for clinical decisions and documentation approved by its users.
19. Organisation Acceptable Use
The organisation and its users must not:
- create fake patients, fake consultations, fake claims or fraudulent records;
- upload false licences or verification documents;
- access patients without a lawful care, administrative, billing or compliance reason;
- share credentials between staff;
- bypass billing limits or plan restrictions;
- use the Platform for unlawful surveillance of staff or patients;
- scrape, reverse engineer or copy the Platform;
- interfere with audit logs, billing systems, role controls or security controls;
- upload malicious code or compromise Platform integrity;
- use Imani to support unlicensed practice, illegal prescriptions, fraudulent insurance claims or unlawful medical activity.
20. Clinical Responsibility and Liability Allocation
Imani provides technology infrastructure. The organisation provides healthcare services.
The organisation is solely responsible for:
- clinical assessment, diagnosis and treatment;
- patient consent and clinical communication;
- prescriptions and medication decisions;
- laboratory interpretation and diagnostic decisions;
- triage, escalation and referral decisions;
- medical negligence, malpractice or professional misconduct by its staff;
- compliance with facility licensing and professional regulation;
- patient complaints arising from care provided by the organisation;
- ensuring that only qualified personnel perform regulated activities.
Imani is not liable for clinical negligence, misdiagnosis, improper treatment, prescription errors, failure to escalate, failure to follow professional standards or unlawful healthcare services provided by the organisation or its users.
21. Healthcare Regulatory Compliance
The organisation must comply with all applicable laws, regulations, codes, standards and professional obligations, including those relating to:
- healthcare facility licensing;
- medical, nursing, pharmacy, laboratory, radiology and allied health professional regulation;
- telemedicine and telehealth practice;
- patient confidentiality;
- prescriptions and controlled medicines;
- laboratory and diagnostic services;
- HMO, insurance, claims and NHIA-related requirements;
- taxation, accounting and invoicing;
- anti-bribery, anti-corruption and anti-fraud rules;
- Data Protection Laws;
- Ministry of Health, state health authority and other regulator requirements.
22. Audit Rights and Compliance Reviews
Imani may review organisation use of the Platform to protect patients, prevent fraud, enforce terms, verify licences, investigate complaints, secure the Platform, comply with law, validate billing or respond to regulator requests.
Where appropriate, Imani may request documents, logs, explanations, licence updates, staff lists, billing records, consent evidence or security information. Imani may suspend access where it reasonably believes continued access creates patient-safety, legal, security, regulatory or financial risk.
The organisation may audit Imani's data processing compliance as described in the DPA, subject to reasonable confidentiality, security and operational restrictions.
23. Confidentiality
Each party must protect the other party's confidential information using at least reasonable care. Confidential information includes non-public business, technical, pricing, product, security, patient, financial, operational, integration and legal information.
Confidentiality obligations do not apply to information that is publicly available through no breach, already known without restriction, independently developed, lawfully received from a third party, or required to be disclosed by law.
24. Data Sharing, Referrals and Interoperability
The Platform may support data sharing with providers, pharmacies, laboratories, HMOs, insurers, claims processors, government systems, APIs and other third parties. The organisation is responsible for ensuring that such sharing is lawful, necessary, secure and properly authorised.
Where interoperability standards such as FHIR or HL7 are supported, Imani will provide them as technically available and as stated in the applicable plan or order form. The organisation remains responsible for validating receiving systems, mapping accuracy and clinical use of transferred data.
25. Implementation, Training and Change Management
Implementation scope, timelines, data migration, training, configuration, integrations, onboarding and support responsibilities must be stated in an order form or statement of work where applicable.
The organisation must provide timely access to authorised personnel, accurate workflow information, sample data, required approvals, devices, internet access, payment information and management support needed for implementation.
Delays caused by the organisation may affect timelines, fees and go-live dates.
26. Termination and Offboarding
Either party may terminate according to the applicable order form or written agreement. Imani may suspend or terminate access for material breach, non-payment, failed verification, security risk, patient-safety risk, unlawful activity, misuse of data or regulatory concern.
Upon termination:
- the organisation must stop using the Platform except for any permitted export or wind-down access;
- outstanding fees become due;
- Imani may provide a reasonable export period if technically and legally feasible;
- Imani may retain data as required for backup, legal, regulatory, security, audit, financial or medical record purposes;
- access for staff users may be disabled;
- the organisation remains responsible for maintaining continuity of care and preserving required records.
Offline Data on Termination
On termination, suspension, offboarding or deactivation of the Organisation's access, the Organisation must stop using facility offline mode, prevent further local access, and follow Imani's instructions for final synchronisation, export, retention, return or deletion of local offline data. Imani may disable facility registration, revoke sync credentials, reject new sync events, or require evidence that local copies have been securely deleted or retained only where legally required.
27. Post-Termination Data Export and Deletion
Unless an order form states otherwise, the organisation may request export of organisation-controlled data within 30 days after termination, subject to payment of outstanding fees and legal limitations.
After the export period, Imani may delete, archive or anonymise data according to the DPA, Privacy Policy, backup schedule, retention rules and legal obligations.
Backup copies may remain in encrypted backup systems for a limited period before automatic overwrite or secure deletion.
28. Indemnity by Organisation
The organisation will indemnify Imani and its affiliates against claims, losses, liabilities, damages, penalties, costs and expenses arising from:
- clinical services provided by the organisation or its users;
- professional negligence or malpractice;
- unauthorised access to patient data by organisation users;
- inaccurate, unlawful or fraudulent records;
- failure to obtain consent or provide notices;
- breach of Data Protection Laws caused by organisation instructions or misuse;
- unpaid fees, chargebacks or billing disputes caused by the organisation;
- unlicensed practice, false credentials or regulatory breaches;
- claims by patients, employees, regulators or third parties arising from organisation conduct.
29. Limitation of Liability
Unless a signed agreement states otherwise, Imani's aggregate liability to the organisation will not exceed the fees paid by the organisation for the affected enterprise service during the three months before the event giving rise to the claim.
Imani will not be liable for indirect, consequential, special, incidental, punitive or exemplary damages, loss of profits, loss of revenue, reputational harm, loss of goodwill, business interruption or clinical malpractice, to the maximum extent permitted by law.
30. Order Forms and Amendments
Commercial details are governed by order forms, invoices, quotations, statements of work or online plan selections. Any amendment must be accepted by authorised representatives or through an approved online workflow.
---