Customer Agreement

Business Associate Agreement

HIPAA business associate terms governing Archpoint Labs' handling of PHI for customer claim workflows.

Effective date: April 23, 2026

Version: 2026.04

1. Purpose and Relationship

This BAA is entered into between Archpoint Labs ("Business Associate") and Customer ("Covered Entity" or "Hybrid Entity") and supplements the Archpoint Claims Terms of Service. It governs Archpoint Labs' handling of Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and its implementing regulations.

Archpoint Labs acknowledges that in providing claim automation and billing workflow services, it may create, receive, maintain, or transmit PHI on behalf of Customer, and agrees to comply with the applicable requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule as they apply to Business Associates.

2. Permitted Uses and Disclosures

Archpoint Labs may use and disclose PHI only as follows:

  • As necessary to provide the claim automation and billing workflow services described in the Terms of Service and Automation Authorization;
  • As permitted or required by this BAA;
  • As directed in writing by Customer, provided such use or disclosure would not violate HIPAA if made by Customer; or
  • As required by law, including for reporting to public health authorities or in response to lawful legal process.

Archpoint Labs will not use or disclose PHI in a manner that would violate HIPAA if done by Customer, and will not use PHI for any purpose other than providing services under this agreement.

3. Safeguards

Archpoint Labs will implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI ("ePHI") that it creates, receives, maintains, or transmits on behalf of Customer, in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C).

Such safeguards include, but are not limited to: access controls limiting PHI access to authorized personnel, audit logging of access and actions involving PHI, encryption of ePHI in transit and at rest where appropriate, and procedures for responding to security incidents.

4. Incident and Breach Reporting

Archpoint Labs will report to Customer, without unreasonable delay, any use or disclosure of PHI not permitted by this BAA of which it becomes aware, including breaches of unsecured PHI as defined under 45 CFR § 164.402, and any security incidents involving ePHI.

Reports will include, to the extent reasonably available: a description of what occurred, the types of PHI involved, identification of affected individuals, steps taken to mitigate harm, and steps taken to prevent recurrence. The parties' final written agreement will specify the notification timeline and format consistent with applicable law.

5. Individual Rights

To the extent Archpoint Labs maintains PHI in a designated record set, Archpoint Labs will make such PHI available to Customer to enable Customer to fulfill its obligations to provide individuals with access to, or amendments of, their PHI as required under 45 CFR §§ 164.524 and 164.526.

Archpoint Labs will also make available to Customer the information necessary to provide an accounting of disclosures as required under 45 CFR § 164.528.

6. Subcontractors

Archpoint Labs will ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Archpoint Labs in connection with services provided to Customer are bound by written obligations that provide substantially the same protections as those required of Archpoint Labs under this BAA and applicable HIPAA regulations.

7. Term and Termination

This BAA remains in effect for the duration of the parties' service relationship. Upon termination, Archpoint Labs will, if feasible, return or destroy all PHI received from or created on behalf of Customer. If return or destruction is not feasible, Archpoint Labs will extend the protections of this BAA to such PHI and limit further use or disclosure to those purposes that make return or destruction infeasible, for as long as Archpoint Labs retains the PHI.

8. Compliance with Law

The parties acknowledge that HIPAA regulations may be amended from time to time. This BAA shall be interpreted to comply with applicable law as amended. If any provision of this BAA conflicts with applicable law, the parties agree to work in good faith to amend this BAA to bring it into compliance.