Privacy Policy 

Last Updated June 2024

A. PURPOSE
The purpose of the ArcHouse Privacy Policy (“Policy”) is to provide important protections for privacy of Patients or Users whose PHI is stored in the ArcHouse Platform and to detail the conditions and requirements for access to such data when using the ArcHouse Products. This Policy applies to all Providers and Your Users and is incorporated into the Platform Terms of Service (“Platform Terms”). This Policy may be updated or amended from time to time in accordance with provisions of the Platform Terms.

B. POLICY

  1. DEFINITIONS
    1. General. Capitalized terms used but not defined in this Policy or the Platform Terms will have the meanings set forth in HIPAA or other Applicable Laws.
    2. Extension of HIPAA Definitions. To make requirements for protection of Patient Data consistent across all types of Patient Data, where this Policy incorporates definitions from HIPAA, this Policy has the same definition as the similar definition from HIPAA except that the term PHI or Protected Health Information is replaced by the broader term for Patient Data as defined in these Platform Terms.
    3. Policy Definitions:
      “Authorized Activities” means Treatment Activities, Payment Activities, and Health Care Operations Activities, as defined in the Policy.
      “Designated Record Set”, as set forth in 45 CFR 154.501 of the HIPAA Privacy Rule, means (1) A group of records maintained by or for a Covered Entity that is: (i) the medical records and billing records about the individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a Health Plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about individuals. For purposes of this definition the term record means any item, collection or grouping of information that includes Patient Data and is maintained, collected, used or disseminated by or for a Covered Entity.
      “Health Care” means care, services, or supplies related to the health of an individual; Health Care includes, but is not limited to, the following: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription, as defined at 45 CFR 160.103.
      “Health Care Operations Activities” means any of the following activities of a Covered Entity to the extent they relate to covered functions: (1) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines (providing that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities); patient safety activities; population-based activities relating to improving health or reducing healthcare costs, protocol development, case management and care coordination, contacting of Health Care Providers and Patients with information about treatment alternatives; and related functions that do not include treatment; (2) reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) except where excluded under and consistent with the requirements of HIPAA, underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for Health Care; (4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity; including formulary development and administration, development or improvement of methods of payment or coverage policies; and (6) business management and general administrative activities of the entity, including but not limited to management activities relating to implementation and compliance of HIPAA; customer service, including provision of data analyses for policy holders, plan sponsors, or other customers (provided that PHI is not disclosed to such policy holder, plan sponsor or customer); resolution of internal grievances; the sale, transfer, merger or consolidation of all or part of the Covered Entity with another Covered Entity, or an entity that following such activity will become a Covered Entity, and due diligence related to such activity; and consistent with the applicable provisions of HIPAA, creating de-identified health information or a limited data set, and fundraising for the benefit of the Covered Entity; as defined in 45 CFR 164.501.
      “Health Care Provider” means a facility-based provider of services, a provider of medical or health services under Medicare or Medicaid, and any other person or organization who furnishes, bills or is paid for Health Care in the normal course of business, as defined in 45 CFR 160.103.
      “Information Blocking” has the same meaning as the term is defined in the ONC Cures Rules at 45 CFR Part 171.
      “Patient Relationship” has the meaning set forth in Section B(2)(a)(2) of this Policy.
      “Payment Activities” mean activities of (A) a Health Plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; (B) a Health Care Provider or Health Plan to obtain or provide reimbursement for the provision of Health Care, including (but not limited to) the following: determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; risk adjusting amounts due based on enrollee health status and demographic characteristics; billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing; review of Health Care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement; as defined at 45 CFR 164.501.
      “Permitted Access Requirements” mean the criteria set forth in Section B(2)(a)(1) below.
      “Treatment Activities” mean the provision, coordination, or management of Health Care and related services by one or more Health Care Providers, including the coordination or management of health care by a Health Care Provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one Health Care Provider to another, as defined in 45 CFR 164.501.
      “USCDI” means the United States Core Data for Interoperability developed, published and maintained by the ONC under the Cures Rules.
  2. USE & ACCESS OF PATIENT DATA
    1. When we permit access to Patient Data.
      1. Permitted Access Requirements. We will only enable access to Patient Data through the ArcHouse Products or the ArcHouse Platform to a Provider that meets the following Permitted Access Requirements: (i) the Provider has successfully completed our Verification Process, (ii) the Provider has a Patient Relationship (defined below) with the Patient for which it is requesting access to Patient Data, (iii) the Provider accesses the Patient Data only for Authorized Activities, and (iv) the Provider is currently satisfying all of its obligations under ArcHouse Policies and the Platform Terms (collectively, “Permitted Access Requirements”).
      2. Patient Relationship. No Provider may access Patient Data in the ArcHouse Platform for a particular patient unless it provides ArcHouse documentation of an established and active patient relationship for that patient (“Patient Relationship”). ArcHouse supports the following methods for documenting that Provider has a Patient Relationship with a Patient:
        1. You make an assertion to ArcHouse that you have a Patient Relationship with the Patient. When you make this assertion, you are making a legally binding representation to us that you have a Patient Relationship, and ArcHouse is relying on this representation to give you the requested access to the Patient Data. ArcHouse will cooperate with regulators or other legal authorities to the fullest possible extent under Applicable Law if you falsely or fraudulently assert a Patient Relationship.
    2. We only permit use of Patient Data for Authorized Activities. We only permit Providers who meet Permitted Access Requirements to use or disclose Patient Data through the ArcHouse Products or ArcHouse Platform for Authorized Activities.
    3. When we permit access to Patient Data through ArcHouse Interoperability Products. As mentioned in Section A(3)(d) of the Terms of Service, ArcHouse Interoperability Products are subject to specific additional restrictions. These products are exclusively for “Treatment Activities” as defined in 45 CFR 164.501. You may only access information pertaining to individuals with whom You have a treatment relationship.