Data Processing Agreement

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service and constitutes a legally binding agreement between you ("Customer," "Covered Entity," "you," or "your") and AveeCare LLC ("AveeCare," "Processor," "Business Associate," "we," "us," or "our").

This DPA governs the processing of personal data, including Protected Health Information (PHI), in connection with your use of our home care management platform and related services (the "Services").

This DPA incorporates the Business Associate provisions required by HIPAA and applies to all personal data processing activities undertaken by AveeCare on behalf of Customer.

2. Definitions

For purposes of this DPA, the following definitions apply:

• "Business Associate" has the meaning given in HIPAA and refers to AveeCare when processing PHI on behalf of Customer.
• "Covered Entity" has the meaning given in HIPAA and refers to Customer when Customer is a healthcare provider, health plan, or healthcare clearinghouse.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed.
• "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended, including the Privacy Rule, Security Rule, and Breach Notification Rule.
• "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "PHI" or "Protected Health Information" has the meaning given in HIPAA and includes all individually identifiable health information transmitted or maintained by AveeCare on behalf of Customer.
• "Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or destruction.
• "Security Incident" means any unauthorized access, acquisition, use, or disclosure of PHI, or any security incident involving the confidentiality, integrity, or availability of PHI.
• "Subprocessor" means any third party engaged by AveeCare to process personal data on behalf of Customer.
• "Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction as specified in HIPAA guidance.

3. Relationship of the Parties

3.1 HIPAA Designation

Customer is a HIPAA Covered Entity or Business Associate. AveeCare is a Business Associate of Customer. This DPA constitutes the Business Associate Agreement required under HIPAA.

3.2 Data Controller and Processor

For purposes of general data protection principles, Customer is the data controller and determines the purposes and means of processing personal data. AveeCare is the data processor and processes personal data only on behalf of and according to Customer's documented instructions.

4. Permitted Uses and Disclosures of PHI

4.1 Permitted Uses

AveeCare may use and disclose PHI only as follows:

• Service Performance: To perform functions, activities, or services on behalf of Customer as specified in the Terms of Service
• Proper Management: For AveeCare's proper management and administration
• Legal Obligations: To carry out legal responsibilities of AveeCare
• Data Aggregation: To provide data aggregation services relating to Customer's healthcare operations
• De-Identification: To de-identify PHI in accordance with HIPAA standards

4.2 Prohibited Uses

AveeCare shall NOT:

• Use or disclose PHI in any manner that would violate HIPAA if done by Customer
• Use or disclose PHI for marketing purposes without Customer's authorization
• Sell PHI as prohibited by HIPAA
• Use PHI for underwriting purposes
• Use or disclose PHI in a manner inconsistent with Customer's minimum necessary policies

4.3 Customer Instructions

Customer instructs AveeCare to process PHI for the purposes described in the Terms of Service and this DPA. AveeCare shall not process PHI for any other purpose unless required by applicable law. If required by law to process PHI for another purpose, AveeCare will inform Customer before processing (unless prohibited by law).

5. Obligations of AveeCare

5.1 Safeguards

AveeCare shall implement and maintain:

• Administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI
• Security measures required by the HIPAA Security Rule
• Policies and procedures to comply with HIPAA requirements applicable to Business Associates
• Encryption of PHI at rest using AES-256 or equivalent
• Encryption of PHI in transit using TLS 1.2 or higher
• Access controls limiting PHI access to authorized personnel
• Audit logging of all PHI access and modifications

5.2 Mitigation

AveeCare shall mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI in violation of this DPA.

5.3 Reporting

AveeCare shall report to Customer:

• Security Incidents: Any Security Incident of which AveeCare becomes aware, without unreasonable delay and in no case later than 5 business days after discovery
• Breaches: Any Breach of Unsecured PHI of which AveeCare becomes aware, without unreasonable delay and in no case later than 60 days after discovery
• Unauthorized Use: Any use or disclosure of PHI not provided for by this DPA of which AveeCare becomes aware

Reports shall include, to the extent known: identification of affected individuals, description of the incident, types of PHI involved, steps taken to investigate and mitigate, and contact information for further inquiries.

5.4 Subcontractors

• AveeCare shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of AveeCare agrees to the same restrictions and conditions that apply to AveeCare under this DPA
• AveeCare shall enter into a written agreement with each such subcontractor
• AveeCare shall remain responsible for any acts or omissions of its subcontractors
• Customer authorizes AveeCare to engage subcontractors listed in our documentation; AveeCare will provide notice of any new subcontractors that process PHI

5.5 Access to PHI

Within 10 business days of a written request from Customer, AveeCare shall make available PHI in a Designated Record Set for purposes of Customer fulfilling its obligations under HIPAA to provide individuals with access to their PHI.

5.6 Amendment of PHI

Within 10 business days of a written request from Customer, AveeCare shall make amendments to PHI in a Designated Record Set as directed by Customer for purposes of Customer fulfilling its obligations under HIPAA.

5.7 Accounting of Disclosures

AveeCare shall document disclosures of PHI and information related to such disclosures as required for Customer to provide an accounting of disclosures. AveeCare shall provide such information within 30 days of a written request from Customer.

5.8 HHS Access

AveeCare shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer's and AveeCare's compliance with HIPAA.

5.9 Audit Rights

Upon reasonable notice and during regular business hours, Customer may audit AveeCare's compliance with this DPA. AveeCare shall provide reasonable cooperation with such audits. Customer may also review third-party audit reports (such as SOC 2 reports) as an alternative to on-site audits.

6. Obligations of Customer

Customer agrees to:

• Obtain any necessary consents and authorizations for AveeCare's processing of PHI
• Provide only accurate and current information to AveeCare
• Not request AveeCare to process PHI in a manner that would violate HIPAA
• Maintain appropriate safeguards for PHI in Customer's control
• Comply with Customer's own HIPAA obligations
• Notify AveeCare of any restrictions on use or disclosure of PHI agreed to with individuals
• Notify AveeCare of any changes in authorization to use or disclose PHI
• Properly configure access controls and user permissions within the Services
• Train Customer's workforce on proper use of the Services
• Promptly notify AveeCare of any suspected security incidents

7. Categories of Data Processed

7.1 Categories of Personal Data

AveeCare processes the following categories of personal data:

• Identity Data: Names, dates of birth, Social Security Numbers, government ID numbers, photographs
• Contact Data: Addresses, phone numbers, email addresses, emergency contacts
• Financial Data: Payment information, billing addresses, insurance information
• Employment Data: Job titles, credentials, certifications, work schedules, training records
• Health Data: Medical history, diagnoses, medications, allergies, care plans, clinical notes
• Location Data: GPS coordinates for visit verification and documentation
• Usage Data: System logs, access records, feature usage

7.2 Categories of Data Subjects

• Patients receiving home care, home healthcare, hospice, or disability care services
• Caregivers and healthcare providers
• Agency administrators and staff
• Authorized family members and representatives

7.3 Processing Activities

• Storage and retrieval of patient records and care documentation
• Scheduling and calendar management
• Visit verification and location data collection
• Communication and messaging services
• Report generation and analytics
• AI-assisted features including form generation and natural language queries
• Billing preparation and claims support

7.4 AI Processing and Customer Obligations

When Customer uses AI-powered features that process PHI or personal data, Customer acknowledges and agrees to the following additional obligations:

7.5 Mandatory Disclosures for AI Processing

As a material condition of using AI features under this DPA, Customer agrees to:

• Update Privacy Notices: Include disclosure of AI processing in Customer's Notice of Privacy Practices and any other required privacy disclosures.
• Notify Data Subjects: Inform patients, clients, caregivers, and other data subjects whose personal data or PHI may be processed by AI features about such processing, including: (a) that AI tools are used; (b) the purposes of AI processing; (c) any associated risks; and (d) their rights regarding such processing.
• Notify Workforce: Inform all workforce members who use or are affected by AI features about: (a) the existence of AI features; (b) Customer's policies for appropriate use; (c) prohibited activities; and (d) consequences of policy violations.
• Obtain Required Consents: Obtain any consents or authorizations required by applicable law or Customer's policies for AI processing of personal data or PHI.
• Document Compliance: Maintain documentation demonstrating compliance with these notification and consent requirements.

7.6 Liability for AI Processing

8. Data Retention and Deletion

8.1 Retention Period

AveeCare retains data according to the following schedule:

• PHI and Clinical Records: Retained for the duration of the service agreement. Upon termination, PHI is returned or destroyed in accordance with Section 8.2 and the Business Associate Agreement, after a ninety (90) calendar day post-termination retention period to allow for data export.
• HIPAA Compliance Documentation: Audit logs, access records, disclosure accountings, disposal records, and other documentation required by the HIPAA Security Rule and Privacy Rule are retained for a minimum of six (6) years from the date of creation or last effective date, per 45 CFR 164.316(b)(2)(i) and 45 CFR 164.530(j), regardless of service agreement termination.
• Financial Records: Invoices, billing records, payroll entries, and insurance claims are retained for seven (7) years as required by tax and accounting regulations.
• Such longer period as required by applicable law or regulations, or
• Such period as specified in Customer's instructions

Customer is solely responsible for exporting and retaining its own copies of PHI to meet applicable state medical record retention requirements before the post-termination retention period expires.

8.2 Return or Destruction

Upon termination of the service agreement:

• AveeCare shall retain Customer's PHI for ninety (90) calendar days following termination to allow for data export
• At Customer's election, AveeCare shall return PHI to Customer in a standard electronic format, or destroy PHI using secure destruction methods that render it unreadable
• After the ninety (90) day retention period, PHI will be securely destroyed unless return or destruction is infeasible
• If return or destruction is infeasible, AveeCare shall extend the protections of this DPA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible
• AveeCare shall certify destruction in writing upon request
• AveeCare will retain HIPAA compliance documentation (audit logs, disposal records, disclosure accountings) for six (6) years regardless of PHI destruction

8.3 Data Export

Customer may export data from the Services at any time during the subscription period. Upon termination, Customer has thirty (30) days to request a data export, and AveeCare will retain data for ninety (90) calendar days following termination to facilitate export. After this retention period, data deletion procedures will begin for PHI, while compliance documentation will be retained per Section 8.1.

9. Security Measures

AveeCare implements the following security measures to protect personal data and PHI:

9.1 Technical Measures

• AES-256 encryption for data at rest
• TLS 1.2+ encryption for data in transit
• Multi-factor authentication support
• Role-based access controls
• Automatic session timeout
• Unique user identification
• Audit logging and monitoring
• Intrusion detection and prevention systems
• DDoS protection
• Regular vulnerability scanning and penetration testing
• Secure software development lifecycle

9.2 Organizational Measures

• Designated Security Officer and Privacy Officer
• Written security policies and procedures
• Workforce training on privacy and security
• Background checks for personnel with data access
• Confidentiality agreements for all employees
• Access limited to authorized personnel on need-to-know basis
• Incident response procedures
• Business continuity and disaster recovery plans

9.3 Physical Measures

• AWS data centers with SOC 2 Type II certification
• Physical access controls and 24/7 security
• Environmental controls and redundant systems
• Automatic backups with encryption
• Geographically distributed infrastructure

10. Data Location and Transfers

AveeCare stores and processes all data within the United States. Our infrastructure is hosted on Amazon Web Services data centers located in the United States.

AveeCare does not transfer PHI outside of the United States unless required to provide the Services and appropriate safeguards are in place.

11. Breach Notification

11.1 Notification Timing

AveeCare shall notify Customer of any Breach of Unsecured PHI:

• Without unreasonable delay after discovery
• In no case later than 60 days after discovery
• Preliminary notification within 5 business days for significant breaches

11.2 Notification Content

Breach notification shall include:

• Identification of each individual whose PHI was or may have been accessed, acquired, used, or disclosed
• Brief description of what happened, including date of breach and date of discovery
• Description of the types of PHI involved (diagnoses, medications, SSN, etc.)
• Steps AveeCare is taking to investigate, mitigate harm, and prevent future breaches
• Contact information for AveeCare's security team

11.3 Cooperation

AveeCare shall cooperate with Customer in investigating the breach and fulfilling Customer's breach notification obligations to affected individuals, HHS, and media (if applicable).

12. Term and Termination

12.1 Term

This DPA remains in effect for the duration of Customer's use of the Services and for so long as AveeCare retains any PHI.

12.2 Termination for Cause

Either party may terminate this DPA and the underlying service agreement if the other party materially breaches this DPA and fails to cure such breach within 30 days of written notice.

12.3 Effect of Termination

Upon termination, AveeCare's obligations under this DPA shall survive with respect to any PHI that AveeCare retains, including the obligations regarding return or destruction of PHI.

13. General Provisions

13.1 Regulatory Changes

If changes in HIPAA or other applicable law affect the terms of this DPA, the parties shall negotiate in good faith to amend this DPA as necessary to comply with such changes.

13.2 Interpretation

Any ambiguity in this DPA shall be interpreted to permit compliance with HIPAA. Where this DPA conflicts with the Terms of Service, this DPA shall control with respect to PHI processing.

13.3 No Third-Party Beneficiaries

This DPA is between Customer and AveeCare and does not create any rights for third parties, except as specifically provided herein regarding individual rights under HIPAA.

13.4 Governing Law

This DPA shall be governed by the laws of the State of Arizona and applicable federal law, including HIPAA.

13.5 Amendments

This DPA may be amended only by written agreement signed by both parties, except that AveeCare may update this DPA to reflect changes in law or our practices with notice to Customer.

13.6 Entire Agreement

This DPA, together with the Terms of Service, constitutes the entire agreement between the parties regarding the processing of personal data and PHI and supersedes all prior agreements on this subject.

14. Contact Information

For questions about this Data Processing Agreement:

15. Related Documents

Please also review our other legal documents:

• Privacy Policy
• Terms of Service
• Cookie Policy
• HIPAA Compliance