Security Policy

Last Updated June 2024

A. PURPOSE
The purpose of this Platform Security Policy (“Policy”) is to provide a common set of security requirements for all Providers who use the ArcHouse Products and ArcHouse Platform. You and ArcHouse each acknowledge that protecting the security and integrity of the ArcHouse Products, the ArcHouse Platform, and information systems requires coordination of certain security-related obligations between ArcHouse and its Providers. Accordingly, you also acknowledge that we have a responsibility to require you and other Providers to meet certain minimum standards for information security for the good of all Users of the ArcHouse Platform.

This Policy applies to all Providers and is incorporated into the Platform Terms of Service (“Platform Terms”). This Policy may be updated or amended from time to time in accordance with provisions of the Platform Terms.

B. POLICY

  1. Definitions
    1. General. Capitalized terms used but not defined in this Policy or the Platform Terms will have the meanings set forth in HIPAA or other Applicable Law.
    2. Extension of HIPAA Definitions. To make the requirements for protection of Patient Data consistent, where this Policy incorporates a definition from HIPAA, that term has the same meaning as under HIPAA, except that the term PHI or Protected Health Information is replaced by the broader term Patient Data as defined in the Platform Terms.
    3. Policy Definitions. The following definitions will apply for purposes of this Policy.
      “Access Attempts” means unauthorized probes, scans, “pings”, and other activities which may or may not indicate threats, whose sources may be difficult or impossible to identify, whose motives are generally unknown, and which do not result in access to the ArcHouse Products, your information systems, or any Unsecured Patient Data.
      “Breach” means a Breach of Unsecured Patient Data as defined in 45 CFR 164.402, as well as any Unauthorized Use or Disclosure of Patient Data or related information to the extent that Applicable Law requires such Unauthorized Use or Disclosure to be reported to a state agency or disclosed to the individuals who are the subject of such information.
      “Security Incident” has the definition set forth in 45 CFR 164.304 with respect to the ArcHouse Products and your information systems, but for purposes of this Policy does not include an Access Attempt.
      “Unauthorized Use or Disclosure” means any access, use or disclosure of Patient Data that is not permitted by the Platform Terms, the BAA, this Policy or Applicable Law.
  2. Security of the ArcHouse Products
    1. ArcHouse BAA. At a minimum, we will comply with all the information security obligations which are applicable under the ArcHouse BAA with regard to protection of PHI, including applicable provisions of the HIPAA Security Rule.
    2. Additional Safeguards. We may implement or require information security safeguards which we deem appropriate, including safeguards that include requirements or conditions for you to use the ArcHouse Products and access the ArcHouse Platform and ArcHouse Interoperability Products (“Additional Safeguards”). These Additional Safeguards will not be less stringent than Applicable Law (including HIPAA) but may create obligations or responsibilities on you beyond minimum requirements of Applicable Law where we believe necessary to protect the ArcHouse Products and the ArcHouse Platform and create a safe environment for all Patients and Providers.
    3. Your Remedies. If you reasonably determine that we have materially failed to comply with our obligations in this Section, and that such failures create a material vulnerability affecting your information systems, you will promptly notify us of your determination and you may suspend or limit access or connectivity between the ArcHouse Products and your information systems. Any such failures by us will be a curable breach under Section 10 of the Platform Terms.  Upon receipt of any notice by you under this Section, we will use our best efforts to come into compliance with our obligations under this Section within the applicable cure period.
  3. Provider Security Responsibilities
    1. Minimum Security Requirements. You will comply at all times with the following requirements, which are based upon and consistent with the standards required by the HIPAA Security Rule, in managing your Provider Account and information systems and the use of the ArcHouse Products by Your Users. You specifically agree that you will comply with the following practices:
      User Clearance. You will maintain and follow policies and procedures for determining reasonable and appropriate access privileges of Your Users.
      User Authorization. You will maintain and follow policies and procedures for authorizing, suspending, and terminating the authorization of Your Users to access the ArcHouse Products and ArcHouse Platform or otherwise access, use, or disclose information through the ArcHouse Products and ArcHouse Interoperability Products.
      User Access Limitations; Minimum Necessary. You will maintain and follow policies and procedures requiring Your Users to limit their access to and use of the ArcHouse Products, ArcHouse Platform, or your Application, as applicable, and any information available through the ArcHouse Products and ArcHouse Interoperability Products in accordance with the HIPAA Minimum Necessary Standard, to the extent applicable, and any other Applicable Law.
      Access Controls. You will maintain appropriate administrative, physical and technical access control safeguards in accordance with the HIPAA Security Rule.
      Workstation and Device Management. You will maintain and follow policies and procedures for the authorization, secure operation, and disposal of all of the devices which you permit Your Users to use in order to access the ArcHouse Products or the ArcHouse Platform (each, an “Authorized Device”).  We may, in our discretion, limit or prohibit the use of certain devices as Authorized Devices upon notice to you.
      User Training. You will conduct, and you will require all of Your Users to undergo, privacy and security training in accordance with the requirements of all Applicable Law, the ArcHouse BAA, and ArcHouse Policies.
      Sanctions for Violations. You will apply sanctions and disciplinary procedures for Your Users or any other person subject to your authority for accessing or using the ArcHouse Products, the ArcHouse Platform or the ArcHouse Interoperability Products in violation of Applicable Law, the Platform Terms, the ArcHouse BAA, or ArcHouse Policies.
      Malware Protection. You will maintain up-to-date anti-virus and anti-malware software on all applicable components of your Application and information systems with access, or which may be used to access, the ArcHouse Products or the ArcHouse Platform or any information from the ArcHouse Products.
      Additional Safeguards. You will employ such Additional Safeguards that we may identify and require as described in Section B(2)(b) of this Policy.
    2. ArcHouse Remedies. If we determine that you have failed to comply with this Policy, we may suspend or limit your access to or use of the ArcHouse Products in accordance with Section 10(d) of the Platform Terms.  Upon receipt of a notice by us of any suspension, you will use your best efforts to come into compliance within the applicable cure period.
  4. Mutual Responsibilities for Security Incidents and Breaches
    1. Monitoring.
      Our Responsibility. We will monitor all activity, or ensure that activity is monitored, in (i) the ArcHouse Products and ArcHouse Platform, and (ii) any information system or facilities that we use to host, operate or manage the ArcHouse Products or ArcHouse Platform.
      Your Responsibility. You will monitor all activity, or ensure that activity is monitored, in (i) your Provider Account or information systems, (ii) Authorized Devices, and (iii) facilities where you may access the ArcHouse Products or ArcHouse Platform or any information from the ArcHouse Products.
    2. Investigations.
      ArcHouse Investigations. We will investigate any Unauthorized Use or Disclosure of your Patient Data and any Security Incident which may affect or have affected the ArcHouse Products or any of your Patient Data promptly upon receiving notice from you or otherwise becoming aware of such an event. We will document the results of each such investigation.
      Your Investigations. You will investigate any Unauthorized Use or Disclosure of your Patient Data received from the ArcHouse Products and any Security Incident which may affect or have affected the ArcHouse Products or ArcHouse Platform or any Patient Data received from the ArcHouse Products promptly upon receiving notice from us or otherwise becoming aware of such an event. You will document the results of each such investigation.
      Breach Determination. If we determine that an Unauthorized Disclosure of PHI constitutes a Breach, we will promptly notify you of this determination; provided that you will be responsible for making your own determination regarding whether the event constitutes a Breach upon receipt of the information we provide to you.
      Cooperation. Each Party will reasonably cooperate with the other Party in their performance of investigations and determinations under this Policy, and in identifying and implementing measures to mitigate the harmful effects of any event and to prevent events of the same or similar type to the extent practicable.
    3. Reporting & Notifications.
      Notice of Ongoing Access Attempts. ArcHouse will not provide you notice of ongoing Access Attempts. You and ArcHouse acknowledge and agree that Access Attempts fall under HIPAA’s definition of a Security Incident, but that our reporting and your review of information about Access Attempts would be materially burdensome to both parties without reducing risks to the information systems or PHI of either Party.
      ArcHouse Reporting Requirement. We will require our employees and any applicable subcontractors to report to us any Security Incident (not including Access Attempts) and any Unauthorized Use or Disclosure of PHI of which they become aware. We will report to you any Security Incident (not including Access Attempts) or Breach which affects your PHI within 5 business days of our determination or within the time period(s) set forth in the ArcHouse BAA, whichever is shorter.
      Your Reporting Requirement. You will require Your Users, your employees, and any subcontractors to report to you any Security Incident (not including Access Attempts) and Unauthorized Uses or Disclosures of PHI of which they become aware. You will report to us any Security Incident (not including Access Attempts) or Breach involving the ArcHouse Products or Patient Data which comes from the ArcHouse Platform within 5 business days of your becoming aware of such events.
      Breach Notifications. You and ArcHouse each acknowledge and agree that, as between you and ArcHouse, you have the more direct relationship with the Patient who is the subject of the Patient Data used and disclosed through the ArcHouse Products and ArcHouse Platform. Accordingly, you will be responsible for providing notification of Breaches to the affected individuals, applicable regulatory authorities, and the media where required by Applicable Law or elected by you.  Any notification by you to affected individuals, regulatory authorities, or media shall be deemed a notification as well by ArcHouse, and you will identify ArcHouse as a notifying party in the notification, except to the extent that ArcHouse may otherwise direct you in writing.  In the event that you elect not to or fail to timely notify potentially affected individuals, regulatory authorities, or media as provided above, and we reasonably determine that it may be required by Applicable Law to give such a notification, we may give the notification at our discretion.
      Other Law Enforcement Notification. For the avoidance of doubt, either you or ArcHouse may notify appropriate law enforcement agencies in the event that you or we reasonably believe that an Unauthorized Use or Disclosure of PHI is the result of criminal activity.
    4. Third-Party Security Audit. Upon written request, ArcHouse will provide to Provider a summary of its annual third-party security audit.