HIPAA Policy
HIPAA Compliant by Design
Acare Solution LLC is committed to the privacy and security of Protected Health Information (PHI). All client engagements involving healthcare data are governed by this policy and executed under a formal Business Associate Agreement (BAA).
Overview & Applicability
This HIPAA Policy describes how Acare Solution LLC ("Business Associate," "we," "us," or "our") handles Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) in the course of providing technology services to Covered Entities and other Business Associates as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Website Notice: This marketing website (acare-solution.com) does not collect, process, store, or transmit any PHI or ePHI. This policy applies exclusively to client service engagements where Acare Solution LLC accesses or handles healthcare data on behalf of a Covered Entity under a signed BAA.
Business Associate Agreement (BAA)
Before accessing, processing, or storing any PHI on behalf of a Covered Entity, Acare Solution LLC requires execution of a Business Associate Agreement (BAA) that complies with 45 CFR § 164.504(e).
The BAA governs:
- The permitted uses and disclosures of PHI by Acare Solution LLC
- Obligations to safeguard PHI using appropriate administrative, physical, and technical measures
- Requirements for reporting breaches, security incidents, and unauthorized disclosures
- Client rights to access, amend, and receive an accounting of PHI disclosures
- Return or destruction of PHI upon contract termination
No healthcare data work will commence without a fully executed BAA. Contact us at hello@acare-solution.com to initiate the BAA process.
Permitted Uses & Disclosures of PHI
Acare Solution LLC will use or disclose PHI only as permitted or required by the applicable BAA and HIPAA regulations, including:
- Performing services specified in the client service agreement
- As required by law (e.g., responding to valid legal processes)
- For the proper management and administration of Acare Solution LLC, if required by law or if appropriate protections are in place
- To report violations of law to appropriate authorities
Acare Solution LLC will not use or disclose PHI in any manner that would violate HIPAA's Privacy Rule if done directly by the Covered Entity, except as expressly permitted by the BAA.
Safeguards — Administrative, Physical & Technical
Acare Solution LLC implements and maintains reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C).
Subcontractors & Third-Party Vendors
Acare Solution LLC ensures that any subcontractors or agents who create, receive, maintain, or transmit PHI on our behalf agree to the same restrictions and conditions that apply to us under the applicable BAA, in accordance with 45 CFR § 164.504(e)(2)(ii)(D).
- All subcontractors with PHI access are required to execute a BAA with Acare Solution LLC
- We perform due diligence on subcontractors' HIPAA compliance posture before engagement
- Cloud service providers used for PHI workloads are evaluated for HIPAA compliance and BAA availability
Breach Notification
In the event of a breach of unsecured PHI, Acare Solution LLC will comply with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and the applicable BAA, including:
- Notifying the affected Covered Entity of any breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery
- Providing all information reasonably available to enable the Covered Entity to fulfill its own breach notification obligations to individuals and HHS
- Documenting the breach, its scope, and all response actions taken
Security Incident Reporting: If you believe there has been a security incident or unauthorized access to PHI involving Acare Solution LLC systems, please contact us immediately at hello@acare-solution.com with the subject line "SECURITY INCIDENT."
Individual Rights
To the extent Acare Solution LLC maintains PHI in a Designated Record Set, we will cooperate with Covered Entities to support the following individual rights under HIPAA's Privacy Rule:
- Right of Access: Providing PHI to Covered Entities so they can fulfill individual access requests
- Right to Amendment: Amending PHI in our systems as directed by the Covered Entity
- Accounting of Disclosures: Documenting and providing information about disclosures made on behalf of the Covered Entity
- Restrictions: Applying restrictions on PHI use/disclosure as agreed upon with the Covered Entity
Minimum Necessary Standard
Acare Solution LLC applies the Minimum Necessary Standard to all uses and disclosures of PHI. This means we access, use, or disclose only the minimum amount of PHI reasonably necessary to accomplish the intended purpose of the service engagement.
Access controls are role-based and scoped so that team members access only the PHI required to perform their specific job functions within a given engagement.
Data Retention & Destruction
Upon termination or expiration of a service agreement, Acare Solution LLC will:
- Return all PHI to the Covered Entity in an agreed-upon format, or
- Destroy all PHI and certify in writing that destruction has been completed in a manner that renders PHI unreadable and unrecoverable
- If return or destruction is infeasible, extend the protections of the BAA to the retained PHI and limit further use/disclosure to purposes that make return or destruction infeasible
PHI is never retained beyond the scope of the engagement without explicit written authorization from the Covered Entity.
Workforce Training & Compliance
All Acare Solution LLC workforce members who have access to PHI receive HIPAA training appropriate to their role. Training covers:
- HIPAA Privacy and Security Rule requirements
- Identifying and handling PHI appropriately
- Recognizing and reporting potential security incidents and breaches
- Sanctions for non-compliance with HIPAA policies
We conduct periodic risk assessments and update our security policies in response to changes in our environment, services, or regulatory requirements.
No Professional Legal Advice
This HIPAA Policy is provided for informational purposes and describes Acare Solution LLC's internal approach to HIPAA compliance. It does not constitute legal advice. Covered Entities and Business Associates should consult qualified healthcare compliance counsel regarding their specific HIPAA obligations. HIPAA compliance is a shared responsibility between all parties to a BAA.
Contact & BAA Requests
For HIPAA-related inquiries, BAA requests, security incident reports, or compliance questions, contact us:
- Company: Acare Solution LLC
- HIPAA Contact: hello@acare-solution.com
- Subject Line for BAA Requests: "BAA REQUEST — [Your Organization]"
- Subject Line for Security Incidents: "SECURITY INCIDENT"
- Website: acare-solution.com
We will respond to all HIPAA-related inquiries within 3 business days.