Healthcare Compliance

Business Associate Agreement

HIPAA & HITECH Addendum | Document Ref: VC-BAA-26H

This Business Associate Agreement ("BAA") complements and is incorporated into the Vance & Cole Master Service Agreement (MSA).

It applies exclusively to Covered Entities utilizing our offshore Healthcare Revenue Cycle Management (RCM) or specialized medical billing divisions, wherein the routing or processing of Protected Health Information (PHI) is required.

1. Obligations under HIPAA & HITECH

Velmer Digital LLC (dba "Vance & Cole"), acting as the Business Associate, agrees not to use or disclose Protected Health Information (PHI) other than as permitted or required by this Agreement, the underlying MSA, or as strictly required by United States federal law.

We implement rigorous administrative, physical, and technical safeguards in our APAC processing hubs that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that we create, receive, maintain, or transmit on behalf of the Covered Entity.

2. Physical Security & Clean-Room Architecture

To prevent unauthorized access, our RCM and Medical Billing divisions operate strictly within heavily guarded zones utilizing physical clean-room protocols:

  • Mandatory biometric access verification (thumbprint and facial recognition) at all facility ingress points.
  • Confiscation of all personal electronic devices, cellular phones, smartwatches, and recording equipment prior to entering the production floor.
  • Disablement of all USB ports, printing capabilities, and local data storage on workstation hardware.

These rigid physical and digital safeguards ensure that offshore operations strictly mirror or exceed US onshore HIPAA compliance infrastructure requirements.

3. Incident Reporting & Breach Notification

Mandatory Notification Protocol

In accordance with the HITECH breach notification rule, Velmer Digital LLC will notify the Covered Entity without unreasonable delay - and in no case later than sixty (60) calendar days - upon discovery of any formal breach of unsecured PHI.

4. Subcontractors & Agents

Business Associate agrees to ensure that any subcontractors or proprietary agents that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.

5. Return or Destruction of PHI

Upon termination, cancellation, expiration, or other conclusion of the underlying Master Service Agreement, Business Associate shall, if feasible, return or securely destroy all PHI received from Covered Entity. Because Vance & Cole operates fundamentally on Zero-Retention policies utilizing client-hosted Virtual Desktop Infrastructure (VDI), no PHI is actively warehoused on Business Associate's local servers. Any residual transit data shall be purged using DoD 5220.22-M wiping standards.

End of Document