Version: 1.0 | Effective Date: March 1, 2026
"Covered Entity" refers to the home care agency or organization subscribing to EVVidence. "Business Associate" refers to Arcadia Inc., operating as EVVidence. "Protected Health Information (PHI)" has the meaning given under HIPAA (45 CFR 160.103).
EVVidence agrees to: (a) not use or disclose PHI other than as permitted by this Agreement or as required by law; (b) implement appropriate safeguards to prevent unauthorized use or disclosure; (c) report any unauthorized use or disclosure; (d) ensure subcontractors agree to the same restrictions.
EVVidence may use PHI solely for: providing electronic visit verification services, generating compliance reports, managing service records, and as required by law.
EVVidence implements: encryption of PHI at rest and in transit, role-based access controls, audit logging of all PHI access, automatic session timeouts, rate limiting, and regular security assessments.
EVVidence will notify the Covered Entity of any breach of unsecured PHI without unreasonable delay and in no case later than 72 hours after discovery. Written follow-up with details required by 45 CFR 164.410 will be provided within 60 days of discovery.
EVVidence will make PHI available to the Covered Entity to fulfill obligations under the HIPAA Privacy Rule regarding individual access, amendment, and accounting of disclosures.
Upon termination, EVVidence will return or destroy all PHI, retaining no copies except as required by law. PHI de-identification occurs 60 days after account termination. Agencies are responsible for exporting records needed to meet state and federal retention requirements (typically 5-10 years) before account closure.
This Agreement is effective for the duration of the service subscription and survives termination with respect to PHI retained as permitted herein.