HR Best Practices dba ACA Managed Services (“ACA Managed Services”, or the “Company”, “We”, “Us”, “Our”) is committed to secure and trustworthy Internet commerce and the individual’s right to privacy. This Privacy Statement describes ACA Managed Services’ information practices. ACA Managed Services provides services through owned domains including: ACAmanagedServices.com, Smart1095.com, ACAIRSbestPractices.com and HRBestPractices.com.
Disclosure of Information
We do not share, sell, rent or lease your personally identifiable information to third parties for their promotional purposes or as otherwise outlined in the policy. We may disclose your personally identifiable information to certain third party vendors (e.g., data storage facilities, payment processors, email service providers) used by ACA Managed Services to assist us in providing the ACA Managed Services services, to the extent necessary to enable such vendors to provide such assistance. These third parties are prohibited from using your personally identifiable information for any other purposes.
- We reserve the right to disclose your personally identifiable information if we reasonably believe we are required to do so by law, regulation or other government authority and when we believe that disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order, or legal process served on our website.
Use of Information
We and our third party affiliates may use your contact information and unique identifier (such as a user name and password) to provide access to ACA Managed Services services available on our website and to contact you when reasonably necessary. We may also use any information you have provided as reasonably necessary to administer or provide customer support for the website and the ACA Managed Services service. We use the information submitted by you to send you correspondence and other information that may interest you and to respond to your correspondence. If, for any reason, you would like to be removed from our email list, you can send us an email at info@ACAmanagedservices.com.
Based upon the personally identifiable information you provide us, we and / or our third party affiliates may send you a welcoming email to verify your username and password. We will also communicate with you in response to your inquiries, to provide the services you request, to manage your account, and to help us improve our customer support and service to you overall. We will communicate with you by email or telephone, in accordance with your wishes. We will send you strictly service-related announcements on rare occasions when it is necessary to do so. For instance, if our service is temporarily suspended for maintenance, we might send you an email. Generally, you may not opt-out of these communications, which are not promotional in nature. If you do not wish to receive them, you have the option to deactivate your account. Out of respect for your privacy, we provide you a way to unsubscribe by contacting us at info@ACAManagedServices.com.
Finally, if you use the ACA Managed Services service, we will store the data you upload onto our servers. All your data is encrypted and / or password protected at rest. ACA Managed Services may access your account, to respond to service or technical problems or as stated in this Agreement. You, not ACA Managed Services, shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness and copyright of all data transferred to ACA Managed Services. Furthermore, ACA Managed Services shall not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store any data.
Updating Your Information and Transferring Data
SECTION WILL BE UPDATED SOON
IF YOU HAVE QUESTIONS PLEASE CONTACT firstname.lastname@example.org
The security of your personal information and our Customers’ information is important to us. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. If you have any questions about security on our Website, please contact us.
Personal and Business Information is used for payment processing, customer relationship management (CRM), data storage, payment gateways, billing services, subscription management, and other business services. ACA Managed Services uses the following companies for the aforementioned business services. Provided below are links to their respective privacy policies:
- Hosted HIPAA environment
Links to Third Party Websites
Our Policy Toward Children
If you have any questions about this Statement, please email us at info@ACAManagedServices.com, or you may contact us at the following:
ACA Managed Services
795 Franklin Avenue Suite IGCPA
Franklin Lakes, NJ 07417
Statement regarding HIPAA, Business Associate Agreement, and Privacy Practices
If you are a Covered Entity that is subject to HIPAA, ACA Managed Services will enter into a Business Associate Agreement (see below) with you upon your signing up for our service(s). Covered Entities are required to enter into a Business Associate Agreement with Business Associates that includes the following assurances.
BUSINESS ASSOCIATE AGREEMENT for HIPAA and HITECH COMPLIANCE
If you are a Covered Entity that is subject to HIPAA, ACA Managed Services will enter into this Business Associate Agreement with you upon your signing up for our service(s).
- Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), including the HIPAA Rules (as defined below), and the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”).
- Covered Entity and ACA Managed Services.com have entered into the ACA Managed Services.com Services Agreement pursuant to which ACA Managed Services.com will provide certain services to Covered Entity (the “Services Agreement” or “Master Services Agreement”) and, pursuant to the Services Agreement, ACA Managed Services.com may receive, maintain and have access to Electronic Protected Health Information (as defined below) in fulfilling its responsibilities under that Agreement.
- As a service provider to Covered Entity as described above, ACA Managed Services.com may be considered a “Business Associate” of Covered Entity as defined in the HIPAA Rules. The HIPAA Rules include the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule” at 45 CFR Part 160 and Part 164, Subparts A and E), the Standards for Security of Electronic Protected Health Information (the “Security Rule” at 45 CFR Parts 160 and 164, Subpart C), Breach Notification for Unsecured Protected Health Information (the “Breach Notification Rule” at 45 CFR Parts 160 and 164), and the Enforcement Rules at 45 CFR Part 160, Subparts C-E, as each of the foregoing may be amended or supplemented.
- ACA Managed Services.com and Covered Entity are both committed to complying with the HIPAA Rules, and acknowledge that each has certain obligations to maintain the privacy and security of PHI.
THEREFORE, the parties, in consideration of the mutual agreements herein contained and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, agree to the following terms and conditions covering how each party’s obligations to maintain the privacy and security of PHI will be satisfied.
Capitalized terms used, but not otherwise defined, in this BAA have the meanings ascribed to them in HIPAA, including in the HIPAA Rules, and the HITECH Act, as in effect or as amended from time to time. “Protected Health Information” or “PHI” has the same meaning as the term “protected health information” as defined in 45 CFR 164.103, and any amendments thereto, limited to the information Business Associate has access to, receives from, and maintains for or on behalf of Covered Entity. PHI includes Electronic Protected Health Information. “Electronic Protected Health Information” or “EPHI” means the subset of PHI that is transmitted by electronic media or maintained in electronic media. Business Associate acknowledges and agrees that all Protected Health Information is subject to this BAA.
- Business Associate agrees to use or disclose any Protected Health Information solely: (A) for meeting its obligations as set forth in the Services Agreement, or (B) as Required By Law.
- Upon termination of this BAA, the Services Agreement, or upon request of Covered Entity, whichever occurs first, if feasible, to return or destroy all Protected Health Information received from Covered Entity that Business Associate still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, to extend the protections of this BAA to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible; and ii. to ensure that its agents (including subcontractors) to whom it provides Protected Health Information agree to the same restrictions and conditions that apply to Business Associate with respect to such Information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this BAA.
- Notwithstanding the prohibitions set forth in this BAA, Business Associate may use and disclose Protected Health Information if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:
- Business Associate obtains reasonable assurances from the person to whom the Information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the Information has been breached.
- Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this BAA. The Secretary of Health and Human Services will have the right to audit Business Associate’s records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity’s compliance with the terms of the HIPAA Rules. Business Associate will report to Covered Entity any use or disclosure of Protected Health Information which is not in compliance with the terms of this BAA of which it becomes aware.
III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE.
- Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Services Agreement or as Required By Law.
- Business Associate will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of EPHI that Business Associate creates, receives, maintains or transmits on behalf of the Covered Entity. Said safeguards shall include, without limitation:
- encryption of EPHI stored or transmitted by Business Associate;
- implementation of secure access controls, including physical locks, firewalls, and secure passwords;
- adoption and implementation of contingency planning policies and procedures, including data backup and disaster recovery plans; and
- periodic security training for its employees.
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA.
- Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware.
- Business Associate agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
- Business Associate will promptly report to Covered Entity any unauthorized acquisition, access, use, or disclosure of Protected Health Information in violation of the HIPAA Rules or other applicable law, or in violation of the terms of this BAA. Such report will be made as soon as reasonably possible but in no event later than ten business days after discovery by Business Associate of such breach. Each report of a breach will include, to the extent possible, the following information: (i) a description of the facts pertaining to the breach, including without limitation, the date of the breach and the date of discovery of the breach, (ii) a description of the Protected Health Information involved in the breach, (iii) the names of the individuals who committed or were involved in the breach, (iv) the names of the unauthorized individuals or entities to whom Protected Health Information has been disclosed, (v) a description of the action taken or proposed by the Business Associate to mitigate the financial, reputational or other harm to the individual who is the subject of the breach, and (vi) provide such other information as Covered Entity may reasonably request including, without limitation, the information, data and documentation required by Covered Entity to timely comply with the HITECH Act and the regulations promulgated thereunder, including the Breach Notification Rule.
- Business Associate agrees to comply with the administrative requirements imposed on it, in its capacity as a business associate, by HIPAA, HIPAA Regulations, HITECH, and the Breach Notification Regulations thereunder.
IV. OBLIGATIONS OF CUSTOMER AS COVERED ENTITY.
- Covered Entity will not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
- Covered Entity will notify Business Associate in writing of any limitation in its notice of privacy practices adopted in accordance with the Privacy Rules, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
- Covered Entity will provide Business Associate with written notice of any revocations, amendments or restrictions in Covered Entity’s use or disclosure of Protected Health Information if such changes affect Business Associate’s permitted or required uses and disclosure of Protected Health Information under this BAA or the Services Agreement.
V. AVAILABILITY OF PROTECTED HEALTH INFORMATION.
- Covered Entity acknowledges and agrees that Business Associate, due to the nature of the technology utilized by Business Associate, has no access, direct or indirect, to the Protected Health Information supplied by Covered Entity to Business Associate.
- The parties agree that, due to the nature of the technology utilized by Business Associate, Business Associate cannot make Protected Health Information available (i) to the extent and in the manner required by Section 164.524 of the Privacy Rule, (ii) for amendment or incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the Privacy Rule, or (iii) for purposes of accounting of disclosures, as required by Section 164.528 of the Privacy Rule. Rather, Covered Entity will be solely responsible for compliance with each of the foregoing.
Termination of Covered Entity’s business relationship with Business Associate shall be under the terms set forth in the Services Agreement, incorporated herein by reference. Notwithstanding anything in this BAA or in the Services Agreement to the contrary, Covered Entity has the right to terminate this BAA immediately if Covered Entity determines that Business Associate has violated any of its material terms.
By reference, this BAA incorporates, but does not supersede or replace, the Services Agreement.
This BAA may be amended or modified only in a writing signed by the parties. Neither party may assign its respective rights or obligations under this BAA without the prior written consent of the other party. None of the provisions of this BAA are intended to create, nor will they be deemed to create, any relationship between the parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this BAA and the Services Agreement. This BAA will be governed by the laws of the State of New Jersey. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions will be deemed a waiver of performance of any continuing or other obligation, or will prohibit enforcement of any obligation, on any other occasion. The parties agree that, in the event that the Services Agreement contains provisions relating to the use or disclosure of Protected Health Information which are more restrictive than the provisions of this BAA, the provisions of the more restrictive documentation will control. The provisions of this BAA are intended to establish the minimum requirements regarding Business Associate’s use and disclosure of Protected Health Information.
In the event that any provision of this BAA is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this BAA will remain in full force and effect. In addition, in the event a party believes in good faith that any provision of this BAA fails to comply with the then-current requirements of the Privacy Rule, such party will notify the other party in writing. For a period of up to 30 days, the parties will enter into good faith negotiations to amend the terms of this BAA, if necessary to bring it into compliance, to incorporate same. If, after such 30-day period, the BAA fails to comply with the Privacy Rule, then either party has the right to terminate it, together with the Services Agreement, upon written notice to the other party.