Business Associate Agreement
1. Parties and effective date
This Business Associate Agreement (the "Agreement") is entered into between Archer Health, Inc. ("Business Associate" or "Archer"), a Delaware corporation with its principal office at 222 Hidden Creek Circle, Ridgeland, MS 39157, and the entity submitting claims data through the Archer Health website (the "Covered Entity" or "Submitter"). The Agreement is effective on the date the Submitter clicks the "I agree to Archer's Business Associate Agreement" checkbox on the claims-data submission form on archerhealth.com.
2. Definitions
Capitalized terms used but not defined in this Agreement have the meanings given to them under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, and the regulations promulgated thereunder at 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules"). "Protected Health Information" or "PHI" has the meaning given at 45 CFR 160.103.
3. Permitted uses and disclosures
Archer may use and disclose PHI received from the Submitter only for the following purposes:
- Performing the claims analysis the Submitter has requested, including running the data through Archer's claims-analysis system to produce a feasibility memo.
- Internal review of the resulting analysis by Archer personnel for quality control and improvement of the analysis methodology.
- Communicating the resulting analysis back to the Submitter (or to a designated representative the Submitter has authorized) by email or other secure channel.
- Aggregated, de-identified analysis to inform Archer's clinical and economic models, provided no individual or employer remains identifiable.
- Required uses or disclosures, including responding to subpoenas, court orders, or government investigations as required by law.
Archer will not use or disclose PHI for marketing, sale, or any purpose other than those listed above. Archer will not use the submitted PHI to train or fine-tune any artificial intelligence model beyond the per-submission analysis itself.
4. Safeguards
Archer will implement appropriate administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C) to prevent the use or disclosure of PHI other than as permitted by this Agreement. Specifically:
- Files submitted through the form are encrypted at rest in a private cloud storage bucket with access limited to authenticated Archer personnel.
- Submissions are transmitted over HTTPS / TLS 1.2 or higher.
- Access to the analysis platform is limited to authenticated administrators with role-based access control.
- The third-party AI model that generates the analysis (Anthropic Claude) operates under Anthropic's enterprise zero-retention terms — submitted data is not retained by Anthropic for training or any other purpose beyond the immediate request.
5. Reporting and breach notification
Archer will report to the Submitter, without unreasonable delay and in any event within thirty (30) calendar days of discovery, any use or disclosure of PHI not permitted by this Agreement, including any Breach of Unsecured PHI as defined in 45 CFR 164.402. The report will include, to the extent known, the identity of each individual whose PHI was the subject of the breach, the nature of the unpermitted use or disclosure, and the steps Archer has taken to mitigate harm.
6. Subcontractors
Archer will obtain written assurance from any subcontractor that receives PHI from Archer in the course of performing the analysis that the subcontractor will protect the PHI in a manner consistent with this Agreement and the HIPAA Rules. Current subcontractors material to the claims-analysis service are Supabase, Inc. (cloud storage and database), Anthropic PBC (analysis model), and Resend, Inc. (transactional email delivery), each of whom Archer represents has executed a Business Associate Agreement with Archer.
7. Minimum necessary
Archer will request, use, and disclose only the minimum PHI necessary to accomplish the purposes for which Submitter has provided the data. Submitter is encouraged — but not required — to redact or de-identify data before submission to limit the scope of PHI shared.
8. Submitter's representations
By checking the BAA acceptance checkbox on the submission form, the Submitter represents and warrants that:
- The Submitter is either a Covered Entity under HIPAA or has the lawful authority to share the submitted data on behalf of a Covered Entity.
- The Submitter has obtained any necessary authorizations from individuals whose PHI is included in the submission, or has determined that no individual authorization is required under the HIPAA Rules.
- The submission complies with the Submitter's own applicable Notice of Privacy Practices and any contractual restrictions on the data.
9. Termination and return of PHI
Either party may terminate this Agreement on thirty (30) days written notice. Upon termination, Archer will, at the Submitter's election, either return or destroy all PHI received under this Agreement that Archer maintains in any form. If return or destruction is not feasible for a portion of the PHI, Archer will continue to extend the protections of this Agreement to that portion for as long as Archer retains it.
10. Governing law
This Agreement is governed by the laws of the State of Mississippi, without regard to its conflict-of-laws principles, except to the extent preempted by federal law including HIPAA.
11. Entire agreement; amendments
This Agreement is the complete and exclusive statement of the parties' agreement on the matters addressed herein. Archer may amend this Agreement to comply with changes in HIPAA or related law; the amended version will be posted at this URL with a revised "Last updated" date. Continued submission of data after an amendment constitutes acceptance of the amended terms.
Contact
Questions about this Agreement, requests for a counter-signed copy, or
notices required under this Agreement should be directed to:
Cole Hawkins, CEO
Archer Health, Inc.
222 Hidden Creek Circle, Ridgeland, MS 39157
[email protected]