This Data Protection & Confidentiality Agreement ("Agreement") is entered into as of [Effective Date] by and between [Law Firm Legal Name] ("Firm") and MedFetch AI LLC, an Idaho limited liability company ("Service Provider"). Each is a "Party." This Agreement supplements, and is governed by, the Master Services Agreement between the Parties.
Recitals
A. The Firm represents individual clients ("Clients") in personal-injury, workers'-compensation, disability, or similar matters.
B. At the Firm's request and pursuant to each Client's written authorization / right of access, Service Provider retrieves, aggregates, and provides AI-assisted summaries of that Client's medical records ("Protected Information").
C. Because the records are obtained through the Client's own authorization and no Covered Entity engages Service Provider, this engagement may fall outside HIPAA. The Parties nonetheless agree to protect the Protected Information to standards equivalent to the HIPAA Security Rule and to comply with applicable privacy laws.
1. Scope & Source of Authority
1.1 Service Provider accesses a Client's records only pursuant to that Client's valid authorization and only as needed to perform the services the Firm requests.
1.2 Service Provider is an independent contractor providing services requested by the Firm. Service Provider is not the Firm's agent, and nothing in this Agreement creates an agency, partnership, joint venture, or fiduciary relationship between the Parties. Service Provider does not independently determine the purposes of processing beyond performing the services the Firm requests.
2. Permitted Use
2.1 Service Provider shall use and disclose Protected Information only to perform the services for the Firm, as directed by the Firm, or as required by law.
2.2 Service Provider shall not sell Protected Information, use it for advertising, or use it to train third-party artificial-intelligence models. The services may include automated and AI-assisted extraction, classification, indexing, chronology creation, summarization, and document analysis of the Protected Information, and the Firm authorizes Service Provider to use automated and AI-assisted technologies to perform these functions. All such processing occurs within HIPAA-eligible cloud infrastructure and AI environments that contractually prohibit model training on the Firm's or Clients' data.
2.3 Service Provider may create de-identified or aggregated data in accordance with the de-identification standard at 45 CFR 164.514(a)-(c). As between the Parties, such de-identified and aggregated data is owned by Service Provider, and Service Provider may use and disclose it for analytics, benchmarking, service operation and improvement, model evaluation, research, and other lawful business purposes, provided that it does not identify, and is not used to re-identify, any Client or individual.
3. Safeguards (HIPAA-equivalent)
3.1 Service Provider shall maintain administrative, physical, and technical safeguards equivalent to the HIPAA Security Rule (45 CFR Part 164, Subpart C), including: encryption in transit (TLS 1.2+) and at rest; unique-user access controls with least privilege; multi-factor authentication on privileged accounts; server-side audit logging of access to Protected Information; and minimum-necessary handling.
3.2 Service Provider shall not store Protected Information outside its secured, access-controlled infrastructure, and shall not transmit it through non-secured channels.
4. Confidentiality
4.1 Service Provider shall hold Protected Information in strict confidence and limit access to personnel and subcontractors with a need to know for the permitted purpose.
5. Subprocessors (flow-down)
5.1 Service Provider may use subcontractors and subprocessors (including cloud-hosting, database, storage, backup, OCR, AI/machine-learning, and email-delivery providers) to provide the services, provided that each subcontractor or subprocessor that accesses Protected Information is bound in writing to protections at least as restrictive as those in this Agreement, including the breach-notification obligations in Section 6.
6. Incident & Breach Notification
6.1 Service Provider shall notify the Firm of any unauthorized access, use, or disclosure of Protected Information, or any Security Incident, without unreasonable delay and no later than five (5) business days after discovery, with the nature of the incident, the information involved, and remediation taken.
6.2 For purposes of this Agreement, "Security Incident" does not include, and Service Provider has no obligation to report, trivial or routine events that do not result in unauthorized access to, acquisition of, or disclosure of Protected Information - including unsuccessful log-in attempts, pings, port scans, probes, broadcast attacks, denied or blocked access attempts, and routine firewall or intrusion-prevention events.
6.3 The Parties acknowledge that the FTC Health Breach Notification Rule and applicable state breach-notification laws may apply. Service Provider shall, without unreasonable delay, provide the Firm the information reasonably necessary for the Firm to evaluate and satisfy any notification obligations. As between the Parties, the Firm is responsible for determining whether notification to its Clients or other consumers is required and for making any such notifications, and Service Provider shall reasonably cooperate; Service Provider remains responsible for any notifications the law requires it to make.
7. Individual (Client) Rights
7.1 The Client is the subject of, and source of authority for, the Protected Information. Service Provider shall reasonably cooperate with the Firm to honor a Client's request to access, correct, or delete the Protected Information Service Provider holds, to the extent required by applicable law and consistent with litigation-hold, evidentiary-preservation, and professional-responsibility obligations.
8. Records & Audit
8.1 Service Provider shall maintain records of its processing and safeguards and, on the Firm's reasonable request, make a summary available to demonstrate compliance with this Agreement.
9. Return or Destruction
9.1 On termination, or on the Firm's request, Service Provider shall return or securely destroy the Protected Information it holds for the relevant Client(s) and retain no copies, except where retention is reasonably necessary for legal, regulatory, audit, dispute-resolution, litigation-hold, backup, security, or recordkeeping purposes, or where return or destruction is infeasible. Where Protected Information is retained under this Section, the protections of this Agreement continue to apply for so long as it is retained, and Service Provider shall limit further use and disclosure to the purposes that require retention or that make return or destruction infeasible.
10. Term & Termination
10.1 This Agreement is effective on the Effective Date and continues for the duration of the engagement and until all Protected Information is returned or destroyed.
10.2 Termination rights are governed by the MSA; in addition, either Party may terminate this Agreement for the other's material breach of its privacy or security obligations not cured within thirty (30) days of written notice.
11. Compliance with Law
11.1 Service Provider shall comply with applicable federal and state privacy and data-security laws, including Section 5 of the FTC Act, the FTC Health Breach Notification Rule, and applicable state laws, in handling the Protected Information.
12. Preservation of Privilege
12.1 The Parties intend that disclosure of information to Service Provider in connection with the services shall not waive the attorney-client privilege, the work-product doctrine, or any other applicable privilege or protection. Service Provider shall treat all such information as privileged and confidential, limit access as provided in this Agreement, and reasonably cooperate with the Firm to preserve such privileges and protections.
13. Relationship to the Master Services Agreement
13.1 This Agreement supplements the Master Services Agreement between the Parties (the "MSA"), which is incorporated by reference. The MSA governs all commercial terms, including fees, customer warranties (including the Firm's warranty that it holds valid authorizations for each Client's records), intellectual property, disclaimers, limitation of liability, indemnification, insurance, dispute resolution, venue, and governing law. Except as expressly modified by this Agreement, the MSA remains in full force and effect, including its limitation of liability, which applies to claims under this Agreement except to the extent prohibited by law. If there is a conflict, this Agreement controls on matters of data protection, confidentiality, and security; the MSA controls on all other matters.
14. Miscellaneous
14.1 No third-party beneficiaries. This Agreement is for the sole benefit of the Parties. There are no third-party beneficiaries.
14.2 Survival. Obligations that by their nature survive termination - including Sections 2, 4, 6, 7, 9, 12, and 13 - survive.
14.3 Amendment. The Parties shall amend this Agreement as necessary to comply with changes in applicable law.
Signatures
------------------------                -------------------------------------
Firm                                    Service Provider
[Law Firm Legal Name]                   MedFetch AI LLC
By: __________________                  By: __________________
Name: ________________                  Name: Dr. Dax Sirucek
Title: _______________                  Title: Owner / Authorized Signatory
Date: ________________                  Date: ________________
------------------------                -------------------------------------