Data Processing Addendum (DPA)

Valiant Lifecare Medical Solutions (VLMS)
Last Updated: November 29, 2025


1. Introduction

This Data Processing Addendum (“DPA”) forms part of the service engagement or commercial agreement (“Agreement”) between:

Client (“Controller”)
and
Valiant Lifecare Medical Solutions (VLMS) (“Processor”)

This DPA governs how VLMS processes, stores, secures, or otherwise handles Personal Data, Protected Health Information (PHI), or any sensitive data on behalf of the Client.

This DPA ensures that both parties maintain appropriate privacy, security, and compliance practices consistent with applicable data-protection laws, including—but not limited to—HIPAA, GLBA, ISO/IEC 27001, ISO 9001:2015, and relevant U.S. state or international frameworks.


2. Definitions

“Personal Data”

Any information relating to an identified or identifiable natural person.

“PHI (Protected Health Information)”

Any individually identifiable health information processed by VLMS on behalf of the Client in accordance with HIPAA.

“Processing / Process”

Any operation performed on data, including collection, storage, use, retrieval, disclosure, transmission, or deletion.

“Controller”

The Client — the party that determines the purpose and means of processing data.

“Processor”

VLMS — the party processing data on behalf of the Controller.

“Sub-Processor”

Any third party engaged by VLMS to assist in processing.


3. Scope of Data Processing

VLMS will process Personal Data and PHI solely for the purpose of delivering contracted services, which may include:

  • Revenue Cycle Management

  • Medical Coding & HIM Services

  • Risk Adjustment

  • Quality Measurement & HEDIS

  • Analytics & Reporting

  • Clinical Abstraction

  • Chart Retrieval

  • Operational Support Services

VLMS will not process data for any secondary or unauthorized purpose.


4. Responsibilities of VLMS (Processor)

VLMS agrees to:

4.1 Process Data Only on Documented Instructions

VLMS will process data strictly according to the Client’s written instructions, including service agreements, statements of work, and documented workflows.

4.2 Maintain Confidentiality

All employees, contractors, and authorized personnel are bound by:

  • Confidentiality agreements

  • Access restrictions

  • HIPAA awareness and training

  • Data-handling policies

4.3 Implement Security & Safeguards

VLMS maintains an enterprise-grade Information Security Management System and applies:

  • Encryption (in transit & at rest)

  • Role-based access

  • Network & endpoint security

  • Multi-factor authentication

  • Activity logging & audit trails

  • Regular penetration testing

  • Secure infrastructure hosting

  • PHI-safe environments

VLMS is certified under ISO 27001:2013 and ISO 9001:2015 and is HIPAA-aligned.

4.4 Assist with Legal & Regulatory Obligations

VLMS will support the Client with:

  • Access requests (if applicable)

  • Amendments & corrections

  • Data retention & deletion

  • Audit support

  • Documentation requests

4.5 Notify Client of Security Incidents

VLMS will:

  • Notify the Client without undue delay if it becomes aware of unauthorized access, breach, or security incident involving Client data.

  • Provide a detailed incident report, remediation steps, and ongoing updates.


5. Responsibilities of the Client (Controller)

The Client agrees to:

  • Provide lawful, accurate, and authorized instructions for data processing.

  • Ensure they have the right to transfer or provide Personal Data or PHI to VLMS.

  • Maintain responsibility for determining purpose and legality of data processing.

  • Maintain their own administrative, technical, and physical safeguards.

VLMS is not responsible for issues arising from Client-side systems or unauthorized sharing of data by Client personnel.


6. Sub-Processors

VLMS may engage vetted Sub-Processors (e.g., cloud hosting, secure communication tools, analytics systems) to support service delivery.

VLMS will ensure Sub-Processors:

  • Meet security and compliance standards equal to those in this DPA.

  • Are subject to confidentiality and data-protection obligations.

VLMS will provide a list of Sub-Processors upon request.


7. Cross-Border Data Transfer

If data must be transferred across borders for processing:

  • Transfers will follow applicable legal safeguards

  • VLMS will ensure adequate protection (contractual, technical, organizational measures)

  • Data will remain encrypted and access-controlled regardless of geography

VLMS does not transfer data without Client authorization.


8. Data Retention & Deletion

VLMS retains data only for the duration necessary to provide services or as required by:

  • Legal obligations

  • Financial records

  • Contractual requirements

Upon termination of services or written request from the Client, VLMS will:

  • Securely delete or return data

  • Provide certification of deletion

  • Retain no copies except where legally required


9. Audit Rights

Upon reasonable notice, Clients may:

  • Request documentation demonstrating compliance

  • Request security policies, certifications, or audit summaries

  • Conduct a remote audit or engage a third-party auditor (subject to confidentiality)

On-site audits may be scheduled under mutually agreeable terms.


10. Data Breach Notification

In the event of a confirmed breach involving Client data, VLMS will:

  1. Notify the Client promptly

  2. Provide details of the incident

  3. Identify affected data

  4. Describe mitigation actions

  5. Support Client-led reporting obligations (if applicable)

VLMS maintains strict breach-response procedures consistent with HIPAA and ISO 27001 requirements.


11. Confidentiality

All data processed by VLMS is confidential.
VLMS will not disclose Client data to third parties except:

  • When directed in writing by the Client

  • When legally required

  • When necessary to fulfill contractual service delivery

Even in such cases, only minimal required data will be shared.


12. Limitation of Liability

VLMS’s liability arising from this DPA will follow the limitations set forth in the primary Agreement.
Neither party shall be liable for indirect, incidental, or consequential damages except as required by law.


13. Term of the DPA

This DPA remains in effect for:

  • The lifespan of the service Agreement

  • Any period where VLMS retains Client data

  • Until all data has been returned or destroyed


14. Governing Law

This DPA shall be governed by the laws and regulatory frameworks applicable to the Client’s operational region, unless otherwise specified in the primary Agreement.


15. Contact Information

For any questions related to this DPA, please contact:

Valiant Lifecare Medical Solutions (VLMS)
📧 privacy@vlms-global.com
📧 compliance@vlms-global.com
📧 support@vlms-global.com