Version: 10 June 2025

Compliancy Group Terms of Service – Audit Response Program (ARP)

This Terms of Service (“TOS”) for the Compliancy Group Audit Response Program (“ARP”) is entered into between Compliancy Group, LLC (“Licensor”) and the entity receiving Audit Response Program Services (“Licensee”) or (“Client”), each a “Party” and together, the “Parties”.

SECTION 1: SCOPE OF SERVICES

Upon payment of applicable fees and execution of this Agreement, Licensee’s subscription to Compliancy Group’s Audit Response Program (ARP) becomes effective. Details of the ARP are annexed as Schedule 1.

SECTION 2: ELIGIBILITY AND TERM

To be eligible for the Audit Response Program, Licensee must have a subscription license to the Compliancy Group Application Services (“main subscription license”) and must be current in payment. The ARP service will auto-renew with the main subscription license. If Licensee’s main subscription license is cancelled or terminated, Licensee is no longer eligible for the Audit Response Program and it will be cancelled or terminated on the same date as the main subscription license.

SECTION 3: INCORPORATION BY REFERENCE

This TOS incorporates by reference the Compliancy Group Terms of Use (TOU), as set forth at https://compliancy-group.com/terms-of-use/. To the extent a provision(s) of this TOS conflicts with a provision(s) of the TOU, the provision(s) of this TOS shall prevail. 

SECTION 4: NO CONSULTING, LEGAL, AUDITING, OR INSURANCE SERVICES

The Audit Response Program (ARP) does not comprise or contain consulting, legal, or auditing services. Services provided by Licensor as part of the ARP are not, nor should they be construed as, legal services, legal advice, or any other professional services or advice. The ARP does not constitute or provide for HIPAA breach or violation remediation services. The ARP is not an insurance product or service. 

SECTION 5: NO OUTCOME GUARANTEED

Licensee’s use of the Audit Response Program does not guarantee a particular outcome or result.

SECTION 6: ACCURACY OF INFORMATION

Licensor is not responsible for the accuracy of information submitted or entered into The Guard by Licensee, or for the accuracy of any information Client submits to the Office for Civil Rights (OCR) of the Department of Health and Human Services under the ARP, and makes no representation that any such information is accurate.

SECTION 7: NO SUPPLYING OF TRADE SECRETS OR OTHER PROPRIETARY INFORMATION

Licensee may not request that Licensor provide information that is proprietary or that constitutes a trade secret. 

SECTION 8: MENTION OF LICENSOR; REPRESENTATIONS

Licensee may not misrepresent the nature or scope of the Audit Response Program, or services performed by Licensor thereunder, to OCR or to any third party.

SECTION 9: ARP LIMITATIONS

The ARP only covers documentation and information stored in or generated by The Guard.  Compliancy Group does not create or assist Client with creating or supplying Client with other information. 

The Audit Response Program is limited to HIPAA OCR investigations and HIPAA Corrective Action Plans, and may not be used for any investigation, audit, request for information, or corrective action plan under any other law or by any other entity.

Schedule 1: Audit Response Program

Compliancy Group’s Audit Response Program assists clients who have received an Initial Data Request (IDR) or Corrective Action Plan (CAP) from the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) related to HIPAA compliance. IDRs and CAPs, and OCR follow-ups (collectively, “OCR inquiries”) made under these for additional information, may require the Client to furnish HIPAA compliance documentation.

Client is responsible for requesting IDR and CAP ARP assistance. Requests should be made by clients by emailing Compliancy Group Support at [email protected]. Please note that due to the typically tight turnaround time between an IDR/CAP and the corresponding IDR’s/CAP’s deadline for submission, it’s critical that Client submits the request as soon as possible, ideally leaving Compliancy Group a minimum of six business days to assist with the creation of an ARP deliverable. In the event that Client solicits ARP support with fewer than six business days’ notice, Compliancy Group reserves the right to request a surcharge – or rush fee – to accommodate the extreme timeline. While CG will make best efforts to accommodate shortened timelines, any failure to meet timelines shorter than six business days – even in the event where a surcharge is imposed – will not be a breach of Compliancy Group’s responsibilities under these terms of service.  If Compliancy Group is unable to meet a shortened timeline for which a surcharge has been charged, Compliancy Group will refund the amount of the surcharge.

Compliancy Group will review the request. If the request meets the eligibility and criteria for the ARP as set forth in this TOS, Compliancy Group and Client will discuss the scope of services. Compliancy Group requires reasonable notice of deadlines. Compliancy Group also requests that clients supply copies of the IDR or CAP before Compliancy Group’s work begins.

If Client requests that Compliancy Group retrieve information or generate reports from Client’s Guard account for Client response to an OCR inquiry, Compliancy Group will use commercially reasonable efforts to provide information from The Guard that Client deems responsive to the inquiry, in a mutually agreed-upon format, to Client.

Alternatively, if Client requests that Compliancy Group assist the Client with determining how to access or generate the information for itself using The Guard’s reporting features and other functionality, Compliancy Group will provide commercially reasonable assistance.

Client is responsible for submitting information to OCR, for adhering to applicable OCR deadlines, and for keeping Compliancy Group informed of OCR deadlines associated with ARP requests.

Compliancy Group cannot advise Client as to whether particular information Client requests that Compliancy Group retrieve or assist Client with retrieving from The Guard is legally sufficient or responsive to OCR inquiries.

It is recommended that clients who purchase the ARP also purchase the Risk Assessment Module add-on. Completing the programs in the Risk Assessment Module would allow Client to submit additional evidence of compliance that may be conducive to effectively fulfilling OCR requests.