arrow_back All legal documents

Business Associate Agreement (BAA)

FluentWorks, Inc. and Customer

Version v1.0Last updated —Effective on acceptance

At a glance

  • Required if you use Fluent with patient health information (PHI).
  • Describes how PHI is safeguarded and how incidents are handled.
  • You can download a copy after acceptance.

Business Associate Agreement

This Business Associate Agreement (“BAA”) is entered into as of the date last signed by the parties (the “Effective Date”) between FluentWorks, Inc. (“Fluent,” “Business Associate,” “we,” “our,” or “us”) and the customer identified on the signature page hereto (“Customer,” “you,” or “your”). Fluent and Customer may individually be referred to as a “party” and collectively as the “parties.”

Recitals

A. Customer is either a “covered entity” or “business associate,” as those terms are defined under HIPAA. In that capacity, Customer is required to comply with HIPAA requirements regarding the confidentiality, privacy, and security of Protected Health Information.

B. Business Associate provides the Services to Customer pursuant to a Master Services Agreement between the parties (the “MSA”). In connection with the Services, the parties anticipate that Business Associate may from time to time create, receive, maintain, or transmit Protected Health Information for or on behalf of Customer. By creating, receiving, maintaining, or transmitting Protected Health Information in its provision of Services, Business Associate shall become a “business associate” or “subcontractor” of Customer (as applicable) under HIPAA and will therefore have obligations regarding the confidentiality, privacy, and security of such Protected Health Information.

C. HIPAA by default. This BAA applies to the Services provided under the MSA by default. If Customer determines that it will not create, receive, maintain, or transmit PHI through the Services, Customer may request in writing that the parties execute an express written amendment or addendum stating that this BAA will not apply (a “Non-PHI Confirmation”). Absent a mutually executed Non-PHI Confirmation, this BAA remains in effect.

1. Definitions

For purposes of this BAA, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA, the MSA, or applicable law.

“HIPAA”
means the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder.
“HITECH Act”
means the security and privacy provisions of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act.
“Protected Health Information” or “PHI”
is any information, whether oral or recorded in any form or medium, that is created, received, maintained, or transmitted by Business Associate for or on behalf of Customer, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present, or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present, or future payment for health care.
“Secretary”
shall refer to the Secretary of the U.S. Department of Health and Human Services.
“Unsecured PHI”
shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). This definition applies to both hard copy PHI and electronic PHI.

2. Business Associate Obligations

2.1 Use and Disclosure of PHI

Business Associate warrants that it, its agents, and its subcontractors:

  • shall use or disclose PHI only in connection with fulfilling its duties and obligations under this BAA and the MSA;
  • shall not use or disclose PHI other than as permitted or required by this BAA, the MSA, or required by law;
  • shall not use or disclose PHI in any manner that would violate applicable federal and state laws or would violate such laws if used or disclosed in such manner by Customer; and
  • shall only use and disclose the minimum necessary PHI for its specific purposes. Customer agrees that Business Associate may rely on Customer’s instructions to determine if uses and disclosures meet this minimum necessary requirement.

2.2 Management and Administration

Subject to the restrictions set forth throughout this BAA, Business Associate may use PHI if necessary for (i) the proper management and administration of Business Associate; or (ii) to carry out the legal responsibilities of Business Associate.

2.3 Disclosures for Management and Administration

Subject to the restrictions set forth in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that:

  1. disclosures are required by law; or
  2. Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed, and the person or entity notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

2.4 Safeguards

Business Associate shall employ appropriate administrative, technical, and physical safeguards to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this BAA or the MSA. Business Associate shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this BAA or the MSA.

2.5 Audits and Records

Business Associate shall, in accordance with HIPAA, make available to the Secretary Business Associate’s internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer for purposes of determining Customer’s compliance with its obligations under HIPAA.

3. Individuals’ Rights to Their PHI

3.1 Access (45 C.F.R. § 164.524)

To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Customer (or the relevant “covered entity” where Customer acts as a “business associate”) to respond to a request by an Individual for access to PHI, Business Associate shall, within ten (10) business days upon receipt of written request by Customer, make available to Customer such PHI.

If any Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days of the request.

Customer is responsible for determining whether to grant or deny access and for responding to Individuals. Business Associate will make no such determinations.

3.2 Amendment (45 C.F.R. § 164.526)

To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Customer (or the relevant “covered entity” where Customer acts as a “business associate”) to respond to a request by an Individual for an amendment to PHI, Business Associate shall, within ten (10) business days upon receipt of a written request by Customer, make available to Customer such PHI.

If any Individual requests amendment of PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days of the request.

Customer will be responsible for determining whether to grant or deny amendment and for responding to Individuals. Business Associate will make no such determinations.

Within ten (10) business days of receipt of a request from Customer to amend an Individual’s PHI in the Designated Record Set, Business Associate shall incorporate, or make available PHI for Customer to incorporate, any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required.

3.3 Accounting of Disclosures (45 C.F.R. § 164.528)

In order to allow Customer (or the relevant “covered entity” where Customer acts as a “business associate”) to respond to a request by an Individual for an accounting of disclosures, Business Associate shall, within ten (10) business days of a written request by Customer, make available to Customer such information as is reasonably necessary for Customer to prepare an accounting.

If any Individual requests an accounting directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days of the request.

Customer will be responsible for preparing and delivering any accounting to the Individual. Business Associate shall implement an appropriate recordkeeping process to enable it to comply with the requirements of this BAA.

4. Subcontractors and Subprocessors

Business Associate shall obtain and maintain a written agreement with each subcontractor, agent, or subprocessor that has or will have access to PHI, which is received from, or created or received by, Business Associate for or on behalf of Customer, pursuant to which agreement such party agrees to be bound by the same types of restrictions, terms, and conditions that apply to Business Associate pursuant to this BAA with respect to such PHI.

Subprocessor list. A current list of Business Associate subprocessors is maintained at the FluentWorks Trust Center and may be updated from time to time.

5. Security Breach and Reporting Obligations

5.1 Security Breach (Unsecured PHI)

In the event of any verified incident of unauthorized or accidental disclosure of or access to any Unsecured PHI that Business Associate accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of Customer (“Security Breach”), Business Associate shall promptly report such Security Breach to Customer, but in no event later than ten (10) business days after the date the Security Breach is discovered.

Notice of a Security Breach shall include, to the extent such information is known to Business Associate:

  1. identification of each Individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed;
  2. the date of the Security Breach, if known, and the date of discovery;
  3. the scope of the Security Breach; and
  4. Business Associate’s response to the Security Breach, including mitigation steps.

5.2 Improper Use/Disclosure Not Constituting a Security Breach

In the event of a use or disclosure of PHI that is improper under this BAA but does not constitute a Security Breach, Business Associate shall report such use or disclosure to Customer within ten (10) business days after the date on which Business Associate becomes aware of such use or disclosure.

5.3 Unsuccessful Attempts

The parties acknowledge that unsuccessful Security Breaches (e.g., pings and other broadcast attacks on a firewall, denial-of-service attacks, port scans, unsuccessful login attempts) occur within the normal course of business and the parties stipulate and agree that this paragraph constitutes notice by Business Associate to Customer for such unsuccessful Security Breaches.

6. Customer Obligations

Customer shall not request Business Associate to use or disclose PHI in any manner that would violate applicable federal or state laws if such use or disclosure were made by Customer.

Customer shall comply with all applicable laws and regulations pertaining to PHI Customer sends, or directs to be sent, to Business Associate.

6.1 No Biometric PHI in Services

Customer agrees that it will not store or otherwise process through the Services any PHI that includes sensitive biometric information (e.g., fingerprints, iris scans, retina scans, and facial recognition imaging).

Clarification. The Services may support device-level biometric authentication features (e.g., Face ID / fingerprint unlock) that are controlled by the Customer’s device operating system. Business Associate does not require Customers to provide biometric identifiers to Business Associate and does not store or process biometric identifiers as PHI within the Services.

7. Required Notifications

Customer shall notify Business Associate of:

  • any limitation in any applicable notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI;
  • any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes may affect Business Associate’s use or disclosure of PHI; and
  • any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent such restriction may affect Business Associate’s use or disclosure of PHI.

8. Term and Termination

8.1 Term

This BAA is effective as of the Effective Date and shall terminate upon termination of the MSA in accordance with its terms, except that the provisions of this BAA shall continue to apply to PHI until all PHI is returned or destroyed in accordance with this BAA, or the protections are extended as described below.

8.2 Termination for Material Breach

Where either party has knowledge of a material breach by the other party, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the MSA affected by the material breach. Where cure is not possible, the non-breaching party shall, if feasible, terminate this BAA and the affected portion(s) of the MSA.

8.3 Return or Destruction of PHI

Upon termination of this BAA for any reason, Business Associate shall:

  1. If feasible as determined by Business Associate, return or destroy all PHI received from, or created or received by, Business Associate for or on behalf of Customer that Business Associate or any of its subcontractors and agents still maintain in any form, and Business Associate shall retain no copies of such information; or
  2. If not feasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Business Associate’s obligations under this Section shall survive termination of this BAA.

9. General

Amendment. If HIPAA or the HITECH Act is amended or interpreted in a manner that renders this BAA inconsistent therewith, the parties shall cooperate in good faith to amend this BAA to the extent necessary to comply.

Interpretation. Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA and the HITECH Act.

Limitation of Liability. The parties agree and acknowledge that the limitation of liability provisions contained under the MSA shall apply and govern each party’s performance under this BAA.

Conflicting Terms. In the event that any terms of this BAA conflict with any terms of the MSA, the terms of this BAA shall govern and control over the conflicting term. All other nonconflicting terms of the MSA shall remain valid and enforceable.