Business Associate Agreement
This Business Associate Agreement (“BAA”) becomes effective on the date a Covered Entity creates an account for use of eTherapyFiles, which is an electronic health record (“EHR”) system owned and operated by Providers Care Billing LLC (the “Effective Date”). This BAA is entered into by and between Providers Care Billing LLC (“Business Associate”) and the customer entity agreeing to this BAA (“Covered Entity”). This BAA forms part of, and is incorporated into, the eTherapyFiles Terms of Service or other governing service agreement between the parties (the “Service Agreement”).
Background and Purpose
- Covered Entity is a “covered entity” as defined under 45 C.F.R. § 160.103.
- Business Associate provides software and related services through the eTherapyFiles platform.
- In performing such services, Business Associate may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity.
- The parties intend to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and all applicable regulations and guidance issued by the U.S. Department of Health and Human Services.
This BAA is intended to satisfy the requirements of 45 C.F.R. §§ 164.308, 164.314, 164.502(e), and 164.504(e).
Definitions
Terms used but not otherwise defined in this BAA shall have the meanings set forth in HIPAA and its implementing regulations.
- Breach: As defined in 45 C.F.R. § 164.402.
- Designated Record Set: As defined in 45 C.F.R. § 164.501.
- Electronic Protected Health Information (“ePHI”): As defined in 45 C.F.R. § 160.103.
- Individual: As defined in 45 C.F.R. § 160.103.
- Privacy Rule: 45 C.F.R. Parts 160 and 164, Subparts A and E.
- Security Rule: 45 C.F.R. Parts 160 and 164, Subparts A and C.
- Unsecured PHI: As defined in 45 C.F.R. § 164.402.
Permitted Uses and Disclosures
Business Associate may use or disclose PHI solely to:
- Provide, operate, maintain, and support the eTherapyFiles platform in accordance with the Service Agreement;
- Perform internal management, administrative, and legal responsibilities;
- Comply with applicable legal obligations;
- Provide data aggregation services related to Covered Entity’s healthcare operations;
- Create de-identified information in compliance with 45 C.F.R. § 164.514, which may be used for lawful purposes.
Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if performed by Covered Entity.
Safeguards and Compliance Obligations
Business Associate agrees to:
- Implement appropriate administrative, physical, and technical safeguards to protect PHI and ePHI;
- Comply with applicable provisions of the HIPAA Privacy Rule, Security Rule, and HITECH Act;
- Limit uses and disclosures of PHI to the minimum necessary to perform its obligations;
- Ensure that any subcontractors who handle PHI agree in writing to equivalent HIPAA protections.
Reporting and Incident Response
- Business Associate shall notify Covered Entity without unreasonable delay, and no later than fifteen (15) business days, after discovering any:
  - Unauthorized use or disclosure of PHI;
  - Security Incident; or
  - Breach of Unsecured PHI.
- Such notice shall include available details regarding the nature of the incident, affected individuals, types of PHI involved, mitigation steps, and corrective actions taken.
- Business Associate shall cooperate with Covered Entity in investigating and responding to any such event.
Routine unsuccessful security events (e.g., failed login attempts or port scans) do not require individual notice.
Individual Rights
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall:
- Provide access to PHI as required under 45 C.F.R. § 164.524;
- Make amendments to PHI as directed under 45 C.F.R. § 164.526;
- Provide an accounting of disclosures as required under 45 C.F.R. § 164.528.
If Business Associate receives a request directly from an Individual, it will direct the Individual to Covered Entity.
Obligations of Covered Entity
Covered Entity agrees to:
- Provide Business Associate with notice of any applicable privacy restrictions or authorizations;
- Not request Business Associate to use or disclose PHI in violation of HIPAA;
- Limit PHI disclosures to the minimum necessary for services.
Term and Termination
- This BAA shall remain in effect for the duration of the Service Agreement.
- Either party may terminate this BAA upon written notice if the other party materially breaches this BAA and fails to cure within thirty (30) days.
- Upon termination, Business Associate shall return or destroy all PHI, unless infeasible, in which case protections under this BAA shall continue to apply.
Miscellaneous
- Regulatory Changes: This BAA shall automatically adjust to comply with future HIPAA amendments.
- Interpretation: Any ambiguity shall be resolved to permit HIPAA compliance.
- Independent Contractors: The parties are independent contractors.
- No Third-Party Beneficiaries: No third party shall have rights under this BAA.
- Governing Law: Governed by the law specified in the Service Agreement.
- Survival: Obligations relating to PHI survive termination.
Notices
Notices to Business Associate shall be sent either by mail to:
Providers Care Billing LLC
eTherapyFiles (E.H.R Section)
Attn: Compliance Officer
1901 N Roselle Rd, Ste 820AB
Schaumburg, IL 60195
or by email to Support@etherapyfiles.com.
All notices to Covered Entity shall be by email at the email address provided upon account creation. Each party may change its address for receiving notices during the term of this BAA by providing written notice to the other party.