HIPAA requires a Business Associate Agreement (BAA) before Dexzyle handles protected health information on your behalf. When you sign up, you accept this agreement electronically as part of onboarding — nothing extra to do. If your compliance team needs a signed copy on file, download the version below already executed by Dexzyle, complete your organization's details and signature, and return it to support@dexzyle.com.
This Business Associate Agreement ("Agreement") is entered into as of ____________________ (the "Effective Date") by and between:
Covered Entity: ____________________________________________ ("Covered Entity"), with a principal place of business at ____________________________________________; and
Business Associate: Dexzyle Communication LLC, a Colorado limited liability company ("Business Associate"), with a principal place of business in Denver, Colorado.
Covered Entity and Business Associate are each a "Party" and together the "Parties."
Covered Entity wishes to engage Business Associate to provide secure healthcare communication and related services (the "Services"), and in connection with the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity. The Parties enter into this Agreement to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 C.F.R. Parts 160 and 164 (the "HIPAA Rules").
Capitalized terms used but not otherwise defined in this Agreement have the meanings given to them in the HIPAA Rules, including "Breach," "Data Aggregation," "Designated Record Set," "Disclosure," "Electronic Protected Health Information" ("ePHI"), "Individual," "Minimum Necessary," "Protected Health Information," "Required by Law," "Secretary," "Security Incident," "Subcontractor," "Unsecured Protected Health Information," and "Use."
2.1 Business Associate may Use or Disclose PHI only as necessary to perform the Services described in the underlying services agreement between the Parties, as permitted by this Agreement, or as Required by Law.
2.2 Business Associate may Use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities.
2.3 Business Associate may Disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that the Disclosure is Required by Law, or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and that the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
2.4 Business Associate may provide Data Aggregation services relating to the health care operations of Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.5 Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)-(c), and de-identified information is no longer subject to this Agreement.
2.6 Business Associate shall make reasonable efforts to Use, Disclose, and request only the Minimum Necessary PHI to accomplish the intended purpose.
3.1 Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards, and shall comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement.
3.2 Reporting. Business Associate shall report to Covered Entity any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, any Security Incident of which it becomes aware, and any Breach of Unsecured PHI as required by 45 C.F.R. § 164.410. Business Associate shall provide notice of a Breach of Unsecured PHI without unreasonable delay and in no case later than sixty (60) days after discovery, including, to the extent possible, the identification of each Individual affected and any other information required for Covered Entity to meet its notification obligations under 45 C.F.R. § 164.404.
3.3 Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions at least as restrictive as those that apply to Business Associate under this Agreement.
3.4 Access. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity as necessary for Covered Entity to respond to Individuals' requests for access under 45 C.F.R. § 164.524.
3.5 Amendment. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available for amendment and incorporate any amendments as directed by Covered Entity pursuant to 45 C.F.R. § 164.526.
3.6 Accounting of Disclosures. Business Associate shall maintain and make available to Covered Entity the information required to provide an accounting of Disclosures to an Individual as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528.
3.7 Obligations Performed on Behalf of Covered Entity. To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 C.F.R. Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
3.8 Availability to the Secretary. Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining compliance with the HIPAA Rules.
4.1 Covered Entity shall notify Business Associate of any limitation in Covered Entity's notice of privacy practices, any changes in or revocation of permission by an Individual to Use or Disclose PHI, and any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by, in each case to the extent such limitation, change, revocation, or restriction may affect Business Associate's Use or Disclosure of PHI.
4.2 Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as permitted under Section 2 of this Agreement.
5.1 Term. This Agreement is effective as of the Effective Date and shall terminate when all PHI provided to Business Associate, or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if return or destruction is infeasible, protections are extended to such PHI in accordance with Section 5.3.
5.2 Termination for Cause. Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach within thirty (30) days, and may terminate this Agreement and the underlying services agreement if Business Associate does not cure the breach within that period. Business Associate may likewise terminate this Agreement if Covered Entity materially breaches this Agreement and fails to cure within thirty (30) days of written notice.
5.3 Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form, and shall retain no copies. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. This Section shall survive termination.
6.1 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
6.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as required for compliance with the HIPAA Rules and other applicable law.
6.3 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
6.4 No Third-Party Beneficiaries. Nothing in this Agreement is intended to confer any rights, remedies, obligations, or liabilities upon any person other than the Parties and their respective successors and assigns.
6.5 Relationship to Services Agreement. In the event of a conflict between this Agreement and the underlying services agreement with respect to PHI, this Agreement controls.
6.6 Governing Law. This Agreement shall be governed by the laws of the State of Colorado, except to the extent preempted by federal law.
Covered Entity
Organization: ____________________________________________
Signature: ____________________________________________
Name: ____________________________________________
Title: ____________________________________________
Date: ____________________
Business Associate — Dexzyle Communication LLC
Signature: ____________________________________________
Name: ____________________________________________
Title: ____________________________________________
Date: ____________________