Business Associate Agreement
HIPAA Business Associate Agreement Template
This Business Associate Agreement ("BAA") is entered into by and between the healthcare organization or covered entity ("Covered Entity") and Nexum Health ("Business Associate") and supplements any underlying service agreement between the parties.
1. Definitions
Terms used but not otherwise defined in this BAA shall have the same meaning as defined in the HIPAA Rules (45 CFR Parts 160 and 164).
- Protected Health Information (PHI): Individually identifiable health information transmitted by or maintained in electronic media or any other form or medium.
- Electronic Protected Health Information (ePHI): PHI that is transmitted by or maintained in electronic media.
- HIPAA Rules: The Privacy, Security, Breach Notification, and Enforcement Rules as codified at 45 CFR Parts 160 and 164.
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with system operations.
2. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this BAA or as required by law.
- Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, including compliance with the HIPAA Security Rule.
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any security incident or breach of unsecured PHI.
- Ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this BAA.
- Make available PHI in accordance with the individual's right of access under 45 CFR 164.524.
- Make available PHI for amendment and incorporate any amendments to PHI as directed by Covered Entity.
- Maintain and make available information required for Covered Entity to provide an accounting of disclosures.
- Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as follows:
- As necessary to perform services under the underlying service agreement, including claim scrubbing, billing management, reporting, and related healthcare operations.
- As required by law.
- For the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the recipient that PHI will be held confidentially.
Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted under this Section.
4. Breach Notification
Business Associate shall report to Covered Entity any breach of unsecured PHI without unreasonable delay and in no case later than 30 calendar days after discovery of the breach. The notification shall include, to the extent possible: the nature of the breach, the types of PHI involved, the individuals affected, the steps taken to mitigate harm, and the corrective actions planned.
5. Term and Termination
This BAA shall be effective as of the date of execution and shall terminate when all PHI is destroyed or returned to Covered Entity; if return or destruction is not feasible, protections are extended indefinitely. Either party may terminate this BAA if the other party materially breaches any provision and fails to cure the breach within 30 days of written notice. Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity within 30 days. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI for as long as it is maintained.
6. Contact for BAA Execution
To execute a Business Associate Agreement with Nexum Health, please contact us:
Nexum Health
Email: hello@nexum.health