BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (the "BAA") is entered into as of the date of electronic acceptance (the "Effective Date") by and between:
Covered Entity: The Clinic, Provider, or organization accepting these terms ("Covered Entity").
Business Associate: IGNITE SYNERGY, Inc., a Delaware corporation with a mailing address of 11024 Montgomery Blvd. NE, #291, Albuquerque, NM 87111 ("Business Associate").
Business Associate utilizes Google Cloud Platform to provide services to the Covered Entity. Covered Entity and Business Associate are each a "Party" and, collectively, the "Parties".
1. BACKGROUND
Covered Entity is a "covered entity" or "business associate" under HIPAA and is required to comply with regulations regarding the privacy and security of Protected Health Information (PHI).
Business Associate provides SaaS EHR services to Covered Entity through Google Cloud Platform.
In providing these services, Business Associate will have access to PHI and acts as a "business associate" of the Covered Entity.
Both Parties are committed to complying with federal and state laws governing the confidentiality and privacy of health information.
2. USE AND DISCLOSURE OF PHI
Permitted Use: Business Associate may use or disclose PHI as reasonably necessary to provide services to the Covered Entity and as required by law.
Management & Administration: Business Associate may use PHI for its own proper management, administration, and to carry out legal responsibilities.
Third-Party Assurances: Business Associate may disclose PHI to third parties for management purposes if the disclosure is required by law or if the third party provides written assurance that the PHI will remain confidential. Covered Entity may conduct reasonable on-site or remote audits annually and after material incidents, with remediation timelines.
Minimum Necessary: Business Associate will limit the use, disclosure or request of PHI to the minimum amount necessary to accomplish the intended purpose, in accordance with applicable law, including the HIPAA Privacy Rule.
Data Ownership: This agreement does not confer any data ownership rights to the Business Associate regarding data shared by the Covered Entity. Covered Entity retains all right, title, and interest in PHI and derivative works; Business Associate receives only limited license to use PHI to provide services.
De-Identification Rights: Business Associate may De-Identify PHI in accordance with HIPAA standards, expert determination, or Safe Harbor rules. Once De-Identified, such information is no longer PHI and cannot be re-identified. Business Associate may use such De-Identified information for its own business purposes, including service improvement and data analysis, but excluding sale or licensing to third parties without the consent of Covered Entity. Business Associate will document de-identifying methodology and retain expert reports. Covered Entity may also opt out of Business Associate’s use of De-Identified Information with notice to Business Associate.
3. SAFEGUARDS AND REPORTING
Safeguards: Business Associate will implement administrative, physical, and technical safeguards, including, but not limited to, background checks, risk assessments, vulnerability management, patching Service Level Agreements (SLA), logging and monitoring, and encryption of PHI in transit or at rest to protect the confidentiality, integrity, and availability of Electronic PHI using industry-standard algorithms.
Incident Reporting: Initial notice should be provided to Covered Entity within 24-72 hours of discovery. Business Associate will make a final report of any Security Incident or unauthorized use of PHI to the Covered Entity within 30 business days.
Breach Notification: Initial notice should be provided to Covered Entity within 24-72 hours of discovery. Business Associate will notify the Covered Entity of any Breach of Unsecured PHI within 30 calendar days of discovery.
Investigation and Cooperation: Business Associate shall cooperate with Covered Entity in investigating a Security Incident and assist Covered Entity in responding to the incident or determining if such incident constitutes a Breach. Business Associate shall preserve logs/evidence, provide forensic images on request, and cooperate with third-party investigators designated by Covered Entity. Business Associate shall also provide prompt response to governmental inquiries, subpoenas, and investigations related to PHI and cooperate with Covered Entity in responses.
Mitigation: Business Associate will take reasonable measures to mitigate harmful effects of any unauthorized PHI use or disclosure.
4. SUBCONTRACTORS AND AUDITS
Subcontractor Compliance: Business Associate will ensure that any agents or subcontractors (including Google Cloud Platform) agree in writing to the same restrictions and safeguards contained in this BAA, including adherence to notice and reporting requirements. If there is a material change to security practices, hosting locations, subprocessors, or service architectures that could affect PHI, Covered Entity retains the right to discuss, mitigate, and terminate this Agreement if this material change is adverse to Covered Entity.
Audit Access: Upon request, Business Associate will provide the Covered Entity with a copy of its most recent independent HIPAA compliance report, summaries of relevant privacy and security policies, or equivalent third-party audit.
5. INDIVIDUAL RIGHTS
Access and Amendment: Business Associate will provide the Covered Entity with copies of PHI in a Designated Record Set and make amendments as directed to satisfy an individual's rights.
Accounting of Disclosures: Business Associate will document and provide information for an accounting of disclosures within 10 business days of a written request. Business Associate will maintain and provide detailed disclosure and access logs for required HIPAA accounting periods, retain for a minimum of six (6) years, and support reporting on request within defined Service Level Agreements (SLA).
Forwarding Requests: If an individual contacts the Business Associate directly regarding their PHI, the Business Associate will forward that request to the Covered Entity within 10 business days.
6. TERM AND TERMINATION
Term: This BAA is effective until all obligations are met or the main Agreement is terminated.
Termination for Cause: Either Party may terminate this BAA if the other Party breaches a material term and fails to cure it within 30 days of written notice.
Return or Destruction: Upon termination, Business Associate will return or destroy all PHI or export PHI in unusable, documented formats within a reasonable timeline to Covered Entity. If destruction is not feasible, Business Associate will extend BAA protections to that information for as long as it is retained.
7. MISCELLANEOUS
Notices: All communications regarding this BAA should be sent to the address above or via email to legal@ignitesynergy.com.
Conflicts: The terms of this BAA govern in the event of a conflict with any other service agreements.
Indemnification: Each Party indemnifies the other for third-party claims arising from each party’s breach, gross negligence, or willful misconduct.
Breach: Business Associate bears reasonable costs arising from its breach: notification, call center, credit monitoring/identity protection, forensics, remediation, regulatory fines to the extent allowed, and third-party claims.
Survival: The confidentiality, indemnity, audit, cooperation, and record-retention obligations of this Agreement survive termination.
Governing Law and Disputes: The governing law in this Agreement is in accordance with the State of New Mexico. The Parties agree any dispute arising out of this Agreement will first be arbitrated. Failing arbitration, the parties shall submit to a court of competent jurisdiction in the State of New Mexico.
HITECH Compliance: Both Parties agree to comply with the HITECH Act and negotiate in good faith to modify this BAA as necessary for future regulatory changes.
Electronic Acceptance
By checking the box "I Accept" and continuing to use the Ignite Synergy SaaS EHR platform, you represent that you are an authorized representative of the Covered Entity with the authority to bind said entity to these terms. The Parties agree that this electronic action constitutes a valid and binding signature.