Business Associate Agreement
This Business Associate Agreement (the “BAA”) is made and entered into _______________ (the “Effective Date”) by and between Flexpa USA, Inc. (“Flexpa”) and ________________ (“Client”), hereinafter referred to individually as a “Party” and together as “the Parties.”
WHEREAS, pursuant to the Flexpa Service Agreement dated _____________ (the “Services Agreement”), which is hereby incorporated herein by reference, Flexpa provides certain functions, activities, and services (the “Services”) to Client;
WHEREAS, in its provision of the Services, Flexpa may create, receive, maintain, or transmit Protected Health Information (“PHI”) for, or on behalf of, Client;
WHEREAS, Client is a Business Associate of its Covered Entity clients and Flexpa’s provision of the Services would make Flexpa a Business Associate of Client as its subcontractor;
WHEREAS, both Client and Flexpa intend to comply with requirements under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”) to protect the privacy and security of PHI and wish to set forth the terms and conditions pursuant to which PHI will be used and disclosed.
WHEREAS,
- Flexpa provides services to the Client and that, as a result, may access, view, transmit, store or otherwise use Protected Health Information and Electronic Protected Health Information (collectively referred to herein as "PHI").
- Client seeks certain assurances from Flexpa, and Flexpa wishes to provide such assurances to the Client, to help it achieve and maintain compliance with the Privacy Rule, Security Rule and Breach Notification Rule.
NOW, THEREFORE, Flexpa and Client agree as follows:
1. Definitions.
- Breach shall have the same meaning as the term “breach” at 45 CFR § 164.402.
- Business Associate shall have the same meaning as the term “business associate” at 45 CFR § 160.103.
- Covered Entity shall have the same meaning as the term “covered entity” at 45 CFR § 160.103.
- Designated Record Set shall have the same meaning as the term “designated record set” at 45 CFR § 164.501.
- Electronic Protected Health Information (“ePHI”) shall have the same meaning as the term “electronic protected health information” at 45 CFR § 160.103.
- HHS shall mean the United States Department of Health and Human Services.
- Individual shall have the same meaning as the term “individual” at 45 CFR § 160.103.
- Protected Health Information (“PHI”) shall have the same meaning as the term “protected health information” at 45 CFR § 160.103, limited to the information created or received by Flexpa from or on behalf of Client. References to PHI shall include, but not be limited to, ePHI.
- Required by Law shall have the same meaning as the term “required by law” at 45 CFR § 164.103.
- Secretary shall mean the Secretary of the United States Department of Health and Human Services or his or her designee.
- Security Incident shall have the same meaning as the term “security incident” at 45 CFR § 164.304.
- Unsecured Protected Health Information (“Unsecured PHI”) shall have the same meaning as the term “unsecured protected health information” at 45 CFR § 164.402.
2. General Terms.
- Interpretation of Provisions. In the event of an inconsistency between the provisions of this BAA and the mandatory terms of HIPAA (as may be expressly amended from time to time), HIPAA shall prevail.
- Provisions Permitted by HIPAA. Where provisions of this BAA are different from those mandated by HIPAA, but are nonetheless permitted by HIPAA, the provisions of this BAA shall control.
- Conflicts with Service Agreement. In the event of an inconsistency between the provisions of this BAA and the Service Agreement, the provisions of this BAA shall prevail to the extent necessary to allow the Parties to comply with HIPAA.
3. Obligations and Activities of Flexpa.
- Limits on Use and Disclosure. Flexpa agrees not to use or further disclose PHI other than as permitted or required by this BAA or as Required by Law.
- Safeguards. Flexpa agrees to use reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI and to prevent the use or disclosure of PHI not provided for by this BAA.
- Report of Improper Use or Disclosure. Flexpa shall, following the discovery of a breach of PHI not provided for by this BAA, including any Breach of Unsecured PHI, notify Client of such breach promptly without unreasonable delay and in no event later than sixty (60) days after discovery of the breach. A Breach of Unsecured PHI or Security Incident is considered “discovered” as of the first day on which the Breach of Unsecured PHI or Security Incident is known, or reasonably should have been known, to Flexpa. Flexpa shall, following the discovery of a Security Incident, notify Client of such Security Incident promptly without unreasonable delay and in no event later than sixty (60) days after discovery of the Security Incident. When notifying Client, Flexpa shall, to the extent possible, include (a) identifying information (PatientIDs) for patients whose data is reasonably believed by Flexpa to have been accessed, acquired, used, or disclosed during the breach, (b) a point of contact at Flexpa for Client to direct inquiries regarding the breach, and (c) a description of remediation measures implemented by Flexpa to resolve the breach. The Parties acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents which are trivial in nature and the Parties agree that no additional notification to Client of such Unsuccessful Security Incidents is required. “Unsuccessful Security Incidents” include, but are not limited to, pings and other broadcast attacks on Flexpa’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above.
- Agents and Subcontractors. Flexpa agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from Client or created or received by Flexpa on behalf of Client, agrees to the same restrictions and conditions that apply through this BAA to Flexpa with respect to PHI.
- Access to Records. Upon written request, Flexpa shall make available PHI in a Designated Record Set for Client’s Covered Entity client to comply with its obligations under 45 CFR § 164.524 with respect to providing an Individual with access to PHI in a Designated Record Set.
- Amendments to PHI. Upon written request, Flexpa shall amend PHI in a Designated Record Set or take other measures as reasonably necessary for Client’s Covered Entity client to comply with its obligations under 45 CFR § 164.526 with respect to amending PHI in a Designated Record Set.
- Documentation of Disclosures. Upon written request, Flexpa shall provide documentation of disclosures for Client’s Covered Entity client to respond to a request for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. The documentation shall include: (i) the date of the disclosure; (ii) the name of the person receiving the PHI, and, if known, the address of such person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure or, instead of such statement, a copy of the request for disclosure. The above disclosure requirements shall not apply to disclosures that are excepted pursuant to 45 CFR § 164.528(a)(1).
- Availability of Internal Practices, Books, and Records. Flexpa shall make internal practices, books, and records relating to the use and disclosure of PHI received from Client, or created or received by Flexpa on behalf of Client, available to Client or at the request of Client to the Secretary, in a time and manner designated by Client or the Secretary, for purposes of determining Client’s compliance with HIPAA.
4. Permitted Uses and Disclosures by Flexpa.
- Use or Disclosure to Perform Services. Subject to the provisions in this BAA, Flexpa may use or disclose PHI on behalf of Client as necessary to provide the Services and as otherwise provided in this BAA if such use or disclosure of PHI would not violate HIPAA if done by Client’s Covered Entity client.
- Data Aggregation. Flexpa may use or disclose PHI to perform data aggregation services as permitted by 45 CFR § 164.504(e)(2)(i)(B) to perform those functions, activities or services for, or on behalf of, Client as specified in the Services Agreement, provided that use or disclosure would not violate (i) the Privacy Rule or Security Rule if done by Client or (ii) the minimum necessary policies and procedures of Client for which Client provides services.
- De-identification. Flexpa may de-identify any and all PHI received or created by Flexpa for or on behalf of Client in accordance with 45 CFR §§ 164.514(a)-(c). Client acknowledges that such de-identified information no longer constitutes PHI and is not subject to this BAA.
- Use of PHI for Management and Administration. Except as otherwise limited in this BAA, Flexpa may use PHI for the proper management and administration of Flexpa or to carry out Flexpa’s legal responsibilities.
- Disclosure of PHI for Management and Administration. Except as otherwise limited in this BAA, Flexpa may disclose PHI to a third party for the proper management and administration of Flexpa or to carry out Flexpa’s legal responsibilities, provided that
(a) the disclosure is Required by Law, or
(b) Flexpa obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Flexpa of any instances of which it is aware in which confidentiality of the information has been breached.
5. Obligations of Client.
- Notice of Privacy Practices. Client shall notify Flexpa of any limitations of which it is aware in the applicable Notice of Privacy Practices required by 45 CFR § 164.520 to the extent that such limitations may affect Flexpa’s permitted uses or disclosures of PHI.
- Change or Revocation of Permission. Client shall notify Flexpa of any changes in, or revocation of, permission by an Individual to use or disclose PHI of which it is aware, if such changes affect Flexpa’s permitted uses and disclosures.
- Restrictions on Use or Disclosure. Client shall notify Flexpa of any restriction on the use or disclosure of PHI that Client’s Covered Entity client has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Flexpa’s use or disclosure of PHI. The Parties agree to negotiate in good faith appropriate amendment(s) to this BAA to give effect to these revised restrictions.
- Permissible Requests by Client. Except as necessary for the management, administrative, and legal activities of Flexpa as allowed in this BAA, Client shall not request that Flexpa use or disclose PHI in any manner that would not be permissible under HIPAA if done by Client’s Covered Entity client.
6. Term and Termination.
- Term. This BAA shall be effective as of the Effective Date and shall have a term that runs concurrently with that of the Service Agreement. Upon termination of the Service Agreement or BAA, the obligations of the parties under this BAA shall continue in effect only for the limited purpose of complying with the terms of Section 6.4. Upon Flexpa’s compliance with the terms of Section 6.4, all obligations under the BAA shall terminate.
- Termination of Service Agreement. If the Service Agreement terminates for any reason, this BAA shall also terminate.
- Termination for Cause. Upon a party’s knowledge of a material breach by the other party of the terms of this BAA, the first party shall provide written notice of such breach in sufficient detail to enable the breaching party to understand the specific nature of the breach and provide an opportunity for the breaching party to cure the breach or end the violation. Either party may terminate this BAA and the Service Agreement if the breaching party does not cure the breach or end the violation within a reasonable time period specified by the first party in such notice, provided that such time period shall be at least 30 days.
- Effect of Termination. Upon termination of this BAA, Flexpa shall return or destroy, if return or destruction is feasible, all PHI received from Client or created or received by Flexpa on behalf of Client. Upon the mutual agreement of the Parties that returning or destroying the PHI is infeasible, Flexpa shall provide to Client notification of the conditions that make return or destruction infeasible, extend the protections of this BAA to such PHI, and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Flexpa maintains such PHI.
7. Indemnification and Limitation of Liability.
- Indemnification. Flexpa agrees to hold Client harmless from and against all claims, actions, proceedings, damages, losses, judgments, settlements, costs and expenses (including attorneys’ fees) arising from or in connection with any breach of this BAA by Flexpa. For avoidance of doubt, this Section 7.1 does not cover any indemnification obligation related to the Services Agreement or that is covered by Section 6 of the Services Agreement.
- Patient Notifications Indemnification. In the event Client or a covered entity for which Client provides services is required, pursuant to the Breach Notification Rule, to notify Individuals that their Unsecured PHI has been impermissibly acquired, accessed, used or disclosed due to a breach of this Business Associate Agreement, Flexpa further agrees to indemnify Client for all reasonable costs, expenses and fees related to the breach notification and any costs to mitigate the breach.
- Limitation of Liability. Notwithstanding the foregoing or any other provision in this BAA to the contrary, the total amount by which Flexpa agrees to indemnify the Client shall not exceed the fees paid by Client to Flexpa pursuant to the Services Agreement. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS BAA, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR LOST PROFITS OR REVENUE OR FOR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, COVER, SPECIAL, RELIANCE OR EXEMPLARY DAMAGES, OR INDIRECT DAMAGES OF ANY TYPE OR KIND HOWEVER CAUSED, FROM OR IN CONNECTION WITH THIS BAA (AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) TO THE MAXIMUM EXTENT PERMITTED BY LAW.
8. Miscellaneous.
- Assignment. This BAA shall be binding upon and inure to the benefit of the respective legal successors of the Parties. Neither this BAA nor any rights or obligations hereunder may be assigned, in whole or in part, without the prior written consent of the other Party.
- Survival. The respective rights and obligations of Flexpa and Client under Section 6 shall survive termination of this BAA.
- Amendment. The Parties agree to make reasonable efforts to amend this BAA from time to time as is necessary for compliance with the requirements of HIPAA. Any amendment or modification of this BAA pursuant to this Section 8.3 must comply with the requirements set forth in Section 8.6.
- Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect, or as amended, and for which compliance is required.
- Entire BAA. This document, together with any written schedules, amendments, and addenda, constitute the entire BAA of the Parties and supersedes all prior oral and written BAAs or understandings between them with respect to the matters provided for herein.
- Modifications. Any modification to this BAA shall be valid only if made in writing and signed by a duly authorized agent of both Parties.
- Severability. The Parties agree that if a court determines, contrary to the intent of the Parties, that any of the provisions or terms of this BAA are unreasonable or contrary to public policy, or invalid or unenforceable for any reason in fact, law, or equity, such unenforceability or invalidity shall not affect the remaining terms and provisions of this BAA. Should any particular provision of this BAA be held unreasonable or unenforceable for any reason, then such provision shall be given effect and enforced to the fullest extent that would be reasonable and enforceable.
- Waiver of Breach. No failure or delay by either Party in exercising its rights under this BAA shall operate as a waiver of such rights, and no waiver of any breach shall constitute a waiver of any prior, concurrent, or subsequent breach.
- Titles. Titles or headings are used in this BAA for reference only and shall not have any effect on the construction or legal effect of this BAA.
- Independent Contractors. For purposes of this BAA, Flexpa is and will act at all times as an independent contractor of Client. None of the provisions of this BAA are intended to create, nor shall be deemed or construed to create, any relationship other than that of independent entities contracting with each other. None of the provisions of this BAA are intended to establish, nor shall be deemed or construed to establish, any partnership, agency, employment agreement, or joint venture between the Parties.
- No Third-Party Beneficiaries. It is the intent of the Parties that this BAA is to be effective only in regards to their rights and obligations with respect to each other. It is expressly not the intent of the Parties to create any independent rights in any third party or to make any third-party beneficiary of this BAA.
- Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA, the Privacy Rule, the Security Rule, the Breach Notification Rule and the HITECH Act, as applicable.
- Governing Law. This BAA shall be interpreted, construed and enforced pursuant to and in accordance with the laws of the state of California, without regard to its conflicts of law principles.
- Force and Effect. The Parties acknowledge and agree that this BAA shall be of no force and effect unless and until a duly authorized representative of each party has signed the following signature page where indicated.
- Representation and Warranty. Each Party represents and warrants that it has full power and authority to enter into this BAA, and the person signing this BAA on behalf of either Party warrants that he/she has been duly authorized and empowered to do so.
IN WITNESS WHEREOF, the parties’ authorized signatories have duly executed this BAA as of the Effective Date.
April 1, 2024
Flexpa USA Inc