Printable agreement

Business Associate Agreement

Review, print or save as PDF, complete the signature fields, and email the signed agreement to OriNova Group.

OriNova Group

Business Associate Agreement

HIPAA Privacy, Security, and Breach Notification Requirements

This Business Associate Agreement (“BAA”) is entered into as of (“Effective Date”) by and between:

Covered EntityLegal nameAddress
Business AssociateOriNova GroupHouston, Texashello@orinovagroup.com

The Covered Entity and Business Associate are each a “Party” and together the “Parties.” This BAA supplements the service agreement or other written arrangement between the Parties (“Underlying Agreement”).

Definitions

Terms including “Breach,” “Business Associate,” “Covered Entity,” “Electronic Protected Health Information,” “Protected Health Information” (“PHI”), “Security Incident,” and “Unsecured PHI” have the meanings assigned under HIPAA and its implementing regulations, including 45 C.F.R. Parts 160 and 164. “HIPAA Rules” means the applicable Privacy, Security, Breach Notification, and Enforcement Rules.

Permitted uses and disclosures

Business Associate may use or disclose PHI only as necessary to perform reimbursement reconciliation, claim analysis, revenue cycle review, operational reporting, and related services described in the Underlying Agreement; as permitted by this BAA; or as required by law. Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted for proper management and administration or to carry out legal responsibilities.

Safeguards

Business Associate will implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI and to prevent uses or disclosures of PHI not permitted by this BAA. Business Associate will comply with applicable requirements of the HIPAA Security Rule.

Minimum necessary

Business Associate will request, use, and disclose only the minimum PHI reasonably necessary to accomplish the intended purpose, consistent with applicable HIPAA requirements and the agreed service scope.

Reporting

Business Associate will report to Covered Entity, without unreasonable delay, any use or disclosure of PHI not permitted by this BAA, any Breach of Unsecured PHI, and any Security Incident of which Business Associate becomes aware. The report will include available information reasonably necessary for Covered Entity to meet applicable notification obligations. The Parties may document reasonable reporting procedures for routine unsuccessful security events.

Subcontractors

Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions, conditions, and safeguards at least as protective as those that apply to Business Associate under this BAA.

Access, amendment, and accounting

To the extent Business Associate maintains PHI in a designated record set or otherwise holds information needed by Covered Entity, Business Associate will make PHI available as required for Covered Entity to respond to access requests, incorporate amendments as directed or required, and provide information needed for an accounting of disclosures, within timeframes reasonably specified by Covered Entity and consistent with HIPAA.

Covered Entity obligations delegated to Business Associate

To the extent Business Associate performs an obligation of Covered Entity under the HIPAA Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in performing that obligation.

Government access

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

Term and termination

This BAA begins on the Effective Date and remains in effect until the Underlying Agreement ends and all PHI is returned or destroyed as provided below. Covered Entity may terminate the Underlying Agreement and this BAA if it determines that Business Associate has violated a material term and Business Associate does not cure the breach within a reasonable period specified by Covered Entity, when cure is possible.

Return or destruction of PHI

Upon termination, Business Associate will return or destroy PHI received from Covered Entity or created, maintained, or received on its behalf, including PHI held by subcontractors, if feasible. If return or destruction is infeasible, Business Associate will extend the protections of this BAA to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.

Interpretation and amendment

This BAA will be interpreted to permit compliance with the HIPAA Rules. The Parties will amend it as reasonably necessary to comply with changes in applicable law. If this BAA conflicts with the Underlying Agreement regarding PHI, this BAA controls.

No third-party beneficiaries

Nothing in this BAA is intended to create rights in any person other than the Parties, except as required by law.

Signatures

Covered EntityAuthorized signaturePrinted name and titleDate
OriNova GroupAuthorized signaturePrinted name and titleDate