Business Associate Agreement

HIPAA Business Associate Agreement
Last updated: July 22, 2024

HIPAA Compliance Notice

This Business Associate Agreement (BAA) governs the handling of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.

Business Associate Agreement

This Business Associate Agreement ("BAA") is entered into between Simpl Healthcare, Inc., a Delaware corporation ("Business Associate," "Simpl," "we," "us," or "our"), and the healthcare provider or covered entity ("Covered Entity," "you," or "your") to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended.

1. Definitions

1.1 Protected Health Information (PHI): Information that is created or received by Business Associate from or on behalf of Covered Entity and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for health care provided to an individual.

1.2 Electronic Protected Health Information (ePHI): PHI that is transmitted by electronic media or maintained in electronic media.

1.3 Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

2. Permitted Uses and Disclosures

2.1 General Use: Business Associate may use or disclose PHI only as permitted or required by this BAA or as required by law.

2.2 Specific Permitted Uses: Business Associate may use PHI to:

  • Perform services as specified in the underlying service agreement
  • Provide data aggregation services relating to health care operations of Covered Entity
  • Report violations of law to appropriate Federal and State authorities
  • Perform management and administrative activities of Business Associate

2.3 Minimum Necessary: Business Associate will limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose.

3. Obligations of Business Associate

3.1 Non-Use and Non-Disclosure: Business Associate agrees not to use or disclose PHI other than as permitted or required by this BAA or as required by law.

3.2 Safeguards: Business Associate will implement appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA, including:

  • Administrative safeguards (policies, procedures, training)
  • Physical safeguards (facility access controls, workstation security)
  • Technical safeguards (encryption, access controls, audit logs)

3.3 Employee Training: Business Associate will ensure that all employees, contractors, and agents who have access to PHI receive appropriate HIPAA training.

3.4 Subcontractor Agreements: Business Associate will obtain satisfactory assurances from any subcontractor that handles PHI that the subcontractor will appropriately safeguard the information.

4. Security Requirements

Technical Safeguards

  • Encryption: All PHI encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Audit Logs: Comprehensive logging of all PHI access and modifications
  • Automatic Logoff: Session timeouts to prevent unauthorized access

Physical Safeguards

  • Data Centers: SOC 2 Type II certified facilities with 24/7 monitoring
  • Access Controls: Biometric access controls and visitor management
  • Media Disposal: Secure destruction of storage media containing PHI
  • Workstation Security: Endpoint protection and device management

5. Breach Notification

5.1 Discovery: Business Associate will notify Covered Entity of any discovery of a breach of unsecured PHI without unreasonable delay, but in no case later than sixty (60) calendar days after discovery.

5.2 Investigation: Business Associate will conduct a prompt investigation of any suspected breach and provide Covered Entity with:

  • Description of what happened and date of breach
  • Description of types of PHI involved
  • Number of individuals affected
  • Steps taken to mitigate harm
  • Contact information for further inquiries

5.3 Mitigation: Business Associate will take appropriate steps to mitigate any harmful effects of the breach and prevent future occurrences.

6. Individual Rights

6.1 Access Requests: Upon request by Covered Entity, Business Associate will provide access to PHI in a designated record set to enable Covered Entity to respond to individual requests for access.

6.2 Amendment Requests: Business Associate will make any amendments to PHI as directed by Covered Entity to enable compliance with individual amendment requests.

6.3 Accounting of Disclosures: Business Associate will provide an accounting of disclosures of PHI as necessary for Covered Entity to respond to individual requests.

7. Return or Destruction of PHI

Upon termination of this BAA, Business Associate will either return or destroy all PHI received from Covered Entity that Business Associate still maintains in any form. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

8. Compliance Certifications

SOC 2 Type II

Annual third-party security audits covering security, availability, and confidentiality.

HIPAA Compliance

Full compliance with HIPAA Security Rule and Privacy Rule requirements.

HITECH Act

Compliance with enhanced privacy and security provisions under HITECH.

State Regulations

Compliance with applicable state privacy and security regulations.

9. Term and Termination

9.1 Term: This BAA becomes effective on the date of signing and terminates when all PHI is returned or destroyed.

9.2 Survival: The obligations of Business Associate under this BAA shall survive termination of the underlying service agreement.

10. Data Location and Processing

10.1 Data Centers: PHI is stored and processed in HIPAA-compliant data centers located within the United States, with primary facilities in Virginia and California.

10.2 Cross-Border Transfer: Business Associate will not transfer PHI outside of the United States without prior written consent from Covered Entity.

10.3 Data Residency: All PHI backups and disaster recovery systems are maintained within the United States in SOC 2 certified facilities.

11. Subcontractors and Third Parties

11.1 Approved Subcontractors: Business Associate maintains a current list of all subcontractors who may have access to PHI, available upon request.

11.2 Subcontractor Agreements: All subcontractors with PHI access have executed HIPAA-compliant business associate agreements with equivalent protections.

11.3 Notification: Business Associate will notify Covered Entity of any new subcontractors that will have access to PHI at least thirty (30) days in advance.

12. Audit Rights and Compliance Monitoring

12.1 Audit Rights: Upon reasonable notice, Covered Entity may audit Business Associate's compliance with this BAA during normal business hours.

12.2 Documentation: Business Associate will maintain documentation demonstrating compliance with HIPAA requirements and make such documentation available during audits.

12.3 Third-Party Audits: Business Associate undergoes annual SOC 2 Type II audits and HIPAA assessments by qualified third-party auditors.

13. Business Continuity and Disaster Recovery

13.1 Backup Systems: PHI is backed up daily with encrypted backups stored in geographically separate locations within the United States.

13.2 Recovery Time: Business Associate maintains a Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for PHI systems.

13.3 Business Continuity Plan: Business Associate maintains and regularly tests a comprehensive business continuity plan to ensure continuous availability of PHI.

14. Training and Workforce Security

14.1 HIPAA Training: All workforce members with PHI access receive initial and annual HIPAA training and acknowledge understanding of privacy and security requirements.

14.2 Background Checks: Business Associate conducts appropriate background checks on workforce members with PHI access.

14.3 Access Termination: Access to PHI is terminated immediately upon a workforce member's separation, or upon a change to a role that does not require PHI access.

15. Contact Information

For questions regarding this Business Associate Agreement or to report a security incident, please contact our HIPAA Security Officer at support@simplhealthcare.com.

HIPAA Contact Information

HIPAA Security Officer: support@simplhealthcare.com
Breach Reporting: support@simplhealthcare.com
General Privacy Questions: support@simplhealthcare.com
24/7 Security Hotline: Available upon request
Company: Simpl Healthcare, Inc.
Address: [Corporate Address upon execution]