Business Associate Agreement

HIPAA-required contract
Template v1.0 · KeyNotes EHR
Important — Read Before Using

This Business Associate Agreement template is provided as a starting point and reflects the standard provisions required by HIPAA (45 CFR §164.504(e)) and the HITECH Act. It is not legal advice. Before executing this agreement with a customer, both parties should have qualified healthcare counsel review and customize it for their specific arrangement. KeyNotes EHR is not liable for the legal sufficiency of this template as used.
Business Associate
BondbyteInc
Operating as KeyNotes EHR
PO Box 1355
Selah, WA 98942
509.949.2162
keynotes@bondbyte.com
Covered Entity
Legal Business Name
Address
Phone
Primary Contact
Effective Date:

This Business Associate Agreement (“Agreement”) is entered into between BondbyteInc, doing business as KeyNotes EHR (“Business Associate”), and the entity named above (“Covered Entity”), collectively the “Parties.” This Agreement governs the use and disclosure of Protected Health Information (“PHI”) by Business Associate on behalf of Covered Entity, in connection with the services provided through the KeyNotes electronic health records platform (“Services”).

The Parties agree to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the implementing regulations at 45 CFR Parts 160 and 164 (collectively, the “HIPAA Rules”).

01 Definitions

Capitalized terms used but not otherwise defined in this Agreement have the meanings assigned to them in the HIPAA Rules.

Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, as defined at 45 CFR §160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
Electronic PHI (ePHI): PHI transmitted by or maintained in electronic media.
Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined at 45 CFR §164.402.
Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined at 45 CFR §164.304.
Subcontractor: A person or entity to whom Business Associate delegates a function, activity, or service involving PHI, other than in the capacity of a member of the workforce of Business Associate.
02 Permitted Uses and Disclosures of PHI

Business Associate may use or disclose PHI only as follows:

  1. As necessary to perform the Services described in the underlying service agreement between the Parties;
  2. As required by law;
  3. For the proper management and administration of Business Associate, provided that any disclosures are required by law, or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used only as required by law or for the purpose disclosed, and the recipient will notify Business Associate of any breach of confidentiality;
  4. To provide data aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B);
  5. To report violations of law to appropriate federal and state authorities, consistent with 45 CFR §164.502(j)(1).
03 Obligations of Business Associate

Business Associate agrees to:

  1. Not use or further disclose PHI other than as permitted or required by this Agreement or as required by law;
  2. Use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by this Agreement;
  3. Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHI as required by 45 CFR §164.410, and any Security Incident, without unreasonable delay and in any event within five (5) business days of discovery;
  4. Ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI;
  5. Make PHI available to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.524 (individual right of access);
  6. Make PHI available for amendment, and incorporate any amendments to PHI, as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.526;
  7. Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528;
  8. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations;
  9. Make Business Associate’s internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI, available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Rules.
04 Obligations of Covered Entity

Covered Entity agrees to:

  1. Notify Business Associate of any limitation(s) in Covered Entity’s Notice of Privacy Practices in accordance with 45 CFR §164.520, to the extent such limitation may affect Business Associate’s use or disclosure of PHI;
  2. Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent such changes may affect Business Associate’s use or disclosure of PHI;
  3. Notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed under 45 CFR §164.522, to the extent such restriction may affect Business Associate’s use or disclosure of PHI;
  4. Not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
05 Breach Notification

Following the discovery of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity in writing without unreasonable delay and in no case later than five (5) business days from the date of discovery. To the extent known, the notification shall include:

  1. The identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach;
  2. A description of what happened, including the date of the Breach and the date of discovery, if known;
  3. A description of the types of Unsecured PHI involved;
  4. The steps Business Associate is taking to investigate, mitigate harm, and protect against future Breaches.

For purposes of this section, a Breach is considered “discovered” as of the first day on which it is known to Business Associate or, by exercising reasonable diligence, would have been known.

06 Term and Termination

Term

This Agreement shall be effective as of the Effective Date and shall remain in effect until the underlying service agreement between the Parties is terminated, or until terminated as provided in this Article.

Termination for Cause

Upon Covered Entity’s knowledge of a material breach by Business Associate of this Agreement, Covered Entity shall provide written notice and an opportunity for Business Associate to cure the breach within thirty (30) days. If Business Associate does not cure the breach within that period, Covered Entity may terminate this Agreement and the underlying service agreement.

Effect of Termination

Upon termination of this Agreement, Business Associate shall:

  1. Return or destroy all PHI received from, or created or received on behalf of, Covered Entity, if feasible. The return or destruction shall be completed within thirty (30) days of termination;
  2. If return or destruction is not feasible, extend the protections of this Agreement to the retained PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.
07 Miscellaneous

Regulatory References

A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

Amendment

The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

Survival

The respective rights and obligations of Business Associate under Article 6 (Effect of Termination) shall survive the termination of this Agreement.

Interpretation

Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with the HIPAA Rules.

Governing Law

This Agreement shall be governed by the laws of the State of Washington, without regard to its conflict of laws provisions.

Entire Agreement

This Agreement, together with the underlying service agreement between the Parties, constitutes the entire agreement of the Parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, and agreements.

Signatures

By signing below, the Parties acknowledge they have read and understood this Business Associate Agreement and agree to be bound by its terms.

Business Associate · BondbyteInc
Signature
Printed Name
Date
Title
Covered Entity
Signature
Printed Name
Date
Title