This Business Associate Agreement ("BAA" or "Agreement") is entered into as of the date of execution ("Effective Date") by and between:
WHEREAS, CE is a Covered Entity or Business Associate as defined under HIPAA; and
WHEREAS, BA provides cloud-based home care scheduling services that may involve the creation, receipt, maintenance, or transmission of PHI on behalf of CE; and
WHEREAS, HIPAA requires CE to enter into a Business Associate Agreement with BA before disclosing PHI to BA;
NOW, THEREFORE, in consideration of the mutual covenants herein and the parties' existing or contemplated business relationship, the parties agree as follows:
Terms used but not otherwise defined in this BAA shall have the meanings given in 45 C.F.R. Parts 160 and 164. The following terms shall have the meanings set forth below:
| Term | Definition |
|---|---|
| "Breach" | The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined at 45 C.F.R. § 164.402. |
| "HITECH Act" | The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009. |
| "PHI" | Protected Health Information, including Electronic PHI ("ePHI"), each as defined at 45 C.F.R. § 160.103. |
| "Privacy Rule" | The regulations implementing HIPAA's privacy requirements at 45 C.F.R. Part 164, Subpart E. |
| "Required by Law" | As defined at 45 C.F.R. § 164.103. |
| "Security Incident" | The attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations. |
| "Security Rule" | The regulations implementing HIPAA's security requirements at 45 C.F.R. Part 164, Subpart C. |
| "Subcontractor" | A person who acts as a business associate on behalf of BA with respect to PHI. |
2.1 Use and Disclosure Restrictions. BA agrees to not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
2.2 Appropriate Safeguards. BA agrees to use appropriate administrative, physical, and technical safeguards and, with respect to ePHI, comply with the Security Rule at 45 C.F.R. Part 164, Subpart C, to prevent use or disclosure of PHI other than as provided for by this BAA.
2.3 Specific Security Measures. BA's technical safeguards for ePHI include:
2.4 Reporting of Improper Use or Disclosure. BA agrees to report to CE any use or disclosure of PHI not provided for by this BAA of which BA becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R. § 164.410, and any Security Incidents of which it becomes aware.
2.5 Subcontractors. BA agrees, in accordance with 45 C.F.R. §§ 164.308(b)(2) and 164.502(e)(1)(ii), to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of BA agree to the same restrictions and conditions that apply to BA under this BAA by entering into a written agreement with each Subcontractor before disclosing PHI to them.
2.6 Access to PHI. To the extent BA holds PHI in a Designated Record Set, BA agrees to make PHI available to CE as necessary to satisfy CE's obligations under the Privacy Rule, including to provide individuals with access to their PHI at 45 C.F.R. § 164.524.
2.7 Amendment of PHI. To the extent BA holds PHI in a Designated Record Set, BA agrees to make PHI available to CE for amendment and to incorporate any amendments to PHI at 45 C.F.R. § 164.526.
2.8 Accounting of Disclosures. BA agrees to maintain and make available to CE the information necessary to provide an accounting of disclosures as required at 45 C.F.R. § 164.528.
2.9 Access by HHS. BA agrees to make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by BA on behalf of CE, available to the Secretary of HHS for purposes of determining CE's and BA's compliance with HIPAA, within 30 days of request.
2.10 Minimum Necessary. BA agrees to limit requests for and uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.514(d).
2.11 Return or Destruction of PHI. At termination of this BAA, if feasible, BA will return or destroy all PHI received from or created or received by BA on behalf of CE. If return or destruction is not feasible, BA will extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
3.1 Services. Except as otherwise limited in this BAA, BA may use or disclose PHI to perform functions, activities, or services for, or on behalf of, CE as specified in the underlying service agreement (Terms of Service or MSA), provided that such use or disclosure would not violate HIPAA if done by CE directly.
3.2 Use for BA's Operations. BA may use PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA, in compliance with 45 C.F.R. § 164.504(e)(4).
3.3 Disclosure for BA's Operations. BA may disclose PHI for the proper management and administration of BA, provided that: (a) disclosures are Required by Law; or (b) BA obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies BA of any instances of which it is aware in which the confidentiality of the information has been breached.
3.4 Data Aggregation. BA may use or disclose PHI to provide data aggregation services to CE as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
3.5 De-identification. BA may de-identify PHI in accordance with 45 C.F.R. § 164.514(b) and use such de-identified information for product improvement, analytics, and benchmarking. De-identified information is not PHI and is not subject to the restrictions of this BAA.
3.6 Prohibited Uses. BA shall not:
4.1 Notice of Privacy Practices. CE shall notify BA of any limitation(s) in its notice of privacy practices under 45 C.F.R. § 164.520, to the extent that such limitation may affect BA's use or disclosure of PHI.
4.2 Permissions and Restrictions. CE shall notify BA of any changes in, or revocation of, permission by individuals to use or disclose PHI, to the extent that such changes may affect BA's permitted or required uses and disclosures.
4.3 Agreed-Upon Restrictions. CE shall notify BA of any restriction to the use or disclosure of PHI that CE has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect BA's use or disclosure of PHI.
4.4 Authorization for PHI Use. CE shall not request BA to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by CE.
4.5 Accuracy of PHI. CE is responsible for the accuracy and completeness of PHI it submits to the Service. CE shall not submit PHI to the Service without the appropriate patient authorization or other lawful basis.
4.6 User Training. CE is responsible for ensuring that its Authorized Users are appropriately trained on HIPAA requirements and on proper use of the SchedulerPro platform with respect to PHI.
5.1 Notification Obligation. Following the discovery of a Breach of Unsecured PHI, BA shall notify CE of such Breach in accordance with 45 C.F.R. § 164.410.
5.2 Timing. BA will provide notification to CE without unreasonable delay and, in any event, no later than seventy-two (72) hours after discovering the Breach, unless a law enforcement official has requested a delay pursuant to 45 C.F.R. § 164.412.
5.3 Content of Notification. To the extent known, BA's notification to CE shall include:
5.4 CE Responsibility for HHS and Individual Notification. CE is responsible for all notifications to HHS and affected individuals required under 45 C.F.R. §§ 164.404 and 164.408. BA will cooperate with CE and provide reasonably requested assistance in connection with such notifications.
5.5 Security Incidents. BA shall report to CE any Security Incidents of which it becomes aware on a quarterly basis, or immediately if a Security Incident results in or is likely to result in unauthorized access to PHI.
6.1 Term. This BAA is effective as of the Effective Date and continues until terminated in accordance with this Section or until the underlying service agreement between the parties is terminated.
6.2 Termination for Cause. Consistent with 45 C.F.R. § 164.504(e)(2)(iii), either party may terminate this BAA upon written notice if the other party has breached a material provision and fails to cure the breach within thirty (30) days of written notice.
6.3 Infeasibility of Termination. If either party determines that termination is not feasible following a material breach, it shall report the breach to the Secretary of HHS.
6.4 Effect of Termination. Upon termination, BA shall, if feasible, return to CE or destroy all PHI that BA still maintains in any form, and shall retain no copies; where return or destruction is feasible, BA shall complete it within ninety (90) days of termination. If return or destruction is not feasible, BA shall continue to extend the protections of this BAA to such PHI for as long as it is retained and shall limit further uses and disclosures to those purposes that make return or destruction infeasible.
6.5 Survival. Sections 1, 2.11, 5, 6.4, and 7 of this BAA shall survive termination.
7.1 Regulatory References. Any reference in this BAA to a section of HIPAA or the HITECH Act means the section as in effect or as amended, and includes any associated regulations and guidance documents issued by HHS.
7.2 Amendment for Compliance. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the parties to comply with the requirements of HIPAA and the HITECH Act.
7.3 No Third-Party Beneficiaries. Nothing in this BAA shall confer any rights, benefits, or remedies upon any person or entity not a party to this BAA, including any patient whose PHI is subject to this BAA.
7.4 Relationship of Parties. BA is an independent contractor and is not an employee or agent of CE. This BAA does not create a partnership, joint venture, or similar relationship between the parties.
7.5 Governing Law. This BAA is governed by the laws of the Commonwealth of Virginia and applicable federal law, including HIPAA and the HITECH Act. In the event of a conflict between state and federal law, federal law governs to the extent required by applicable law.
7.6 Entire Agreement. This BAA, together with the applicable service agreement (Terms of Service or MSA), constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements concerning PHI. In the event of a conflict between this BAA and the service agreement on matters relating to PHI, this BAA controls.
7.7 Severability. If any provision of this BAA is held invalid or unenforceable, the remaining provisions continue in full force and effect.
7.8 Interpretation. Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA and the HITECH Act. This BAA shall be construed as broadly as necessary to implement and comply with applicable laws.
7.9 Notices. All notices under this BAA must be in writing and sent by email with confirmation of delivery or by overnight courier. Notices to BA must be sent to: privacy@schedulerpro.io and SchedulerPro LLC, 8401 Mayland Dr, Suite A, Richmond, VA 23294.
By executing this BAA (whether by wet signature, electronic signature, or by accepting these terms through the SchedulerPro platform), the parties agree to be bound by all terms and conditions hereof. Each signatory represents and warrants that they are authorized to execute this BAA on behalf of the respective party.
To execute a Business Associate Agreement with SchedulerPro LLC, contact our privacy and legal team. We will prepare a customized BAA for execution and countersignature within 2 business days.
Privacy Officer: privacy@schedulerpro.io
Legal: legal@schedulerpro.io
Mail: 8401 Mayland Dr, Suite A, Richmond, VA 23294
Description of Permitted Uses and Services
BA provides the following services to CE that may involve PHI:
The categories of PHI that may be created, received, maintained, or transmitted by BA on behalf of CE include:
| PHI Category | Description |
|---|---|
| Patient Identifiers | Name, date of birth, address, phone number, and other HIPAA-defined identifiers associated with home care clients. |
| Scheduling Information | Visit dates, times, locations, and duration associated with identified patients. |
| Service Authorization | Payer authorization numbers, approved service codes, and care plan references. |
| Caregiver-Patient Assignments | Records linking identified caregivers to identified patients. |
| EVV Data | Electronic visit verification records including GPS-based check-in/out linked to patient visits. |
BA is permitted to use and disclose PHI solely for the following purposes:
BA may engage the following categories of Subcontractors who may access PHI to assist in providing the Services, each of whom will be bound by appropriate Business Associate obligations:
BA will maintain an up-to-date list of Subcontractors with PHI access and will notify CE of any material changes to this list with reasonable advance notice.