Business Associate Agreement

HIPAA Privacy, Security & Breach Notification Rules

RxGranted | ASKARX LLC | Moorestown, New Jersey

Pursuant to 45 C.F.R. § 164.504(e) and the HITECH Act

This Business Associate Agreement (“BAA” or “Agreement”) is entered into by and between the healthcare practice identified below (“Covered Entity”) and ASKARX LLC, d/b/a RxGranted (“Business Associate”), collectively referred to as the “Parties.” This Agreement is effective as of the date of last signature below (“Effective Date”).

Recitals

WHEREAS, Covered Entity is a healthcare provider subject to the Privacy, Security, and Breach Notification Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), codified at 42 U.S.C. §§ 17921–17954, and the regulations at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”);

WHEREAS, Business Associate provides prior authorization clinical documentation services to Covered Entity, which may involve the use, disclosure, creation, receipt, maintenance, or transmission of Protected Health Information (“PHI”) on behalf of Covered Entity;

WHEREAS, the Parties desire to comply with the HIPAA Rules and to establish the permitted and required uses and disclosures of PHI by Business Associate;

NOW, THEREFORE, in consideration of the mutual promises set forth herein, the Parties agree as follows:

Article I — Definitions

Terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules:

  • 1.1 “Breach” shall have the meaning given under 45 C.F.R. § 164.402.
  • 1.2 “Designated Record Set” shall have the meaning given under 45 C.F.R. § 164.501.
  • 1.3 “Electronic Protected Health Information” or “ePHI” shall have the meaning given under 45 C.F.R. § 160.103.
  • 1.4 “Individual” shall have the meaning given under 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
  • 1.5 “Minimum Necessary” shall have the meaning given under 45 C.F.R. § 164.502(b).
  • 1.6 “Protected Health Information” or “PHI” shall have the meaning given under 45 C.F.R. § 160.103, limited to PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • 1.7 “Required by Law” shall have the meaning given under 45 C.F.R. § 164.103.
  • 1.8 “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or designee.
  • 1.9 “Security Incident” shall have the meaning given under 45 C.F.R. § 164.304.
  • 1.10 “Subcontractor” shall have the meaning given under 45 C.F.R. § 160.103.
  • 1.11 “Unsecured Protected Health Information” shall have the meaning given under 45 C.F.R. § 164.402.
  • 1.12 “Services” shall mean the prior authorization clinical documentation services, including: preparation of prior authorization letters, clinical justification documentation, appeal letters, and direct submission of prior authorization requests to payers on behalf of Covered Entity.

Article II — Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. Permitted purposes include:

(a) Performing the Services described in Section 1.12;

(b) Proper management and administration of Business Associate, provided such disclosures are Required by Law or the recipient provides reasonable assurances of confidentiality.

2.2 Minimum Necessary Standard

Business Associate shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, per 45 C.F.R. § 164.502(b).

2.3 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. Part 164, Subpart C. Without limitation, Business Associate shall:

(a) Encrypt all ePHI at rest and in transit using AES-256 or equivalent;

(b) Implement role-based access controls limiting PHI access to authorized personnel only;

(c) Maintain audit logs of all access to and modifications of ePHI;

(d) Conduct risk assessments at least annually;

(e) Ensure all workforce members who access PHI complete HIPAA training prior to access and annually thereafter;

(f) Use HIPAA-compliant communication channels for all PHI transmission.

2.4 Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHI or Security Incident, per Article IV.

2.5 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI agrees to the same restrictions and requirements under this Agreement, by entering into a written agreement per 45 C.F.R. § 164.504(e).

2.6 Access to PHI

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such information available to Covered Entity, or to Covered Entity's designee, as directed by Covered Entity and within the time reasonably requested by Covered Entity, to enable Covered Entity to meet its obligations under 45 C.F.R. § 164.524.

2.7 Amendment of PHI

Business Associate shall make any amendment(s) to PHI in a Designated Record Set, or otherwise enable such amendment(s), as directed by Covered Entity and within the time reasonably requested by Covered Entity, to enable Covered Entity to comply with 45 C.F.R. § 164.526.

2.8 Accounting of Disclosures

Business Associate shall document disclosures of PHI as required by the HIPAA Rules and shall provide such information to Covered Entity, as directed by Covered Entity, to enable Covered Entity to comply with 45 C.F.R. § 164.528.

2.9 Government Access

Business Associate shall make its internal practices, books, and records relating to PHI available to the Secretary for compliance determination.

2.10 Prohibition on Sale of PHI

Business Associate shall not sell PHI per 45 C.F.R. § 164.502(a)(5)(ii) without prior written authorization of the Individual and Covered Entity.

2.11 Prohibition on Marketing

Business Associate shall not use or disclose PHI for marketing per 45 C.F.R. § 164.501 without prior written authorization.

Article III — Obligations of Covered Entity

3.1

Covered Entity shall provide Business Associate with its Notice of Privacy Practices and any changes thereto.

3.2

Covered Entity shall notify Business Associate of any changes in or revocation of Individual permissions affecting Business Associate’s use of PHI.

3.3

Covered Entity shall notify Business Associate of any restrictions on PHI use or disclosure agreed to under 45 C.F.R. § 164.522.

3.4

Covered Entity shall provide only the minimum necessary PHI for Business Associate to perform Services.

Article IV — Breach Notification

4.1 Discovery and Notification

Business Associate shall provide preliminary notification to Covered Entity of any Breach of Unsecured PHI without unreasonable delay following discovery, and in no case later than ten (10) business days after discovery. Preliminary notification shall include the information available at the time of discovery and sufficient for Covered Entity to begin its own notification obligations under 45 C.F.R. § 164.404.

Business Associate shall provide a complete notification containing all information required under Section 4.2 as soon as reasonably practicable, and in no case later than sixty (60) calendar days after discovery, consistent with 45 C.F.R. § 164.410. Timing under this Section 4.1 does not waive or alter any outside deadline imposed by applicable law.

4.2 Content of Notification

Notification shall include, to the extent available:

(a) Identification of affected Individuals;

(b) Description of what happened;

(c) Types of PHI involved;

(d) Recommended protective steps;

(e) Business Associate’s investigation and mitigation actions.

4.3 Security Incidents

Business Associate shall report to Covered Entity any known Security Incident involving unauthorized access, use, disclosure, modification, or destruction of PHI, or interference with system operations in an information system containing PHI, without unreasonable delay and in no case later than ten (10) business days after discovery. Covered Entity acknowledges and agrees that routine, unsuccessful security incidents — including pings, port scans, blocked malware attempts, and unsuccessful login attempts — are inherent to internet operations and do not require separate notice unless they result in unauthorized access to PHI or otherwise constitute a reportable event under this Agreement.

4.4 Cooperation

Business Associate shall cooperate with Covered Entity in investigation and meeting obligations under 45 C.F.R. Part 164, Subpart D.

4.5 Mitigation

Business Associate shall take prompt corrective action to mitigate harmful effects and prevent recurrence.

Article V — Term and Termination

5.1 Term

This Agreement is effective as of the Effective Date and continues for the duration of the service relationship unless earlier terminated.

5.2 Termination for Cause

Either Party may terminate this Agreement if the other Party materially breaches it and fails to cure the breach within thirty (30) days of written notice. If cure is not possible, termination shall be immediate upon written notice.

5.3 Return or Destruction of PHI

Upon termination, Business Associate shall within thirty (30) days:

(a) Return or destroy all PHI including all copies;

(b) Certify destruction in writing;

(c) If return or destruction is infeasible, extend the protections of this Agreement to such PHI and limit further uses and disclosures;

(d) Deliver to Covered Entity a written certification of destruction, signed by an authorized representative of Business Associate, within five (5) business days of completion of the return or destruction.

5.4 Survival

Articles IV and V survive termination.

Article VI — Data Security Specifications

Business Associate shall implement and maintain reasonable and appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of PHI and ePHI, appropriate to the size, complexity, capabilities, and risk profile of its operations. The controls described in Sections 6.1 through 6.9 are examples of safeguards Business Associate currently maintains:

6.1

All ePHI encrypted using TLS 1.2+ in transit and AES-256 at rest.

6.2

Role-based access controls, unique user IDs, and multi-factor authentication where feasible.

6.3

HIPAA-compliant intake portal with session timeouts, HTTPS, input validation, and access logging.

6.4

PHI stored only on systems with appropriate physical and technical safeguards.

6.5

All personnel complete HIPAA training before PHI access and annually thereafter. Records maintained six (6) years.

6.6 Device Safeguards

Authorized workstations used to access PHI employ commercially reasonable safeguards, including full-disk encryption, authentication required before access, automatic locking after a defined period of inactivity, and, where available, remote-wipe capability. Business Associate maintains an inventory of authorized devices and reviews device safeguards periodically to confirm continued appropriateness.

6.7

PHI disposed per NIST SP 800-88 (electronic) or shredded (paper).

6.8

Business continuity plan maintained including backup, disaster recovery, and emergency mode operation.

6.9 Subcontractor BAAs

Business Associate represents and warrants that it has executed, or will execute prior to any PHI transmission, Business Associate Agreements with all Subcontractors that create, receive, maintain, or transmit PHI on Business Associate's behalf, including but not limited to database hosting providers, email delivery services, and serverless computing providers. A current list of Subcontractors and their BAA status is available to Covered Entity upon written request. Business Associate shall update this list within thirty (30) days of adding any new Subcontractor that processes PHI. The list reflects known Subcontractors as of the Effective Date and may be updated from time to time; an updated list is available upon written request.

Article VII — Indemnification and Liability

7.1

Business Associate shall indemnify and hold harmless Covered Entity from claims arising from Business Associate’s breach of this Agreement or negligent/willful handling of PHI.

7.2

Covered Entity shall indemnify and hold harmless Business Associate from claims arising from Covered Entity’s breach of this Agreement or failure to perform obligations under Article III.

7.3

Except in cases of gross negligence, willful misconduct, or breach of Protected Health Information obligations, Business Associate's aggregate liability shall not exceed the total fees paid by Covered Entity in the twelve (12) months preceding the event giving rise to the claim.

7.4

Business Associate shall maintain professional liability (E&O) insurance with reasonably sufficient coverage.

7.5 No Warranty of Outcome

RxGranted makes no warranties regarding the outcome of any prior authorization request, appeal, or payer determination. Such outcomes are solely determined by the applicable payer or reviewing body and are outside the scope of this Agreement.

Article VIII — General Provisions

8.1

Regulatory references are to sections as in effect or amended.

8.2

Amendment requires writing signed by both Parties.

8.3

Ambiguity shall be interpreted to permit HIPAA compliance.

8.4

No third-party beneficiaries.

8.5

Governed by New Jersey law, except as preempted by federal law.

8.6

Entire agreement as to HIPAA compliance; supersedes prior agreements on this subject.

8.7

Severability — invalid provisions do not affect remaining provisions.

8.8

Waiver of one provision does not waive others.

Electronic Signatures

This Agreement may be executed electronically, and electronic signatures shall have the same legal force and effect as original signatures.