Business Associate Agreement

HIPAA Compliance Document

About This Agreement

This Business Associate Agreement (BAA) is required under HIPAA when a covered entity engages a business associate to perform functions involving Protected Health Information (PHI). BrightPath provides a BAA to all customers who require one.

Business Associate Agreement Summary

This Business Associate Agreement ("Agreement") is entered into by and between the Covered Entity (Customer) and BrightPath, Inc. ("Business Associate").

1. Definitions

Terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules, including "Protected Health Information" (PHI), "Electronic Protected Health Information" (ePHI), "Covered Entity," "Business Associate," and "Security Incident."

2. Obligations of Business Associate

Business Associate agrees to:

  • Not use or disclose PHI other than as permitted by this Agreement or as required by law
  • Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report any use or disclosure not provided for by this Agreement
  • Ensure any subcontractors agree to the same restrictions and conditions
  • Make PHI available to individuals as required by HIPAA
  • Make PHI available for amendment as required by HIPAA
  • Provide an accounting of disclosures as required by HIPAA
  • Make internal practices available to HHS for compliance determination
  • Return or destroy all PHI upon termination

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI:

  • To perform functions, activities, or services for Covered Entity as specified in the Service Agreement
  • For the proper management and administration of Business Associate
  • To provide Data Aggregation services relating to healthcare operations
  • As required by law

4. Security Safeguards

Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.

5. Breach Notification

Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 days after discovery of the Breach.

6. Term and Termination

This Agreement shall be effective for the duration of the Service Agreement. Either party may terminate this Agreement if the other party has materially breached its terms.

7. Effect of Termination

Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI.

Request Your BAA

To receive a signed Business Associate Agreement, please contact our compliance team. We'll work with you to ensure all HIPAA requirements are met.

Request BAAView HIPAA Compliance