Business Associate Agreement
This Business Associate Agreement is a launch-stage placeholder for healthcare billing agencies and practices that use PayerVista to process, transmit, or store protected health information in connection with revenue cycle management workflows.
1. Parties and purpose
This Business Associate Agreement ("BAA") is entered into by and between the customer organization using PayerVista ("Covered Entity" or, where applicable, another Business Associate) and PayerVista ("Business Associate"). This BAA governs the creation, receipt, maintenance, and transmission of Protected Health Information ("PHI") by Business Associate on behalf of Covered Entity to provide the PayerVista application and related revenue cycle management services.
2. Definitions
Capitalized terms not otherwise defined in this BAA have the meanings assigned under HIPAA, including the Privacy Rule, the Security Rule, and the Breach Notification Rule. References to PHI include Electronic Protected Health Information ("ePHI") where applicable.
3. Permitted and required uses of PHI
Business Associate may use and disclose PHI only as necessary to perform services for Covered Entity, including hosting the application, processing 835 and related billing data, supporting user authentication and account administration, providing customer support, securing the service, and meeting legal obligations. PHI may not be used or disclosed in a manner that would violate HIPAA if done by Covered Entity, except as expressly permitted for Business Associate under HIPAA.
4. Safeguards
Business Associate shall implement reasonable and appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided by this BAA. Business Associate shall implement safeguards required by the Security Rule with respect to ePHI and maintain security measures appropriate to the nature of the services provided through PayerVista.
5. Reporting and breach notification
Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA, any Security Incident of which Business Associate becomes aware that materially affects PHI, and any Breach of Unsecured PHI without unreasonable delay. Such report will include information reasonably available to Business Associate needed for Covered Entity to satisfy its HIPAA obligations.
6. Subcontractors
Business Associate may use subcontractors to perform portions of the services, provided that Business Associate obtains written assurances that each subcontractor will appropriately safeguard PHI and comply with restrictions and conditions that are at least as protective as those imposed on Business Associate by this BAA, as required by HIPAA.
7. Access, amendment, and accounting support
To the extent applicable and commercially reasonable in light of the services, Business Associate shall make PHI available to Covered Entity so Covered Entity may satisfy its obligations under HIPAA concerning access, amendment, and accounting of disclosures. Business Associate will cooperate with Covered Entity's reasonable requests relating to those obligations.
8. Minimum necessary and customer responsibilities
Covered Entity remains responsible for determining whether its use of PayerVista is appropriate for the data involved, configuring users and roles appropriately, and limiting disclosures to the minimum necessary standard where required. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.
9. Term and termination
This BAA remains in effect for as long as Business Associate maintains PHI on behalf of Covered Entity. If Business Associate materially breaches this BAA and cure is not reasonably possible, or the breach is not cured within a reasonable time after notice, Covered Entity may terminate the underlying services agreement if feasible.
10. Return or destruction of PHI
Upon termination of the underlying services relationship, Business Associate shall, if feasible, return or destroy PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
11. Regulatory references and amendments
References in this BAA to HIPAA laws, regulations, and guidance include any amendments or successor provisions. The parties agree to amend this BAA as necessary to comply with changes in applicable law.
12. Placeholder and signature process
This page is a launch-stage placeholder template to make the intended business associate terms visible during product setup. It is not a substitute for a fully executed customer-specific BAA. Before production use with regulated client data, PayerVista should replace or supplement this page with a version approved by counsel and signed by the relevant parties.