Business Associate Agreement

Last Updated
Dec 1, 2024

This Business Associate Agreement (this “BAA”) is entered into between Claimable, Inc., a Delaware corporation (“Business Associate”), and any healthcare provider, patient advocate, or other authorized entity that accesses or uses Claimable’s services, including any affiliated, managed, or member accounts and their respective users (collectively, the “Covered Entity” and each a “Member Entity”).

This BAA and the Partner Terms of Service (“Partner TOS”) take effect on the date (the “Effective Date”) when the Covered Entity clicks the “Agree and continue” button (or any other electronic means provided by Claimable for acceptance) presented with these agreements. By clicking “Agree and continue” or by accessing or using the Service, the Covered Entity agrees to be bound by this BAA and the Partner TOS, and represents and warrants that it has the legal authority to do so on behalf of any affiliated, managed, or member accounts.

Applicability
This BAA applies solely to the services provided by Business Associate under the Partner TOS, and it does not apply to any services, activities, or data processing conducted outside the scope of the Agreement. In the event of any conflict between this BAA and the Partner TOS, the terms of this BAA shall govern with respect to Protected Health Information (“PHI”) and Business Associate’s obligations under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), as well as the security and privacy provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), enacted as part of the American Recovery and Reinvestment Act of 2009.

Recitals
Covered Entity is a covered entity as such term is defined under HIPAA and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of Protected Health Information;

  • Each Member Entity, including any affiliated, managed, or member accounts and their respective users, is deemed to have entered into a separate Claimable Business Associate Agreement under the same terms as this Agreement (except where expressly applicable only to the Covered Entity). References to “you” or “your” will refer to the applicable Member Entity, and references to the “Agreement” will refer to Claimable’s Partner TOS. The Covered Entity represents and warrants that it has the authority to bind each Member Entity to this Agreement and to terminate it on their behalf.
  • This BAA applies only to Provider Accounts created by Covered Entities, and is supplemented by our Partner TOS (as found on www.getclaimable.com/partner-terms-of-service), pursuant to which Business Associate may receive, create, maintain or transmit Protected Health Information from, for or on behalf of Covered Entity; and

By providing services pursuant to the Partner TOS and receiving Protected Health Information for or on behalf of Covered Entity, Business Associate shall become a Business Associate of Covered Entity, as such term is defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of Protected Health Information that Business Associate receives from or on behalf of, Covered Entity.


In consideration of the mutual covenants, promises, and agreements contained herein, the parties hereto agree as follows:

1. Definitions.

For the purposes of this BAA, “Protected Health Information” or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care. All other capitalized terms shall have the meanings ascribed to them below. All other capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA.

2. Obligations of Business Associate

  • General Compliance with Law

    Business Associate warrants that it, its agents and its subcontractors: (i) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this BAA and the Partner TOS; (ii) shall not use or disclose PHI other than as permitted or required by this BAA or required by law; (iii) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Covered Entity; and (iv) shall only use and disclose the minimum necessary PHI for its specific purposes. Business Associate warrants that its services, including but not limited to those under the Partner TOS, shall comply with this BAA, HIPAA, and all applicable laws.
  • Use and Disclosure of Protected Health Information

    Subject to the restrictions of this BAA, Business Associate may use the information received from Covered Entity if necessary for (i) the proper management and administration of Business Associate; or (ii) to carry out the legal responsibilities of Business Associate.

    Subject to the restrictions of this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that: (i) disclosures are required by law, or (ii) Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

    Business Associate is permitted, for Data Aggregation purposes to the extent permitted under HIPAA, to use, disclose, and combine PHI created or received on behalf of Covered Entity by Business Associate pursuant to this BAA with PHI, as defined by 45 C.F.R. 160.103, received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Covered Entity.

    Business Associate may de-identify any and all PHI created or received by Business Associate under this BAA. Once PHI has been de-identified pursuant to 45 CFR 164.514(b), such information is no longer PHI and no longer subject to this BAA.

    Business Associate acknowledges that, as between Business Associate and Covered Entity, all PHI shall be and remain the sole property of Covered Entity, including any and all forms thereof developed by Business Associate in the course of its fulfillment of its obligations pursuant to the BAA and Partner TOS.

  • Covered Entity Obligations

    To the extent the Partner TOS explicitly obligates Business Associate to carry out any of Covered Entity’s obligations that are regulated by HIPAA, Business Associate shall comply with the HIPAA requirements that apply to the Covered Entity in the performance of such obligation.

  • Safeguards

    Business Associate shall employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of Business Associate’s operations, to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this BAA. Business Associate shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this BAA.
  • Availability of Books and Records

    Business Associate shall permit the Secretary of the U.S. Department of Health and Human Services and other regulatory and accreditation authorities to audit Business Associate’s internal practices, books and records at reasonable times as they pertain to the use and disclosure of PHI in order to ensure that Covered Entity and/or Business Associate is in compliance with the requirements of HIPAA.

  • Individuals’ Rights to Their PHI
    • Access to and Amendment of Information. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Covered Entity to respond to a request by an Individual to exercise their right under HIPAA for access to or amendment of PHI, Business Associate, within fifteen (15) business days upon receipt of written request by Covered Entity, shall make available to Covered Entity such PHI and, if applicable, incorporate any amendments, statements of disagreement, and/or rebuttals approved by Covered Entity into such Designated Record Set. In the event that any Individual directs such request to Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days.
    • Covered Entity will be solely responsible for making all determinations regarding the grant or denial of such requests, whether or not conveyed to Business Associate, and the resolution and reporting of all appeals and/or complaints arising from denials, and Business Associate will make no such determinations.Except as Required by Law, only Covered Entity will be responsible for releasing PHI to an Individual pursuant to any such request.

  • Accounting of Disclosures

    To allow Covered Entity to respond to a request by an Individual for an accounting pursuant to 45 CFR Section 164.528, Business Associate shall, within ten (10) business days of a written request by Covered Entity for an accounting of disclosures of PHI about an Individual, make available to Covered Entity such PHI. At a minimum, Business Associate shall provide Covered Entity with the following information: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure. In the event that any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days. Covered Entity will be responsible for preparing and delivering an accounting to Individual. Business Associate shall implement an appropriate record keeping process to enable it to comply with the requirements of this BAA.
  • Disclosure to Subcontractors and Agents
  • Notwithstanding anything to the contrary in the Partner TOS or this BAA, Business Associate, subject to the restrictions set forth in this provision, may use subcontractors to fulfill its obligations under this BAA. Business Associate shall obtain and maintain a written agreement with each subcontractor or agent that has or will have access to PHI, which is received from, or created or received by, Business Associate for or on behalf of Covered Entity, pursuant to which such subcontractor and agent agrees to be bound by the same restrictions, terms, and conditions that apply to Business Associate under this BAA with respect to such PHI.

  • Reporting Obligations

    In the event of a Breach of any Unsecured PHI that Business Associate accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall report such Breach to Covered Entity as soon as practicable, but in no event later than ten (10) business days after the date the Breach is discovered. Notice of a Breach shall include, to the extent such information is available: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach; (ii) the date of the Breach, if known, and the date of discovery of the Breach; (iii) the scope of the Breach; and (iv) the Business Associate’s response to the Breach.

    In the event of a use or disclosure of PHI that does not comply with this BAA but does not constitute a Breach, Business Associate shall report such use or disclosure to Covered Entity within ten (10) business days after the date on which Business Associate becomes aware of such use or disclosure.

    In the event of any successful Security Incident, Business Associate shall report such Security Incident in writing to Covered Entity within ten (10) business days of the date on which Business Associate becomes aware of such Security Incident. The parties acknowledge that unsuccessful Security Incidents that occur within the normal course of business shall not be reported pursuant to this BAA. Such unsuccessful Security Incidents include, but are not limited to, port scans or “pings,” and unsuccessful log-on attempts, broadcast attacks on Business Associate’s firewall, denials of service or any combination thereof if such incidents are detected and neutralized by Business Associate’s anti-virus and other defensive software and not allowed past Business Associate’s firewall.

    Business Associate will identify and respond internally to any suspected or known Breach of any Unsecured PHI, Security Incident or other improper use or disclosure of PHI, and will mitigate, to the extent practicable, their harmful effects, document their outcomes, and provide documentation of any successful Security Incident and Breach of any Unsecured PHI to Covered Entity upon request.

3. Obligations of Covered Entity

  • Permissible Requests

    Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by Covered Entity. Covered Entity may request Business Associate to disclose PHI directly to another party only for the purposes allowed by HIPAA and the HITECH Act.

    Covered Entity shall notify Business Associate of any (i) limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI; (ii) changes in, or revocation of, permission by individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; and (iii) restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

4. Term and Termination

  • ​General Term and Termination

    This BAA takes effect on the Effective Date and will remain in effect until the Covered Entity’s account is deactivated or this BAA is otherwise terminated in accordance with its terms. This BAA will automatically terminate upon the earlier of:
    • Deactivation or closure of the Covered Entity’s account; or
    • Written notice of termination from either party, provided that all obligations regarding PHI under this BAA have been met.


Upon termination for any reason, Claimable may immediately deactivate or delete the Covered Entity’s account and all related data stored within the Claimable Service, except as required by applicable law or HIPAA.​

  • Material Breach

    Where either party has knowledge of a material breach by the other party, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this BAA. If cure is not possible, the BAA will terminate immediately upon notice.
  • Return or Destruction of PHI

    Upon termination of this BAA for any reason, Business Associate shall: (i) if feasible as determined by Business Associate, return or destroy all PHI received from, or created or received by Business Associate for or on behalf of Covered Entity that Business Associate or any of its subcontractors and agents still maintain in any form, and Business Associate shall retain no copies of such information; or (ii) if Business Associate determines that such return or destruction is not feasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Business Associate’s obligations under this Section shall survive the termination of this BAA.

5. Miscellaneous

  • Amendment

    If any of the regulations promulgated under HIPAA or the HITECH Act are amended or interpreted in a manner that renders this BAA inconsistent therewith, the parties shall amend this BAA to the extent necessary to comply with such amendments or interpretations.
  • Interpretation

    Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA and the HITECH Act.
  • Conflicting Terms

    In the event that any terms of this BAA conflict with any terms of the Partner TOS, the terms of this BAA shall govern and control.
  • Notices

    Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA and the HITECH Act. If any terms of this BAA conflict with any terms of the Partner TOS, the terms of this BAA shall govern and control. Any notices pertaining to this BAA shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party’s authorized representative as listed below or sent by means of a (i) personal delivery; (ii) certified or registered United States mail, return receipt requested; (iii) electronically via email (if to Claimable to legal@getclaimable.com); or (iv) overnight delivery service with proof of delivery. Notices shall be deemed given upon receipt.
  • Severability

    The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein. Except as expressly modified or amended under this BAA, the Partner TOS remain in full force and effect.

Explore
Social