Business Associate Agreement

This Business Associate Agreement (“BAA”) governs how Dental Billing Assist handles Protected Health Information on behalf of covered dental practices.

Effective Date: May 1, 2026  |  Last Revised: May 1, 2026

This Business Associate Agreement (“Agreement”) is entered into by and between Dental Billing Assist, Inc. (“Business Associate” or “DBA”) and the dental practice, entity, or provider utilizing the services of Dental Billing Assist (“Covered Entity”). This Agreement supplements and forms part of the underlying Service Agreement between the parties and shall remain in effect for the duration of the service relationship.

1. Purpose and Scope

1.1 This Agreement establishes the terms under which the Business Associate will receive, create, maintain, transmit, or otherwise have access to Protected Health Information (“PHI”) in connection with the dental billing, revenue cycle management, insurance verification, claims processing, and related services provided to the Covered Entity.

1.2 This Agreement is intended to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and all applicable regulations promulgated thereunder, including but not limited to 45 C.F.R. Parts 160 and 164.

2. Definitions

2.1 “Protected Health Information” or “PHI” shall have the meaning ascribed to it under 45 C.F.R. § 160.103, and includes electronic Protected Health Information (“ePHI”) as defined under HIPAA.

2.2 “Breach” shall mean the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA, as further defined in 45 C.F.R. § 164.402.

2.3 “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. § 164.304.

2.4 “Designated Record Set” shall have the meaning given to it under 45 C.F.R. § 164.501.

2.5 All capitalized terms not otherwise defined in this Agreement shall have the meanings established by HIPAA, HITECH, and their implementing regulations.

3. Authorized Uses and Disclosures of PHI

3.1 The Business Associate shall use and disclose PHI solely for the purpose of performing dental billing services, revenue cycle management, insurance verification, claims submission, denial management, credentialing, and other services as specified in the Service Agreement, and as permitted or required by applicable law.

3.2 The Business Associate may use or disclose PHI as necessary for its proper management and administration, or to fulfill any legal obligation of the Business Associate, provided that any such disclosure is required by law or the Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or disclosed only as required by law or for the purposes for which it was disclosed, and that the recipient will notify the Business Associate of any instance of which it becomes aware in which the confidentiality of the PHI has been breached.

3.3 The Business Associate shall not use or disclose PHI in any manner that would violate the requirements of HIPAA if done by the Covered Entity, except as expressly authorized under this Agreement or as permitted for Business Associates under applicable regulations.

4. Obligations of the Business Associate

4.1 Administrative, Physical, and Technical Safeguards. The Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in accordance with 45 C.F.R. Part 164, Subpart C. Such safeguards shall include, but not be limited to, encryption of data in transit and at rest, role-based access controls, multi-factor authentication, regular security assessments, and workforce training on PHI handling.

4.2 Incident Reporting. The Business Associate shall report to the Covered Entity the following events:

  • (a) Any use or disclosure of PHI not authorized by this Agreement, within five (5) business days of the Business Associate becoming aware of such use or disclosure.
  • (b) Any Security Incident of which the Business Associate becomes aware, within five (5) business days. The parties acknowledge that unsuccessful security attempts (such as pings, port scans, unsuccessful login attempts, or interception of traffic by firewalls) shall not constitute reportable Security Incidents.
  • (c) Any Breach of Unsecured PHI, as defined in 45 C.F.R. § 164.402, within five (5) business days of discovery. Such notification shall include, to the extent available, the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach, and any other information required under 45 C.F.R. § 164.410.

4.3 Subcontractors. The Business Associate shall require any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of the Business Associate to execute a written agreement containing substantially similar terms and conditions to those set forth in this Agreement, ensuring an equivalent level of protection for PHI.

4.4 Access to PHI. The Business Associate shall make PHI contained in Designated Record Sets available to the Covered Entity as necessary to enable the Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524 regarding individual access rights, within fifteen (15) business days of receiving a written request.

4.5 Amendment of PHI. The Business Associate shall make PHI contained in Designated Record Sets available for amendment and shall incorporate any amendments to PHI as directed by the Covered Entity, in accordance with 45 C.F.R. § 164.526.

4.6 Disclosure Accounting. The Business Associate shall maintain a record of disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528. The Business Associate shall make such information available to the Covered Entity within fifteen (15) business days of a written request.

4.7 Government Access. The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining the Covered Entity's compliance with HIPAA.

4.8 Minimum Necessary Standard. The Business Associate shall limit its use, disclosure, or request of PHI to the minimum amount necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.502(b) and the minimum necessary provisions of HIPAA.

5. Obligations of the Covered Entity

5.1 The Covered Entity shall provide the Business Associate with only the PHI that is necessary for the Business Associate to perform its obligations under the Service Agreement.

5.2 The Covered Entity shall obtain all necessary patient consents, authorizations, and permissions required under HIPAA and applicable state law prior to providing PHI to the Business Associate.

5.3 The Covered Entity shall notify the Business Associate in writing of any restrictions on the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restrictions affect the Business Associate's use or disclosure of PHI.

5.4 The Covered Entity shall notify the Business Associate in writing of any changes to, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such changes may affect the Business Associate's use or disclosure of PHI.

5.5 The Covered Entity shall not request that the Business Associate use or disclose PHI in any manner that would be impermissible under HIPAA if done by the Covered Entity.

6. Term and Termination

6.1 Term. This Agreement shall become effective on the date the Covered Entity first engages the services of Dental Billing Assist and shall remain in effect until the Service Agreement is terminated and all PHI has been returned or destroyed in accordance with this section, or this Agreement is otherwise terminated.

6.2 Termination. Either party may terminate this Agreement at any time by providing thirty (30) days written notice to the other party. A material breach of this Agreement by either party shall constitute a material breach of the Service Agreement. Upon learning of a material breach, the non-breaching party shall provide written notice to the breaching party and allow a reasonable period of thirty (30) days to cure the breach. If the breach is not cured within such period, the non-breaching party may terminate this Agreement and the Service Agreement.

6.3 Return or Destruction of PHI. Upon termination of this Agreement, the Business Associate shall, at the direction of the Covered Entity, return or destroy all PHI received from, or created or received on behalf of, the Covered Entity. This provision applies to PHI that is in the possession of the Business Associate or its subcontractors or agents. If the Business Associate determines that returning or destroying the PHI is not feasible, the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.

6.4 De-Identified Data. Notwithstanding Section 6.3, the Business Associate may retain data that has been de-identified in accordance with 45 C.F.R. § 164.514, as de-identified data is no longer considered PHI and is not subject to the provisions of this Agreement.

7. Independent Contractor Status

The parties acknowledge and agree that the Business Associate is an independent contractor and not an agent, partner, joint venturer, or employee of the Covered Entity. Nothing in this Agreement shall be construed to create an agency, employment, partnership, or joint venture relationship between the parties. The Business Associate shall have no authority to bind or obligate the Covered Entity in any manner.

8. Confidentiality

The terms and conditions of this Agreement shall be treated as confidential information by both parties and shall not be disclosed to any third party without the prior written consent of the other party, except as required by law, to legal counsel, or in connection with the enforcement of this Agreement.

9. Indemnification

The Business Associate shall indemnify and hold harmless the Covered Entity from and against any and all claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to any breach of this Agreement or any violation of HIPAA caused by the Business Associate, its employees, subcontractors, or agents. The Covered Entity shall indemnify and hold harmless the Business Associate from and against any such claims arising from the Covered Entity's own breach of this Agreement or failure to comply with HIPAA.

10. Entire Agreement and Amendments

10.1 This Agreement, together with the Service Agreement, constitutes the complete understanding between the parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, and agreements, whether written or oral, relating to the protection of PHI.

10.2 This Agreement may not be modified or amended except by a written instrument signed by both parties. However, in the event that any provision of HIPAA or its implementing regulations is amended in a manner that materially changes the obligations of either party under this Agreement, the parties shall negotiate in good faith to amend this Agreement to reflect such changes.

11. No Third-Party Beneficiaries

This Agreement is intended solely for the benefit of the parties hereto and their respective successors and permitted assigns. Nothing in this Agreement shall confer any rights or remedies upon any person or entity other than the parties and their respective successors and permitted assigns.

12. Governing Law and Regulatory Interpretation

This Agreement shall be interpreted and construed in a manner consistent with HIPAA and the HITECH Act. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Covered Entity and the Business Associate to comply with HIPAA. To the extent that any provision of this Agreement conflicts with applicable law, the applicable law shall govern.

13. Notices

All notices required or permitted under this Agreement shall be in writing and shall be deemed given when delivered by confirmed electronic mail or by certified mail, return receipt requested, to the following addresses:

Dental Billing Assist, Inc.

Email: hello@dentalbillingassist.com

Phone: (408) 583-4533

Notice to the Covered Entity shall be sent to the email address or mailing address on file with Dental Billing Assist as provided during the onboarding process.

By engaging the dental billing services of Dental Billing Assist, both parties acknowledge that they have read, understand, and agree to be bound by the terms and conditions set forth in this Business Associate Agreement.

Business Associate

Dental Billing Assist, Inc.

hello@dentalbillingassist.com

(408) 583-4533

Covered Entity

As identified in the Service Agreement executed between the parties.

Disclaimer: This Business Associate Agreement is provided for informational purposes and represents Dental Billing Assist's standard BAA terms. A fully executed copy of this Agreement is provided to each client during the onboarding process. This document does not constitute legal advice. Covered Entities are encouraged to consult with their own legal counsel regarding their HIPAA compliance obligations.