Business Associate Agreement
Last Updated: March 18, 2026
This Business Associate Agreement (“Agreement”) is entered into by and between PracticeRunner LLC (“Business Associate”) and the healthcare provider or legal entity subscribing to the PracticeRunner Service (“Covered Entity”) (each a “Party” and collectively the “Parties”).
This Agreement supplements and is incorporated into the PracticeRunner Terms of Service and governs the use and disclosure of Protected Health Information (“PHI”) pursuant to HIPAA, HITECH, and their implementing regulations (collectively, the “HIPAA Rules”).
Business Associate offers this Agreement through the Service on a standard click-wrap basis. Business Associate's assent is manifested by making this Agreement available through the Service for electronic acceptance, and no separate manual signature or countersignature by Business Associate is required.
RECITALS
WHEREAS, PracticeRunner LLC (“Business Associate”) provides technology, software, and administrative support services to healthcare providers and other covered entities (the “Service”), and in the course of providing such services may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of such healthcare providers or covered entities; and
WHEREAS, the healthcare provider or legal entity subscribing to the PracticeRunner Service (“Covered Entity”) is a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations (collectively, the “HIPAA Rules”); and
WHEREAS, Covered Entity desires to engage Business Associate to provide the Service, and Business Associate may create, receive, maintain, or transmit PHI in connection with the provision of the Service; and
WHEREAS, the Parties seek to comply with the HIPAA Rules and establish the terms and conditions under which PHI may be used, disclosed, and safeguarded by Business Associate; and
WHEREAS, this Agreement supplements and is incorporated into the PracticeRunner Terms of Service and sets forth the rights, obligations, and responsibilities of the Parties with respect to PHI;
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1. SCOPE AND STRUCTURE
1.1 Definitions of Entities:
a. An “Organization” within the Service represents a single legal entity that has created a subscription or account to use the PracticeRunner Service. Where applicable, an Organization may correspond to a single HIPAA Covered Entity.
b. Role-based access controls within an Organization allow the Covered Entity to assign internal permissions to workforce members, contractors, or affiliates. Such role-based access controls are administrative tools only and do not create separate legal entities or alter legal responsibility for PHI.
c. The Covered Entity is the legal entity identified in the applicable account registration, order form, or subscription that creates, receives, maintains, or transmits PHI through the Service. The Covered Entity is solely responsible for determining the scope of PHI uploaded, shared, or otherwise handled within its Organization account.
d. For purposes of this Agreement, all references to PHI, ePHI, or any protected health data pertain to information created, received, maintained, or transmitted by the Covered Entity through the Service, regardless of whether such information is stored temporarily, in backups, or in any automated processing environment.
1.2 Covered Entity Representations:
a. Covered Entity represents and warrants that it is a Covered Entity as defined under HIPAA, and that it has the legal authority to provide, authorize, and manage access to PHI in accordance with applicable privacy and security requirements.
b. Covered Entity confirms that it exercises full legal control over the PHI maintained within its Organization account and is responsible for ensuring that all workforce members comply with the HIPAA Rules and any other applicable federal or state privacy laws.
c. Covered Entity acknowledges that any restrictions or limitations imposed in its Notice of Privacy Practices, account settings, or internal policies must be communicated to Business Associate to ensure compliance with HIPAA and the terms of this Agreement.
1.3 Effective Date:
a. This Agreement shall become effective upon the earlier of:
i) The date Covered Entity creates an account that enables PHI processing through the Service; or
ii) The date Covered Entity first uploads, creates, receives, maintains, or transmits PHI through the Service.
b. This Agreement applies retroactively to all PHI processed by Business Associate on behalf of Covered Entity from the first date PHI was uploaded, created, or otherwise handled within the Service.
c. Any PHI that was processed prior to formal electronic acceptance of this Agreement is deemed subject to this Agreement upon its effective date.
d. The Parties acknowledge that the effective date establishes the start of Business Associate’s obligations with respect to PHI safeguards, breach notification, and other HIPAA compliance requirements described in this Agreement.
1.4 Applicability Across Entities and Locations:
a. The terms of this Agreement apply uniformly to all entities, subsidiaries, or branches of Covered Entity using the Service under the same Organization account.
b. Covered Entity shall ensure that all PHI originating from any affiliated entity or site is subject to the same protections and obligations outlined in this Agreement.
c. Any use of the Service across multiple locations, departments, or business units does not create separate agreements or obligations; all such use is governed by this single Agreement.
2. DEFINITIONS
2.1 General Rule: Capitalized terms not otherwise defined in this Agreement shall have the meanings set forth in the HIPAA Rules at 45 CFR Parts 160 and 164.
2.2 Specific Terms. For purposes of this Agreement, the following terms shall have the meanings set forth below unless the context clearly indicates otherwise:
a. Protected Health Information (“PHI”) – Individually identifiable health information transmitted or maintained in any form or medium that is created, received, maintained, or transmitted by the Covered Entity or Business Associate, including but not limited to electronic, paper, or oral formats, as defined in 45 CFR §160.103.
b. Electronic Protected Health Information (“ePHI”) – PHI that is transmitted or maintained in electronic media, including but not limited to information stored in databases, cloud services, or other digital storage, as defined in 45 CFR §160.103.
c. Breach – The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA Rules that compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
d. Required by Law – A mandate contained in law that compels a use or disclosure of PHI, including but not limited to statutes, regulations, court orders, subpoenas, or other legal or administrative processes, as defined in 45 CFR §164.103.
e. Designated Record Set – A group of records maintained by or for a Covered Entity that is used, in whole or in part, to make decisions about Individuals, including medical and billing records, enrollment records, and other PHI, as defined in 45 CFR §164.501.
f. Security Incident – For purposes of this Agreement, a “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system containing Protected Health Information. Security Incidents do not include routine or unsuccessful attempts to access systems or data that do not result in unauthorized access to Protected Health Information. Such routine events may include, but are not limited to, pings, port scans, firewall blocks, unsuccessful login attempts, denial-of-service attempts, or similar automated system activity, provided that no unauthorized access, acquisition, or disclosure of Protected Health Information occurred.
g. Individual – The person who is the subject of PHI, as defined in 45 CFR §160.103.
h. Subcontractor – A person or entity, other than a workforce member of the Business Associate, who creates, receives, maintains, or transmits PHI on behalf of Business Associate, as defined in 45 CFR §160.103.
2.3 Interpretation. Terms used in this Agreement shall be interpreted in a manner consistent with HIPAA and HITECH, including their implementing regulations, as amended from time to time.
2.4 Scope of Definitions. Any ambiguity in the definition of a term shall be resolved in favor of broad protection of PHI and compliance with applicable law.
3. PERMITTED USES AND DISCLOSURES
3.1 General Use of PHI: Business Associate shall not use or disclose PHI except as permitted or required by this Agreement or as Required by Law. All uses and disclosures of PHI shall be consistent with HIPAA, HITECH, and applicable federal or state privacy regulations. Business Associate may use and disclose PHI for the purposes of providing, maintaining, and supporting the Service, including troubleshooting, technical support, hosting, storage, and operational features required by Covered Entity. PHI may also be used for the proper management, administration, and internal operations of Business Associate, including audits, compliance monitoring, quality assurance, risk management, and business planning, provided such uses do not result in disclosure to unauthorized third parties. In addition, PHI may be used to carry out Business Associate’s legal responsibilities, including responding to subpoenas, court orders, or other legally mandated processes, in a manner consistent with HIPAA’s minimum necessary standards. Business Associate may also perform data aggregation services permitted under 45 CFR §164.504(e) to analyze healthcare operations, outcomes, or trends, as well as create de-identified information in accordance with 45 CFR §164.514, ensuring that such information cannot reasonably identify any Individual. All uses and disclosures under this section must implement administrative, technical, and physical safeguards consistent with HIPAA requirements.
3.2 Automated and AI-Assisted Processing: Business Associate may employ automated processing technologies, including artificial intelligence, machine learning, or other machine-assisted tools, solely to provide features of the Service requested, configured, or enabled by Covered Entity. Such automated processing shall operate within HIPAA-eligible environments and be subject to administrative, technical, and physical safeguards, including audit logging, user authentication, and incident response procedures. Automated tools may only be used for purposes of providing the Service, supporting Covered Entity workflows, or performing operational and analytic functions expressly authorized by Covered Entity. PHI shall not be exposed or disclosed to any entity or model beyond what is necessary to deliver the Service. Business Associate shall maintain traceability, documentation, and logging of all automated processing activities involving PHI and ensure that PHI is not used to train or improve generalized machine learning models unrelated to the Covered Entity’s Service.
3.3 Restrictions on PHI Use: Business Associate shall not sell, trade, or barter PHI, nor shall it use PHI for marketing, advertising, or solicitation purposes without express written authorization from Covered Entity. PHI shall not be used to train, fine-tune, or improve generalized machine learning models unrelated to providing the Service. Business Associate shall ensure that any subcontractors, service providers, or third-party vendors who may access PHI in connection with automated or AI-assisted processing comply with these same restrictions and conditions. Monitoring and auditing processes must be implemented to detect and prevent unauthorized uses or disclosures of PHI, including any misuse for purposes not permitted under this Agreement. Any known or suspected misuse of PHI, including violations related to AI or automated processing, shall be promptly reported to Covered Entity in accordance with Section 9 (Breach Notification and Security Incidents).
4. SAFEGUARDS
4.1 Implementation of Safeguards: Business Associate shall implement comprehensive administrative, physical, and technical safeguards designed to ensure the confidentiality, integrity, and availability of PHI. Administrative safeguards include policies, procedures, workforce training, and access controls to ensure only authorized personnel can access PHI. Physical safeguards include secure facilities, controlled access to hardware and storage media, and protection against environmental hazards or unauthorized physical access. Technical safeguards include encryption of PHI both in transit and at rest using industry-standard protocols, role-based access controls, unique user identification, and audit logging sufficient to record and examine access to PHI. Additionally, Business Associate shall maintain secure hosting environments, supported by written agreements with any hosting or infrastructure providers that require appropriate safeguards consistent with HIPAA requirements. These safeguards shall be designed to prevent unauthorized access, alteration, loss, or destruction of PHI.
4.2 Compliance with HIPAA Security Rule: Business Associate shall comply with all applicable provisions of the HIPAA Security Rule with respect to electronic PHI (ePHI). This includes implementing policies and procedures to protect ePHI from any reasonably anticipated threats or hazards, unauthorized uses or disclosures, and ensuring integrity and availability. Business Associate shall maintain documentation of its security measures and controls, demonstrate compliance through audits or internal reviews, and update safeguards as necessary to remain compliant with evolving HIPAA standards and guidance.
4.3 Periodic Risk Assessment: Business Associate shall conduct periodic risk assessments to identify vulnerabilities and risks to PHI, including those related to administrative processes, technical systems, and physical storage. Following each risk assessment, Business Associate shall implement corrective actions to mitigate identified risks, including patching software, updating policies and procedures, reconfiguring access controls, enhancing encryption protocols, and retraining workforce members. Risk assessments shall be conducted on a regular basis and after significant changes to systems, infrastructure, or business operations that could impact PHI security. Documentation of risk assessments and mitigation actions shall be maintained and made available to Covered Entity upon request for audit or compliance purposes.
5. SUBCONTRACTORS
5.1 Subcontractor Obligations: Business Associate shall ensure that any subcontractor, vendor, or service provider who creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to comply with the same restrictions, conditions, and obligations that apply to Business Associate under this Agreement. Such agreements shall require the subcontractor to implement administrative, physical, and technical safeguards consistent with HIPAA and this Agreement, including policies for data privacy, breach notification, access control, and secure handling of PHI. Business Associate shall maintain records of all subcontractor agreements and ensure that all subcontractors are trained and monitored to comply with these requirements.
5.2 Liability: Business Associate remains fully responsible and liable for any acts, omissions, or failures of its subcontractors that result in a violation of this Agreement or applicable HIPAA requirements. This liability includes, without limitation, any unauthorized use, disclosure, loss, or breach of PHI by a subcontractor. Business Associate shall promptly take corrective action if a subcontractor fails to comply with the obligations of this Agreement, including but not limited to suspension of access to PHI, remediation, and notification to Covered Entity as required under Section 9 (Breach Notification and Security Incidents). Notwithstanding the foregoing, and to the maximum extent permitted by applicable law, the total aggregate liability of Business Associate arising out of or relating to this Agreement, including any acts or omissions of its subcontractors, shall not exceed One Million Dollars ($1,000,000). This limitation applies to all claims collectively, whether arising in contract, tort, statute, or otherwise, except to the extent such limitation is prohibited by applicable law.
6. ACCESS, AMENDMENT, AND ACCOUNTING
6.1 Access to PHI: To the extent that Business Associate maintains PHI in a Designated Record Set, it shall provide Covered Entity with access to such PHI as necessary for Covered Entity to comply with 45 CFR §164.524. Business Associate shall make PHI available in the format requested by Covered Entity if it is readily producible, including electronic or paper form, and shall respond to access requests in a timely manner consistent with HIPAA requirements. Access shall include the right to inspect, copy, or obtain electronic copies of PHI for review, reporting, or other lawful purposes.
6.2 Amendment of PHI: Business Associate shall incorporate amendments to PHI as directed by Covered Entity pursuant to 45 CFR §164.526. Upon receiving notice from Covered Entity of any required amendment, Business Associate shall promptly update its records to reflect the amendment and ensure that all PHI maintained in its systems remains accurate, complete, and consistent. Business Associate shall also communicate such amendments to any subcontractors or agents who maintain PHI on its behalf, if applicable, to ensure the integrity of the amended data.
6.3 Accounting of Disclosures: Business Associate shall maintain a record of all disclosures of PHI, including the date, recipient, purpose, and any other information necessary to comply with 45 CFR §164.528. Upon request, Business Associate shall provide Covered Entity with the information required for an accounting of disclosures, including disclosures made by subcontractors or agents. Records of disclosures shall be retained for the minimum period required by HIPAA and made available to Covered Entity for inspection, audit, or reporting purposes.
6.4 Direct Access via Service: The Service provides Covered Entity with the ability to directly access, export, and manage PHI within its Organization account. Business Associate shall not engage in any practices that knowingly or unreasonably interfere with Covered Entity’s lawful access to its electronic health record data. This includes, but is not limited to, actions that block, delay, or corrupt data export, restrict user permissions beyond the role-based access controls authorized by Covered Entity, or otherwise limit the ability to review or retrieve PHI stored within the Service.
7. MINIMUM NECESSARY
7.1 Limitation of Use: Business Associate shall limit its uses and disclosures of PHI to the minimum necessary to accomplish the specific purpose for which the information was provided or created, in accordance with HIPAA and its implementing regulations. Business Associate shall ensure that all workforce members, subcontractors, and agents access, use, or disclose only the PHI required to perform their assigned duties or to provide the Service requested by Covered Entity. Any use or disclosure beyond the minimum necessary shall require express authorization from Covered Entity or be permitted by law.
7.2 Review of Access: Business Associate shall regularly review and audit user access privileges, role-based permissions, and system configurations to ensure compliance with the minimum necessary standard. Access reviews shall include verification that workforce members, subcontractors, and agents are granted only the level of access necessary to perform their authorized functions. Any unnecessary or excessive access shall be promptly revoked or modified. Documentation of these reviews and any corrective actions taken shall be maintained to demonstrate compliance with HIPAA requirements and made available to Covered Entity upon request.
8. OBLIGATIONS OF COVERED ENTITY
8.1 Notice of Limitations: Covered Entity shall promptly notify Business Associate of any limitations described in its Notice of Privacy Practices or other policies that affect Business Associate’s permitted use or disclosure of PHI. Such notification ensures that Business Associate operates within the parameters established by Covered Entity and maintains compliance with HIPAA requirements. Any changes or restrictions provided by Covered Entity shall be documented and incorporated into Business Associate’s internal procedures to prevent unauthorized access or disclosure.
8.2 Changes in Permissions: Covered Entity shall notify Business Associate of any changes, modifications, or revocation of permissions granted to Business Associate to use or disclose PHI. Business Associate shall implement such changes in a timely manner to ensure that all uses and disclosures of PHI remain compliant with HIPAA and the terms of this Agreement. Failure to provide timely notice may result in Business Associate continuing previously authorized actions, but Covered Entity retains responsibility for ensuring accurate instructions.
8.3 Compliance Requests: Covered Entity shall not request or require Business Associate to use or disclose PHI in any manner that would constitute a violation of HIPAA, HITECH, or applicable federal or state privacy laws. Any request from Covered Entity that would conflict with HIPAA requirements must be rejected by Business Associate until the request is amended to comply with applicable regulations.
8.4 Workforce Responsibility: Covered Entity represents and warrants that all individuals granted access to the Service under its Organization account, including employees, contractors, associates, trainees, and other workforce members, act under the authority of Covered Entity. Covered Entity is solely responsible for ensuring that its workforce complies with applicable privacy and security requirements, including those required under HIPAA. Business Associate has no obligation to enter into separate business associate agreements with individual workforce members and shall rely on Covered Entity to enforce compliance within its own workforce.
9. BREACH NOTIFICATION AND SECURITY INCIDENTS
9.1 Breach Notification: Business Associate shall promptly notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event later than fifteen (15) business days after discovery of the Breach. Such notification shall, to the extent available, include: identification of the affected Individuals; a detailed description of the nature and scope of the Breach; the types of PHI involved; steps that have been taken or are planned to mitigate potential harm; and contact information for Covered Entity to follow up for additional details or inquiries. Notifications shall be provided in a manner that allows Covered Entity to meet its obligations under HIPAA, HITECH, and applicable state privacy laws.
9.2 Security Incidents: Business Associate shall report any Security Incidents of which it becomes aware, including unauthorized access, use, disclosure, modification, or destruction of PHI, or interference with system operations affecting ePHI. For unsuccessful Security Incidents, such as routine port scans, failed login attempts, or other unsuccessful intrusion attempts, this provision constitutes standing notice, and no additional reporting is required unless the incident escalates to a successful breach. Covered Entity remains responsible for any notifications to Individuals, regulatory authorities, or the Secretary of Health and Human Services, as required under applicable law.
9.3 Corrective Action Plan: Following any Breach or Security Incident, Business Associate shall implement a corrective action plan designed to prevent recurrence and mitigate potential future risks. This plan shall include, where applicable, remediation of system vulnerabilities, modification of administrative or technical procedures, retraining of workforce members, and updates to security controls. Documentation of the corrective action plan, actions taken, and any subsequent monitoring shall be maintained and made available to Covered Entity upon request.
10. TERM AND TERMINATION
10.1 Term: This Agreement shall remain in effect for as long as Business Associate creates, receives, maintains, or transmits PHI on behalf of Covered Entity. The obligations of Business Associate under this Agreement, including the implementation of safeguards and compliance with HIPAA, shall continue throughout the term, irrespective of any changes to the Terms of Service or other agreements between the Parties.
10.2 Termination of Service: Upon termination of the Service for any reason, Covered Entity shall have thirty (30) days to access, export, and retrieve all PHI maintained within the Service. After the expiration of this period, Business Associate shall, at the direction of Covered Entity, either return all PHI to Covered Entity or securely destroy such PHI in a manner consistent with industry best practices and HIPAA requirements, unless return or destruction is infeasible as described below.
10.3 Termination for Cause: Covered Entity may immediately terminate this Agreement or the Service if Business Associate breaches any material term of this Agreement, violates HIPAA or applicable privacy laws, or otherwise fails to comply with its obligations. Upon termination for cause, Business Associate shall return or destroy all PHI in accordance with Section 10 and implement any required safeguards for remaining PHI.
10.4 Infeasibility of Return or Destruction: If return or destruction of PHI is infeasible, such as when PHI exists in secure backup systems or must be retained to comply with legal, regulatory, or contractual obligations, Business Associate shall continue to extend the protections of this Agreement to such PHI. Business Associate shall limit further uses and disclosures of the PHI solely to those purposes that make return or destruction infeasible and shall maintain all administrative, technical, and physical safeguards required under this Agreement.
10.5 Survival of Obligations: Notwithstanding termination of the Service or this Agreement, all obligations relating to the confidentiality, integrity, and security of PHI, including restrictions on use and disclosure, safeguards, breach notification, and reporting obligations, shall survive and continue in effect for as long as Business Associate maintains any PHI on behalf of Covered Entity.
11. AUDIT RIGHTS
11.1 Right to Audit: Covered Entity shall have the right, upon providing reasonable notice, to audit Business Associate’s policies, procedures, and practices relating to the creation, receipt, maintenance, or transmission of PHI. Such audits are intended to verify that Business Associate is complying with the terms of this Agreement and with applicable HIPAA Rules. Audits may include, but are not limited to, reviewing security measures, administrative processes, training records, access logs, and subcontractor agreements to ensure that all safeguards and compliance obligations are properly implemented and maintained.
11.2 Access to Records and Personnel: Business Associate shall provide Covered Entity with reasonable access to all records, systems, documentation, and personnel necessary to conduct an audit, including access to relevant subcontractors or agents who perform functions related to PHI. Business Associate shall make reasonable efforts to accommodate Covered Entity’s audit schedule and provide copies or summaries of requested information, while protecting the confidentiality of other Covered Entity clients or proprietary Business Associate systems. Audits shall be conducted in a manner that minimizes disruption to Business Associate’s operations. To the extent required by applicable law, Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.
11.3 Audit Rights Limitation: Any audit or inspection requested by the Covered Entity shall be subject to reasonable limitations designed to protect security and confidentiality. Prior to requesting an audit, the Covered Entity agrees to review Business Associate’s available security documentation, which may include SOC-2 reports, security summaries, or similar compliance materials where available. If additional verification is reasonably required, the Covered Entity may request an audit no more than once per calendar year. Any such audit shall be conducted during normal business hours, subject to reasonable advance notice, and at the Covered Entity’s sole expense. Audits may not unreasonably interfere with Business Associate’s operations or compromise the security of other customers.
12. DATA BREACH INSURANCE
Business Associate shall maintain appropriate insurance coverage, including cyber liability or data breach insurance, sufficient to cover liabilities arising from unauthorized access, use, or disclosure of PHI. Such coverage shall include, but is not limited to, costs related to notification, mitigation, legal defense, and regulatory penalties. Business Associate shall provide proof of insurance to Covered Entity upon request and maintain coverage for the duration of this Agreement.
13. TRAINING AND AWARENESS
Business Associate shall ensure that all workforce members, subcontractors, and agents who create, receive, maintain, or transmit PHI receive periodic HIPAA privacy and security training. Training shall be conducted upon hire, at least annually thereafter, and whenever significant changes occur to policies, procedures, or systems affecting PHI. Business Associate shall maintain records of all training activities and provide such records to Covered Entity upon request.
14. DATA LOCATION AND STORAGE
Business Associate shall disclose the geographic location of systems and storage environments where PHI is maintained. Any transfer, storage, or processing of PHI outside the United States shall require the prior written consent of Covered Entity and must comply with applicable federal, state, and international privacy laws.
15. ENHANCED ENCRYPTION AND SECURITY STANDARDS
Business Associate shall implement encryption for PHI both at rest and in transit that meets or exceeds industry standards, including end-to-end encryption for transmission over public networks. Any changes or upgrades to encryption or security standards shall be communicated to Covered Entity in advance.
16. SUBPOENA OR LEGAL PROCESS NOTIFICATION
Business Associate shall promptly notify Covered Entity of any subpoena, court order, or other legal process requesting access to PHI, unless prohibited by law. Business Associate shall cooperate reasonably with Covered Entity in responding to such legal requests and shall provide relevant information necessary to comply with applicable privacy obligations.
17. BUSINESS CONTINUITY AND DISASTER RECOVERY
Business Associate shall maintain and periodically test a business continuity and disaster recovery plan to ensure the availability, integrity, and security of PHI in the event of system failures, natural disasters, or other emergencies. The plan shall include procedures for backup, restoration, and recovery of PHI and shall be made available to Covered Entity upon request.
18. THIRD-PARTY TRANSFERS
Business Associate shall not transfer, sell, or disclose PHI to third parties that are not directly involved in providing the Service, except as permitted by this Agreement or as required by law. Any proposed transfer to a third party not previously authorized by Covered Entity shall require prior written approval.
19. COMPLIANCE WITH STATE PRIVACY LAWS
In addition to HIPAA and HITECH, Business Associate shall comply with all applicable state privacy and security laws governing PHI, including, but not limited to, breach notification requirements and patient rights related to access, amendment, and disclosure of PHI.
20. INDEMNIFICATION
Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any claims, damages, fines, penalties, or costs arising from Business Associate’s breach of this Agreement or violations of HIPAA, HITECH, or applicable privacy laws. This includes reasonable attorneys’ fees, investigation costs, and any regulatory penalties assessed due to Business Associate’s actions or omissions.
21. MISCELLANEOUS
21.1 Governing Law and Arbitration: This Business Associate Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict-of-law principles, except to the extent that federal law governing the protection of health information preempts state law. Any dispute, controversy, or claim arising out of or relating to this Agreement, including its breach, termination, or validity, shall be resolved exclusively through binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules, except as otherwise required by law. The arbitration shall be conducted by a single arbitrator in a mutually agreed-upon location within the state governing this Agreement, or remotely if agreed by the Parties. The arbitrator’s decision shall be final and binding, and judgment upon the award rendered by the arbitrator may be entered in any court of competent jurisdiction. Each Party shall bear its own costs and attorneys’ fees, unless the arbitrator determines that a different allocation is appropriate.
21.2 Severability: If any provision of this Agreement is determined to be invalid, illegal, or unenforceable, such determination shall not affect the validity, legality, or enforceability of the remaining provisions. The Parties shall negotiate in good faith to replace any invalid or unenforceable provision with a valid provision that reflects the original intent as closely as possible.
21.3 Waiver: The failure of either Party to enforce any right or provision of this Agreement shall not constitute a waiver of that right or provision, nor prevent subsequent enforcement. Any waiver must be in writing and signed by the Party granting the waiver.
21.4 Assignment: Neither Party may assign or transfer its rights or obligations under this Agreement without the prior written consent of the other Party, except that Business Associate may assign this Agreement to a successor entity in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the successor entity assumes all obligations under this Agreement.
21.5 No Third-Party Beneficiaries: This Agreement is for the sole benefit of the Parties and their respective successors and permitted assigns. Nothing in this Agreement, express or implied, is intended to confer any rights or remedies upon any person other than the Parties.
21.9 Survival: The provisions of this Agreement that, by their nature, should survive termination or expiration, including obligations regarding PHI, breach notification, safeguards, and confidentiality, shall survive any termination or expiration of this Agreement.
21.7 Force Majeure: Neither Party shall be liable for any delay or failure to perform its obligations under this Agreement due to causes beyond its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, labor disputes, or governmental actions.
21.8 Amendments: Business Associate may modify this BAA from time to time to reflect changes in applicable law, security practices, or the services provided. Business Associate will provide at least thirty (30) days’ advance notice of any material changes through electronic means, including email notification or in-platform notice. Continued use of the Service after the effective date of the revised BAA constitutes acceptance of the updated terms.
21.9 Notices: Unless otherwise required by law, notices under this Agreement may be provided electronically, including through the Service or via the email address associated with the Organization account. Covered Entity is responsible for maintaining accurate and current contact information.
21.10 Priority: In the event of any conflict between this Agreement and the Terms of Service regarding PHI, the terms of this Agreement shall control.
21.11 Entire Agreement: This Agreement, together with the PracticeRunner Terms of Service and any incorporated documents, constitutes the entire agreement between the Parties with respect to the subject matter herein and supersedes all prior agreements or understandings, whether written or oral, relating to such subject matter.
21.12 Electronic Acceptance and Updates: This Agreement is offered by Business Associate on a standard, non-negotiated basis through the PracticeRunner platform and may be accepted electronically by Covered Entity, including by clicking an “Accept,” “Agree,” or similar confirmation button within the PracticeRunner dashboard, during account registration, or while enabling PHI-related features. Business Associate’s assent is manifested by making this Agreement available through the Service for electronic acceptance, and no separate manual signature or countersignature by Business Associate is required. Covered Entity’s electronic acceptance of this BAA creates a binding agreement between the Parties with the same legal force and effect as a handwritten signature. Business Associate may modify this BAA from time to time as provided in Section 21.8, and Covered Entity’s continued use of the Service after the effective date of a revised BAA constitutes acceptance of the updated terms.
21.13 Headings: The section and paragraph headings in this Agreement are for convenience only and shall not affect the interpretation of this Agreement.
This Agreement becomes binding as of the Effective Date upon Covered Entity’s electronic acceptance through the Service, and no separate signature block or countersignature is required.