Business Associate Agreement
45 CFR §164.504(e) — Effective upon electronic acceptance during onboarding
HIPAA BUSINESS ASSOCIATE AGREEMENT
Effective Date: The date of electronic acceptance during CaseLogs onboarding
Parties: ArqaOne LLC. ("Business Associate") and the organization whose authorized representative accepts this Agreement ("Covered Entity")
This Business Associate Agreement ("BAA" or "Agreement") is entered into between ArqaOne LLC., a Minnesota corporation ("Business Associate" or "BA"), and the Covered Entity whose authorized representative electronically signs this Agreement. This BAA is incorporated into and made a part of the CaseLogs Terms of Use.
RECITALS
WHEREAS, Business Associate provides a cloud-based case management software platform (the "Service") to Covered Entity pursuant to the CaseLogs Terms of Use (the "Service Agreement");
WHEREAS, in the course of providing the Service, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity;
WHEREAS, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the regulations promulgated thereunder (collectively, "HIPAA Rules") require that a Covered Entity obtain satisfactory assurances from its business associates that they will appropriately safeguard PHI;
NOW, THEREFORE, in consideration of the mutual obligations set forth herein and in the Service Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
─────────────────────────────────────────
ARTICLE 1 — DEFINITIONS
The following terms have the meanings set forth below. Terms not defined herein shall have the same meanings as those terms in the HIPAA Rules (45 CFR Parts 160 and 164), as amended from time to time.
1.1 "Breach" has the meaning set forth in 45 CFR §164.402.
1.2 "Business Associate" refers to ArqaOne LLC. in its capacity as defined in 45 CFR §160.103.
1.3 "Covered Entity" means the HCBS case management organization that has accepted this BAA.
1.4 "Data Aggregation" has the meaning set forth in 45 CFR §164.501.
1.5 "Designated Record Set" has the meaning set forth in 45 CFR §164.501.
1.6 "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted or maintained in electronic media, as defined in 45 CFR §160.103.
1.7 "HIPAA Rules" means the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule promulgated under HIPAA and HITECH, as amended.
1.8 "Individual" has the meaning set forth in 45 CFR §160.103 and includes a personal representative of the Individual.
1.9 "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
1.10 "Protected Health Information" or "PHI" has the meaning set forth in 45 CFR §160.103, limited to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
1.11 "Required by Law" has the meaning set forth in 45 CFR §164.103.
1.12 "Secretary" means the Secretary of the U.S. Department of Health and Human Services or the Secretary's designee.
1.13 "Security Incident" has the meaning set forth in 45 CFR §164.304.
1.14 "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
1.15 "Subcontractor" means a person who acts on behalf of Business Associate and who handles PHI, as defined in 45 CFR §160.103.
1.16 "Unsecured PHI" has the meaning set forth in 45 CFR §164.402.
─────────────────────────────────────────
ARTICLE 2 — OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Permitted Uses and Disclosures. Business Associate may use and disclose PHI only as follows:
(a) As necessary to provide the Service and perform its obligations under the Service Agreement, including storing client records, case notes, service agreements, documents, and audit logs entered by Covered Entity's authorized users;
(b) As required by law;
(c) For Business Associate's proper management and administration, or to carry out Business Associate's legal responsibilities, provided that any disclosure for such purposes is Required by Law, or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed;
(d) To provide Data Aggregation services to Covered Entity relating to the health care operations of Covered Entity, using only de-identified or aggregated data that does not identify any Individual or Covered Entity;
(e) To report violations of law to appropriate federal and state authorities as permitted by 45 CFR §164.502(j)(1).
2.2 Use and Disclosure Restrictions. Business Associate shall not:
(a) Use or disclose PHI other than as permitted or required by this BAA or as Required by Law;
(b) Use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted under Section 2.1(c) and (d);
(c) Sell PHI or use PHI for marketing purposes without written authorization from Covered Entity;
(d) Use or disclose PHI for fundraising purposes.
2.3 Appropriate Safeguards. Business Associate shall implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided for by this BAA, in accordance with 45 CFR §164.308, §164.310, and §164.312. Current safeguards include, without limitation:
(a) TLS 1.2 or higher encryption for all ePHI in transit;
(b) AES-256 encryption for all ePHI stored in AWS S3;
(c) Role-based access controls limiting PHI access to authorized users;
(d) Comprehensive HIPAA-grade audit logging of all PHI access and modification;
(e) Unique user authentication via Google Workspace OAuth;
(f) Logical multi-tenant data isolation preventing cross-organization access.
2.4 Reporting Obligations.
(a) Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware within ten (10) business days of discovery.
(b) Breaches of Unsecured PHI. Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than thirty (30) calendar days after discovery, in accordance with 45 CFR §164.410. Notification shall include, to the extent possible, the identification of each Individual whose Unsecured PHI was or is reasonably believed to have been Breached, a brief description of the Breach, the type of PHI involved, and steps taken to mitigate harm.
(c) Unauthorized Disclosures. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware within ten (10) business days.
2.5 Subcontractors. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA, by entering into a written agreement that meets the requirements of 45 CFR §164.504(e)(2). As of the effective date, Business Associate's relevant subcontractors processing PHI include Amazon Web Services (document storage). Business Associate shall maintain and, upon request, provide Covered Entity with a list of subcontractors processing PHI.
2.6 Access to PHI. Business Associate shall make available PHI in a Designated Record Set to Covered Entity within thirty (30) days of a request, to the extent necessary for Covered Entity to fulfill its obligations under 45 CFR §164.524 to provide Individuals access to their PHI.
2.7 Amendment of PHI. Within thirty (30) days of a request by Covered Entity, Business Associate shall make available PHI in a Designated Record Set for amendment and shall incorporate any amendments to PHI in accordance with 45 CFR §164.526.
2.8 Accounting of Disclosures. Business Associate shall maintain and make available to Covered Entity, upon request and within thirty (30) days, information required for an accounting of disclosures of PHI in accordance with 45 CFR §164.528, including the date, nature, and recipient of each disclosure. Business Associate's audit log feature is designed to support this obligation.
2.9 Access to Books and Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules, in accordance with 45 CFR §164.504(e)(2)(ii)(I).
2.10 Minimum Necessary. Business Associate shall use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose, in accordance with the HIPAA minimum necessary standard.
─────────────────────────────────────────
ARTICLE 3 — OBLIGATIONS OF COVERED ENTITY
3.1 Covered Entity shall:
(a) Notify Business Associate of any limitation in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI;
(b) Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent such restriction may affect Business Associate's use or disclosure;
(c) Not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as provided in Section 2.1(c) and (d);
(d) Obtain and maintain any authorization, consent, or other permission required under HIPAA or other applicable law prior to entering PHI into the Service;
(e) Ensure that individuals with access to the Service are trained on applicable HIPAA policies and the proper use of the platform;
(f) Promptly notify Business Associate in writing of any changes to its HIPAA obligations or authorizations that may affect Business Associate's use or disclosure of PHI.
─────────────────────────────────────────
ARTICLE 4 — TERM AND TERMINATION
4.1 Term. This BAA is effective as of the date Covered Entity's authorized representative electronically accepts it during the CaseLogs onboarding process and shall remain in effect until terminated as provided herein or until the Service Agreement is terminated, whichever occurs first.
4.2 Termination for Cause. Either party may terminate this BAA and the Service Agreement immediately upon written notice if the other party has materially breached a provision of this BAA and, if the breach is capable of cure, has failed to cure the breach within thirty (30) days of receiving written notice of the breach.
4.3 Automatic Termination. This BAA shall automatically terminate upon the termination or expiration of the Service Agreement.
4.4 Effect of Termination — Return or Destruction of PHI.
(a) Upon termination of this BAA for any reason, Business Associate shall, at the direction of Covered Entity, return or destroy all PHI received from or created on behalf of Covered Entity to the extent feasible. Business Associate shall not retain copies of PHI following return or destruction, except as required below.
(b) If return or destruction of PHI is not feasible, Business Associate shall continue to apply the protections of this BAA to any retained PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for as long as PHI is retained.
(c) Business Associate shall complete any return or destruction within sixty (60) days of termination and shall certify in writing to Covered Entity that all PHI has been returned or destroyed, or explain why destruction is infeasible.
4.5 Survival. The obligations of Business Associate under Section 4.4 and Article 1 shall survive the termination of this BAA.
─────────────────────────────────────────
ARTICLE 5 — GENERAL PROVISIONS
5.1 Regulatory References. Any reference in this BAA to a section of the HIPAA Rules means the section as in effect or as amended, and includes all guidance issued thereunder.
5.2 Amendment. The parties agree to amend this BAA to the extent necessary to comply with changes in the HIPAA Rules. CaseLogs may amend this BAA upon sixty (60) days' written notice. Continued use of the Service after the effective date of any amendment constitutes acceptance.
5.3 Interpretation. Any ambiguity in this BAA shall be resolved to permit Covered Entity and Business Associate to comply with the HIPAA Rules.
5.4 No Third-Party Beneficiaries. Nothing in this BAA is intended to confer any right or remedy upon any person other than the parties. This BAA does not create any rights in Individuals whose PHI is handled under this BAA.
5.5 Governing Law. This BAA is governed by the laws of the State of Minnesota, without regard to conflict-of-law principles, except to the extent superseded by applicable federal law including HIPAA and HITECH.
5.6 Entire Agreement. This BAA, together with the Service Agreement and Privacy Policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior representations, agreements, negotiations, or understandings, whether written or oral, relating to the same.
5.7 Counterparts / Electronic Signature. Electronic acceptance of this BAA during the CaseLogs onboarding process constitutes a valid and binding signature under the Electronic Signatures in Global and National Commerce Act (E-SIGN) and the Minnesota Uniform Electronic Transactions Act (Minn. Stat. §325L). CaseLogs will record the time, user identity, and organization name associated with acceptance and will maintain this record for the duration required by HIPAA.
5.8 Severability. If any provision of this BAA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
─────────────────────────────────────────
ELECTRONIC ACCEPTANCE
By typing your organization name in the confirmation field below and clicking "Sign & Continue," the authorized representative of your organization certifies that:
(i) You have read and understand this Business Associate Agreement in its entirety;
(ii) You have the authority to execute this Agreement on behalf of your organization as its Covered Entity;
(iii) Your organization agrees to be bound by the terms of this Agreement;
(iv) You acknowledge that this electronic acceptance constitutes a legally binding signature.
CaseLogs will record your name, organization name, timestamp, and IP address as evidence of execution and will maintain this record in accordance with HIPAA documentation requirements.
─────────────────────────────────────────
Contact: legal@caselogs.io