BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA") is entered into between WeGotDocs LLC ("Business Associate") and the undersigned Client ("Covered Entity"). This BAA is incorporated into the MSA. In any conflict regarding PHI, this BAA governs.
SECTION 1 – DEFINITIONS
Capitalized terms not defined herein have the meanings in HIPAA (45 C.F.R. Parts 160 and 164) or the MSA, including: Breach (§ 164.402); Designated Record Set (§ 164.501); ePHI (§ 160.103); Required by Law (§ 164.103); Security Incident (§ 164.304); Subcontractor; and Unsecured PHI (§ 164.402).
SECTION 2 – NATURE AND SCOPE OF PHI
WeGotDocs operates a scheduling and appointment-notification platform. WeGotDocs does NOT integrate with any EMR. PHI handled is limited to: Patient name, contact information, requested appointment details, reason for visit if volunteered by the Patient, and the fact that a Patient sought an appointment with Covered Entity. WeGotDocs does not receive clinical records, diagnoses, treatment notes, or lab results. The parties acknowledge that even this limited data set constitutes PHI and both parties have HIPAA obligations.
SECTION 3 – OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Permitted Uses and Disclosures
Business Associate may use or disclose PHI only: to perform the Services; as Required by Law; for its proper management and administration (with required assurances from recipients); for Data Aggregation services; and to report violations of law per 45 C.F.R. § 164.502(j)(1).
3.2 Prohibited Uses
Business Associate shall not: use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity; use PHI for marketing without required authorizations; sell PHI; use PHI in connection with Review Content moderation beyond confirming booking history for review-eligibility purposes; or build patient databases beyond what the Services require.
3.3 Minimum Necessary
Business Associate shall apply minimum-necessary standards per 45 C.F.R. § 164.502(b) to all uses, disclosures, and requests.
3.4 Safeguards and Security Program
Business Associate shall maintain a written information security program compliant with the HIPAA Security Rule, including:
- Administrative safeguards: designated Security Officer and Privacy Officer; annual written risk analysis and risk management plan; workforce HIPAA training at hire and annually; sanctions policy; access management procedures.
- Technical safeguards: encryption of ePHI in transit (TLS 1.2+) and at rest (AES-256 or equivalent); unique user IDs; role-based access controls; automatic session timeouts; audit logging of PHI access; multi-factor authentication for administrative access.
- Physical safeguards: hosting in SOC 2-audited data centers; workstation and device security policies.
- A written Incident Response Plan addressing detection, containment, eradication, investigation, notification, and post-incident review, tested at least annually.
- Business continuity and data backup procedures, including a disaster recovery plan.
3.5 Subcontractors
Business Associate shall execute written agreements with all Subcontractors handling PHI imposing restrictions no less protective than this BAA, prior to any disclosure. Upon written request no more than once annually, Business Associate will provide Covered Entity a list of Subcontractor categories with access to PHI.
3.6 Reporting — Security Incidents and Breaches
Business Associate shall report: (a) any non-permitted use or disclosure or any Security Incident without unreasonable delay and no later than fifteen (15) calendar days after discovery; and (b) any Breach of Unsecured PHI per 45 C.F.R. § 164.410 without unreasonable delay and no later than thirty (30) calendar days after discovery, including (to the extent available) affected individuals, description, PHI types involved, mitigation steps, and protective steps for individuals, with prompt supplements as information develops. The parties acknowledge that unsuccessful, routine attempted attacks (pings, port scans, blocked malware) are reported via this provision in the aggregate and no further notice is required for them. Business Associate shall bear the reasonable, documented costs of breach notification and credit monitoring to the extent the Breach was caused by Business Associate's failure to meet its obligations under this BAA.
3.7 Access, Amendment, Accounting
To the extent Business Associate holds PHI in a Designated Record Set, it shall provide access within fifteen (15) days and incorporate amendments as directed (45 C.F.R. §§ 164.524, 164.526), and shall document and provide disclosure information for accountings within twenty (20) days (45 C.F.R. § 164.528).
3.8 HHS Access
Business Associate shall make its internal practices, books, and records relating to PHI available to the Secretary of HHS for compliance determinations.
3.9 Return or Destruction
Upon termination, at Covered Entity's election, Business Associate shall return or destroy all PHI (including backups) and certify destruction in writing within sixty (60) days. If return or destruction is infeasible, protections continue for retained PHI for as long as it is retained, and uses are limited to those purposes making return infeasible.
SECTION 4 – OBLIGATIONS OF COVERED ENTITY
Covered Entity shall: not request impermissible uses or disclosures; notify Business Associate of relevant limitations in its Notice of Privacy Practices, of restrictions agreed under 45 C.F.R. § 164.522, and of revocations of authorization; obtain any required patient authorizations; and apply minimum-necessary standards to its requests. Covered Entity is solely responsible for its own HIPAA compliance in responding to Patient reviews, communicating with Patients, and maintaining medical records.
SECTION 5 – TERM, TERMINATION, AND SURVIVAL
This BAA is effective with the MSA and survives until all PHI is returned or destroyed. Either party may terminate this BAA and the MSA if the other materially breaches this BAA and fails to cure within thirty (30) days of notice; if cure is infeasible, the non-breaching party may terminate immediately. Obligations regarding retained PHI survive termination.
SECTION 6 – MISCELLANEOUS
Regulatory references include amendments. The parties will negotiate in good faith amendments required by changes to HIPAA. No third-party beneficiaries, including Patients. Each party shall indemnify the other for fines, penalties, and losses (including reasonable attorneys' fees) arising from its own breach of this BAA or violation of HIPAA. This BAA is construed to permit compliance with HIPAA.