Business Associate Agreement for Provider Enrollment (Version 2025)
This Business Associate Agreement (“BAA”) is between The Stellar Health Group, Inc. (“Business Associate”), and Provider (“Provider”). This BAA is posted for reference purposes only and does not constitute an offer to contract. This BAA becomes binding and effective only when explicitly incorporated by reference into a separate written agreement signed by both Business Associate and Provider, and the effective date of this BAA shall be the effective date of such incorporating agreement.
Background
The purpose of this BAA is to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91) (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII, of the American Recovery and Reinvestment Act of 2009 (Public Law 111-005) (“HITECH Act”), and related regulations, 45 C.F.R. Parts 160 and 164, Subparts A, C and E (Subpart E, together with the definitions in Subpart A, is known as the “Standards for Privacy of Individually Identifiable Health Information” (“Privacy Rule”), and Subpart C, together with the definitions in Subpart A, is known as the “Security Standards for the Protection of Electronic Protected Health Information” (“Security Rule”)) (the Privacy Rule and the Security Rule are collectively called the “Privacy and Security Rules”). Compliance with the Privacy and Security Rules includes, but is not limited to, the business associate agreement requirements at 45 C.F.R. §§ 164.314(a) and 164.504(e), as promulgated under HIPAA and the HITECH Act and its implementing regulations and guidance (collectively, “HITECH”).
Provider and Business Associate therefore agree as follows:
1. Scope of this BAA
a. Provider is a “covered entity” and Business Associate is a “business associate” as those terms are defined under the Privacy and Security Rules. This BAA applies to services provided by Business Associate to Provider, or any one or more of its Affiliates, under any services agreement agreed in writing by the parties (the “Services”). In connection with the Business Associate’s provision of the Services to the Provider, the Provider may disclose to the Business Associate “Protected Health Information” (“PHI”), including “Electronic Protected Health Information” (“ePHI”). Such disclosure results in the Business Associate creating, receiving, maintaining, or transmitting PHI, including ePHI, on behalf of the Provider.
b. The parties acknowledge that the Provider may disclose information to Business Associate in Business Associate’s capacity as the business associate of one or more health plans or other entities rather than in Business Associate’s capacity as a business associate of Provider. Such disclosures are not Services subject to this BAA. Business Associate is a business associate of Provider, and this BAA applies, only with respect to PHI that Business Associate obtains in providing Services on behalf of Provider.
c. The parties acknowledge that they shall comply with the Privacy and Security Rules regarding the use and disclosure of PHI and ePHI, pursuant to this BAA.
2. Definitions
Unless otherwise provided in this BAA, capitalized terms have the same meanings as set forth in the Privacy and Security Rules.
a. “Breach” has the same meaning as the term “breach” in 45 C.F.R. § 164.402.
b. “ePHI” means Electronic Protected Health Information as defined in 45 C.F.R. § 160.103.
c. “PHI” means Protected Health Information as defined in 45 C.F.R. § 160.103.
d. “Required by Law” has the same meaning as the term “required by law” in HIPAA.
e. “Security Incident” has the same meaning as the term “security incident” in 45 C.F.R. § 164.304. Notwithstanding anything to the contrary, “Security Incident” does not include inconsequential incidents that routinely occur, such as scans, “pings” or other unsuccessful attempts to penetrate computer networks or servers containing ePHI.
f. “Unsecured PHI” or “Unsecured Protected Health Information” has the same meaning as the term “unsecured protected health information” in 45 C.F.R. § 164.402, to the extent created, received, maintained or transmitted on behalf of Provider.
3. Scope of Information Uses and Disclosures by Business Associate and Provider
a. In General. Except as otherwise limited in this BAA or by law, Business Associate may use or disclose PHI provided to Business Associate by Provider as required by law or to perform functions, activities, or Services for or on behalf of Provider, provided that such uses or disclosures would not violate the Privacy Rule if done by Provider.
b. Use of PHI for Proper Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
c. Disclosure of PHI for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
d. Data Aggregation and De-identification. Business Associate may use or disclose PHI to provide Data Aggregation services to Provider as permitted by 45 CFR § 164.504(e)(2)(i)(B). Business Associate has the unrestricted right to create and use De-Identified Data for any purpose, in accordance with HIPAA and applicable Privacy and Security Laws. For purposes of this BAA, “De-Identified Data” means health information that meets the standard and implementation specifications for de-identification under 45 CFR § 164.514(a) and (b), and any successor or additional regulation if § 164.514 is modified, supplemented or amended.
e. Limitation on Use and Disclosure of PHI. Business Associate shall limit its use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, as required by 45 C.F.R. § 164.502(b) and § 164.514(d).
f. Reporting Violation of Law. Business Associate may use PHI to report a violation of law to appropriate Federal and/or State authorities, consistent with 45 CFR §164.502(j)(1).
4. Obligations of Business Associate
a. In General. Business Associate shall use or further disclose PHI only as permitted or required by this BAA or as Required by Law.
b. Safeguards. Business Associate shall use appropriate safeguards and comply, where applicable, with the HIPAA Security Rule, with respect to electronic PHI, to prevent use or disclosure of PHI other than as specifically authorized by this BAA.
c. Mitigation. Business Associate shall mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that violates the requirements of this BAA or applicable law.
d. Reporting. Business Associate shall report to Provider, within a reasonable timeframe, any use or disclosure of PHI not sanctioned by this BAA of which Business Associate becomes aware.
e. Subcontractors. Business Associate shall require subcontractors or agents to whom Business Associate provides PHI to agree, in writing, to comply with the Privacy and Security Rules to the same extent Business Associate is required to comply.
f. Inspection by Secretary. Business Associate shall make available to the Secretary of Health and Human Services Business Associate’s internal practices, books and records relating to the use and disclosure of PHI for purposes of determining Provider and Business Associate’s compliance with the Privacy and Security Rules and HITECH, subject to any applicable legal privileges.
g. Access to PHI. Business Associate shall provide to Provider, at Provider’s written request and in the time and manner it reasonably specifies, PHI necessary to respond to Individuals’ requests for access to PHI about them in accordance with 45 CFR §164.524, in the event that the PHI in Business Associate’s possession constitutes a Designated Record Set.
h. Amendment to PHI. Business Associate shall, upon receipt of notice from Provider, incorporate any amendments or corrections to the PHI in accordance with the Privacy Rule, 45 CFR §164.526, in the event that the PHI in Business Associate’s possession constitutes a Designated Record Set.
i. Accounting of PHI. Business Associate shall make available the information required to provide an accounting of disclosures in accordance with 45 CFR §164.528.
j. Notification of Security Incidents and Breach of Unsecured PHI. Business Associate shall, within a reasonable timeframe following discovery, notify Provider of any actual or suspected Security Incident or Breach of Unsecured Protected Health Information. The notice shall include: (i) the identification of each Individual whose PHI or Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during the Security Incident or Breach; (ii) a brief description of what happened, including the date of the Security Incident or Breach and the date of the discovery of the Security Incident or Breach; (iii) a description of the types of PHI or Unsecured PHI that were involved in the Security Incident or Breach; (iv) any preliminary steps taken to mitigate the damage; and (v) a description of any investigatory steps taken. In addition, Business Associate shall provide any additional information reasonably requested by Provider for purposes of investigating a Breach of Unsecured PHI. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate, or, by exercising reasonable diligence, would have been known to the Business Associate.
5. Obligations of Provider
a. Limitation in Notice of Privacy Practices. Provider shall notify Business Associate of any limitation in Provider’s Notice of Privacy Practices in accordance with the Privacy Rule, to the extent that the limitation may affect Business Associate’s use or disclosure of PHI.
b. Changes in Permission by Individual. Provider shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI to the extent that the change may affect Business Associate’s use or disclosure of PHI.
c. Restriction on Use/Disclosure of PHI. Provider shall notify Business Associate of any restriction on the use or disclosure of PHI that has been agreed to with an Individual and any restrictions on marketing or fundraising to the extent that the restriction may affect Business Associate’s use or disclosure of PHI.
d. Permitted by the Privacy Rule. Provider shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Provider, except to the extent Business Associate will use or disclose PHI for, and this BAA includes provisions for, Data Aggregation by, or management, administrative, and legal activities of, Business Associate.
6. Term and Termination. The term of this BAA shall commence as of the Effective Date and shall continue for the duration of the Term and thereafter for so long as Business Associate retains the Provider’s PHI. Upon termination or expiration of this BAA, Business Associate and Provider acknowledge that return or destruction of PHI may be infeasible. Accordingly, Business Associate shall extend the protections of this BAA to such PHI for so long as it is not destroyed, and limit further uses and disclosures of that PHI to those purposes that make the return or destruction not feasible, for as long as Business Associate or any subcontractor of Business Associate maintains that PHI. Reasons that return or destruction may be infeasible include, without limitation, supporting the performance of health care operations (e.g., care coordination) and informing future performance of Business Associate’s application. Upon the expiration of this period of infeasibility, if any, Business Associate shall destroy all PHI that it has retained.
7. Amendment. Provider and Business Associate agree to take any reasonable action as is necessary to amend this BAA from time to time as is necessary for Provider and Business Associate to comply with the requirements of the Privacy and Security Rules, and any modifications thereof, and any other implementing regulations or guidance.
8. Entire Agreement. This BAA represents the complete agreement between the parties on the subject of HIPAA compliance and business associate relationships. It replaces and supersedes any previous Business Associate Agreements between the parties. Both parties acknowledge that this document contains all terms and conditions agreed upon, and any earlier discussions, promises, or agreements on this subject not included here are no longer valid or binding. Changes to this BAA are only valid if made in writing and signed by authorized representatives of both parties.
9. Interpretation. Any ambiguity in this BAA shall be resolved to permit Provider to comply with the Privacy and Security Rules.
10. Survival. The obligations of Business Associate under Sections 5 and 7 of this BAA survive any termination of the Agreement.
11. Further Assurances. Each party agrees to promptly perform any further acts and execute, acknowledge, and deliver any documents which may be reasonably necessary to carry out the provisions of this BAA or effect its purpose.