Business Associate Agreement
This BAA is executed between HealthXfer, Inc. and the Covered Entity (your organization).
Effective: April 2026
Note: This is a template BAA for informational purposes. Contact legal@healthxfer.com to execute a signed BAA for your organization.
1. Definitions
The following terms are used as defined in 45 CFR §160.103 and the HIPAA Rules:
- Covered Entity — A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form, as defined under 45 CFR §160.103.
- Business Associate — HealthXfer, Inc., which performs services for or on behalf of the Covered Entity that involve the creation, receipt, maintenance, or transmission of protected health information.
- PHI (Protected Health Information) — Individually identifiable health information transmitted or maintained in any form or medium by a Covered Entity or its Business Associate, as defined under 45 CFR §160.103.
- Electronic PHI (ePHI) — PHI that is created, received, maintained, or transmitted in electronic form, subject to the Security Rule under 45 CFR Part 164, Subparts A and C.
2. Obligations of Business Associate
HealthXfer, Inc. agrees to:
- Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
- Implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C).
- Report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 CFR §164.410, within 60 days of discovery of such breach.
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of HealthXfer agree to the same restrictions and conditions that apply to HealthXfer with respect to such information.
- Make PHI available to facilitate the Covered Entity's compliance with patient access rights under 45 CFR §164.524.
- Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining compliance with the HIPAA Rules.
- At termination of this Agreement, return or destroy all PHI received from or created on behalf of the Covered Entity, if feasible, and retain no copies; or if return or destruction is not feasible, extend the protections of this Agreement to the PHI and limit further uses and disclosures.
3. Permitted Uses and Disclosures
HealthXfer may use or disclose PHI only:
- As necessary to perform the services described in the underlying service agreement between HealthXfer and the Covered Entity, including facilitating healthcare record exchange, routing requests to fulfilling departments, and writing audit events to the Covered Entity's EHR.
- As required by law, including responding to lawful requests from government authorities.
- For the proper management and administration of HealthXfer's business, or to carry out its legal responsibilities, provided that disclosures are required by law or HealthXfer obtains reasonable assurances that the recipient will keep the information confidential.
HealthXfer will not use or disclose PHI for any other purpose without prior written authorization from the Covered Entity.
4. Term and Termination
This Agreement is effective upon execution of the underlying service agreement between the parties and shall remain in effect for the duration of that agreement.
Either party may terminate this Agreement upon 30 days' written notice to the other party. Either party may terminate immediately if the other party materially breaches a provision of this Agreement and fails to cure such breach within 30 days of written notice.
Upon termination for any reason, HealthXfer shall return to the Covered Entity or securely destroy all PHI received from or created on behalf of the Covered Entity that HealthXfer still maintains in any form, and shall retain no copies of such PHI.
5. Miscellaneous
This Agreement shall be construed in accordance with and governed by applicable federal HIPAA regulations (45 CFR Parts 160 and 164) and applicable state law.
This Agreement supersedes and replaces any prior business associate agreements entered into between the parties. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HIPAA Rules.
If any provision of this Agreement is found to be unenforceable, the remaining provisions shall remain in full force and effect.
6. Contact
For BAA execution, questions about this Agreement, or data privacy inquiries, contact: legal@healthxfer.com