Legal

Business Associate Agreement

HIPAA Business Associate Agreement for healthcare partners and covered entities working with Elderwise.

This Business Associate Agreement ("BAA") is entered into between Elderwise Pte. Ltd. ("Business Associate") and the healthcare organisation or covered entity ("Covered Entity") that executes this agreement. This BAA supplements and is made a part of the underlying services agreement between Business Associate and Covered Entity.

This BAA is required under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 CFR Parts 160 and 164.

Definitions

For purposes of this BAA, the following terms have the meanings ascribed to them:

  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR 160.103.
  • Electronic Protected Health Information (ePHI): PHI that is transmitted or maintained in electronic media, as defined in 45 CFR 160.103.
  • Business Associate: Elderwise Pte. Ltd., which creates, receives, maintains, or transmits PHI on behalf of the Covered Entity in connection with the Services.
  • Covered Entity: The healthcare provider, health plan, or healthcare clearinghouse that enters into this BAA with Business Associate.
  • Security Incident: The attempted or successful unauthorised access, use, disclosure, modification, or destruction of information or interference with system operations, as defined in 45 CFR 164.304.

Obligations of Business Associate

Business Associate agrees to the following obligations:

  • Safeguards: Implement appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as permitted by this BAA, including compliance with the HIPAA Security Rule (45 CFR Part 164, Subpart C).
  • Breach Notification: Report to Covered Entity any use or disclosure of PHI not permitted by this BAA, including any Breach of Unsecured PHI as defined in 45 CFR 164.402, without unreasonable delay and in no event later than sixty (60) days after discovery.
  • Subcontractors: Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this BAA.
  • Access: Make PHI available to Covered Entity or to individuals as required under 45 CFR 164.524, within thirty (30) days of a written request.
  • Accounting of Disclosures: Maintain and make available information required for Covered Entity to provide an accounting of disclosures in accordance with 45 CFR 164.528.
  • Government Access: Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for determining compliance.

Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as follows:

  • Services: As necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the underlying services agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.
  • Management and Administration: For the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that disclosures are required by law or Business Associate obtains reasonable assurances that the information will be held confidentially.
  • De-Identification: To de-identify PHI in accordance with 45 CFR 164.514(a)-(c), provided that the de-identification meets the requirements of the HIPAA Privacy Rule.
  • Data Aggregation: To provide data aggregation services relating to the healthcare operations of Covered Entity, as permitted by 45 CFR 164.504(e)(2)(i)(B).

Term and Termination

This BAA shall be effective as of the date both parties execute this agreement and shall remain in effect for the duration of the underlying services agreement, unless terminated earlier as provided herein.

Termination for Cause: Either party may terminate this BAA if it determines that the other party has violated a material term of this BAA. The non-breaching party shall provide written notice of the breach and allow thirty (30) days for the breaching party to cure the violation. If the breach is not cured, the non-breaching party may terminate this BAA.

Effect of Termination: Upon termination of this BAA, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for as long as Business Associate maintains such PHI.

Contact

To execute this BAA or for questions regarding HIPAA compliance and our business associate obligations, please contact our compliance team:

Elderwise Pte. Ltd.

Email: compliance@elderwise.ai

Web: Contact Form

Effective date: February 1, 2025. Last updated: February 1, 2025. This BAA template is provided for informational purposes. Execution of a BAA requires mutual agreement and signature by both parties.

Related Legal Documents

HIPAA Privacy Notice Privacy Policy Compliance Terms of Service
Try Elderwise Free

We use essential cookies to make our site work. With your consent, we may also use non-essential cookies to improve user experience and analyze website traffic. By clicking "Accept," you agree to our website's cookie use as described in our Cookie Policy.