BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (“BAA”) applies to the extent IGX Technologies LLC, dba Growth99 (“Growth99”) functions, activities, or services under the Growth 99 Services Agreement Terms and Conditions (the “Agreement”) by and between Growth99 and Customer (the “Covered Entity”) constitute activities of a “business associate” as such term is defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”) and governs Growth99’s processing of Protected Health Information (as defined under the HIPAA Rules, “PHI”) it may receive, create, maintain, use, or disclose in connection with the Agreement. Growth99 and Covered Entity may be referred to in this BAA individually as a “party” and collectively as the “parties.”

RECITALS

A. Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Growth99 when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.

B. Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.

C. A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule”) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.

NOW THEREFORE, in consideration of the parties’ continuing obligations under HIPAA and the regulations promulgated thereunder regarding privacy and security of PHI, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree to the provisions of this Agreement as follows:

AGREEMENT

1. GENERAL OBLIGATIONS.

1.1. Growth99 agrees not to use or disclose PHI, other than as permitted or required by this BAA or the Agreement, as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.

1.2. Growth99 agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA.

1.3. Growth99 agrees to mitigate, to the extent practicable, any harmful effect that is known to Growth99 as a result of a use or disclosure of PHI by Growth99 in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.

1.4. Growth99 agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware as soon as reasonably practicable, which period shall not exceed 30 calendar days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Growth99 to have been, accessed, acquired, or disclosed in connection with such Breach. Growth99 also shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Growth99’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time. In the event of Growth99’s use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Growth99 bears the burden of demonstrating that notice as required under this Section was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.

1.5. Growth99 agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Growth99 agree to the same restrictions, conditions, and requirements that apply to Growth99 with respect to such information.

1.6. Growth99 agrees:
(i) to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524;
(ii) to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law;
(iii) to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4); and
(iv) that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

1.7. Growth99 agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.

1.8. Growth99 agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528, and to the extent required by law, and subject to applicable attorney client privileges, to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by Growth99 on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule.

1.9. To the extent that Growth99 is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Growth99 agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

1.10. Growth99 agrees to:
(i) maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI;
(ii) provide to Covered Entity, or to an individual at Covered Entity’s request, information collected in accordance with this Section 1.10, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI; and
(iii) account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 4) (“EHR”) in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by Growth99 made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested from Covered Entity. In the case of an EHR that Growth99 acquired on behalf of the Covered Entity as of January 1, 2009, subclause (iii) above shall apply to disclosures with respect to PHI made by Growth99 from such EHR on or after January 1, 2014. In the case of an EHR that Growth99 acquires on behalf of the Covered Entity after January 1, 2009, subclause (iii) above shall apply to disclosures with respect to PHI made by Growth99 from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR.

1.11. Growth99 agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.

1.12. Growth99 acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

2. PERMITTED USES AND DISCLOSURES.

2.1. Growth99 may use or disclose PHI as Required By Law. Growth99 agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or the “Standards for the Security of Electronic Protected Health Information,” at 45 C.F.R. Parts 160, 162 and 164, (“Security Rule”), and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by Covered Entity.

2.2. Growth99 agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures, as provided in writing by Covered Entity to Growth99 from time to time. Growth99 may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.

3. OBLIGATIONS OF COVERED ENTITY.

3.1. Covered Entity shall:
(i) provide Growth99 with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Growth99’s use or disclosure of PHI;
(ii) notify Growth99 of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Growth99’s use or disclosure of PHI under this BAA; and
(iii) notify Growth99 of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Growth99’s permitted or required uses and disclosures of PHI under this BAA.

3.2. Covered Entity shall not request Growth99 to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under Section 2 of this BAA.

4. COMPLIANCE WITH SECURITY RULE.

4.1. Growth99 shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

4.2. In accordance with the Security Rule, Growth99 agrees to:
(i) implement the administrative and technical safeguards set forth in the HIPAA Security Rule, which shall apply to Growth99 in the same manner that such safeguards apply to Customer; the additional requirements of Subtitle D of the HITECH Act (Sections 13400 through 13411) that relate to security and are made applicable with respect to covered entities shall also be applicable to Growth99 and are hereby incorporated into this BAA;
(ii) require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and
(iii) report to the Covered Entity any Security Incident of which it becomes aware.

5. TERMINATION.

5.1. This BAA shall terminate on the earlier of the date that:
(i) either party terminates for cause as authorized under the Agreement;
(ii) either party terminates the Agreement for any reason or such Agreement otherwise expires in accordance with its terms; or
(iii) all of the PHI received from Covered Entity, or created or received by Growth99 on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections are extended in accordance with Section 5.2.

5.2. Upon termination of this BAA for any reason, Growth99, with respect to PHI received from Covered Entity, or created, maintained, or received by Growth99 on behalf of Covered Entity, shall:
(i) retain only that PHI that is necessary for Growth99 to continue its proper management and administration or to carry out its legal responsibilities;
(ii) return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining PHI that Growth99 still maintains in any form;
(iii) continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 5, for as long as Growth99 retains the PHI;
(iv) not use or disclose the PHI retained by Growth99 other than for the purposes for which such PHI was retained and subject to the same conditions which applied prior to termination; and
(v) return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Growth99 when it is no longer needed by Growth99 for its proper management and administration or to carry out its legal responsibilities. The obligations of Growth99 under this Section 5 shall survive the termination of this BAA.

6. MISCELLANEOUS.

6.1. The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the Consolidated Appropriations Act, 2021 (CAA-21), the HIPAA Rules, and any other applicable law.

6.2. This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Agreement imposes more stringent requirements related to the use and protection of PHI upon Growth99. This BAA is subject to the limitations of liability and exclusions set forth in the Agreement. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.

6.3. This BAA will be binding on the successors and assigns of the Covered Entity and Growth99. However, this BAA may not be assigned, in whole or in part, by Covered Entity without the written consent of Growth99. Any attempted assignment in violation of this provision shall be null and void.

6.4. Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Agreement.
