BUSINESS ASSOCIATE AGREEMENT (BAA) – SWIFTCHARTING
Nationwide Psychiatry PLLC d/b/a SwiftCharting
This Business Associate Agreement (“BAA”) is entered into and becomes effective on the date and time the Covered Entity creates a SwiftCharting account (the “Effective Date”) by and between:
1. You, the customer organization or provider creating an account (the “Covered Entity”), and
2. Nationwide Psychiatry PLLC, an Arizona professional limited liability company, doing business as SwiftCharting (“SwiftCharting” or “Business Associate”).
This BAA supersedes and replaces any prior business associate agreement between the parties relating to the Services. This BAA amends, supplements, and is incorporated into the SwiftCharting Terms of Service / Subscription Agreement (the “Agreement”), as it may be updated from time to time.
RECITALS
A. Covered Entity is a “covered entity” as defined at 45 C.F.R. § 160.103.
B. In providing services under the Agreement, SwiftCharting may create, receive, maintain, or transmit certain Protected Health Information (“PHI”) on behalf of Covered Entity.
C. The parties intend to protect the privacy and security of PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and applicable regulations and guidance issued by the U.S. Department of Health and Human Services (collectively, “HIPAA”), and other applicable federal and state laws.
D. The purpose of this BAA is to satisfy the requirements of HIPAA, including 45 C.F.R. §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e).
E. This BAA applies only to the extent SwiftCharting qualifies as a “business associate” with respect to Covered Entity under 45 C.F.R. § 160.103.
For good and valuable consideration, the parties agree as follows:
I. DEFINITIONS
Capitalized terms not defined in this BAA have the meanings given in HIPAA and its implementing regulations. If a definition is ambiguous, it will be interpreted in a manner that supports HIPAA compliance.
- “Breach” has the meaning set forth at 45 C.F.R. § 164.402, as applied to Unsecured PHI created, received, maintained, or transmitted by SwiftCharting for or on behalf of Covered Entity.
- “Data Aggregation” has the meaning in 45 C.F.R. § 164.501.
- “Designated Record Set” has the meaning in 45 C.F.R. § 164.501.
- “Electronic Protected Health Information” / “ePHI” has the meaning in 45 C.F.R. § 160.103, as applied to ePHI created, received, maintained, or transmitted by SwiftCharting for or on behalf of Covered Entity.
- “Individual” has the meaning in 45 C.F.R. § 160.103, including a personal representative under 45 C.F.R. § 164.502(g).
- “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended.
- “Protected Health Information” / “PHI” has the meaning in 45 C.F.R. § 160.103, as applied to PHI created, received, maintained, or transmitted by SwiftCharting for or on behalf of Covered Entity.
- “Reportable Event” means: (i) any use or disclosure of PHI not permitted by this BAA; (ii) a Security Incident; or (iii) a Breach of Unsecured PHI.
- “Required by Law” has the meaning in 45 C.F.R. § 164.103.
- “Secretary” means the Secretary of the U.S. Department of Health and Human Services, or designee.
- “Security Incident” has the meaning in 45 C.F.R. § 164.304, as applied to ePHI created, received, maintained, or transmitted by SwiftCharting for or on behalf of Covered Entity.
- “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as amended.
- “Subcontractor” has the meaning in 45 C.F.R. § 160.103.
- “Unsecured PHI” has the meaning in 45 C.F.R. § 164.402, as applied to PHI created, received, maintained, or transmitted by SwiftCharting for or on behalf of Covered Entity.
II. PERMITTED USES AND DISCLOSURES OF PHI BY SWIFTCHARTING
Except as otherwise restricted by this BAA or the Agreement, SwiftCharting may:
A. Use or Disclose PHI to Provide Services
Use or disclose PHI as necessary to perform functions, activities, or services for or on behalf of Covered Entity, as permitted by the Agreement, provided that such use or disclosure would not violate the Privacy Rule or applicable state law if performed by Covered Entity.
B. Management and Administration
Use PHI for the proper management and administration of SwiftCharting and to carry out SwiftCharting’s legal responsibilities.
C. Disclosures for Administration or Legal Responsibilities
Disclose PHI for SwiftCharting’s management/administration or legal responsibilities only if:
1. the disclosure is Required by Law, or
2. SwiftCharting obtains reasonable assurances from the recipient that the PHI will remain confidential, be used or further disclosed only as Required by Law or for the intended purpose, and the recipient agrees to notify SwiftCharting promptly of any known breach of confidentiality.
D. Reporting Violations of Law
Use PHI to report violations of law to appropriate authorities consistent with 45 C.F.R. § 164.502(j).
E. Data Aggregation
Use PHI to provide Data Aggregation relating to Covered Entity’s health care operations as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
F. De-Identification
De-identify PHI in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)–(c) and use de-identified information for lawful purposes, consistent with applicable law.
III. OBLIGATIONS AND ACTIVITIES OF SWIFTCHARTING
A. Limitations on Use/Disclosure
SwiftCharting will not use or disclose PHI except as permitted by this BAA, the Agreement, or as Required by Law.
B. HIPAA Compliance Where SwiftCharting Performs Covered Entity Obligations
To the extent SwiftCharting is responsible for performing obligations of Covered Entity under HIPAA pursuant to the Agreement or this BAA, SwiftCharting will comply with the HIPAA requirements applicable to those obligations.
C. Safeguards and Security Rule Compliance
SwiftCharting will implement appropriate safeguards and, where applicable, comply with the Security Rule and HITECH requirements with respect to ePHI to prevent use or disclosure of PHI other than as allowed by this BAA.
D. Reportable Events (Notice, Cooperation, Mitigation)
1. Notice Timing. SwiftCharting will notify Covered Entity of any Reportable Event it discovers without unreasonable delay and in no case later than fifteen (15) business days after discovery. Notice may be provided by email or telephone.
2. Notice Content. To the extent reasonably available, SwiftCharting’s notice will include:
- (i) identification of each Individual whose PHI was, or is reasonably believed to have been, accessed, acquired, used, lost, modified, destroyed, or disclosed;
- (ii) what occurred, including relevant dates (event date and discovery date);
- (iii) the type(s) of PHI involved;
- (iv) recommended steps individuals can take to protect themselves;
- (v) actions SwiftCharting is taking to investigate, respond, remediate, and mitigate harm, and to prevent future occurrences; and
- (vi) any other information reasonably available that Covered Entity may need to meet its legal notification duties.
SwiftCharting will supplement the notice as additional information becomes available.
3. Cooperation. SwiftCharting will cooperate with Covered Entity in investigating the Reportable Event and support Covered Entity in determining whether it constitutes a Breach of Unsecured PHI.
4. Mitigation. SwiftCharting will mitigate, to the extent practicable, any harmful effects of a Reportable Event that become known to SwiftCharting.
5. Background Security Activity. Covered Entity acknowledges that SwiftCharting experiences ongoing unsuccessful security events (e.g., firewall pings, scans, unsuccessful login attempts, unsuccessful denial-of-service attempts) that do not result in unauthorized access, use, loss, modification, destruction, or disclosure of PHI. This subsection constitutes notice of such ongoing attempted Security Incidents. Separate notice is required only when such events become a Reportable Event as defined in this BAA.
E. Subcontractors
If SwiftCharting uses a Subcontractor that creates, receives, maintains, or transmits PHI on SwiftCharting’s behalf, SwiftCharting will require the Subcontractor to agree in writing to restrictions, conditions, and safeguards substantially similar to those in this BAA, consistent with 45 C.F.R. §§ 164.314(a) and 164.504(e).
F. Access to PHI (Designated Record Set)
To the extent SwiftCharting maintains PHI within a Designated Record Set, SwiftCharting will provide access to such PHI (including, where applicable, via in-app export) to Covered Entity or, at Covered Entity’s direction, to an Individual, to enable compliance with 45 C.F.R. § 164.524 and applicable HITECH requirements. This obligation does not apply if SwiftCharting does not maintain any PHI in a Designated Record Set for Covered Entity.
G. Amendments to PHI
To the extent SwiftCharting maintains PHI in a Designated Record Set, SwiftCharting will make amendments as directed or agreed to by Covered Entity in a time and manner consistent with 45 C.F.R. § 164.526.
H. Accounting of Disclosures
SwiftCharting will provide information necessary for Covered Entity to respond to requests for an accounting of disclosures as required by 45 C.F.R. § 164.528 and, as applicable, HITECH Section 13405(c) and implementing regulations. SwiftCharting will have a reasonable time to respond and will not be required to produce an accounting in fewer than ten (10) business days after receiving a request from Covered Entity.
I. Individual Requests Sent to SwiftCharting
Unless another written agreement states otherwise, if SwiftCharting receives an Individual request related to access, amendment, accounting of disclosures, or similar rights, SwiftCharting will direct the Individual to Covered Entity.
J. Secretary Access
SwiftCharting will make its internal policies, practices, books, and records related to the use and disclosure of PHI received from, or created/received on behalf of, Covered Entity available to the Secretary for the purpose of determining HIPAA compliance.
K. Minimum Necessary
SwiftCharting will comply with HIPAA’s minimum necessary standard where applicable.
L. Communication With Other Business Associates
In performing services, SwiftCharting may disclose PHI to other business associates of Covered Entity and may receive PHI from them as if it originated from Covered Entity. Covered Entity is responsible for ensuring it maintains compliant BAAs with its other business associates.
IV. OBLIGATIONS OF COVERED ENTITY
A. Notice of Privacy Practices
Covered Entity will notify SwiftCharting in writing of any limitation(s) in Covered Entity’s Notice of Privacy Practices that affect SwiftCharting’s use or disclosure of PHI.
B. Revocation or Changes to Authorizations
Covered Entity will notify SwiftCharting in writing of any changes to, or revocation of, an Individual’s authorization that affects SwiftCharting’s permitted use or disclosure of PHI.
C. Restrictions on Use/Disclosure
Covered Entity will notify SwiftCharting in writing of any restrictions to use or disclosure of PHI that Covered Entity has agreed to or must follow under 45 C.F.R. § 164.522, to the extent such restrictions affect SwiftCharting.
D. Modifications to Accounting Requirements
Covered Entity will notify SwiftCharting in writing of modifications to accounting of disclosures requirements applicable under 45 C.F.R. § 164.528 and HITECH, to the extent they affect SwiftCharting.
E. No Impermissible Requests
Covered Entity will not request SwiftCharting to use or disclose PHI in any manner that would be impermissible under HIPAA or applicable law if performed by Covered Entity.
F. Minimum Necessary Disclosures to SwiftCharting
Covered Entity will provide SwiftCharting only the minimum PHI necessary to enable SwiftCharting to provide the Services.
V. TERM AND TERMINATION
A. Term
This BAA begins on the Effective Date and remains effective for the duration of the Agreement, renewing year-to-year as applicable, unless terminated earlier in accordance with this Section.
B. Termination for Cause
By Covered Entity.
If Covered Entity determines SwiftCharting materially breached this BAA, Covered Entity will provide written notice describing the breach in sufficient detail and give SwiftCharting thirty (30) days to cure. If not cured within 30 days, Covered Entity may terminate this BAA and the Agreement.
By SwiftCharting.
If SwiftCharting determines Covered Entity materially breached this BAA, SwiftCharting will provide written notice describing the breach and give Covered Entity thirty (30) days to cure. If not cured within 30 days, SwiftCharting may terminate this BAA and the Agreement.
C. Effect of Termination
- Return or Destruction. Upon termination of this BAA for any reason, SwiftCharting will return or destroy all PHI it maintains on behalf of Covered Entity in any form, and will not retain copies, to the extent feasible.
- If Return/Destruction Is Not Feasible. If return or destruction is not feasible, SwiftCharting will:
- retain only the PHI that cannot feasibly be returned or destroyed;
- return or destroy all remaining PHI that is feasible to return or destroy;
- continue to safeguard and protect retained PHI under this BAA and comply with the Security Rule and HITECH requirements with respect to retained ePHI;
- not use or disclose retained PHI except for the purposes that make retention necessary and under the same restrictions that applied prior to termination; and
- return or destroy retained PHI when and if it becomes feasible.
This Section V.C survives termination.
VI. MISCELLANEOUS
A. Regulatory References
References to HIPAA sections refer to those sections as amended from time to time.
B. Automatic Updates for Legal Changes; Amendments; No Waiver
This BAA will be deemed automatically amended as necessary to comply with later-enacted HIPAA/HITECH changes, regulations, or guidance (the “Regulations”), unless the parties mutually agree otherwise in writing where permitted. Except as otherwise required by law, any other amendment must be in writing and signed by both parties. Failure to enforce any provision is not a waiver of the right to enforce it later.
C. Interpretation
Any ambiguity will be interpreted to permit compliance with HIPAA. Headings are for convenience only. If a provision of this BAA conflicts with mandatory HIPAA requirements, HIPAA requirements control.
D. Entire Agreement; Priority Over Conflicting Terms
This BAA and the Agreement constitute the entire understanding regarding the subject matter. If a term of this BAA directly conflicts with a term of the Agreement, this BAA controls to the extent necessary to comply with HIPAA.
E. Relationship of Parties
The parties are independent contractors. Nothing in this BAA creates an agency, partnership, employment, or joint venture relationship.
F. No Third-Party Beneficiaries
This BAA confers no rights on any third party.
G. Severability
If any provision is invalid or unenforceable, the remainder remains in effect.
H. Assignment
Assignment is governed by the Agreement.
I. Governing Law
This BAA is governed by the governing law specified in the Agreement, except where federal law preempts.
J. Dispute Resolution
Disputes will be handled according to the dispute resolution process set forth in the Agreement.
K. Notices (No Mailing Address)
All notices under this BAA must be in writing.
- Notices to SwiftCharting: send to info@swiftcharting.com
- Notices to Covered Entity: send to the email address provided by Covered Entity during account creation (as updated by Covered Entity in writing)
Either party may change its notice email by written notice to the other.
ACCEPTANCE / EFFECTIVE DATE
By creating a SwiftCharting account, clicking “I Agree,” or otherwise using the Services under the Agreement, Covered Entity accepts this BAA, effective as of the Effective Date.
