Skip to content Skip to footer
Let’s Talk
Close

 

BUSINESS ASSOCIATE AGREEMENT (BAA) – SWIFT CHARTING 

Nationwide Psychiatry PLLC d/b/a Swift Charting  

This Business Associate Agreement (“BAA”) is entered into and becomes effective on the date and time the Covered Entity creates a Swift Charting account (the “Effective Date”) by and between: 

1.  You, the customer organization or provider creating an account (the “Covered Entity”), and 

2. Nationwide Psychiatry PLLC, an Arizona professional limited liability company, doing business as Swift Charting (“Swift Charting” or “Business Associate”). 

This BAA supersedes and replaces any prior business associate agreement between the parties relating to the Services. This BAA amends, supplements, and is incorporated into the Swift Charting Terms of Service / Subscription Agreement (the “Agreement”), as it may be updated from time to time. 

RECITALS 

A.  Covered Entity is a “covered entity” as defined at 45 C.F.R. § 160.103.
B. In providing services under the Agreement, Swift Charting may create, receive, maintain, or transmit certain Protected Health Information (“PHI”) on behalf of Covered Entity.
C. The parties intend to protect the privacy and security of PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and applicable regulations and guidance issued by the U.S. Department of Health and Human Services (collectively, “HIPAA”), and other applicable federal and state laws. 
D. The purpose of this BAA is to satisfy the requirements of HIPAA, including 45 C.F.R. §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e). 
E. This BAA applies only to the extent Swift Charting qualifies as a “business associate” with respect to Covered Entity under 45 C.F.R. § 160.103. 

For good and valuable consideration, the parties agree as follows: 

I. DEFINITIONS

Capitalized terms not defined in this BAA have the meanings given in HIPAA and its implementing regulations. If a definition is ambiguous, it will be interpreted in a manner that supports HIPAA compliance. 

  1.  “Breach” has the meaning set forth at 45 C.F.R. § 164.402, as applied to Unsecured PHI created, received, maintained, or transmitted by Swift Charting for or on behalf of Covered Entity. 
  2. “Data Aggregation” has the meaning in 45 C.F.R. § 164.501.
  3. “Designated Record Set” has the meaning in 45 C.F.R. § 164.501. 
  4. “Electronic Protected Health Information” / “ePHI” has the meaning in 45 C.F.R. § 160.103, as applied to ePHI created, received, maintained, or transmitted by Swift Charting for or on behalf of Covered Entity. 
  5. “Individual” has the meaning in 45 C.F.R. § 160.103, including a personal representative under 45 C.F.R. § 164.502(g). 
  6. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended. 
  7. “Protected Health Information” / “PHI” has the meaning in 45 C.F.R. § 160.103, as applied to PHI created, received, maintained, or transmitted by Swift Charting for or on behalf of Covered Entity. 
  8. “Reportable Event” means: (i) any use or disclosure of PHI not permitted by this BAA; (ii) a Security Incident; or (iii) a Breach of Unsecured PHI. 
  9. “Required by Law” has the meaning in 45 C.F.R. § 164.103. 
  10. “Secretary” means the Secretary of the U.S. Department of Health and Human Services, or designee. 
  11. “Security Incident” has the meaning in 45 C.F.R. § 164.304, as applied to ePHI created, received, maintained, or transmitted by Swift Charting for or on behalf of Covered Entity. 
  12. “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as amended. 
  13. “Subcontractor” has the meaning in 45 C.F.R. § 160.103. 
  14. “Unsecured PHI” has the meaning in 45 C.F.R. § 164.402, as applied to PHI created, received, maintained, or transmitted by Swift Charting for or on behalf of Covered Entity.
II.PERMITTED USES AND DISCLOSURES OF PHI BY SWIFT CHARTING

Except as otherwise restricted by this BAA or the Agreement, Swift Charting may: 

A.  Use or Disclose PHI to Provide Services

Use or disclose PHI as necessary to perform functions, activities, or services for or on behalf of Covered Entity, as permitted by the Agreement, provided that such use or disclosure would not violate the Privacy Rule or applicable state law if performed by Covered Entity. 

B.  Management and Administration

Use PHI for the proper management and administration of Swift Charting and to carry out Swift Charting’s legal responsibilities. 

C.  Disclosures for Administration or Legal Responsibilities

Disclose PHI for Swift Charting’s management/administration or legal responsibilities only if: 

  1. the disclosure is Required by Law, or 

2. Swift Charting obtains reasonable assurances from the recipient that the PHI will remain confidential, be used or further disclosed only as Required by Law or for the intended purpose, and the recipient agrees to notify Swift Charting promptly of any known breach of confidentiality. 

D.  Reporting Violations of Law

Use PHI to report violations of law to appropriate authorities consistent with 45 C.F.R. § 164.502(j). 

E..Data Aggregation

Use PHI to provide Data Aggregation relating to Covered Entity’s health care operations as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). 

F.  De-Identification

De-identify PHI in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)–(c) and use de-identified information for lawful purposes, consistent with applicable law. 

III. OBLIGATIONS AND ACTIVITIES OF SWIFT CHARTING 
A.  Limitations on Use/Disclosure

Swift Charting will not use or disclose PHI except as permitted by this BAA, the Agreement, or as Required by Law. 

B.  HIPAA Compliance Where Swift Charting Performs Covered Entity Obligations

To the extent Swift Charting is responsible for performing obligations of Covered Entity under HIPAA pursuant to the Agreement or this BAA, Swift Charting will comply with the HIPAA requirements applicable to those obligations. 

C.  Safeguards and Security Rule Compliance

Swift Charting will implement appropriate safeguards and, where applicable, comply with the Security Rule and HITECH requirements with respect to ePHI to prevent use or disclosure of PHI other than as allowed by this BAA. 

D.  Reportable Events (Notice, Cooperation, Mitigation)
  1. Notice Timing. Swift Charting will notify Covered Entity of any Reportable Event it discovers without unreasonable delay and in no case later than fifteen (15) business days after discovery. Notice may be provided by email or telephone. 

2.  Notice Content. To the extent reasonably available, Swift Charting’s notice will include: 

  • (i) identification of each Individual whose PHI was, or is reasonably believed to have been, accessed, acquired, used, lost, modified, destroyed, or disclosed; 
  • (ii) what occurred, including relevant dates (event date and discovery date); 
  • (iii) the type(s) of PHI involved; 
  • (iv) recommended steps individuals can take to protect themselves; 
  • (v) actions Swift Charting is taking to investigate, respond, remediate, and mitigate harm, and to prevent future occurrences; and 
  • (vi) any other information reasonably available that Covered Entity may need to meet its legal notification duties. 
    Swift Charting will supplement the notice as additional information becomes available. 

3.  Cooperation. Swift Charting will cooperate with Covered Entity in investigating the Reportable Event and support Covered Entity in determining whether it constitutes a Breach of Unsecured PHI. 

4.  Mitigation. Swift Charting will mitigate, to the extent practicable, any harmful effects of a Reportable Event that become known to Swift Charting. 

5.  Background Security Activity. Covered Entity acknowledges that Swift Charting experiences ongoing unsuccessful security events (e.g., firewall pings, scans, unsuccessful login attempts, unsuccessful denial-of-service attempts) that do not result in unauthorized access, use, loss, modification, destruction, or disclosure of PHI. This subsection constitutes notice of such ongoing attempted Security Incidents. Separate notice is required only when such events become a Reportable Event as defined in this BAA. 

E. Subcontractors

If Swift Charting uses a Subcontractor that creates, receives, maintains, or transmits PHI on Swift Charting’s behalf, Swift Charting will require the Subcontractor to agree in writing to restrictions, conditions, and safeguards substantially similar to those in this BAA, consistent with 45 C.F.R. §§ 164.314(a) and 164.504(e). 

F. Access to PHI (Designated Record Set)

To the extent Swift Charting maintains PHI within a Designated Record Set, Swift Charting will provide access to such PHI (including, where applicable, via in-app export) to Covered Entity or, at Covered Entity’s direction, to an Individual, to enable compliance with 45 C.F.R. § 164.524 and applicable HITECH requirements. This obligation does not apply if Swift Charting does not maintain any PHI in a Designated Record Set for Covered Entity. 

G. Amendments to PHI

To the extent Swift Charting maintains PHI in a Designated Record Set, Swift Charting will make amendments as directed or agreed to by Covered Entity in a time and manner consistent with 45 C.F.R. § 164.526. 

H. Accounting of Disclosures

Swift Charting will provide information necessary for Covered Entity to respond to requests for an accounting of disclosures as required by 45 C.F.R. § 164.528 and, as applicable, HITECH Section 13405(c) and implementing regulations. Swift Charting will have a reasonable time to respond and will not be required to produce an accounting in fewer than ten (10) business days after receiving a request from Covered Entity. 

I.  Individual Requests Sent to Swift Charting

Unless another written agreement states otherwise, if Swift Charting receives an Individual request related to access, amendment, accounting of disclosures, or similar rights, Swift Charting will direct the Individual to Covered Entity. 

j.  Secretary Access

Swift Charting will make its internal policies, practices, books, and records related to the use and disclosure of PHI received from, or created/received on behalf of, Covered Entity available to the Secretary for the purpose of determining HIPAA compliance. 

k.  Minimum Necessary

Swift Charting will comply with HIPAA’s minimum necessary standard where applicable. 

L.  Communication With Other Business Associates

In performing services, Swift Charting may disclose PHI to other business associates of Covered Entity and may receive PHI from them as if it originated from Covered Entity. Covered Entity is responsible for ensuring it maintains compliant BAAs with its other business associates. 

IV.  OBLIGATIONS OF COVERED ENTITY
A. Notice of Privacy Practices

Covered Entity will notify Swift Charting in writing of any limitation(s) in Covered Entity’s Notice of Privacy Practices that affect Swift Charting’s use or disclosure of PHI. 

B. Revocation or Changes to Authorizations

Covered Entity will notify Swift Charting in writing of any changes to, or revocation of, an Individual’s authorization that affects Swift Charting’s permitted use or disclosure of PHI. 

C. Restrictions on Use/Disclosure

Covered Entity will notify Swift Charting in writing of any restrictions to use or disclosure of PHI that Covered Entity has agreed to or must follow under 45 C.F.R. § 164.522, to the extent such restrictions affect Swift Charting. 

D. Modifications to Accounting Requirements

Covered Entity will notify Swift Charting in writing of modifications to accounting of disclosures requirements applicable under 45 C.F.R. § 164.528 and HITECH, to the extent they affect Swift Charting. 

E. No Impermissible Requests

Covered Entity will not request Swift Charting to use or disclose PHI in any manner that would be impermissible under HIPAA or applicable law if performed by Covered Entity. 

F. Minimum Necessary Disclosures to Swift Charting

Covered Entity will provide Swift Charting only the minimum PHI necessary to enable Swift Charting to provide the Services. 

V.  TERM AND TERMINATION
A.  Term

This BAA begins on the Effective Date and remains effective for the duration of the Agreement, renewing year-to-year as applicable, unless terminated earlier in accordance with this Section. 

B. Termination for Cause
  1. By Covered Entity.

    If Covered Entity determines Swift Charting materially breached this BAA, Covered Entity will provide written notice describing the breach in sufficient detail and give Swift Charting thirty (30) days to cure. If not cured within 30 days, Covered Entity may terminate this BAA and the Agreement. 

  2. By Swift Charting.

    If Swift Charting determines Covered Entity materially breached this BAA, Swift Charting will provide written notice describing the breach and give Covered Entity thirty (30) days to cure. If not cured within 30 days, Swift Charting may terminate this BAA and the Agreement. 

C.  Effect of Termination
  1. Return or Destruction. Upon termination of this BAA for any reason, Swift Charting will return or destroy all PHI it maintains on behalf of Covered Entity in any form, and will not retain copies, to the extent feasible. 
  2. If Return/Destruction Is Not Feasible. If return or destruction is not feasible, Swift Charting will: 
  • retain only the PHI that cannot feasibly be returned or destroyed; 
  • return or destroy all remaining PHI that is feasible to return or destroy; 
  • continue to safeguard and protect retained PHI under this BAA and comply with the Security Rule and HITECH requirements with respect to retained ePHI; 
  • not use or disclose retained PHI except for the purposes that make retention necessary and under the same restrictions that applied prior to termination; and 
  • return or destroy retained PHI when and if it becomes feasible. 

This Section V.C survives termination. 

VI. MISCELLANEOUS
A. Regulatory References

References to HIPAA sections refer to those sections as amended from time to time. 

B. Automatic Updates for Legal Changes; Amendments; No Waiver

This BAA will be deemed automatically amended as necessary to comply with later-enacted HIPAA/HITECH changes, regulations, or guidance (the “Regulations”), unless the parties mutually agree otherwise in writing where permitted. Except as otherwise required by law, any other amendment must be in writing and signed by both parties. Failure to enforce any provision is not a waiver of the right to enforce it later. 

C. Interpretation

Any ambiguity will be interpreted to permit compliance with HIPAA. Headings are for convenience only. If a provision of this BAA conflicts with mandatory HIPAA requirements, HIPAA requirements control. 

D. Entire Agreement; Priority Over Conflicting Terms

This BAA and the Agreement constitute the entire understanding regarding the subject matter. If a term of this BAA directly conflicts with a term of the Agreement, this BAA controls to the extent necessary to comply with HIPAA. 

E.  Relationship of Parties

The parties are independent contractors. Nothing in this BAA creates an agency, partnership, employment, or joint venture relationship. 

F.  No Third-Party Beneficiaries

This BAA confers no rights on any third party. 

G.  Severability

If any provision is invalid or unenforceable, the remainder remains in effect. 

H.  Assignment

Assignment is governed by the Agreement. 

I.  Governing Law

This BAA is governed by the governing law specified in the Agreement, except where federal law preempts. 

J. Dispute Resolution

Disputes will be handled according to the dispute resolution process set forth in the Agreement. 

K. Notices (No Mailing Address)

All notices under this BAA must be in writing. 

  • Notices to Covered Entity: send to the email address provided by Covered Entity during account creation (as updated by Covered Entity in writing) 

Either party may change its notice email by written notice to the other. 

ACCEPTANCE / EFFECTIVE DATE 

By creating a Swift Charting account, clicking “I Agree,” or otherwise using the Services under the Agreement, Covered Entity accepts this BAA, effective as of the Effective Date.