BAA

Medlog Business Associate Agreement


This Business Associate Agreement ("BAA") is entered into by and between Medlog, LLC, a Utah limited liability company ("Medlog" or "Business Associate"), and the healthcare provider, medical practice, or other HIPAA-covered entity that (i) electronically accepts this BAA during account registration or first login to Medlog Services, or (ii) signs an Order Form that incorporates this BAA by reference ("Customer", "Client", or "Covered Entity"). The Covered Entity and Medlog are each a "Party" and collectively the "Parties".

1. Recitals

A. Covered Entity wishes to use Medlog's software and related services (the "Services") and the Parties have entered into an agreement or agreements ("Agreement") for the provision of the Services.

B. In providing the Services, Medlog will create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity, thereby acting as a "Business Associate" under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (collectively, "HIPAA").


C. HIPAA requires Covered Entity to obtain adequate assurances that Medlog will appropriately safeguard PHI.

D. Medlog and Covered Entity wish to enter into this BAA to govern Medlog's use and disclosure of PHI and implementation of safeguards for the security of Electronic PHI under the Agreement. Medlog and Covered Entity are both committed to complying with (a) HIPAA, (b) the HIPAA Rules, and (c) applicable state law, as these statutes and regulations may be amended from time to time. This BAA sets forth the terms and conditions pursuant to which Protected Health Information will be handled by Medlog as Covered Entity's Business Associate during the term of the Agreement. 

Therefore, the Parties agree as follows:

2. Definitions

Unless otherwise defined in this BAA, capitalized terms have the meaning set forth in 45 CFR Parts 160 & 164. 


  • "Effective Date" means (i) the date the Covered Entity electronically accepts this BAA as described in Section 8.1, or (ii) if executed via Order Form, the date of last signature on such Order Form.

  • "Electronic Protected Health Information" ("ePHI") means PHI that is transmitted or maintained in electronic media and is limited to the PHI received from, or received or created on behalf of, Covered Entity by Business Associate pursuant to performance of the Services.

  • "Security Incident", "Breach", "Unsecured PHI", and other HIPAA terms have the meanings given in 45 CFR 164.304 et seq.

3. Permitted Uses and Disclosures by Business Associate


3.1 Performance of Services. Medlog may use and disclose PHI solely to perform the Services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate HIPAA if done by Covered Entity. 

3.2 De-identification. Medlog may de-identify PHI in accordance with 45 CFR 164.514 and may use such de-identified data for lawful business purposes, including analytics and product improvement. 

3.3 Management and Legal Responsibilities. Medlog may, consistent with the subject limitations and requirements of HIPAA, use or disclose PHI for its proper management and administration and to carry out its legal responsibilities if the disclosure is required by law. If Medlog believes it has a legal obligation to disclose any PHI, it will notify Covered Entity as soon as reasonably practical after it learns of such obligation, and in any event at least ten (10) business days prior to the proposed release, as to the legal requirement pursuant to which it believes the Protected Health Information must be released. If Covered Entity objects to the release of such PHI, Medlog will allow Covered Entity to exercise any legal rights or remedies Covered Entity might have to object to the release of the PHI, and Medlog agrees to provide such assistance to Covered Entity, at Covered Entity's expense, as Covered Entity may reasonably request in connection therewith. Should Covered Entity fail to respond, Business Associate shall be entitled to disclose the PHI as it deems reasonably necessary to comply with the law.  

4. Obligation of Business Associate

4.1 Safeguards. Medlog shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, and shall comply with the applicable requirements of the HIPAA Security Rule (45 CFR 164.308-164.312).


4.2 Minimum Necessary. Medlog shall request, use, and disclose only the minimum PHI necessary to provide the Services, as permitted or required by this BAA, or as otherwise required by law. 

4.3 Reporting. Medlog shall report to Covered Entity: (a) any Breach of Unsecured PHI or any Security Incident that results in unauthorized acquisition, access, use, or disclosure of PHI, without unreasonable delay and in no case later than three (3) business days after discovery; and (b) any other impermissible use or disclosure of PHI of which it becomes aware. 


4.4 Subcontractors. Medlog shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on Medlog's behalf agrees in writing to restrictions and conditions that are no less stringent than those that apply to Medlog under this BAA.

4.5 Individual Rights. To the extent Covered Entity is required to provide access to, amend, or account for disclosures of PHI, Medlog shall cooperate to satisfy such obligations within the timeframes required by HIPAA.

4.6 Mitigation. Medlog shall mitigate, to the extent practicable, any harmful effect it learns was caused by an impermissible use or disclosure of PHI.

4.7 HHS Audits. Medlog shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with HIPAA.

4.8 Return or Destruction of PHI. Upon termination of this BAA, Medlog shall, at Covered Entity’s option, return or securely destroy all PHI. If return or destruction is infeasible, Medlog shall protect the PHI in accordance with this BAA and limit further uses to those that make return or destruction infeasible.

4.9 Retention Requirement. Medlog shall retain HIPAA‑required documentation for at least six (6) years from the later of (i) the date of creation or (ii) termination, and longer if required by applicable state law.

5. Obligations of Covered Entity

5.1 Authority & Consents. Covered Entity represents that it has obtained all consents, authorizations, and legal authority necessary to disclose PHI to Medlog.


5.2 Minimum Necessary. Covered Entity shall disclose only the minimum PHI necessary for Medlog to perform the Services.

5.3 Restrictions & Revocations. Covered Entity shall promptly notify Medlog of any restrictions on the use or disclosure of PHI or revocation of authorization that would affect Medlog’s obligations.

6. Term and Termination


6.1 Term. This BAA is effective as of the Effective Date and continues until all PHI is returned or destroyed in accordance with Section 4.8.

6.2 Termination for Cause. Either Party may terminate this BAA if the other Party materially breaches this BAA and fails to cure within thirty (30) days after written notice.

6.3 Effect of Termination. Upon any termination, the provisions of Section 4.8 shall apply. Sections 2, 4, 6.3, and 7 and any others that by their nature should survive shall survive termination.


7. Miscellaneous

7.1 Relationship to Other Agreements. This BAA is hereby incorporated into and forms part of any master services agreement, terms of service, and/or Order Form between the Parties (collectively, "Underlying Agreements"). In the event of conflict, this BAA governs with respect to HIPAA matters; otherwise, the Underlying Agreements govern.

7.2 Amendment. The Parties shall take such action as is necessary to amend this BAA from time to time to comply with changes to HIPAA. Medlog may update this BAA by (i) posting the revised version on its website and (ii) requiring Electronic Acceptance under Section 8 or execution of a new Order Form.

7.3 No Third-Party Beneficiaries. Nothing in this BAA confers any rights on any person other than the Parties.

7.4 Severability. If any provision of this BAA is held illegal or unenforceable, the remainder shall remain in effect.

7.5 Notices. All notices required or permitted under this BAA shall be in writing and deemed given when sent by email to privacy@medloghealth.com (for Medlog) and to the primary administrative email address on file for the Covered Entity, or to such other email address as either Party may designate in writing.

8. Execution

8.1 Electronic Acceptance. By clicking "I Agree" or otherwise electronically indicating acceptance, the individual accepting represents that they are duly authorized to bind the Covered Entity to this BAA, and the Covered Entity is deemed to have executed this BAA as of the date of such electronic acceptance.

8.2 Order Form Execution. The Parties may also execute this BAA by signing an Order Form that expressly incorporates this BAA by reference, in which case the signatories of the Order Form represent that they are duly authorized to bind their respective Parties.
