
Business Associate Agreement

Customer template · Effective on acceptance · Version BAA-2026-05F

Reference template. This page mirrors the Business Associate Agreement that healthcare providers accept inside the Doctalink app. The in-app copy is pre-filled with your name and NPI when you sign. This public page exists so the contract is discoverable before sign-up.

Business Associate: Doctalink, operated as a sole proprietorship by Nithin Jay Dodla (Texas, USA). Contact: doctalinksupport@gmail.com.
Covered Entity: The licensed U.S. healthcare provider who accepts this agreement on their own behalf.
Effective date: The date the Covered Entity accepts this agreement inside the Doctalink app.

1. Definitions

Terms used but not otherwise defined have the meaning given in the HIPAA Rules (45 CFR Parts 160 and 164). "PHI" means Protected Health Information; "ePHI" means electronic PHI. "Business Associate" ("BA") means Doctalink; "Covered Entity" ("CE") means the signing healthcare provider/practice. "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules.

2. Permitted uses and disclosures by Business Associate

2.1 BA may use or disclose PHI only as necessary to perform the services provided to CE (operating an end-to-end encrypted messaging service), as required by law, or as permitted by this Agreement. Because message content is end-to-end encrypted, BA does not access PHI message content in the ordinary course.

2.2 BA may use PHI for the proper management and administration of BA, or to carry out its legal responsibilities.

2.3 BA may disclose PHI for its proper management and administration only if the disclosure is required by law, or BA obtains reasonable assurances that the recipient will hold the PHI confidentially and notify BA of any breach.

2.4 BA will not use or disclose PHI in a manner that would violate the Privacy Rule if done by CE, except as stated in 2.2–2.3.

3. Obligations of Business Associate

BA agrees to:

  • (a) Not use or disclose PHI other than as permitted by this Agreement or required by law.
  • (b) Use appropriate administrative, physical, and technical safeguards, and comply with the Security Rule with respect to ePHI, to prevent unauthorized use or disclosure.
  • (c) Report to CE any use or disclosure not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR §164.410, without unreasonable delay and no later than 60 days after discovery.
  • (d) In accordance with §164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit PHI on BA's behalf agree to the same restrictions, conditions, and requirements that apply to BA.
  • (e) Make PHI available to CE as necessary to satisfy CE's obligations under §164.524 (individual access).
  • (f) Make any amendment(s) to PHI as directed by CE pursuant to §164.526.
  • (g) Maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy §164.528.
  • (h) To the extent BA carries out a CE obligation under the Privacy Rule, comply with the requirements that apply to CE in performing that obligation.
  • (i) Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.

4. Permitted uses by Business Associate (services)

BA performs the following for CE: provision of an end-to-end encrypted messaging application for verified providers, including account / identity verification, encrypted message transport and storage, content-free push notifications of new messages, and audit logging.

5. Obligations of Covered Entity

5.1 CE will notify BA of any limitation(s) in its Notice of Privacy Practices that may affect BA's use or disclosure of PHI.

5.2 CE will notify BA of any changes in, or revocation of, an individual's permission to use or disclose PHI.

5.3 CE will not request BA to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by CE.

6. Term and termination

6.1 Term. This Agreement is effective on the Effective Date and remains in effect until terminated or until all PHI is returned or destroyed.

6.2 Termination for cause. If either party materially breaches this Agreement, the non-breaching party may terminate after providing an opportunity to cure within a reasonable time, or terminate immediately if cure is not possible.

6.3 Effect of termination. Upon termination, BA will, if feasible, return or destroy all PHI it maintains in any form and retain no copies. If return or destruction is infeasible, BA will extend the protections of this Agreement to the PHI and limit further uses/disclosures to those purposes that make return/destruction infeasible. BA retains audit logs and records for the period required by law (six years).

7. Breach notification

BA will follow its documented breach-notification process and notify CE of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery, including the information required by §164.410. Where PHI is encrypted consistent with HHS guidance, the encryption safe harbor may apply.

8. Miscellaneous

8.1 Regulatory references are to the cited regulation as in effect or amended.

8.2 Amendment. The parties will amend this Agreement as necessary to comply with the HIPAA Rules.

8.3 Interpretation. Ambiguities are resolved to permit compliance with the HIPAA Rules.

8.4 Survival. Section 6.3 obligations survive termination.

8.5 Governing law. This Agreement is governed by the laws of the State of Texas, consistent with HIPAA.

9. Signature

Acceptance is captured electronically inside the Doctalink app at the time you complete healthcare provider registration. The acceptance record stores the version of this Agreement, the date and time of acceptance, the typed attestation that you are the licensed U.S. healthcare provider identified by the NPI provided, and a hashed network identifier associated with the acceptance event. Continued use of the Doctalink service constitutes ongoing acceptance of this Agreement until terminated.

For questions about this Agreement: doctalinksupport@gmail.com.
