SendMeDocs

Business Associate Agreement

1. Definitions

"Business Associate" means SendMeDocs LLC, operator of the SendMeDocs platform.

"Covered Entity" means the organization that has entered into a subscription agreement with Business Associate for the use of the SendMeDocs service and is subject to HIPAA.

"Protected Health Information" (PHI) means individually identifiable health information transmitted or maintained in any form or medium, as defined by 45 CFR 160.103.

"Service" means the SendMeDocs document collection platform, including the dashboard, upload portal, API, and associated features.

"Underlying Agreement" means the Terms of Service and any subscription agreement between the parties governing use of the Service.

2. Scope of PHI

In performing the Service, Business Associate may create, receive, maintain, or transmit the following categories of PHI on behalf of Covered Entity:

  1. Recipient identifying information: names, email addresses, and phone numbers of individuals from whom Covered Entity requests documents.
  2. Request context: custom messages included in document requests by Covered Entity's authorized users, which may contain or imply information about the recipient's relationship to Covered Entity.
  3. Uploaded documents: files submitted by recipients through the upload portal in response to Covered Entity's requests.
  4. Transactional metadata: timestamps, request statuses, notification records, and audit logs associated with the above.

Covered Entity is responsible for determining whether the information it submits to or collects through the Service constitutes PHI and for ensuring that its use of the Service complies with HIPAA.

3. Obligations of Business Associate

  1. Permitted uses and disclosures. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
  2. Safeguards. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C).
  3. Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, and any Security Incident or Breach of Unsecured PHI, without unreasonable delay and no later than sixty (60) days after discovery.
  4. Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this Agreement. A current list of HIPAA-covered services and subprocessors is maintained at sendmedocs.com/covered-services.
  5. Access to PHI. Business Associate shall make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524 (individual access rights).
  6. Amendment of PHI. Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 CFR 164.526.
  7. Accounting of disclosures. Business Associate shall make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528.
  8. HHS access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.
  9. Minimum necessary. Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR 164.502(b).

4. Permitted Uses and Disclosures

  1. Business Associate may use or disclose PHI as necessary to perform its obligations under the Underlying Agreement, including storing, transmitting, and making PHI available to authorized users of Covered Entity's account.
  2. Business Associate may use or disclose PHI as required by law.
  3. Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided that any disclosure for such purpose is required by law or Business Associate obtains reasonable assurances that the information will be held confidentially.

5. Obligations of Covered Entity

  1. Covered Entity shall obtain any necessary consents, authorizations, or other permissions from individuals before submitting their PHI to the Service.
  2. Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent such restrictions may affect Business Associate's performance under this Agreement. Business Associate shall not be liable for failing to comply with any restriction of which it has not been notified.
  3. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
  4. Covered Entity shall maintain a Notice of Privacy Practices in accordance with 45 CFR 164.520 that covers, where applicable, the types of uses and disclosures that Business Associate is authorized to make under this Agreement.
  5. Covered Entity shall ensure that any PHI provided to Business Associate through the Service is limited to the minimum necessary for the intended purpose of the document request.

6. Term and Termination

  1. Term. This Agreement takes effect upon Covered Entity's electronic acceptance through the Service and remains in effect for the duration of the Underlying Agreement. By accepting this Agreement through the Service, Covered Entity acknowledges that electronic acceptance constitutes a valid and binding execution of this Agreement, equivalent to a handwritten signature, and that Business Associate's publication of these terms constitutes its execution.
  2. Termination for cause. Either party may terminate this Agreement if the other party materially breaches this Agreement and fails to cure the breach within thirty (30) days of receiving written notice.
  3. Effect of termination. Upon termination, Business Associate shall return or destroy all PHI in its possession, if feasible. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the remaining PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible. Uploaded documents are automatically destroyed within the configured retention period after request completion. Recipient identifying information and request metadata are destroyed when Covered Entity deletes the associated requests or organization account through the Service, or upon written request to Business Associate.

7. Miscellaneous

  1. Regulatory references. Any reference to a section of HIPAA or its implementing regulations means the section as in effect or as amended.
  2. Amendment. Business Associate may update this Agreement by publishing a revised version through the Service. Material changes require Covered Entity to re-accept the updated Agreement through the Service before continued use. Covered Entity's electronic acceptance of an updated version constitutes agreement to the amended terms.
  3. Survival. The obligations of Business Associate under Section 6.3 shall survive the termination of this Agreement.
  4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit compliance with HIPAA.
  5. Governing law. This Agreement shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of laws provisions. To the extent that federal law, including HIPAA, applies, federal law shall control.
  6. Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
SendMeDocs