00 Overview
This Business Associate Agreement ("BAA") is entered into between the healthcare facility ("Covered Entity") and Sigla LLC, operating as IntakeFlow ("Business Associate"), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
IntakeFlow processes Protected Health Information (PHI) on behalf of Covered Entities to provide digital intake management, electronic signature collection, and related healthcare administration services.
01 Definitions
- Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form, as defined by 45 CFR 160.103
- Electronic Protected Health Information (ePHI): PHI transmitted or maintained in electronic media
- Covered Entity: The healthcare facility using IntakeFlow services
- Business Associate: Sigla LLC / IntakeFlow
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations
02 Obligations of Business Associate
Sigla LLC agrees to:
- Not use or disclose PHI other than as permitted by this BAA, the service agreement, or as required by law
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any Security Incident or Breach, within 24 hours of discovery
- Ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions
- Make PHI available to Covered Entity or individuals as required by HIPAA (45 CFR 164.524)
- Make PHI available for amendment as required by HIPAA (45 CFR 164.526)
- Maintain and make available information required for Covered Entity to provide an accounting of disclosures (45 CFR 164.528)
- Make internal practices, books, and records relating to PHI use available to HHS for compliance determination
- Comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C) with respect to ePHI
03 Subprocessors
Business Associate uses HIPAA-compliant subprocessors for infrastructure, authentication, and email delivery. Each subprocessor processes ePHI only as necessary and is bound by a Business Associate Agreement. The current subprocessor list is set forth in Schedule A below and is incorporated by reference into this Agreement.
Business Associate shall notify Covered Entity of any material changes to its subprocessor list at least thirty (30) days prior to engaging a new subprocessor that will process PHI.
Schedule A · Current Subprocessors
- Google Cloud Platform · Primary infrastructure (compute, database, object storage, AI inference). BAA on file. US.
- Firebase Identity Platform · Authentication and session management. Covered by the same Google Cloud BAA.
- Amazon Web Services (SES) · Transactional email delivery. BAA on file. US.
- HIPAA-Compliant Fax Provider · Inbound and outbound referral fax transmission on behalf of customer facilities. Fax PDFs transit encrypted and are written to our primary object storage on receipt. BAA on file. US.
- Cloudflare · DNS resolution and CDN for the marketing landing page only. No PHI transits.
- Vercel · Hosting for the marketing landing page only. No PHI transits.
04 Subcontractor Flow-Down
Business Associate shall ensure that any subcontractors, agents, or downstream entities that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to such PHI. Business Associate remains fully responsible for the acts and omissions of its subcontractors as if performed by Business Associate itself.
05 Permitted Uses and Disclosures
Business Associate may use or disclose PHI:
- To perform services as outlined in the service agreement, including referral intake, AI-assisted prescreening and document data extraction, payer list management, eligibility and authorization tracking, admission and service agreement generation, electronic signature facilitation, referral pipeline and waitlist management, PDF packet generation, and visit scheduling
- For the proper management and administration of Business Associate, if required by law or if Business Associate obtains reasonable assurances that the information will be protected
- To provide data aggregation services relating to healthcare operations of Covered Entity
- To report violations of law to appropriate federal and state authorities
06 Security Safeguards
Business Associate shall implement and maintain:
- AES-256 encryption for all ePHI at rest
- TLS 1.2 or higher for all ePHI in transit
- Role-based access controls with facility-level data isolation
- Automatic session timeout after 15 minutes of inactivity
- Multi-factor authentication (MFA) required for all workforce members accessing ePHI
- Comprehensive audit logging of all ePHI access and modifications
- Workforce training on HIPAA requirements
- Annual risk assessments conducted in accordance with 45 CFR 164.308(a)(1)(ii)(A), with documented findings and remediation plans
- Incident response procedures with documented breach notification process
- Technology asset inventory maintained and reviewed at least annually, including all systems that create, receive, maintain, or transmit ePHI
- Patch management: critical security patches applied within fifteen (15) days of release; all other patches applied within thirty (30) days
07 Disaster Recovery
Business Associate commits to restoring systems that process ePHI within seventy-two (72) hours of any system failure, disaster, or disruption that renders the Service unavailable. Business Associate shall maintain and test disaster recovery procedures at least annually.
08 Breach Notification
Business Associate shall notify Covered Entity of any Breach of unsecured PHI within 24 hours of discovery. Notification shall include:
- Identification of each individual whose PHI was or is reasonably believed to have been affected
- A description of the circumstances of the breach
- The date of discovery and date of the breach
- A description of the types of PHI involved
- Steps individuals should take to protect themselves
- What Business Associate is doing to investigate, mitigate, and prevent future breaches
09 Term and Termination
This BAA remains in effect for the duration of the service agreement. Upon termination:
- Business Associate shall, at the direction of Covered Entity, return all PHI in a standard, portable format (e.g., CSV, JSON, or PDF) or securely destroy all PHI received from or created on behalf of Covered Entity within thirty (30) days of termination
- Upon completion of return or destruction, Business Associate shall provide Covered Entity with a written certification confirming that all PHI has been returned or destroyed, including PHI held by subcontractors
- If return or destruction is not feasible due to legal retention requirements, protections of this BAA shall extend to retained PHI, and Business Associate shall limit further uses and disclosures of retained PHI to the purposes that make return or destruction infeasible
- Business Associate shall identify and document any PHI that cannot be returned or destroyed and the specific legal basis for its retention
Either party may terminate this BAA if the other party materially breaches its terms and fails to cure within thirty (30) days of written notice.
10 Governing Law
This BAA shall be governed by HIPAA, HITECH, and their implementing regulations, as well as the laws of the Commonwealth of Virginia where they do not conflict with federal law.
11 Request a BAA
To execute a Business Associate Agreement for your facility, contact us: