Business Associate Agreement

Last updated: March 20, 2026

Overview

This Business Associate Agreement ("BAA") is entered into between the healthcare facility ("Covered Entity") and Sigla LLC, operating as IntakeFlow ("Business Associate"), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

IntakeFlow processes Protected Health Information (PHI) on behalf of Covered Entities to provide digital admissions management, electronic signature collection, and related healthcare administration services.

1. Definitions

  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form, as defined by 45 CFR 160.103
  • Electronic Protected Health Information (ePHI): PHI transmitted or maintained in electronic media
  • Covered Entity: The healthcare facility using IntakeFlow services
  • Business Associate: Sigla LLC / IntakeFlow
  • Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined by 45 CFR 164.304

2. Obligations of Business Associate

Sigla LLC agrees to:

  • Not use or disclose PHI other than as permitted by this BAA, the service agreement, or as required by law
  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI
  • Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any Security Incident or Breach, within 24 hours of discovery
  • Ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions
  • Make PHI available to Covered Entity or individuals as required by HIPAA (45 CFR 164.524)
  • Make PHI available for amendment as required by HIPAA (45 CFR 164.526)
  • Maintain and make available information required for Covered Entity to provide an accounting of disclosures (45 CFR 164.528)
  • Make internal practices, books, and records relating to PHI use available to HHS for compliance determination
  • Comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C) with respect to ePHI

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI:

  • To perform services as outlined in the service agreement (admissions management, form generation, e-signature facilitation, waitlist management, PDF generation)
  • For the proper management and administration of Business Associate; PHI may be disclosed for this purpose only if the disclosure is required by law or if Business Associate obtains reasonable assurances from the recipient that the information will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed, and that any breach of its confidentiality will be reported to Business Associate
  • To provide data aggregation services relating to healthcare operations of Covered Entity
  • To report violations of law to appropriate federal and state authorities

4. Security Safeguards

Business Associate shall implement and maintain:

  • AES-256 encryption for all ePHI at rest
  • TLS 1.2 or higher for all ePHI in transit
  • Role-based access controls with facility-level data isolation
  • Automatic session timeout after 15 minutes of inactivity
  • Comprehensive audit logging of all ePHI access and modifications
  • Workforce training on HIPAA requirements
  • Risk assessments conducted annually
  • Incident response procedures with documented breach notification process

5. Breach Notification

Business Associate shall notify Covered Entity of any Breach of unsecured PHI within 24 hours of discovery. Notification shall include:

  • Identification of each individual whose PHI was or is reasonably believed to have been affected
  • A description of the circumstances of the breach
  • The date of discovery and date of the breach
  • A description of the types of PHI involved
  • Steps individuals should take to protect themselves
  • What Business Associate is doing to investigate, mitigate, and prevent future breaches

6. Term and Termination

This BAA remains in effect for the duration of the service agreement. Upon termination:

  • Business Associate shall return or destroy all PHI received from or created on behalf of Covered Entity, if feasible
  • If return or destruction is not feasible, protections of this BAA shall extend to retained PHI
  • Business Associate shall limit further uses and disclosures of retained PHI to the purposes that make return or destruction infeasible

Either party may terminate this BAA if the other party materially breaches its terms and fails to cure within 30 days of written notice.

7. Governing Law

This BAA shall be governed by HIPAA, HITECH, and their implementing regulations, as well as the laws of the Commonwealth of Virginia where they do not conflict with federal law.

8. Request a BAA

To execute a Business Associate Agreement for your facility, contact us:

Sigla LLC — Legal

Email: contact@siglallc.com

Website: siglallc.com