PMSLogix – Business Associate Agreement

Last Updated: 19 June 2025

1. Purpose

This Business Associate Agreement (“BAA” or “Agreement”) supplements and is deemed part of the PMSLogix Terms of Service (the “Master Agreement”) when the Customer is a Covered Entity and will transmit, upload, or otherwise provide Protected Health Information (“PHI”) to PMSLogix, Inc. and its affiliates (“PMSLogix,” “we,” “us,” or “Business Associate”).

2. Definitions

Capitalised terms not otherwise defined herein have the meanings assigned in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”). If a term is not defined in HIPAA, the meaning set forth in the Master Agreement will apply.

  • Breach, Covered Entity, Data Aggregation, Designated Record Set, Individual, Required by Law, Security Incident, Subcontractor, and Unsecured PHI have the meanings given in 45 C.F.R. §§ 160.103, 164.304, 164.402, and 164.501. Minimum Necessary refers to the standard in 45 C.F.R. § 164.502(b).

3. Obligations of PMSLogix

  1. Permitted Use & Disclosure. PMSLogix will not use or disclose PHI other than (a) as permitted by this BAA, (b) as otherwise agreed in writing, or (c) as Required by Law. All uses/disclosures will be limited to the Minimum Necessary to accomplish the purpose.

  2. Safeguards. PMSLogix will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI (“ePHI”) that it creates, receives, maintains, or transmits on behalf of Customer, in accordance with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C).

  3. Mitigation. PMSLogix will mitigate, to the extent commercially practicable, any harmful effect known to it of a use or disclosure of PHI by PMSLogix or its Subcontractors in violation of this BAA.

  4. Reporting. PMSLogix will report to Customer (a) any use or disclosure of PHI not permitted by this BAA, (b) any Security Incident of which it becomes aware, and (c) any Breach of Unsecured PHI, without unreasonable delay and in no event later than 60 calendar days after discovery, as required by 45 C.F.R. § 164.410.
    • Security Incidents. Unsuccessful Security Incidents that do not result in unauthorised access to, use of, or disclosure of ePHI (for example pings, port scans, and blocked or failed login attempts) are hereby deemed reported, and no further notice of them is required.

  5. Subcontractors. PMSLogix may engage Subcontractors that create, receive, maintain, or transmit PHI on its behalf, provided each Subcontractor agrees in writing to restrictions and safeguards no less stringent than those that apply to PMSLogix under this BAA, as required by 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2).

  6. Access & Amendment. PMSLogix will, within 30 days of Customer’s written request, make PHI in a Designated Record Set available to Customer or amend such PHI as directed, to enable Customer to satisfy its obligations under 45 C.F.R. §§ 164.524 & 164.526.

  7. Accounting of Disclosures. PMSLogix will document disclosures of PHI and, upon written request, provide information needed for Customer to respond to an Individual’s request for an accounting under 45 C.F.R. § 164.528.

  8. Regulatory Access. PMSLogix will make its internal policies, procedures, and PHI records relating to use and disclosure available to the Secretary of HHS for HIPAA compliance review, subject to reasonable confidentiality and operational constraints.

  9. Performance of Covered Entity Obligations. To the extent PMSLogix performs any of Customer’s obligations under the Privacy Rule, PMSLogix will comply with the requirements applicable to Customer when carrying out those obligations.

  10. Fees for Extraordinary Assistance. If Customer requests services outside the ordinary scope of the Master Agreement (e.g., extensive data extraction or audit support), PMSLogix may charge time-and-materials fees as mutually agreed in writing.

4. Permitted Uses and Disclosures by PMSLogix

  1. Service Delivery. PMSLogix may use PHI to provide, maintain, and improve the Platform and related professional services for or on behalf of Customer, provided such use would be permissible if done by Customer.

  2. Management & Administration. PMSLogix may use PHI for its own proper management and administration and to carry out its legal responsibilities, including regulatory compliance and risk management. PMSLogix may disclose PHI for those purposes only if (a) the disclosure is Required by Law, or (b) PMSLogix obtains reasonable written assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify PMSLogix of any instance of which it is aware in which the confidentiality of the PHI has been breached.

  3. Data Aggregation. PMSLogix may use PHI to provide Data Aggregation services relating to the health care operations of Customer, as defined in 45 C.F.R. § 164.501 and permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

  4. De-Identification. PMSLogix may de-identify PHI in accordance with 45 C.F.R. § 164.514 and may use or disclose such de-identified information for any lawful purpose. PMSLogix is the exclusive owner of the resulting de-identified datasets.

5. Obligations of Customer

  1. Notice of Privacy Practices. Customer will inform PMSLogix of any limitations in its notice of privacy practices that affect PMSLogix’s permitted use/disclosure of PHI.

  2. Patient Permissions & Restrictions. Customer will notify PMSLogix of any changes in, or revocation of, patient authorisations or restrictions that would impact PMSLogix’s use or disclosure of PHI.

  3. Minimum Necessary Requests. Customer will not request that PMSLogix use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer, and will limit each request to the Minimum Necessary PHI for its purpose.

6. Term & Termination

  1. This BAA is effective on the earlier of (a) Customer’s acceptance of the Master Agreement or (b) the date PMSLogix first receives PHI from Customer, and remains in effect until all PHI is returned or destroyed per Section 6.3.

  2. Termination for Cause. Either party may terminate this BAA on 30 days’ written notice if the other party materially breaches this BAA and fails to cure the breach within 60 days after receiving written notice of the breach.

  3. Effect of Termination. Upon termination of the Master Agreement:
    • PMSLogix will, at Customer’s option, return or destroy all PHI in its possession, except to the extent PMSLogix is required by law or its document-retention policies to retain copies.

    • If return or destruction is infeasible, PMSLogix will continue to protect the PHI in accordance with this BAA and will limit further uses/disclosures to those purposes that make return or destruction infeasible.

7. Miscellaneous

    • HIPAA Changes. The parties will negotiate in good faith to amend this BAA as needed to comply with changes to HIPAA or other applicable law. If they cannot agree within 90 days, either party may terminate the Master Agreement on 30 days’ written notice.

    • Payment Processing Exemption. Activities that fall within the financial-institution payment-processing exemption in Section 1179 of the Social Security Act (42 U.S.C. § 1320d-8), as added by HIPAA, are excluded from this BAA.

    • Interpretation. Any ambiguity in this BAA will be resolved to permit compliance with HIPAA. In case of conflict between this BAA and the Master Agreement, this BAA controls.

    • Survival. Sections 3–6 survive termination of the Master Agreement for so long as PMSLogix retains any PHI.

End of Business Associate Agreement