HIPAA Business Associate Agreement

Last updated: March 1, 2025

This is a summary of our standard Business Associate Agreement. Enterprise customers will receive the full, executable BAA during onboarding. For Starter and Professional plans, a BAA is available as an add-on.

1. Definitions

This Business Associate Agreement ("BAA") supplements the Terms of Service between Rendum, Inc. ("Business Associate") and the Customer ("Covered Entity"). Terms used but not defined herein shall have the meaning ascribed to them under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 CFR Parts 160 and 164.

  • "Protected Health Information" (PHI) means individually identifiable health information transmitted or maintained in any form as defined under 45 CFR 160.103.
  • "Electronic Protected Health Information" (ePHI) means PHI that is transmitted or maintained in electronic media.
  • "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
  • "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.

2. Obligations of Business Associate

Rendum, as Business Associate, agrees to:

  • Not use or disclose PHI other than as permitted by this BAA or as required by law
  • Implement administrative, physical, and technical safeguards to protect ePHI as required by the HIPAA Security Rule
  • Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any Security Incident or Breach, within 24 hours of discovery
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions as this BAA
  • Make available PHI in accordance with 45 CFR 164.524 (individual access rights)
  • Make available PHI for amendment in accordance with 45 CFR 164.526
  • Provide an accounting of disclosures in accordance with 45 CFR 164.528
  • Make internal practices, records, and books available to the Secretary of HHS for determining compliance
  • Return or destroy all PHI upon termination of the BAA, where feasible

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI only for the following purposes:

  • To perform functions, activities, or services specified in the Terms of Service, specifically: eligibility file processing, billable-day calculation, invoice generation, and related billing automation services
  • For the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurance that the information will be held confidentially
  • To provide data aggregation services relating to the healthcare operations of Covered Entity, as permitted by 45 CFR 164.504(e)(2)
  • To de-identify PHI in accordance with 45 CFR 164.514(a)-(c), only with prior written consent of Covered Entity

4. Security Safeguards

Business Associate shall implement and maintain:

  • Encryption: AES-256 encryption for ePHI at rest; TLS 1.2+ for ePHI in transit
  • Access Controls: Role-based access with unique user identification, automatic logoff, and multi-factor authentication
  • Audit Controls: Comprehensive logging of all access to and operations on ePHI, retained for 6 years
  • Integrity Controls: Checksums and validation to protect ePHI from improper alteration or destruction
  • Transmission Security: All ePHI transmitted via encrypted channels; no plaintext PHI transmission permitted
  • Facility Security: Azure data center physical security controls including multi-factor access, CCTV, and 24/7 security personnel
  • Workforce Security: Background checks, security training, and access termination procedures for all personnel with access to ePHI

5. Breach Notification

In the event of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity within 24 hours of discovery. Notification shall include:

  • Identification of each individual whose PHI has been, or is reasonably believed to have been, compromised
  • A description of the nature of the Breach, including types of information involved
  • The date of the Breach and date of discovery
  • Steps Business Associate is taking to investigate, mitigate harm, and prevent future Breaches
  • Contact information for individuals who can provide additional information

Business Associate shall cooperate with Covered Entity in meeting Covered Entity's notification obligations under 45 CFR 164.404-408 and shall bear the costs of notification and mitigation to the extent caused by Business Associate's acts or omissions.

6. Term and Termination

This BAA is effective upon execution and shall remain in effect for the duration of the Terms of Service. Either party may terminate this BAA if the other party materially breaches any obligation under this BAA and fails to cure the breach within 30 days of written notice.

Upon termination, Business Associate shall return or destroy all PHI in its possession within 30 days. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI indefinitely and limit further uses and disclosures to those purposes that make return or destruction infeasible.

7. Subcontractors

Business Associate uses the following subcontractors that may have access to ePHI, each of whom has executed a BAA with Business Associate:

  • Microsoft Azure: Cloud infrastructure, compute, storage, and database services
  • Auth0 (Okta): Identity and authentication services
  • Stripe: Payment processing (no PHI access)

8. Contact

For questions about this BAA or to request an executable copy, contact:

Rendum, Inc.
Attn: Compliance Officer
Email: hipaa@rendum.io