Ondara

Business Associate Agreement

Last updated: March 1, 2026

Overview: The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities have a Business Associate Agreement (BAA) in place with any organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on their behalf. This agreement establishes the legal framework for how Ondara handles PHI and the obligations both parties have under HIPAA regulations.

What is a Business Associate Agreement?

A Business Associate Agreement is a legally binding contract required by the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations (45 CFR 164.502(e) and 164.504(e)). It establishes the terms under which a Business Associate (in this case, Ondara) agrees to handle Protected Health Information (PHI) on behalf of a Covered Entity (your healthcare practice or organization). The BAA sets out the security and privacy safeguards that must be implemented, the permitted uses and disclosures of PHI, and the responsibilities of both parties in maintaining HIPAA compliance. Without a properly executed BAA, a covered entity may not lawfully disclose PHI to a third-party service that stores or processes patient data on its behalf.

Why Does Your Practice Need a BAA with Ondara?

If your mental health practice uses Ondara to manage patient intake forms and store Protected Health Information, federal law requires that you have an executed BAA in place. This agreement protects both your practice and Ondara by establishing clear expectations about data security, breach notification procedures, and regulatory compliance. The BAA ensures that Ondara has the same legal and ethical obligations to protect patient privacy as your practice does, creating a comprehensive compliance framework. Without a BAA, your practice could face regulatory penalties and liability for any breaches of patient information through Ondara.

Definitions

Covered Entity: Your healthcare practice or organization that is subject to HIPAA regulations and creates or receives Protected Health Information in the course of providing healthcare services.

Business Associate: Ondara, as a service provider that creates, receives, maintains, or transmits Protected Health Information on behalf of the Covered Entity.

Protected Health Information (PHI): Individually identifiable health information, in any form or medium, that is created, received, maintained, or transmitted by the Covered Entity or by Ondara on its behalf, including names, medical record numbers, diagnoses, treatment plans, intake form responses, and clinical assessment data.

Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of such information. Under the HIPAA Breach Notification Rule, such an event is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.

Obligations of Business Associate

Ondara agrees to implement and maintain comprehensive safeguards to protect all PHI. Specifically, we commit to:

  • Implement and maintain administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI
  • Encrypt all PHI at rest with AES-256-GCM, and encrypt all PHI in transit with TLS using AES-256-GCM cipher suites
  • Implement role-based access controls and multi-factor authentication for all accounts with access to PHI
  • Maintain comprehensive audit logs of all access to and modifications of PHI
  • Conduct regular risk assessments and security testing to identify and address vulnerabilities
  • Notify the Covered Entity promptly of any suspected or confirmed breach of PHI, without unreasonable delay and in no case later than the deadline set by the HIPAA Breach Notification Rule (60 calendar days after discovery)
  • Only use or disclose PHI as permitted by the BAA or as required by law
  • Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on Ondara's behalf executes a written agreement imposing the same restrictions and conditions that apply to Ondara under this BAA
  • Upon request, provide audit reports and documentation of compliance with HIPAA Security and Privacy Rules

Permitted Uses and Disclosures

Ondara may only use or disclose PHI for the purposes of performing services as defined in the BAA and as authorized by the Covered Entity. Specifically, we may use PHI to:

  • Process patient intake forms and generate clinical summaries as requested by the Covered Entity
  • Maintain and improve our platform and services
  • Comply with applicable legal and regulatory requirements
  • Investigate and address suspected breaches and security incidents

Ondara will not use or disclose PHI for any other purposes, including marketing, research, or sale of information, without prior written authorization from the Covered Entity. Any use of PHI beyond what is authorized under the BAA is strictly prohibited.

Obligations of Covered Entity

The healthcare practice (Covered Entity) agrees to:

  • Limit access to PHI to authorized individuals within the practice
  • Establish and maintain policies regarding the appropriate use and disclosure of PHI
  • Provide training to all workforce members regarding HIPAA privacy and security requirements
  • Notify Ondara immediately of any suspected breach of PHI or unauthorized access
  • Cooperate with Ondara in investigating any potential security incidents
  • Maintain all documentation required for demonstrating HIPAA compliance

Term and Termination

This BAA becomes effective when executed by both parties and continues until terminated. Either party may terminate the BAA for material breach if the breaching party fails to cure the breach within thirty (30) days of written notice. The Covered Entity may terminate the BAA at any time upon written notice. Upon termination, Ondara will securely return or destroy all PHI as directed by the Covered Entity. If return or destruction is infeasible, Ondara will extend the protections of this BAA to the retained PHI and limit its further use and disclosure to those purposes that make return or destruction infeasible, for as long as the PHI is retained.

Miscellaneous

This BAA constitutes the entire agreement between the parties regarding HIPAA compliance and supersedes any prior agreements or understandings. The BAA is governed by applicable federal HIPAA regulations and the laws of the state in which the Covered Entity is located. This BAA may be amended only through written consent of both parties. If any provision of this BAA is found invalid or unenforceable, all other provisions shall remain in full force and effect.

Ready to Execute a BAA?

To execute a Business Associate Agreement with Ondara, please contact our legal team at legal@ondara.ai. Our team will work with you to ensure the BAA meets your organization's requirements and complies with all applicable HIPAA regulations. We typically process BAA requests within 3-5 business days.

AI-powered patient intake for modern mental health practices.

© 2026 Ondara. All rights reserved.