Business Associate Agreement (BAA)

Effective Date: 2024-10-01

1. Parties and Purpose

1.1 Parties

This Business Associate Agreement ("BAA") is between:

  • ReliableFax ("Business Associate")
  • The customer ("Covered Entity") using ReliableFax services

1.2 Applicability

This BAA applies to any entity that:

  • Maintains an active ReliableFax account
  • Transmits Protected Health Information (PHI)
  • Is subject to HIPAA regulations
  • Accepts our Terms of Service

1.3 Purpose

This BAA establishes:

  • HIPAA compliance responsibilities
  • PHI handling requirements
  • Security obligations
  • Privacy protection standards

2. Definitions

2.1 Regulatory Definitions

  • "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
  • "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act.
  • "Protected Health Information" or "PHI" has the same meaning as defined in 45 CFR 160.103.

2.2 Service Definitions

  • "Services" means the HIPAA-compliant fax transmission services provided by ReliableFax.
  • "Transmission" means the electronic transfer of faxes between sending and receiving parties.
  • "Storage" means the temporary retention of faxes for up to 12 months.

2.3 Security Definitions

  • "Security Incident" means attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI.
  • "Breach" has the same meaning as defined in 45 CFR 164.402.
  • "Unsecured PHI" means PHI not rendered unusable, unreadable, or indecipherable through encryption.

3. Use and Disclosure of PHI

3.1 Permitted Uses

Business Associate may use PHI only to:

  • Transmit faxes as directed by Covered Entity
  • Process successful delivery confirmations
  • Maintain required audit trails
  • Provide temporary document storage
  • Perform optional AI processing when enabled

3.2 Permitted Disclosures

Business Associate may disclose PHI only:

  • To complete authorized transmissions
  • In response to a valid court order
  • When specifically required by law
  • To report security incidents as required by HIPAA

3.3 Prohibited Uses

Business Associate will not:

  • Use PHI for marketing
  • Sell PHI or related data
  • Use PHI beyond service provision
  • Share PHI for any other purposes

3.4 Minimum Necessary

Business Associate will:

  • Limit PHI access to essential personnel
  • Use only required PHI for service
  • Maintain access controls
  • Monitor PHI access patterns

4. Business Associate Obligations

4.1 Security Measures

Business Associate will maintain:

  • TLS 1.3 encryption for transmission
  • AES-256 encryption for storage
  • Multi-factor authentication systems
  • Access control and monitoring

4.2 Breach Response

In the event of a breach, Business Associate will:

  • Aim to notify Covered Entity within 48 hours of discovery
  • Provide complete notification within 60 days as required by HIPAA
  • Provide initial known details with subsequent updates
  • Support Covered Entity's reporting obligations
  • Maintain detailed incident records

Note: "Discovery" means when the breach becomes known to or reasonably should have been known to Business Associate.

5. AI Processing and Data Usage

5.1 AI Features

When enabled by Covered Entity:

  • AI processing is available for document analysis
  • Processing occurs within HIPAA-compliant systems
  • All security safeguards remain in effect
  • Results are available only to authorized users

5.2 AI Processing Controls

Business Associate ensures:

  • All processing follows HIPAA requirements
  • Processing occurs in US datacenters
  • Processing is strictly opt-in
  • PHI handling follows BAA terms

5.3 Feature Control

Covered Entity maintains:

  • Full control over AI feature usage
  • Ability to enable/disable processing
  • Access to processing audit logs
  • Control over processed data

6. Term and Termination

6.1 Term

This BAA:

  • Begins upon service activation
  • Continues through the service period
  • Remains in effect during data retention
  • Terminates with the service agreement

6.2 Termination for Cause

Either party may terminate if:

  • The other party materially breaches its obligations
  • Breach remains uncured for 30 days
  • Written notice of breach is provided

6.3 Effect of Termination

Upon termination:

  • Transmission service access ends
  • Standard 12-month retention applies
  • Access to historical faxes is maintained
  • Required records are preserved

6.4 Data Handling

Following termination:

  • Customer retains data access
  • Normal security controls continue
  • Regulatory compliance is maintained
  • Standard deletion policy applies

7. General Provisions

7.1 Infrastructure

Business Associate:

  • Operates on HIPAA-compliant infrastructure
  • Maintains enterprise-grade security
  • Ensures US data residency
  • Follows industry security standards

7.2 Regulatory Changes

This BAA will:

  • Incorporate regulatory updates
  • Maintain HIPAA compliance
  • Adapt to security requirements
  • Follow industry standards

7.3 Interpretation

In this Agreement:

  • HIPAA rules prevail in conflicts
  • Required terms are incorporated
  • State laws are observed
  • Definitions follow HIPAA

7.4 Notice

All notices regarding this BAA:

  • Must be in writing
  • Must be sent to the designated contacts
  • Must include the relevant details
  • Must follow the delivery methods set out in the service agreement

Contact Information

For questions about this Business Associate Agreement, please contact us at compliance@reliablefax.com.
