Business Associate Agreement
Last Updated May 16, 2025
This Business Associate Agreement (“BAA”) is between you and Quanta Suite, Inc. (“Quanta”) and is required under the Health Insurance Portability and Accountability Act of 1996, and the rules and regulations thereunder, as amended, (“HIPAA”) to ensure that the Parties will appropriately safeguard PHI, as required under HIPAA.
The “Terms” refers to the Terms of Service entered into between you and Quanta which govern your use of Quanta’s services, including, among other things, Quanta’s websites, software, cloud-based platforms, hardware and other products and services, (collectively, the “Services”). Together with the Terms, this BAA will govern each party’s respective obligations regarding PHI.
You represent and warrant that: (i) you have full legal authority to enter into this BAA, (ii) you have read and understand this BAA, and (iii) you agree to the terms of this BAA.
IF YOU DO NOT AGREE TO BE BOUND BY THIS BAA, YOU SHOULD NOT ACCESS OR USE THE SERVICES.
Definitions. All capitalized terms used in this BAA and not defined herein which are defined under HIPAA shall have the meanings set forth in HIPAA.
“Business Associate” shall have the same meaning as “business associate” referenced at 45 CFR 160.103 and in reference to the party to this BAA shall mean Quanta.
“Covered Entity” shall have the same meaning as “covered entity” at 45 CFR 160.130 and in reference to the party to this BAA shall mean you.
Business Associate and the Covered Entity are collectively referred to as the “Parties.”
Obligations of the Business Associate. The Business Associate agrees to:
Meet the requirements of a business associate under HIPAA;
Not use or disclose PHI other than as permitted or required by this BAA, the Terms, or as required by law;
Use appropriate safeguards to prevent unauthorized use or disclosure of PHI as required by the Security Rule;
Report to the Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Breach of Unsecured PHI as required at 45 CFR 164.410 and any Security Incident; however, the Business Associate is not required to report unsuccessful attempts at unauthorized access, use, or interference with systems that do not result in a breach of security;
Assist the Covered Entity in responding to requests for access to, amendment of, or accounting of PHI in a Designated Record Set in accordance with 45 CFR 164.524, 164.526 and 164.528;
Ensure that any agents and subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate with respect to such information;
Make available to Health and Human Services (“HHS”) its internal practices, books, and records which relate to the use and disclosure of PHI for purposes of determining compliance with HIPAA, subject to any applicable legal privileges or protections; and
Use reasonable commercial efforts to mitigate any harmful effect that is known to the Business Associate of a use or disclosure of PHI in violation of this BAA.
Obligations of the Covered Entity. The Covered Entity must use appropriate safeguards to prevent the unauthorized Use or Disclosure of PHI, consistent with this BAA, and as otherwise required under the Security Rule. If Covered Entity transmits PHI through the Services without encryption, Covered Entity shall be responsible for documenting, in accordance with the Security Rule, that encryption is not a reasonable and appropriate safeguard for such transmission, and for implementing any equivalent alternative measures if reasonable and appropriate.
The Covered Entity shall not request or cause the Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity, except that the Business Associate may Use or Disclose PHI for data aggregation, management, and administrative activities as permitted under HIPAA.
The Covered Entity shall promptly notify the Business Associate, in writing, of:
Any changes in, or revocation of, an Individual’s authorization or permission that may affect the Business Associate’s permitted or required Uses or Disclosures of PHI under this BAA;
Any arrangement, restriction, or limitation agreed to with an Individual under 45 CFR §164.522 that affects the Business Associate’s Use or Disclosure of PHI;
Any limitation in the Covered Entity’s notice of privacy practices under 45 CFR §164.520 to the extent such limitation may affect the Business Associate’s Use or Disclosure of PHI;
Any legal requirement that would impose a restriction or limitation on the Business Associate’s Use or Disclosure of PHI.
The Covered Entity shall not include in its notice of privacy practices any limitation that restricts the Business Associate’s permitted or required Uses or Disclosures of PHI under this BAA, unless required by law. In the event such a limitation is required by law, the Covered Entity shall promptly notify the Business Associate of the limitation.
Representations of Business Associate. Business Associate acknowledges and agrees that it is directly subject to and must comply with the applicable requirements under HIPAA and may be subject to civil, and in some cases, criminal penalties for making uses and disclosures of PHI that are not authorized by this BAA or required by law and for failing to safeguard PHI in accordance with the HIPAA Security Rule.
Requests submitted to the Business Associate.
To the extent the Business Associate maintains PHI in a Designated Record Set, it shall, upon written request from the Covered Entity, provide the Covered Entity with the PHI necessary for the Covered Entity to respond to an Individual’s request for access under 45 CFR § 164.524. The Business Associate will provide such information within twenty (20) calendar days of receiving a written request from the Covered Entity.
If the Business Associate receives a request directly from an Individual seeking access to, amendment of, or other action regarding their PHI, the Business Associate shall, within five (5) business days, forward such request to the Covered Entity. The Covered Entity shall be responsible for responding to such requests, including any denials of access or amendment.
The Business Associate will make available to the Covered Entity the information required for the Covered Entity to provide an accounting of disclosures of PHI as required by the Privacy Rule within thirty (30) calendar days of receiving a written request from the Covered Entity. The information provided by the Business Associate will include, to the extent known: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person, (iii) a brief description of the PHI disclosed, and (iv) one of the following if applicable: (a) a brief statement of the purpose of such disclosure which includes an explanation that reasonably informs the Individual of the basis for such disclosure or in lieu of such statement, (b) a copy of a written request from the Secretary of HHS to investigate or determine compliance with HIPAA; or (c) a copy of the Individual’s request for an accounting. In the event the request for an accounting is delivered directly to the Business Associate, the Business Associate shall within seven (7) business days forward such request to the Covered Entity. The timeline for the preceding requests may change according to state and federal requirements.
Permitted Uses and Disclosures by Business Associate.
The Business Associate may use or disclose PHI as permitted or required by this BAA or as required by law.
The Business Associate is permitted to use or disclose PHI to perform the Services pursuant to the Terms, provided that such use or disclosure would not violate HIPAA if done by the Covered Entity.
The Business Associate agrees to make uses and disclosures and requests for PHI consistent with the Covered Entity’s minimum necessary policies and procedures.
The Business Associate may use or disclose PHI if the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
The Business Associate may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may use and disclose health information that has been de-identified in accordance with HIPAA at its discretion.
Termination. This BAA will automatically terminate without further action of the Parties upon the termination or expiration of the business association between the Parties. In the event that either party breaches any material provision contained in the BAA, the non-breaching party shall give the breaching party at least 10 days’ written notice to cure the breach. If the breaching party fails to cure the breach within the specified period, the non-breaching party may terminate the Terms pursuant to Section 11 of the Terms.
Obligations of the Business Associate Upon Termination. Upon termination of the BAA for any reason, the Business Associate, with respect to PHI received from the Covered Entity, or PHI created, maintained, or received by Business Associate on behalf of the Covered Entity, shall: 1) retain only that PHI which is necessary for the Business Associate to continue its proper management and administration, or to meet its legal responsibilities; 2) return or, if agreed by the Covered Entity, securely destroy the remaining PHI maintained by the Business Associate in a manner consistent with standard data destruction practices applicable to cloud environments, including the use of automated or scheduled deletion mechanisms and storage lifecycle policies, provided that if complete destruction is infeasible (e.g., system backups or immutable logs), the Business Associate shall maintain such PHI in accordance with the protections of this BAA and HIPAA; 3) continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as the Business Associate retains the PHI; 4) not use or disclose the PHI retained by the Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in this BAA which applied prior to termination; and 5) return or, if agreed by the Covered Entity, securely destroy PHI consistent with the procedures outlined in this Section, when Business Associate no longer needs the PHI for its proper management and administration or to carry out its legal responsibilities.
The Business Associate may retain de-identified information created prior to termination in accordance with HIPAA. The obligations of the Business Associate under this section shall survive the termination of this BAA.
Amendments to BAA. This BAA may be amended by Quanta from time to time as necessary to comply with the requirements of HIPAA and any other applicable laws. Any such amendment shall be effective upon written notice to you.
Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA.
Governing Law. This BAA shall be governed by the laws of Florida, except to the extent preempted by federal law.
Severability. The provisions of this BAA shall be severable, and the invalidity of any provision shall not affect the validity of any other provisions.
Notice. Any notice required under this BAA shall be in writing and given by electronic mail. Notice should be submitted to Quanta at hello@quantasuite.com and to you at the email address you provide when registering for the Services, or as you subsequently update in writing.
Assignment. This BAA may not be assigned or delegated by either party without the prior written consent of the other; provided, however, that in the event of a permitted assignment of the Terms, this BAA may be assigned together with the Terms. This BAA shall be binding upon and shall inure to the benefit of the Parties and their respective representatives, successors, and permitted assigns.
Entire Agreement. This BAA supersedes any prior agreements between the Parties relating to HIPAA covering the Services. To the extent of any conflict or inconsistency between this BAA and the Terms, the provisions of this BAA will govern. Except as expressly modified or amended under the BAA, the Terms remain in full force and effect.