Business Associate Agreement
Version 2.0 — Effective upon account creation by an owner-role user
Parties
This Business Associate Agreement ("BAA") is entered into between PodDispatch LLC ("Business Associate") and the operator company identified during account registration ("Covered Entity"). This BAA is incorporated by reference into the PodDispatch Terms of Service and is binding upon account creation by an owner-role user.
Definitions
Terms used in this BAA shall have the same meanings as defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations at 45 CFR Parts 160 and 164. "Protected Health Information" or "PHI" means any individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity through the platform.
Obligations of PodDispatch LLC (Business Associate)
PodDispatch LLC agrees to:
- Use PHI only as necessary to provide platform services described in the Terms of Service.
- Implement appropriate administrative, physical, and technical safeguards to protect PHI in accordance with 45 CFR Part 164 Subpart C.
- Report security incidents and breaches of unsecured PHI to the Covered Entity within 60 days of discovery.
- Ensure that any subcontractors who create, receive, maintain, or transmit PHI on Business Associate's behalf agree in writing to the same restrictions and obligations that apply to Business Associate under this BAA.
- Make PHI available to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524 (right of access).
- Make Business Associate's internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.
- Return or destroy PHI upon termination of services where feasible. Where return or destruction is not feasible (for example, due to backup infrastructure constraints or legal hold), PHI shall continue to be protected under the terms of this BAA.
Obligations of the Operator (Covered Entity)
The Covered Entity agrees to:
- Obtain all necessary patient authorizations and consents required under HIPAA before entering PHI into the platform.
- Provide accurate patient information, demographics, insurance, and clinical documentation.
- Not request or instruct PodDispatch to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity directly.
- Notify Business Associate of any limitations in its notice of privacy practices, restrictions, or revocations of authorization that affect Business Associate's permitted uses or disclosures of PHI.
- Manage workforce access to the platform, including provisioning, deprovisioning, and credential hygiene.
Permitted Uses and Disclosures
Business Associate may use and disclose PHI only as necessary to provide the dispatch, scheduling, ePCR, claim generation, and billing-export services described in the Terms of Service, or for the proper management and administration of Business Associate's own business and to carry out its legal responsibilities. Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if done by the Covered Entity.
Security of Electronic PHI
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI in accordance with 45 CFR Part 164 Subpart C, including encryption at rest using AES-256 and encryption in transit using TLS 1.2 or higher.
Term and Termination
This BAA is effective as of the date of account creation. Either party may terminate this BAA if the other party materially breaches a provision and fails to cure the breach within 30 days of written notice. Upon termination, Business Associate shall return or destroy PHI as described above.
Breach Notification
Business Associate shall notify Covered Entity without unreasonable delay and in no case later than 60 days following discovery of a breach of unsecured PHI. Notification shall identify each individual whose PHI was breached, describe the breach, identify the type of PHI involved, and describe the steps Business Associate has taken to investigate and mitigate the breach.
Limitation of Liability
Business Associate's total liability under this BAA shall not exceed the total fees paid by Covered Entity in the three months preceding the event giving rise to the claim.
Governing Law
This BAA is governed by the laws of the State of Georgia.
Contact
For BAA questions, contact support@thepoddispatch.com.
