PrimaryPlus PrimaryPlus
HIPAA

Business Associate Agreement

PrimaryPlus standard HIPAA Business Associate Agreement.

Effective June 5, 2026

This Business Associate Agreement ("Agreement") is entered into by and between PrimaryPlus LLC ("Business Associate") and the covered entity or business associate that engages it for services and accepts this Agreement ("Covered Entity"). It supplements and is made part of the underlying services agreement between the parties (the "Underlying Agreement").

Introduction & Acceptance

Business Associate provides medical billing, coding, credentialing, and revenue cycle management services. In performing those services, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity. The parties enter into this Agreement to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, "HIPAA").

How this Agreement is accepted. This Agreement may be executed by handwritten or electronic signature, or accepted electronically through Business Associate's onboarding process or client portal. By signing, clicking to accept, or by exchanging Protected Health Information with Business Associate under the Underlying Agreement, Covered Entity agrees to be bound by this Agreement. A copy is available at any time on request.

1. Definitions

Capitalized terms used but not defined in this Agreement have the meanings given to them in HIPAA. Without limitation, the terms Breach, Designated Record Set, Disclosure, Electronic Protected Health Information, Individual, Protected Health Information ("PHI"), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use have the meanings set out in 45 C.F.R. Parts 160 and 164. References to PHI mean PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

2. Obligations of Business Associate

Business Associate agrees to:

  1. not Use or Disclose PHI other than as permitted or required by this Agreement, the Underlying Agreement, or as Required By Law;
  2. use reasonable and appropriate safeguards, and comply with the applicable provisions of the Security Rule at 45 C.F.R. Part 164, Subpart C, with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement;
  3. report to Covered Entity any Use or Disclosure of PHI not permitted by this Agreement of which it becomes aware, and any Breach of Unsecured PHI, without unreasonable delay and in no event later than thirty (30) calendar days after Discovery, and report Security Incidents as described below;
  4. mitigate, to the extent practicable, any harmful effect known to Business Associate of a Use or Disclosure of PHI in violation of this Agreement;
  5. in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions at least as protective as those that apply to Business Associate under this Agreement;
  6. make PHI in a Designated Record Set available to Covered Entity, or as directed by Covered Entity to an Individual, to the extent and in the manner necessary to satisfy Covered Entity's obligations under 45 C.F.R. 164.524, but only to the extent Business Associate maintains such PHI in a Designated Record Set;
  7. make PHI available for amendment and incorporate amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 C.F.R. 164.526, to the extent Business Associate maintains such PHI;
  8. maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. 164.528;
  9. to the extent Business Associate is to carry out any of Covered Entity's obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of those obligations; and
  10. make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining compliance with HIPAA.
Security Incidents. The parties acknowledge that attempted but unsuccessful Security Incidents that do not result in unauthorized access to, or Use or Disclosure of, PHI, such as pings, port scans, denial-of-service attempts, and similar routine events, occur frequently. This paragraph constitutes notice of such events, and no further report of them is required. Business Associate will report any Security Incident that results in unauthorized access to, or Use or Disclosure of, PHI in accordance with Section 2(c).

3. Permitted Uses & Disclosures

Except as otherwise limited by this Agreement, Business Associate may:

  1. Use and Disclose PHI as necessary to perform the services described in the Underlying Agreement and to meet its obligations to Covered Entity;
  2. Use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities;
  3. Disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that the Disclosure is Required By Law, or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and Used or further Disclosed only as Required By Law or for the purpose for which it was disclosed, and that the person will notify Business Associate of any breach of confidentiality;
  4. provide Data Aggregation services relating to the health care operations of Covered Entity as permitted by 45 C.F.R. 164.504(e)(2)(i)(B); and
  5. de-identify PHI in accordance with 45 C.F.R. 164.514(a)-(c), and Use and Disclose the resulting de-identified information for any lawful purpose, which information will not be considered PHI and will not be subject to this Agreement.

4. Obligations of Covered Entity

Covered Entity agrees to:

  1. obtain any consent, authorization, or permission that may be required under HIPAA or other applicable law before furnishing PHI to Business Associate;
  2. notify Business Associate of any limitation in Covered Entity's notice of privacy practices, of any changes in or revocation of permission by an Individual to Use or Disclose PHI, and of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by, in each case to the extent it may affect Business Associate's Use or Disclosure of PHI; and
  3. not request, instruct, or cause Business Associate to Use or Disclose PHI in any manner that would not be permitted under HIPAA if done by Covered Entity, except to the extent Business Associate may Use or Disclose PHI for its own management and administration or data aggregation as set out in this Agreement.

5. Term & Termination

Term. This Agreement is effective on the date of acceptance and continues until the later of the termination of the Underlying Agreement or the date Business Associate no longer maintains any PHI of Covered Entity.

Termination for cause. If a party materially breaches a term of this Agreement, the non-breaching party may provide written notice describing the breach and may terminate this Agreement and the Underlying Agreement if the breaching party does not cure the breach within thirty (30) days of notice, or immediately if cure is not feasible.

Effect of termination. Upon termination, Business Associate will, if feasible, return or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate maintains in any form, and will retain no copies. Where return or destruction is not feasible, including where retention is Required By Law, is part of routine system backups, or is necessary for Business Associate's proper management and administration, Business Associate will extend the protections of this Agreement to such PHI and limit further Uses and Disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate retains the PHI.

6. Liability, Indemnification & Insurance

Allocation of responsibility. Each party is responsible for its own acts and omissions and for those of its respective workforce and Subcontractors, and not for the acts or omissions of the other party. Business Associate is not responsible for any Breach or violation to the extent caused by Covered Entity's acts, omissions, instructions, systems, or failure to obtain required authorizations.

Indemnification. Each party will indemnify and hold the other harmless from third-party claims, penalties, and reasonable costs, including attorneys' fees, arising directly from the indemnifying party's violation of this Agreement or of HIPAA, except to the extent caused by the other party. This indemnity is the parties' sole indemnification obligation with respect to PHI.

Limitation of liability. EXCEPT FOR A PARTY'S INDEMNIFICATION OBLIGATIONS ABOVE AND TO THE EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF THIS AGREEMENT, AND BUSINESS ASSOCIATE'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE TOTAL FEES PAID TO BUSINESS ASSOCIATE UNDER THE UNDERLYING AGREEMENT DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

Insurance. Business Associate will maintain commercially reasonable professional liability and cyber liability insurance appropriate to the services it provides.

7. Miscellaneous

Regulatory references. A reference to a section of HIPAA means the section as in effect or as amended, and for which compliance is required.

Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as needed for compliance with HIPAA and other applicable law. Business Associate may propose amendments by notice to Covered Entity; if required by a change in law, such amendment is effective thirty (30) days after notice unless Covered Entity objects in writing.

Interpretation. Any ambiguity in this Agreement is resolved in favor of a meaning that permits the parties to comply with HIPAA. In the event of a conflict between this Agreement and the Underlying Agreement regarding PHI, this Agreement controls.

No third-party beneficiaries. Nothing in this Agreement confers any rights upon any person other than the parties and their respective successors and permitted assigns.

Survival. The obligations of Business Associate under Section 5 (Effect of termination) and Sections 6 and 7 survive termination of this Agreement.

Governing law. This Agreement is governed by the laws of the State of Nevada and applicable federal law, without regard to conflict-of-laws principles.

8. Acceptance & Signatures

By signing below or accepting electronically, each party agrees to the terms of this Agreement as of the date of acceptance.

BUSINESS ASSOCIATE — PrimaryPlus LLCBy: ____________________________
Name: __________________________
Title: ___________________________
Date: ___________________________
COVERED ENTITYBy: ____________________________
Name: __________________________
Title: ___________________________
Date: ___________________________
PrimaryPlus LLC · info@myprimaryplus.org · 773.232.7268