Business Associate Agreement
Effective: February 25, 2026 | US / HIPAA | support@getruana.com

Who needs this: This BAA applies to US-based healthcare practitioners and Covered Entities under HIPAA. EU-only practitioners do not need to accept a BAA.

This Business Associate Agreement (“BAA”) is entered into between Ruana LLC (“Business Associate”, “Ruana”) and the Covered Entity identified in the associated Ruana account (“Covered Entity”). This BAA is effective upon electronic acceptance at account setup or when you first use Ruana to process Protected Health Information (“PHI”). This BAA supplements and is incorporated into Ruana’s Terms of Service. In the event of a conflict on matters relating to PHI or HIPAA, this BAA shall prevail.

1. Definitions

“HIPAA” — the Health Insurance Portability and Accountability Act of 1996, as amended by HITECH, and implementing regulations at 45 C.F.R. Parts 160 and 164.

“PHI” — Protected Health Information as defined in 45 C.F.R. § 160.103, limited to PHI that Ruana creates, receives, maintains, or transmits on behalf of Covered Entity.

“ePHI” — PHI created, received, maintained, or transmitted in electronic form.

“Breach” — as defined in 45 C.F.R. § 164.402.

“Security Incident” — as defined in 45 C.F.R. § 164.304.

“Services” — the practice management software provided by Ruana under the Terms of Service.

2. Obligations of Ruana as Business Associate

2.1 Permitted Uses and Disclosures

Ruana may use or disclose PHI only as permitted by this BAA or required by law, including to provide the Services, for proper management and administration of Ruana’s business, and to carry out legal responsibilities.

2.2 Safeguards

Ruana shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, consistent with 45 C.F.R. Part 164, Subpart C. Current security measures are at getruana.com/legal/security.

2.3 Minimum Necessary

Ruana shall use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose.

2.4 Subcontractors

Ruana shall ensure all subcontractors that create, receive, maintain, or transmit PHI agree to restrictions at least as stringent as this BAA through a written agreement.

2.5 Reporting

  • Any impermissible use or disclosure of PHI — without unreasonable delay
  • Security Incidents — unsuccessful attempts reported quarterly; successful unauthorized access without unreasonable delay
  • Any Breach of Unsecured PHI within 60 calendar days of discovery per 45 C.F.R. § 164.410

2.6 Access, Amendment & Accounting

Ruana shall make PHI in a Designated Record Set available to Covered Entity as necessary to comply with individual rights of access (45 C.F.R. § 164.524), amendment (45 C.F.R. § 164.526), and accounting of disclosures (45 C.F.R. § 164.528).

2.7 HHS Access

Ruana shall make its internal practices, books, and records relating to PHI available to the Secretary of HHS for purposes of determining HIPAA compliance.

2.8 Mitigation

Ruana shall mitigate, to the extent practicable, any harmful effect known to Ruana of a use or disclosure of PHI by Ruana in violation of this BAA.

3. Obligations of Covered Entity

  • Provide Ruana with a copy of its Notice of Privacy Practices if requested
  • Notify Ruana of any restriction on PHI use or disclosure that affects Ruana’s obligations
  • Not request Ruana to use or disclose PHI in a manner that does not comply with HIPAA
  • Obtain all necessary patient authorizations and consents before transmitting PHI to Ruana
  • Implement appropriate safeguards to protect PHI on Covered Entity’s systems and devices

4. Term and Termination

4.1 Term

This BAA is effective upon acceptance and remains in effect for the duration of the Terms of Service.

4.2 Termination for Cause

Either party may terminate if the other materially breaches this BAA and fails to cure within 30 days of written notice.

4.3 Termination for Convenience

Either party may terminate upon 90 days' written notice.

4.4 Effect of Termination

Upon termination, Ruana shall return or destroy all PHI where feasible. The data retention provisions of the Terms of Service shall govern, and Ruana shall maintain the protections of this BAA for any retained PHI.

5. Permitted Uses for Management

Ruana may use PHI for proper management and administration of its business and to carry out legal responsibilities. Ruana may disclose PHI for these purposes only if required by law, or if Ruana obtains reasonable assurances from the recipient that the information will be held confidentially.

6. Miscellaneous

Entire Agreement on HIPAA: This BAA, together with the Terms of Service as it relates to PHI, constitutes the entire agreement with respect to HIPAA compliance.

Amendment: Ruana may update this BAA upon reasonable notice. Continued use following notice of a material amendment constitutes acceptance.

Governing Law: Governed by the laws of California, except to the extent federal law (including HIPAA) applies.

No Third-Party Beneficiaries: Nothing in this BAA shall confer any rights or remedies upon any person other than the parties and their respective permitted successors and assigns.

Interpretation: Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA. The parties agree that provisions shall be interpreted consistent with HIPAA and applicable HHS guidance.

Severability: If any provision of this BAA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

7. Electronic Acceptance

By using Ruana to process Protected Health Information, or by clicking the BAA acceptance checkbox during account setup, you acknowledge that you have read this BAA and agree to be bound by it. Electronic acceptance has the same legal effect as a written signature. Ruana records the date, time, and account associated with acceptance as documentation.

8. Contact

For HIPAA-related inquiries or to report a Security Incident or Breach:
support@getruana.com
Ruana LLC | 548 Market St #228047 | San Francisco, CA 94104 | USA