Business Associate Agreement

This Business Associate Agreement ("BAA") is entered into between Cowboy Systems ("Business Associate") and the healthcare practice or covered entity subscribing to the Cowboy Systems platform ("Covered Entity"). This BAA is required under HIPAA before any Protected Health Information may be stored or processed on the platform.

Recitals

WHEREAS, Covered Entity is a Covered Entity as defined under HIPAA and provides healthcare services to patients;

WHEREAS, Business Associate provides electronic health record, scheduling, billing, and practice management software services to Covered Entity pursuant to a Service Agreement;

WHEREAS, in the course of providing such services, Business Associate will create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity;

WHEREAS, HIPAA requires Covered Entities to enter into a Business Associate Agreement with their Business Associates prior to the disclosure of PHI to such Business Associates;

NOW, THEREFORE, in consideration of the mutual promises set forth herein and in the Service Agreement, the parties agree as follows:

1. Definitions

The following terms shall have the meanings set forth below. Terms not defined here shall have the meanings ascribed to them in 45 CFR Parts 160 and 164.

"Protected Health Information" or "PHI"

Individually identifiable health information that is transmitted or maintained in any form or medium by Business Associate on behalf of Covered Entity, as defined in 45 CFR § 160.103, limited to the information Business Associate creates, receives, maintains, or transmits for Covered Entity.

"Breach"

The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.

"Security Incident"

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.

"Service Agreement"

The Terms of Service and any applicable Order Form governing Covered Entity's subscription to the Cowboy Systems platform.

"Subcontractor"

A person or entity to whom Business Associate delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate may use and disclose PHI only to the extent necessary to:

Provide the services specified in the Service Agreement;
Perform data aggregation services relating to the healthcare operations of Covered Entity, as permitted under 45 CFR § 164.504(e)(2)(i)(B);
Report violations of law to appropriate authorities as required by law;
Carry out its legal responsibilities as permitted or required by 45 CFR § 164.504(e)(2)(ii).

Business Associate shall not use or disclose PHI in any manner that would violate the Privacy Rule if done by Covered Entity, except as otherwise permitted under this BAA.

2.2 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards as required by the Security Rule (45 CFR Part 164, Subpart C) to protect the confidentiality, integrity, and availability of Electronic PHI. These include but are not limited to:

AES-256 encryption of PHI at rest and TLS 1.3 encryption in transit
Role-based access controls and mandatory multi-factor authentication
Comprehensive audit logging retained for a minimum of 6 years
Workforce training and documented security policies
Annual risk assessments and documented risk management plans
Geo-redundant backups and disaster recovery procedures

2.3 Reporting

Business Associate shall report to Covered Entity:

Breaches of Unsecured PHI: Without unreasonable delay and in no event later than 60 days following discovery of a Breach, in accordance with 45 CFR § 164.410.
Security Incidents: Any Security Incident of which Business Associate becomes aware, promptly following discovery.
Unauthorized Disclosures: Any use or disclosure of PHI not provided for or permitted by this BAA.

Reports shall be made to Covered Entity's designated privacy contact and shall include the information required under 45 CFR § 164.410(c) to the extent available at the time of notification.

2.4 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA, by executing a written Business Associate Agreement with such Subcontractor prior to allowing access to PHI.

2.5 Access to PHI

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity (or, where directed, to the individual patient) within 30 days of a request, as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524.

2.6 Amendment of PHI

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity or required under 45 CFR § 164.526.

2.7 Accounting of Disclosures

Business Associate shall document and make available to Covered Entity information necessary for Covered Entity to provide an accounting of disclosures of PHI as required under 45 CFR § 164.528.

2.8 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity available to the Secretary of Health and Human Services for purposes of determining Covered Entity's or Business Associate's compliance with HIPAA, subject to legally applicable privileges.

3. Obligations of Covered Entity

Covered Entity shall:

Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or been required to abide by under 45 CFR § 164.522, to the extent such restriction may affect Business Associate's use or disclosure of PHI;
Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity;
Obtain any consents, authorizations, or other permissions required from patients for the use of telehealth, patient portal, and electronic communications features;
Promptly notify Business Associate of any patient privacy requests or complaints that may affect Business Associate's obligations under this BAA.

4. Term and Termination

4.1 Term

This BAA is effective upon the earlier of: (a) execution by both parties; or (b) Covered Entity's acceptance of the Service Agreement, and shall continue for the term of the Service Agreement unless earlier terminated as set forth herein.

4.2 Termination for Cause

Either party may terminate this BAA and the underlying Service Agreement immediately if the other party materially breaches this BAA and fails to cure such breach within 30 days of receiving written notice. If cure is not possible, the non-breaching party may terminate immediately upon written notice.

4.3 Effect of Termination

Upon termination of this BAA for any reason, Business Associate shall, at Covered Entity's election, either:

Return to Covered Entity all PHI received from or created on behalf of Covered Entity, in a commonly readable format within 60 days; or
Destroy all such PHI and certify in writing that all PHI has been destroyed, to the extent feasible.

If return or destruction is not feasible, Business Associate shall continue to apply the protections of this BAA to such PHI and limit further use or disclosure to those purposes that make return or destruction infeasible.

5. General Provisions

5.1 Amendment

The parties agree to amend this BAA to the extent necessary to comply with changes in HIPAA, HITECH, or applicable regulations. Cowboy Systems will provide written notice of proposed amendments. Continued use of the Service following the effective date of any amendment constitutes acceptance.

5.2 No Third-Party Beneficiaries

Nothing in this BAA shall confer any rights or remedies upon any person or entity other than the parties and their respective successors and permitted assigns.

5.3 Interpretation

This BAA shall be interpreted in a manner that allows Covered Entity to comply with HIPAA. In the event of a conflict between this BAA and the Service Agreement with respect to the subject matter of this BAA, the terms of this BAA shall control.

5.4 Governing Law

This BAA shall be governed by federal law, including HIPAA and HITECH, and to the extent not preempted, the laws of the applicable jurisdiction of Cowboy Systems.

5.5 Entire Agreement

This BAA, together with the Service Agreement, constitutes the entire agreement between the parties with respect to Business Associate's obligations regarding PHI and supersedes all prior agreements, understandings, and negotiations relating to the same subject matter.

Execution

By executing the Cowboy Systems Service Agreement or by checking the "I agree" box during account setup, both parties agree to be bound by the terms of this Business Associate Agreement. For a countersigned physical or PDF copy of this BAA, contact legal@cowboysystems.com.

Business Associate

Authorized Signature

Printed Name & Title

Date

Cowboy Systems

Covered Entity

Authorized Signature

Printed Name & Title

Date

Practice / Organization Name

Request a Signed BAA

To request a countersigned BAA or for questions about this agreement:

Email: legal@cowboysystems.com
Subject: BAA Request — [Your Practice Name]
Company: Cowboy Systems · cowboysystems.com