Blu Healthcare™
Business Associate Agreement
This Business Associate Agreement (“BAA”) is made in connection with the access to and use of the services of Blu Healthcare USA, Inc., a Delaware corporation (“Business Associate”), including its various websites (the “Services”) by any user of the Services (“Covered Entity”) who is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Covered Entity’s access to and use of the Services is conditioned on its acceptance of and compliance with this BAA. By accessing or using the Services, Covered Entity agrees to be bound by this BAA. The parties are entering into this BAA to assist the Covered Entity in complying with HIPAA, and to set forth Business Associate’s obligations under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), and 45 CFR Parts 160 and 164, Subpart C (the “Security Rule”), Subpart D (the “Data Breach Notification Rule”), and Subpart E (the “Privacy Rule”) (collectively, the “HIPAA Regulations”). Terms used in this BAA have the meanings given them in the HIPAA Regulations. This BAA applies to any Protected Health Information (“PHI”) Business Associate receives from Covered Entity, or creates, receives or maintains on behalf of Covered Entity, in the course of providing the Services to Covered Entity.
AGREEMENT
- Business Associate may use and disclose Covered Entity’s PHI to provide Covered Entity with the Services. Except as expressly provided below, this BAA does not authorize Business Associate to make any use or disclosure of PHI that Covered Entity would not be permitted to make.
- Business Associate will:
  - Not use or further disclose Covered Entity’s PHI except as permitted by the terms of use and privacy policy governing the Services (“Terms of Use”) or this BAA, or as required by law;
  - Use appropriate safeguards, and comply, where applicable, with the HIPAA Security Rule with respect to electronic PHI, to prevent use or disclosure of Covered Entity’s PHI other than as provided for by the Terms of Use or this BAA;
  - Report to Covered Entity any use or disclosure of Covered Entity’s PHI not provided for by the Terms of Use or this BAA of which it becomes aware, including breaches of unsecured PHI as required by the Data Breach Notification Rule (45 CFR § 164.410), and any security incident of which Business Associate becomes aware;
  - Ensure that any of Business Associate’s subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate with respect to such information, including compliance with the HIPAA Security Rule with respect to electronic PHI;
  - Make any PHI in a designated record set available to Covered Entity to enable Covered Entity to meet its obligation to provide access to the information in accordance with 45 CFR § 164.524;
  - Make any PHI in a designated record set available for amendment and incorporate any amendments to PHI as directed by Covered Entity pursuant to 45 CFR § 164.526;
  - Make available to Covered Entity the information concerning disclosures that Business Associate makes of Covered Entity’s PHI required to enable Covered Entity to provide an accounting of disclosures in accordance with 45 CFR § 164.528;
  - To the extent that Business Associate carries out Covered Entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations;
  - Make Business Associate’s internal practices, books, and records relating to Business Associate’s use and disclosure of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the United States Department of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Regulations;
  - Limit its requests for and uses and disclosures of Covered Entity’s PHI to the minimum necessary, and comply with any minimum necessary policies and procedures that Covered Entity provides to Business Associate in writing;
  - Upon termination of the provision of Services to Covered Entity, return or destroy all Covered Entity’s PHI that Business Associate still maintains in any form and retain no copies of such information or, if Business Associate determines that return or destruction is not feasible, extend the protections of this BAA to that information and limit further use and disclosure to those purposes that make the return or destruction of the information infeasible.
- Business Associate may use Covered Entity’s PHI for the management and administration of Business Associate’s company and to carry out Business Associate’s own legal responsibilities, and Business Associate may disclose the information for these purposes if Business Associate is required to do so by law, or if Business Associate obtains reasonable assurances from the recipient of the information (1) that it will be held confidentially, and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (2) that the recipient will notify Business Associate of any instances of which the recipient is aware in which the confidentiality of the information is breached.
- Business Associate may use Covered Entity’s PHI for data aggregation, as permitted by the Privacy Rule.
- Business Associate may de-identify Covered Entity’s PHI, and use and disclose the de-identified information without restriction.
- If Covered Entity determines that Business Associate has violated a material term of this BAA, and if Business Associate fails to cure such violation within thirty (30) days of delivery of written notice thereof, Covered Entity may terminate its use of the Services. By exercising this right, Covered Entity agrees that termination of its use of the Services is Covered Entity’s exclusive remedy for any violation by Business Associate of this BAA, and that Business Associate will not be liable for damages of any kind.
- Business Associate may charge for time and materials at its usual rates for services that Covered Entity specifically requests under this BAA, such as reproducing or amending information.
- This BAA is to be interpreted in accordance with HIPAA, the HITECH Act, and the regulations promulgated thereunder, as amended from time to time.
Copyright © 2025 by Blu Healthcare Technologies Limited, all rights reserved.