HIPAA Business Associate Agreement
Required before accessing BedFlows — please read carefully and accept to continue.
HIPAA BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA") is entered into between BedFlows ("Business Associate") and the health care facility — Residential Care Facility for the Elderly or Skilled Nursing Facility — ("Covered Entity") that has registered for access to the BedFlows platform (the "Services"). This BAA is effective upon the Covered Entity's acceptance below.
1. DEFINITIONS
Capitalized terms used but not defined in this BAA have the meanings given to them in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the regulations promulgated thereunder, including 45 C.F.R. Parts 160 and 164 (collectively, "HIPAA Rules").
- Protected Health Information ("PHI") means individually identifiable health information transmitted or maintained in any form or medium, as defined under the HIPAA Rules.
- Electronic Protected Health Information ("ePHI") means PHI that is created, received, maintained, or transmitted in electronic form.
- Services means the BedFlows bed-availability coordination platform, including all related software, features, and communications.
2. OBLIGATIONS OF BUSINESS ASSOCIATE
BedFlows agrees to:
- Not use or disclose PHI other than as permitted or required by this BAA or as required by law.
- Use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410.
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI.
- Make available PHI in a designated record set to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524.
- Make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526.
- Make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528.
- To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
- Make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
3. PERMITTED USES AND DISCLOSURES
Business Associate may use or disclose PHI only as follows:
- Services: To perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Services, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.
- Operations: For the proper management and administration of Business Associate or to carry out its legal responsibilities.
- Data Aggregation: To provide data aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- Required by Law: As required by law.
- De-identified Data: Business Associate may create de-identified information from PHI in accordance with 45 C.F.R. § 164.514, and may use such de-identified information without restriction.
4. OBLIGATIONS OF COVERED ENTITY
Covered Entity agrees to:
- Notify Business Associate of any limitations in its notice of privacy practices under 45 C.F.R. § 164.520, to the extent such limitations may affect Business Associate's use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes may affect Business Associate's use or disclosure of PHI.
- Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent such restrictions may affect Business Associate's use or disclosure of PHI.
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
- Ensure that all staff members who access the BedFlows platform are properly trained on HIPAA requirements and the Covered Entity's privacy and security policies.
5. SECURITY MEASURES
Business Associate shall implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, including but not limited to:
- Encryption of ePHI in transit and at rest using industry-standard protocols.
- Access controls limiting PHI access to authorized personnel only.
- Regular security assessments and vulnerability management.
- Audit logging of access to systems containing ePHI.
- Incident response procedures for potential breaches.
6. BREACH NOTIFICATION
Business Associate shall notify Covered Entity of any Breach of Unsecured PHI within sixty (60) calendar days of discovery of such Breach. Notification shall include, to the extent possible, the identification of individuals whose PHI was or may have been involved, a description of the Breach, the types of PHI involved, steps taken to mitigate harm, and steps taken to prevent future Breaches.
7. TERM AND TERMINATION
- Term: This BAA is effective upon Covered Entity's acceptance and continues in effect until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or until terminated as set forth herein.
- Termination for Cause: Either party may terminate this BAA immediately upon written notice if the other party has materially breached this BAA and failed to cure such breach within thirty (30) days after receiving written notice of the breach.
- Effect of Termination: Upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If return or destruction is not feasible, Business Associate shall continue to extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction of such PHI infeasible.
8. MISCELLANEOUS
- Regulatory References: A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
- Amendment: The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Interpretation: Any ambiguity in this BAA shall be resolved in favor of a meaning that permits both parties to comply with the HIPAA Rules.
- Governing Law: This BAA shall be governed by and construed in accordance with the laws of the State of California.
- Entire Agreement: This BAA constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written, between the parties with respect to the subject matter hereof.
By accepting this agreement, the authorized representative of Covered Entity represents and warrants that they have full authority to bind Covered Entity to the terms of this BAA, and that Covered Entity agrees to comply with all applicable HIPAA Rules.
Last updated: June 2026 · BedFlows · Questions? Contact legal@bedflows.com
Please check the box above to continue.
This acceptance is recorded with a timestamp and attributed to your user account. The agreement applies to your entire facility. Questions about this BAA? Contact legal@bedflows.com.