SynsorMed, Inc. Business Associate Agreement

Revision: 1/21/2026

How This Agreement Works

This Business Associate Agreement (the “Agreement”) is a standing agreement between SynsorMed, Inc. and each entity that enters into a services agreement with SynsorMed, Inc. It is incorporated by reference into, and forms a part of, the services agreement between the parties (including, without limitation, the SynsorMed Remote Care Management Agreement, the SynsorMed Remote Care Management Trial Agreement, or any successor, renewal, or substantially similar agreement) (the “Services Agreement”).

By executing, electronically accepting, clicking to accept, or otherwise agreeing to the Services Agreement, or by continuing to receive Services from SynsorMed, Inc. after the Effective Date of the Services Agreement, the Covered Entity acknowledges that it has read, understands, and agrees to be bound by this Agreement as posted at www.synsormed.com/baa. No separate signature to this Agreement is required.

SynsorMed, Inc. may update this Agreement from time to time as required to comply with changes in applicable law or regulation. Material changes will be communicated to Covered Entity by email or in-product notice, and the updated Agreement will be posted at www.synsormed.com/baa with a revised “Last Updated” date. Continued receipt of Services following notice of a material change constitutes acceptance of the updated Agreement.

The Parties

The parties to this Agreement are:

       SynsorMed, Inc., a Florida corporation (“SynsorMed” or the “Business Associate”); and

       The healthcare provider, medical practice, organization, or other entity that executes, electronically accepts, or otherwise agrees to the Services Agreement with SynsorMed (the “Covered Entity”).

For clarity, SynsorMed, Inc. is the “Business Associate” and the entity executing the Services Agreement is the “Covered Entity,” in each case as those terms are used in the HIPAA Privacy and Security Rules (as defined below). Each of SynsorMed and Covered Entity may be referred to herein individually as a “Party” and collectively as the “Parties.”

THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the Effective Date of the Services Agreement (the “Effective Date”) by and between Business Associate and Covered Entity.

WITNESSETH:

WHEREAS, Business Associate provides certain services on behalf of Covered Entity that require Covered Entity to disclose certain identifiable health information to Business Associate, pursuant to the terms of the Services Agreement;

WHEREAS, the Parties desire to enter into this Agreement to permit Business Associate to use or disclose such identifiable health information and to comply with the business associate requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the privacy and security regulations promulgated thereunder, as currently in effect or as hereafter amended (the “HIPAA Privacy and Security Rules”);

WHEREAS, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5, modified the HIPAA Privacy and Security Rules (hereinafter, all references to the “HIPAA Privacy and Security Rules” shall include all amendments thereto set forth in the HITECH Act and the regulations promulgated thereunder, as currently in effect or as hereafter amended); and

WHEREAS, on January 25, 2013, the United States Department of Health and Human Services published its final omnibus rule modifying the HIPAA Privacy and Security Rules, as set forth in 78 Fed. Reg. 5566 (the “HIPAA/HITECH Omnibus Rule”).

NOW, THEREFORE, in consideration of the mutual promises and covenants made herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:

1. DEFINITIONS

1.1 Breach. “Breach” shall have the same meaning as the term “Breach” set forth in 74 Fed. Reg. 42767-68 (Aug. 24, 2009), until codified at 45 C.F.R. § 164.402, upon which “Breach” shall have the meaning as codified at 45 C.F.R. § 164.402 upon the Compliance Date (as defined below).

1.2 Compliance Date. “Compliance Date” shall mean September 23, 2013 with respect to such provision of the HIPAA/HITECH Omnibus Rule, or such other compliance date as determined by the Secretary.

1.3 Electronic Protected Health Information. “Electronic Protected Health Information” shall mean Protected Health Information transmitted by or maintained in “electronic media” (as such term is defined in 45 C.F.R. § 160.103).

1.4 Protected Health Information. “Protected Health Information” (“PHI”) shall have the same meaning as the term “Protected Health Information” set forth at 45 C.F.R. § 160.103, limited to the information received from, or created or received by Business Associate on behalf of, Covered Entity.

1.5 Secretary. “Secretary” shall mean the Secretary of the United States Department of Health and Human Services or his/her designee.

1.6 Unsecured Protected Health Information. “Unsecured Protected Health Information” shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance published at 74 Fed. Reg. 19006 (April 27, 2009), and in annual guidance published thereafter.

1.7 All other capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning for those terms as set forth in the HIPAA Privacy and Security Rules. Where provisions of this Agreement are different than those mandated by the HIPAA Privacy and Security Rules, but are nonetheless permitted by the HIPAA Privacy and Security Rules, the provisions of this Agreement shall control.

2. OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Not to Use or Disclose PHI Unless Permitted or Required. Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by this Agreement, or as required by law, or as otherwise authorized by Covered Entity.

2.2 Use Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as provided for by this Agreement.

2.3 Mitigate Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of this Agreement.

2.4 Report Unpermitted Disclosures of PHI. Business Associate agrees to report to Covered Entity any use or disclosure of Protected Health Information not permitted or required by this Agreement of which Business Associate becomes aware.

2.5 Compliance of Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.

2.6 Requests for Restrictions. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522 and of which Business Associate has been notified by Covered Entity. In addition, and notwithstanding 45 C.F.R. § 164.522(a)(1)(ii), Business Associate agrees to comply with an individual’s request to restrict disclosures of Protected Health Information, of which Business Associate has been notified by Covered Entity, to a health plan for purposes of carrying out “payment” or “health care operations” (as such terms are defined in 45 C.F.R. § 164.501) if the Protected Health Information pertains solely to a health care item or service for which Covered Entity has been paid in full by the individual or the individual’s representative.

2.7 Provide Access. Business Associate will make available to Covered Entity Protected Health Information to the extent requested by Covered Entity as required under 45 C.F.R. § 164.524 and Section 13405(e) of the HITECH Act, which describe the requirements applicable to an individual’s request for access to Protected Health Information relating to the individual. The obligations of Business Associate in this Section apply only to Protected Health Information in a “Designated Record Set” in Business Associate’s possession or control as such term is defined at 45 C.F.R. § 164.501.

2.8 Incorporate Amendments. Business Associate will make available to Covered Entity Protected Health Information requested by Covered Entity as required for amendment of such Protected Health Information, and shall make and incorporate any such amendments, all in accordance with 45 C.F.R. § 164.526, which describes the requirements applicable to an individual’s request for an amendment to any Protected Health Information relating to the individual. The obligations of Business Associate in this Section apply only to Protected Health Information in a “Designated Record Set” in Business Associate’s possession or control as such term is defined at 45 C.F.R. § 164.501.

2.9 Document Disclosures. Business Associate will make available Protected Health Information requested by Covered Entity as required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528 and Section 13405(c) of the HITECH Act, which describe the requirements applicable to an individual’s request for an accounting of disclosures of Protected Health Information relating to the individual. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 and Section 13405(c) of the HITECH Act.

2.10 Covered Entity Obligations. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s) as of the Compliance Date.

2.11 Disclose Practices, Books, and Records. If Business Associate receives a request, made on behalf of the Secretary, that Business Associate make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Privacy and Security Rules, then Business Associate will promptly comply with the request within the time period required for such response as specified in such request.

3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

3.1 Functions and Activities on Behalf of Covered Entity. Business Associate may use or disclose Protected Health Information for the purpose of meeting its obligations as set forth in this Agreement or as required by the Services Agreement.

3.2 Other Uses and Disclosures. Except as otherwise limited by this Agreement, Business Associate may use and disclose Protected Health Information as follows:

a.   if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:

i.    the disclosure is required by law; or

ii.   Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;

b.   for data aggregation services, if to be provided by Business Associate for the health care operations (as such terms are defined in 45 C.F.R. § 164.501) of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

3.3 Minimum Necessary. Business Associate shall use, disclose, or request only the minimum necessary amount of Protected Health Information to accomplish the intended purpose of such use, disclosure, or request.

4. SECURITY RULE SAFEGUARDS

4.1 Implement Safeguards. Business Associate shall implement the administrative, physical, and technical safeguards set forth in 45 C.F.R. §§ 164.308, 164.310, and 164.312 that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity; in accordance with 45 C.F.R. § 164.316, implement and maintain reasonable and appropriate policies and procedures to enable it to comply with the requirements set forth in Sections 164.308, 164.310, and 164.312; and, as of the Compliance Date, comply with Subpart C of 45 C.F.R. Part 164, where applicable, with respect to Electronic Protected Health Information.

4.2 Compliance of Subcontractors. In accordance with 45 C.F.R. § 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit Electronic Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.

4.3 Report Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. For purposes of this Agreement, “Security Incident” means the successful unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information or interference with system operations in an information system, excluding: (a) “pings” on an information system firewall; (b) port scans; (c) attempts to log on to an information system or enter a database with an invalid password or user name; (d) denial-of-service attacks that do not result in a server being taken offline; or (e) malware (e.g., a worm or virus) that does not result in unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information. Business Associate agrees to mitigate, to the extent practicable, any harmful effect resulting from such Security Incident.

5. BREACH NOTIFICATION

5.1 Timing of Notification. Following the discovery of a Breach of Unsecured Protected Health Information, Business Associate shall notify Covered Entity of such Breach without unreasonable delay, but in no event later than forty-five (45) calendar days following the discovery of the Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, through the exercise of reasonable diligence, would have been known to Business Associate.

5.2 Law Enforcement Delay. Notwithstanding the provisions of Section 5.1, above, if a law enforcement official states to Business Associate that notification of a Breach would impede a criminal investigation or cause damage to national security, then:

a.   if the statement is in writing and specifies the time for which a delay is required, Business Associate shall delay such notification for the time period specified by the official; or

b.   if the statement is made orally, Business Associate shall document the statement, including the identity of the official making the statement, and delay such notification for no longer than thirty (30) days from the date of the oral statement unless the official submits a written statement during that time.

5.3 Contents of Notification. The Breach notification provided to Covered Entity shall include, to the extent possible:

a.   the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach;

b.   a brief description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;

c.   a description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

d.   any steps individuals should take to protect themselves from potential harm resulting from the Breach;

e.   a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breach; and

f.    contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

Business Associate shall provide the information specified in this Section to Covered Entity at the time of the Breach notification, if possible, or promptly thereafter as information becomes available. Business Associate shall not delay notification to Covered Entity that a Breach has occurred in order to collect the information described in this Section, and shall provide such information to Covered Entity even if the information becomes available after the forty-five (45) day period provided in Section 5.1, above.

6. OBLIGATIONS OF COVERED ENTITY

6.1 Limitations in Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

6.2 Changes in Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.

6.3 Restriction on Use of Protected Health Information. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.

7. TERM AND TERMINATION

7.1 Term. The term of this Agreement shall commence as of the Effective Date. This Agreement shall terminate upon termination of the Services Agreement or on the date Covered Entity terminates for cause as authorized in Section 7.2, whichever is sooner.

7.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach or violation hereof by Business Associate, Covered Entity shall provide written notice to Business Associate of the breach or violation, and Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within thirty (30) days of receiving notice of the breach or violation and Covered Entity has taken reasonable steps to cure such breach or end such violation during such thirty (30) day period, and such steps are unsuccessful, Covered Entity may terminate this Agreement. If Business Associate has breached a material term of this Agreement and cure is not possible, Covered Entity may immediately terminate this Agreement.

7.3 Effect of Termination. Upon termination of this Agreement for any reason, Business Associate will return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form, and shall retain no copies of such information. If such return or destruction is not feasible, as reasonably supported by competent records and other written evidence of Business Associate, Business Associate will extend the protections of this Agreement to the information retained and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

8. MISCELLANEOUS PROVISIONS

8.1 Amendment. This Agreement may be updated by SynsorMed from time to time as set forth in the “How This Agreement Works” section above. In addition, in the event either Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Privacy and Security Rules, such Party shall so notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and shall amend the terms of this Agreement, if necessary, to bring it into compliance. If after such thirty (30) day period this Agreement fails to comply with the HIPAA Privacy and Security Rules with respect to the concern(s) raised pursuant to this Section, then either Party may terminate this Agreement upon written notice to the other Party.

8.2 No Third Party Beneficiary Rights. This Agreement is intended for the sole benefit of Business Associate and Covered Entity and does not create any third-party beneficiary rights.

8.3 Independent Contractor Relationship. The Parties agree that the legal relationship between Covered Entity and Business Associate is strictly an independent contractor relationship. Nothing in this Agreement shall be deemed to create a joint venture, agency, partnership, or employer-employee relationship between the Parties.

8.4 Headings. The section headings contained in this Agreement are for reference purposes only and will not affect the meaning of this Agreement.

8.5 Survival. The rights and obligations of Business Associate under Section 7.3 of this Agreement shall survive the termination of this Agreement.

8.6 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Privacy and Security Rules.

8.7 Waiver. Any failure of a Party to exercise or enforce any of its rights under this Agreement will not act as a waiver of such rights.

8.8 Binding Effect. This Agreement shall be binding upon, and shall inure to the benefit of, the Parties and their respective successors and permitted assigns.

8.9 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be illegal, invalid, or unenforceable under present or future laws effective during the term of this Agreement, the legality, validity, and enforceability of the remaining provisions of this Agreement shall not be affected thereby.

8.10 Relationship to Services Agreement. This Agreement is incorporated into the Services Agreement by reference. In the event of any conflict between the terms of this Agreement and the Services Agreement with respect to the use, disclosure, or protection of Protected Health Information, the terms of this Agreement shall control. In all other respects, the Services Agreement shall control.

8.11 Governing Law. This Agreement shall be construed and enforced in accordance with the laws of the State of Florida and applicable federal law, without regard to its conflict of laws principles.

9. ACCEPTANCE

No separate signature to this Agreement is required. By executing, electronically accepting, clicking to accept, or otherwise agreeing to the Services Agreement, or by continuing to receive Services from SynsorMed after the Effective Date, Covered Entity acknowledges that it has read this Agreement, understands it, and agrees to be bound by its terms. This Agreement, together with the Services Agreement, constitutes the entire understanding between the Parties with respect to the subject matter of this Agreement.

10. NOTICES

Any notice required or permitted under this Agreement shall be in writing and shall be deemed given when delivered by email (with confirmation of receipt) or by certified or overnight mail.

For SynsorMed, Inc.:

Attn: Contracts / HIPAA Compliance

SynsorMed, Inc.

Email: info@synsormed.com

Web: www.synsormed.com

For Covered Entity:

Notices to Covered Entity shall be sent to the notice address, email address, or primary contact information provided by Covered Entity in the Services Agreement, during account registration, or as otherwise designated by Covered Entity in writing to SynsorMed.