Guardian Health Business Associate Agreement
Effective date: January 1, 2025
This Business Associate Agreement (BAA) forms part of the services agreement between Guardian Health and Covered Entities. It outlines the responsibilities required under HIPAA and HITECH for protecting PHI when using the Guardian Health platform.
1. Definitions
"Agreement" means this Business Associate Agreement (BAA). "Business Associate" refers to Hearth and Alloy Inc., d/b/a Guardian Health. "Covered Entity" refers to the customer executing this Agreement. "Protected Health Information" (PHI) has the meaning given to it in 45 C.F.R. § 160.103. Other capitalized terms have the definitions set forth in HIPAA.
2. Permitted Uses and Disclosures
Business Associate may use and disclose PHI solely to perform services for Covered Entity as described in the underlying service agreement, for proper management and administration, to carry out legal responsibilities, or as otherwise permitted under HIPAA. Any disclosure for management and administration will be subject to applicable legal requirements and confidentiality obligations.
3. Safeguards and Compliance
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI in accordance with 45 C.F.R. §§ 164.306 and 164.308-312. Business Associate will ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions.
4. Reporting Obligations
Business Associate will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI, without unreasonable delay and no later than twenty-four (24) hours after discovery. Business Associate will provide information necessary for Covered Entity to meet its breach notification obligations.
5. Individual Rights and HHS Access
To the extent Business Associate maintains PHI in a designated record set, Business Associate will make PHI available for access, amendment, or accounting of disclosures as required by 45 C.F.R. §§ 164.524, 164.526, and 164.528. Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (HHS) for determining compliance with HIPAA.
6. Term and Termination
This Agreement becomes effective on the date the parties execute a service order and remains in effect until all PHI is returned or destroyed. Either party may terminate this Agreement upon material breach by the other party that is not cured within a reasonable period after written notice. Upon termination, Business Associate will return or destroy all PHI if feasible. If return or destruction is not feasible, Business Associate will continue to extend protections in accordance with this Agreement.
7. Miscellaneous
This Agreement may be amended to reflect changes to HIPAA. Any ambiguity will be resolved in favor of a meaning that permits compliance with HIPAA. This Agreement is governed by the laws of the State of Tennessee.
Request a countersigned BAA
To obtain an executed copy, email legal@guardianhealth.dev with your organization details. Our Privacy Office will respond within one business day.
You may also review our Security & Compliance documentation for details about implemented safeguards.