Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into by and between FirstIn Ltd. (“FirstIn”) and the organization agreeing to the terms of this BAA (“Customer”) as indicated in a service agreement, license agreement, order form, and/or similar document(s) referencing or otherwise incorporating this BAA (each or collectively, the “Underlying Agreement”), which shall be effective as of the Effective Date of the Underlying Agreement (the “BAA Effective Date”). FirstIn and Customer are each a “Party” and the “Parties” to this BAA.
FirstIn and Customer agree to the terms and conditions of this BAA in order to comply with the rules on handling of PHI (defined below) under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, which include the standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), and the standards for Notification in the Case of Breach of Unsecured Protected Health Information, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), all as amended from time to time (collectively, “HIPAA”).
Ⅰ. DEFINITIONS; RELATIONSHIP TO THE UNDERLYING AGREEMENT
Except as may be expressly provided in the Underlying Agreement or this BAA, this BAA is subject to the terms and conditions of the Underlying Agreement. Unless otherwise provided in this BAA, all capitalized terms in this BAA shall have the meaning as provided in the Underlying Agreement or under HIPAA.
“Protected Health Information” or “PHI” means PHI (as defined by HIPAA) that is received from Customer or created, maintained or transmitted on behalf of Customer by FirstIn for Customer’s HIPAA covered functions.
“Unsuccessful Security Incident” means activities such as pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denials of service, and any combination of the foregoing, so long as no such incident results in unauthorized access, use, disclosure, modification, or destruction of PHI.
Ⅱ. USE AND DISCLOSURE OF PHI
A. Performance of Services
FirstIn shall not use or disclose PHI, except for in connection with FirstIn’s performance of the services as set forth in the Underlying Agreement or as otherwise permitted under the terms of the Underlying Agreement, this BAA, or as otherwise requested or authorized by Customer; or as required or permitted by Applicable Law. FirstIn shall not use or further disclose PHI.
B. Subcontractors
FirstIn agrees that, in accordance with 45 C.F.R. § 164.502(e)(1), if FirstIn’s Subcontractor creates, receives, maintains or transmits PHI on behalf of FirstIn, FirstIn will enter into an agreement with such Subcontractor that contains the same or more restrictive terms and conditions on the use and disclosure of PHI as contained in this BAA.
C. FirstIn Management, Administration and Legal Responsibilities
FirstIn may use PHI to carry out FirstIn’s legal responsibilities or for its proper management and administration, including without limitation making and maintaining reasonable business records of transactions in which FirstIn has participated, operating an identity resolution management solution, operating a master patient index, or when FirstIn’s technology has been used (including without limitation back-up documentation). FirstIn may disclose PHI to a third party for such purposes only if: (1) the disclosure is required by law; or (2) FirstIn obtains reasonable assurances from the person or entity to whom the PHI is disclosed that: (a) it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and (b) the person or entity notifies FirstIn of any instances of which it is aware in which the confidentiality of the information has been breached.
D. Data Aggregation and De-Identification Services
FirstIn may use PHI to perform Data Aggregation services as permitted by 45 C.F.R. §164.504(e)(2)(i)(B). FirstIn may also de-identify PHI in accordance with 45 C.F.R. §164.514(b).
E. Delegation of Responsibilities
To the extent that FirstIn is to carry out any of Customer’s obligations under the Privacy Rule, FirstIn shall comply with the requirements of the Privacy Rule that apply to the Customer in the performance of such obligations.
F. Minimum Necessary Standard
If applicable, FirstIn shall only request, use or disclose the minimum amount of PHI necessary in accordance with 45 C.F.R. § 164.502(b).
Ⅲ. SAFEGUARDS FOR PROTECTED HEALTH INFORMATION
A. Adequate Safeguards
FirstIn shall implement and maintain reasonable and appropriate safeguards to prevent any use or disclosure of PHI for purposes other than those permitted by this BAA, including employing reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that FirstIn creates, receives, maintains, and transmits on behalf of Customer.
B. Compliance with the Security Rule
FirstIn shall comply with the applicable requirements of the Security Rule.
Ⅳ. REPORTING OF IMPROPER USE OR DISCLOSURE, SECURITY INCIDENT AND BREACHES
A. Use or Disclosure Not Permitted by this BAA
FirstIn shall report to Customer any known unauthorized use or disclosure of PHI that is in violation of this BAA.
B. Security Incidents
FirstIn shall report to Customer any known Security Incident with respect to PHI as required by the Security Rule. This Section IV.B constitutes notice by FirstIn to Customer of the ongoing existence, occurrence, or attempts of Unsuccessful Security Incidents, for which no additional notice to Customer is required.
C. Breaches of Unsecured PHI
FirstIn will report to Customer any Breach of Unsecured Protected Health Information without unreasonable delay following the date of discovery. FirstIn will provide such information to Customer as required in the Breach Notification Rule.
Ⅴ. INDIVIDUAL RIGHTS
A. No Designated Record Set
Notwithstanding anything to the contrary in this Section V, and unless otherwise expressly stated in the Underlying Agreement, FirstIn does not maintain any Designated Record Set(s) for Customer that is not duplicative of a Designated Record Set maintained by Customer.
B. Individual Access to PHI
To the extent FirstIn maintains PHI in a Designated Record Set(s), FirstIn will make available PHI in accordance with 45 C.F.R. § 164.524. To the extent applicable, FirstIn may also make PHI available to an Individual in connection with any of FirstIn’s individual access services.
C. Amendment of PHI
To the extent FirstIn maintains PHI in a Designated Record Set(s), FirstIn will make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526.
D. Accounting of PHI
To the extent FirstIn maintains PHI in a Designated Record Set(s), FirstIn will maintain and make available the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
Ⅵ. ACCESS TO BOOKS AND RECORDS
FirstIn shall permit the Secretary of the U.S. Department of Health & Human Services to audit FirstIn’s internal practices, books, and records at reasonable times as they pertain to the use and disclosure of PHI to ensure that Customer and/or FirstIn is in compliance with HIPAA requirements. No attorney-client, accountant-client or other legal privilege will be deemed waived by FirstIn or Customer as a result of this Section.
Ⅶ. TERM AND TERMINATION; RETURN OR DESTRUCTION OF PHI
A. General Term and Termination
This BAA shall become effective on the BAA Effective Date set forth above and shall terminate upon the termination or expiration of the Underlying Agreement.
B. Material Breach
Customer may terminate this BAA upon material breach of this BAA after providing FirstIn with written notice of the breach of this BAA and affording FirstIn the opportunity to cure the breach within thirty (30) calendar days of the date of such notice. If FirstIn fails to timely cure the breach within reasonable satisfaction of Customer, Customer may terminate this BAA and the portion(s) of the Underlying Agreement affected by the breach.
C. Return or Destruction of PHI
1. General Return or Destruction Obligation
Upon termination of this BAA and except as provided for in this Section VII.C, FirstIn shall return or destroy all PHI that FirstIn or its Subcontractors maintain in any form or format; provided, however, that FirstIn shall have no obligation to return PHI in a form or format that FirstIn does not support and Company shall pay FirstIn for all reasonable costs associated with any return of PHI or as otherwise provided for in the Underlying Agreement. FirstIn may in its sole discretion choose to destroy all PHI in lieu of return.
2. Retention of PHI if Return or Destruction is Infeasible
If FirstIn determines that return or destruction of PHI is not feasible, FirstIn will extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case FirstIn’s obligations under this Section shall survive the termination of this BAA with respect to the retained PHI. The obligations of this subsection last only for as long as FirstIn maintains or retains any such PHI.
3. Retention of PHI at Consumer Direction
Customer acknowledges and agrees that FirstIn may, at the direction and with the approval of an Individual consumer (including the consumer’s personal representative), continue to retain, use, disclose and/or transfer the consumer’s PHI in connection with the consumer’s continued use of FirstIn’s platform, application(s) or other direct-to-consumer services; provided that, FirstIn’s continued retention, use, disclosure and/or transfer of the consumer’s PHI is done in accordance with HIPAA.
Ⅷ. OBLIGATIONS OF COMPANY
A. No Violations; No Information Blocking
Customer shall fully comply with all of its obligations under HIPAA and other Applicable Law, and shall not request FirstIn to use or disclose PHI in any manner that would not be permissible under HIPAA or other Applicable Law if done by Customer; provided, however, that this provision shall not be interpreted to restrict FirstIn from using PHI for Data Aggregation or de-identification, or for FirstIn’s own management and administration or legal responsibilities, as permitted by this BAA. Customer shall provide FirstIn only with the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Customer shall not engage in practices that are likely to interfere with the access, exchange or use of electronic health information, except as required by law or covered by an exception set forth in 45 C.F.R. Part 171.
B. No Voluntary Restrictions
Customer does not have and must not permit voluntary limitations or restrictions on its ability to use or disclose PHI (including without limitation in its HIPAA Notice of Privacy Policy) to the extent that such a limitation or restriction would affect FirstIn’s permitted uses or disclosure of PHI under this BAA. To the extent Customer is required by Applicable Law to grant such a restriction, Customer shall notify FirstIn of any legally required restriction immediately. Customer shall also immediately notify FirstIn if such a legally required restriction is terminated.
C. Notifications
In the event that Customer amends any PHI in its possession, a copy of which is also maintained by FirstIn, Customer must promptly notify FirstIn in writing of such amendment. Customer shall further notify FirstIn in writing of any changes in, or revocation of, any permission, authorization or consent by an individual to use or disclose PHI, to the extent that such changes may affect FirstIn’s use or disclosure of PHI.
Ⅸ. MISCELLANEOUS
A. Interpretation
Any ambiguity in this BAA shall be resolved to permit the Parties to comply with HIPAA and other Applicable Law.
B. Complete Integration; Conflicting Terms
Together with the Underlying Agreement and any other documents incorporated therein by reference, this BAA and the Underlying Agreement constitute the sole and entire agreement of the Parties with respect to the subject matter thereof (including without limitation HIPAA) and supersede all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. The terms of this BAA will govern in the event of conflict or inconsistency with any provision of the Underlying Agreement.
C. Severability
The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.