Legal & Compliance

Business Associate Agreement

Gluuvo is committed to protecting your practice. Our BAA ensures your patient data stays secure and your practice stays HIPAA-compliant.

New to Gluuvo? You can review and sign your BAA directly from your account settings once you join our beta.
1. Understanding the Agreement

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), a Business Associate Agreement (BAA) is a mandatory, legally binding contract between a healthcare provider (the "Covered Entity") and their software vendor (the "Business Associate").

This agreement explicitly outlines Gluuvo's responsibilities and legal liabilities regarding the safeguarding, use, and disclosure of your patients' Protected Health Information (PHI) and electronic Protected Health Information (ePHI).

Without a signed BAA in place, using any cloud-based software to store or transmit patient data is a direct violation of federal law. Gluuvo builds this compliance directly into our onboarding process, ensuring you are protected from day one.

2. Key Definitions

To ensure total clarity, our agreement adheres strictly to the definitions set forth by the U.S. Department of Health and Human Services:

  • Protected Health Information (PHI): Any individually identifiable health information created, received, maintained, or transmitted by Gluuvo on your behalf.
  • Breach: The unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of such information.
  • Designated Record Set: A group of records maintained by or for a Covered Entity that comprises medical records, billing records, or any other records used to make decisions about Individuals.
  • Reportable Event: Any use or disclosure of PHI not provided for by our BAA, including Security Incidents or Breaches of Unsecured PHI.

3. Permitted Uses and Disclosures of PHI

Gluuvo operates under the principle of minimal access. We may only use or disclose PHI under the following strictly defined conditions:

  • Service Provision: To perform functions, activities, or services for your practice as outlined in our Terms of Service, provided such use does not violate the Privacy Rule.
  • Legal Administration: For the proper management and administration of Gluuvo, or to carry out our legal responsibilities, provided we obtain reasonable assurances of confidentiality.
  • Data De-identification: We may use PHI to create de-identified information in strict accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)-(c).
  • Required by Law: We will disclose PHI if formally mandated by appropriate federal, state, or local authorities.

4. Gluuvo’s Obligations as Your Business Associate

By entering into this agreement, Gluuvo assumes stringent obligations to protect your practice and your patients:

  • Implement Appropriate Safeguards: We comply fully with the Security Rule and HITECH with respect to ePHI, utilizing administrative, physical, and technical safeguards to prevent unauthorized use or disclosure.
  • Subcontractor Oversight: If we utilize Subcontractors who transmit or maintain PHI on our behalf, we require them to sign a written arrangement agreeing to the exact same restrictions and conditions that apply to Gluuvo.
  • Access & Amendment to PHI: We provide you with in-app export tools to access PHI in a Designated Record Set. Furthermore, we facilitate your ability to amend records in a time and manner that meets the requirements of 45 C.F.R. § 164.526.
  • Accounting of Disclosures: Upon request, Gluuvo will provide an accounting of any disclosures of an Individual's PHI to assist you in fulfilling your compliance obligations.
  • Governmental Access: We make our internal policies, practices, books, and records available to the Secretary of Health and Human Services for purposes of determining HIPAA compliance.

5. Our Security Standards

Data Encryption

All Protected Health Information (PHI) is encrypted using AES-256 at rest and TLS 1.2+ in transit.

Audit Logging

Detailed logs track every access, modification, or deletion of patient records for total transparency.

Access Control

Role-based access ensures that only authorized personnel can view sensitive data on a 'need-to-know' basis.

Data Backups

Automatic, encrypted backups are performed daily to ensure data availability and disaster recovery.

6. Incident Response & Breach Notification

In the unlikely event of a security incident, transparency and speed are our top priorities.

Gluuvo will report to you any Reportable Event without unreasonable delay, and in no case later than the timeframe mandated by law following the discovery of the event. Our notification will include a brief description of the incident, the types of PHI involved, steps we are taking to investigate and mitigate the harm, and advice on steps Individuals should take to protect themselves.

We pledge full cooperation in determining whether an incident constitutes a formal Breach of Unsecured PHI and will mitigate, to the extent practicable, any known harmful effects.

7. Obligations of the Covered Entity

Compliance is a shared responsibility. As the Covered Entity, your practice agrees to the following:

  • Minimum Necessary Rule: You agree to comply with HIPAA’s minimum necessary requirements and only provide Gluuvo the minimum PHI necessary to provide our software services.
  • Notification of Restrictions: You must notify Gluuvo in writing of any changes in, or revocation of, an Individual's authorization to use or disclose PHI, or any specific restrictions you have agreed to under 45 C.F.R. § 164.522.
  • Permissible Requests: You shall not request that Gluuvo use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by your practice.

8. Term, Termination, and Data Portability

You always retain complete ownership of your data. This BAA remains in full force for as long as you maintain an active Agreement with Gluuvo.

Termination for Cause: If either party determines that the other has breached a material term of this BAA, it shall provide written notice affording a 30-day window to cure the breach. Failure to cure gives the notifying party the right to terminate the BAA and the underlying Terms of Service.

Effect of Termination: Upon termination for any reason, Gluuvo shall return or safely destroy all PHI maintained in any form. If return or destruction is technically infeasible, we will extend the protections of this BAA to the retained PHI, continuing to use appropriate safeguards to prevent unauthorized use or disclosure for as long as we retain the data.

Frequently asked questions

What is Gluuvo?

Gluuvo is a modern platform designed to simplify how individuals and teams collaborate, manage tasks, and organize their work. It brings multiple productivity tools into a single, unified workspace so users don't have to switch between different apps. Whether you're managing projects, tracking progress, or coordinating with a team, Gluuvo helps streamline the entire process in a clean and efficient way.