Business Association Agreement

Home Page Last Updated: April 29, 2026

BUSINESS ASSOCIATE AND SUBCONTRACTOR AGREEMENT

This Business Associate Agreement (the "Agreement") is entered into by and between the user or entity agreeing to these terms ("Client") and IDR Solution Group, collectively referred to as the "Parties."

This Agreement is effective as of the date the Client electronically accepts it.

1. Scope and Definitions

This Agreement applies to all Protected Health Information (PHI) that IDR Solution Group creates, receives, maintains, or transmits on behalf of Client. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164).

  • Client: Means the user or entity electronically accepting these terms, inclusive of its subsidiaries, affiliates, and any other registered users of the Service authorized by the Client's administrator to access the Client's account ("External Users"). Depending on its legal relationship to the PHI, Client is acting either as a Covered Entity or as a Business Associate acting on behalf of underlying Covered Entities.
  • IDR Solution Group: Means the provider of the web application and services. Depending on Client's status, IDR Solution Group is acting either as a Business Associate (if Client is a Covered Entity) or as a Subcontractor Business Associate (if Client is a Business Associate) pursuant to 45 CFR 164.502(e)(1)(ii).
  • Protected Health Information (PHI): Shall have the same meaning as the term "protected health information" at 45 CFR 160.103, limited to the information created, received, maintained, or transmitted by IDR Solution Group on behalf of Client.

2. Obligations and Activities of IDR Solution Group

IDR Solution Group agrees to:

  • Use and Disclosure: Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
  • Safeguards: Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
  • Reporting: Report to Client any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware.
  • Subcontractors: Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of IDR Solution Group agree to the same restrictions, conditions, and requirements that apply to IDR Solution Group with respect to such information.
  • Access Controls: Provide access to PHI based strictly on the role-based access permissions configured by the Client.
  • Client's Responsibility for External Users: Acknowledge that if the Client grants access to an External User (even if that user is a separately registered user of the Service), it is the Client's sole responsibility to ensure they have the appropriate authorizations, consents, and Business Associate Agreements in place directly with that External User prior to granting them access to PHI within the Client's account. IDR Solution Group's responsibility for the Client's PHI remains solely to the Client.
  • Access: Make available PHI in a designated record set to the Client as necessary to satisfy the obligations under 45 CFR 164.524.
  • Amendments: Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Client pursuant to 45 CFR 164.526.
  • Accounting of Disclosures: Maintain and make available the information required to provide an accounting of disclosures to the Client as necessary to satisfy the obligations under 45 CFR 164.528.
  • Compliance with Client's Obligations: To the extent IDR Solution Group is to carry out one or more of Client's (or Client's underlying Covered Entity's) obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to such entity in the performance of the obligation(s).
  • Books and Records: Make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services (HHS) for purposes of determining compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures by IDR Solution Group

  • Service Provision: IDR Solution Group may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Client as specified in the underlying Terms of Service or Service Agreement. Without limiting the generality of the foregoing, IDR Solution Group is specifically permitted to use and disclose PHI to:
    • Facilitate the IDR Process: Receive, store, and process PHI to facilitate and manage participation in the Federal Independent Dispute Resolution (IDR) process.
    • Document Parsing and Data Extraction: Securely ingest, parse, and extract data from Explanation of Benefits (EOB) documents, remittance advices, and related claims files.
    • Deadline Tracking and Workflow Management: Utilize extracted data to calculate, monitor, and track statutory timelines, deadlines, and notification requirements mandated by the No Surprises Act or other applicable regulations.
    • Reporting and Submission: Compile, format, and transmit PHI as necessary to generate required documentation, notices, and dispute submissions to certified IDR entities or relevant regulatory bodies on behalf of the Client.
  • Prohibition on Unauthorized Use: IDR Solution Group shall not use or disclose PHI for any purpose other than as expressly permitted by this Agreement or required by law. Such permitted use or disclosure must not violate the HIPAA Rules if done by a Covered Entity.
  • Management and Administration: IDR Solution Group may use PHI for its proper management and administration or to carry out its legal responsibilities.
  • Data Aggregation: IDR Solution Group may provide data aggregation services relating to the health care operations of the Client or its underlying Covered Entities.

4. Term and Termination

  • Term: The Term of this Agreement shall be effective as of the date of electronic acceptance and shall terminate when all of the PHI provided by Client to IDR Solution Group, or created or received by IDR Solution Group on behalf of Client, is destroyed or returned to Client.
  • Termination for Cause: IDR Solution Group agrees that Client may terminate this Agreement if Client determines IDR Solution Group has violated a material term of the Agreement and IDR Solution Group has not cured the breach or ended the violation within 30 days of written notice.
  • Effect of Termination: Upon termination of this Agreement for any reason, IDR Solution Group shall return to Client or, if agreed to by Client, destroy all PHI received from Client, or created, maintained, or received by IDR Solution Group on behalf of Client, that IDR Solution Group still maintains in any form. IDR Solution Group shall retain no copies of the PHI. If return or destruction is infeasible, the protections of this Agreement will extend to such PHI.

5. Miscellaneous

  • Regulatory References: A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
  • Amendment: The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
  • Interpretation: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

6. Electronic Acceptance and Signature

  • Authority to Bind: The individual checking the box indicating acceptance of this Agreement represents and warrants that they possess the legal authority to bind the Client, including all applicable subsidiaries and affiliates, to the terms of this Agreement. The individual further represents and warrants that they hold the necessary legal agreements (including Business Associate Agreements) with any External Users they subsequently invite to process PHI within their account. If Client is acting as a Business Associate to underlying Covered Entities, Client further represents and warrants that its respective agreements with those Covered Entities authorize Client to engage Subcontractor Business Associates like IDR Solution Group to process PHI.
  • Electronic Execution: By checking the box indicating acceptance, the Client acknowledges that they have read, understood, and agree to be bound by all terms and conditions contained herein.
  • Legal Validity: The Parties agree that this Agreement may be executed electronically. The Client's affirmative action of checking the acceptance box constitutes a valid, legally binding electronic signature, which has the same legal force and effect as a handwritten signature under applicable laws, including the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) and the Uniform Electronic Transactions Act (UETA).