Business Associate Agreement

HIPAA Business Associate Agreement — Last updated: March 2, 2026

1. Definitions

"Covered Entity" refers to your healthcare practice. "Business Associate" refers to DenialFixer, LLC. "PHI" refers to Protected Health Information as defined under HIPAA. Terms not otherwise defined herein shall have the meaning established under 45 CFR Parts 160 and 164.

2. Obligations of Business Associate

Business Associate agrees to:

  • Not use or disclose PHI other than as permitted by this Agreement or as required by law
  • Use appropriate safeguards to prevent unauthorized use or disclosure of PHI, including implementing administrative, physical, and technical safeguards per the HIPAA Security Rule
  • Report any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI, within 60 days of discovery
  • Ensure that any subcontractors or agents who receive PHI agree to the same restrictions and conditions
  • Make PHI available to the Covered Entity to satisfy obligations under the HIPAA Privacy Rule
  • Make internal practices, records, and books available to the Secretary of HHS for compliance determination

3. Permitted Uses

Business Associate may use PHI solely for the purpose of performing denial analysis, generating appeal letters, and submitting appeals on behalf of the Covered Entity. Business Associate may also use PHI for proper management and administration, and to carry out its legal responsibilities.

4. Security Measures

  • All PHI is encrypted at rest using AES-256 encryption
  • All data in transit is protected with TLS 1.3
  • Access to PHI is restricted to authorized personnel on a need-to-know basis
  • Audit logs are maintained for all access to PHI
  • Patient identifiers are hashed (SHA-256) and never stored in cleartext
  • Infrastructure is hosted on HIPAA-compliant cloud platforms with BAAs in place

5. Breach Notification

Business Associate shall notify Covered Entity of any breach of unsecured PHI within 60 days of discovery. Notification shall include the identification of each individual affected, a description of the breach, and steps being taken in response.

6. Term and Termination

This Agreement shall be effective upon acceptance and shall terminate when all PHI is destroyed or returned. Either party may terminate upon 30 days' written notice of a material breach. Upon termination, Business Associate shall return or destroy all PHI within 30 days.

7. Contact

Privacy Officer: privacy@denialfixer.com