sessionbook

Business Associate Agreement

This Business Associate Agreement (“Agreement”) is entered into between the practitioner (“Covered Entity”) and sessionbook (“Business Associate”) and applies to all Protected Health Information handled by sessionbook on the practitioner's behalf, per the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

1. Definitions

“Covered Entity” means the practitioner accepting this Agreement. “Business Associate” means sessionbook. “PHI” (Protected Health Information) has the meaning given in 45 CFR § 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

2. Permitted Uses and Disclosures

Business Associate may use or disclose PHI only to provide the sessionbook services (scheduling, records, telehealth coordination, billing) as set out in the service terms, as required by law, or as otherwise authorized in writing by Covered Entity. Business Associate will not use PHI for marketing and will not sell PHI.

3. Safeguards

Business Associate will use appropriate administrative, physical, and technical safeguards, including encryption of designated record fields at rest (AES-256-GCM) and encryption of all data in transit (TLS), to prevent use or disclosure of PHI other than as provided for by this Agreement, consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C).

4. Reporting

Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, including breaches of unsecured PHI as required by 45 CFR § 164.410, without unreasonable delay and in no case later than 60 days after discovery.

5. Subcontractors

Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate (e.g., cloud infrastructure and payment processors) agrees to restrictions and conditions at least as protective as those in this Agreement.

6. Access, Amendment, and Accounting

Business Associate will make PHI available to Covered Entity as needed to satisfy Covered Entity's obligations under 45 CFR §§ 164.524–164.528, including individual access, amendment, and accounting of disclosures.

7. Termination

Upon termination of the services, Business Associate will, at Covered Entity's election, return or destroy all PHI it maintains, where feasible. If return or destruction is not feasible, protections of this Agreement extend to the retained PHI and further use is limited to the purposes that make return infeasible.

8. Miscellaneous

Nothing in this Agreement creates rights in third parties. This Agreement is to be interpreted to permit compliance with HIPAA. This Agreement is effective as of the date the practitioner accepts it during account setup and is retained with a timestamp in the practitioner's account record.

Acceptance is recorded with a timestamp when you check the BAA box during account setup.