Business Associate Agreement

This Business Associate Agreement (“Agreement”) is entered into by and between the healthcare provider or organization accepting this Agreement (“Covered Entity”) and XBD, LLC d/b/a Referralogix (“RLX” or “Business Associate”).

By checking the acceptance box or clicking “I Agree” to this Agreement, Covered Entity acknowledges that it has read, understands, and agrees to be legally bound by the terms of this Agreement. This Agreement becomes effective on the date Covered Entity accepts it electronically (the “Effective Date”).

This Agreement is intended to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including the HIPAA Privacy, Security, and Breach Notification Rules, and the Health Information Technology for Economic and Clinical Health Act (“HITECH”).


1. Purpose

RLX provides services including referral management, communication platform functions, and marketing services to healthcare providers. In connection with these services, RLX may receive, create, maintain, transmit, or access Protected Health Information (“PHI”) on behalf of Covered Entity. This Agreement governs RLX’s use and disclosure of PHI and ensures compliance with applicable HIPAA regulations.


2. Definitions

Capitalized terms not defined in this Agreement have the meanings given in HIPAA. For purposes of this Agreement:

PHI – Individually identifiable health information held or transmitted by RLX on behalf of Covered Entity.

De-Identified Data – Information from which all identifiers required by HIPAA are removed, such that the data is not individually identifiable.

Services – RLX services including referral communication platform, document exchange, and HIPAA-compliant marketing CRM (which does not process PHI).


3. Permitted Uses and Disclosures by RLX

RLX may use or disclose PHI only as follows:

To Provide Services
RLX may use PHI as necessary to provide services to Covered Entity, including hosting, storing, transmitting, displaying, or processing referral information.

For Operational Purposes
RLX may use PHI for internal operational purposes, including system administration, compliance monitoring, security auditing, and employee training.

As Required by Law

De-Identified Data
RLX may aggregate or de-identify PHI for analytics, benchmarking, and network intelligence purposes. De-identified data is not subject to HIPAA restrictions.

Minimum Necessary
RLX shall limit its use and disclosure of, and access to, PHI to the minimum necessary to perform its duties.

Prohibited Uses
RLX shall not sell PHI or use PHI for marketing purposes outside the scope of services explicitly authorized by Covered Entity.


4. Obligations of RLX

RLX agrees to:

Safeguards
Implement administrative, physical, and technical safeguards to protect PHI in accordance with the HIPAA Security Rule.

Access Controls
Restrict PHI access to authorized employees only, with audit logs and approval processes.

Subprocessors
Ensure any subcontractors or subprocessors supporting RLX services are bound by written agreements that impose HIPAA-compliant obligations.

Incident Response
Report any breach of unsecured PHI or security incident involving PHI to Covered Entity without unreasonable delay, and in no event later than sixty (60) days following discovery.

Mitigation
Mitigate, to the extent practicable, any harmful effects resulting from unauthorized use or disclosure of PHI.

Return or Destruction of PHI
Upon termination of the Services, RLX shall return or destroy all PHI received from Covered Entity, unless retention is required by law.


5. Covered Entity Responsibilities

Covered Entity agrees to:

Provide RLX with any required authorizations, consents, and notices to permit RLX’s use and disclosure of PHI in accordance with this Agreement.

Notify RLX promptly of any changes in its privacy practices or policies that may affect RLX’s use or disclosure of PHI.

Ensure its workforce and agents use RLX services in compliance with HIPAA and this Agreement.


6. Audits and Access

Upon reasonable request, RLX shall make available to Covered Entity information reasonably necessary to demonstrate RLX’s compliance with this Agreement and HIPAA, including:

Access and audit controls related to PHI;

Security and operational safeguards; and

Records of reportable disclosures or breaches.


7. Term and Termination

Term
This Agreement shall remain in effect for so long as RLX maintains PHI on behalf of Covered Entity.

Termination for Cause
Covered Entity may terminate this Agreement if it determines that RLX has materially breached this Agreement and RLX fails to cure such breach within thirty (30) days after written notice.

Effect of Termination
Upon termination, RLX shall return or securely destroy PHI in accordance with Section 4.6.


8. Breach Notification

RLX shall notify Covered Entity of any unauthorized use, disclosure, or breach of PHI in accordance with the HIPAA Breach Notification Rules and shall include, to the extent known:

A description of the nature of the breach,

The PHI affected, and

The actions taken to mitigate and remediate the breach.


9. Confidentiality

RLX shall treat PHI as confidential and shall not use or disclose PHI except as permitted by this Agreement or as required by law.


10. Miscellaneous

No Third-Party Beneficiaries
Nothing in this Agreement creates any rights in any person or entity other than the Parties.

Governing Law
This Agreement shall be governed by the laws of the State of Texas, without regard to conflicts of law principles.

Amendment
This Agreement may be amended only by a written amendment executed by RLX and Covered Entity, which may be accepted electronically.

Survival
Sections relating to confidentiality, breach reporting, and return or destruction of PHI shall survive termination of this Agreement.


Electronic Acceptance

Covered Entity’s electronic acceptance of this Agreement (by checking a box, clicking “I Agree,” or similar affirmative action) constitutes a legally binding agreement and is deemed the equivalent of a handwritten signature.