
Business Associate Agreement (BAA)

Effective Date: April 15, 2026 | CCCM Consulting LLC DBA SignalEDI

Important: This page describes SignalEDI’s BAA terms for informational purposes. A BAA must be fully executed before transmitting any PHI through SignalEDI. Contact support@signaledi.com to request execution of a BAA.

1. Purpose

This Business Associate Agreement (“BAA”) governs the use, disclosure, and safeguarding of Protected Health Information (“PHI”) when Client (“Covered Entity”) uses CCCM Consulting LLC DBA SignalEDI (“Business Associate”) to process healthcare data, including HL7 v2.x, FHIR, and HIPAA-regulated EDI transactions such as 837, 835, 270/271, 276/277, and 999 transaction sets.

2. Definitions

  • PHI (Protected Health Information): Individually identifiable health information transmitted or maintained in any form as defined by 45 CFR §160.103.
  • ePHI (Electronic PHI): PHI transmitted or maintained in electronic media.
  • Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits health information electronically, as defined by HIPAA.
  • Business Associate: A person or entity that performs functions or activities on behalf of a Covered Entity involving the use or disclosure of PHI.
  • Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, as defined by 45 CFR §164.402.
  • Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI, as defined by 45 CFR §164.304.

3. Obligations of Business Associate (SignalEDI)

  • Not use or disclose PHI except as permitted by this BAA or as required by law.
  • Implement administrative, physical, and technical safeguards including AES-256 encryption at rest and TLS 1.3 encryption in transit.
  • Report breaches to Covered Entity within 72 hours of discovery.
  • Make PHI available for access requests within 30 days.
  • Return or destroy PHI upon termination, per Client’s election.
  • Ensure any subcontractors agree to the same restrictions and conditions (flow-down provisions).
  • Not use PHI for AI model training without explicit de-identification per the HIPAA Safe Harbor method (45 CFR §164.514(b)).
  • Maintain audit logs for a minimum of 6 years per HIPAA requirements.

4. Obligations of Covered Entity (Client)

  • Obtain necessary consents and authorizations before transmitting PHI to SignalEDI.
  • Not request SignalEDI to use or disclose PHI in any manner that would violate HIPAA.
  • Notify SignalEDI of any restrictions on the use or disclosure of PHI.
  • Ensure the minimum necessary standard is applied when transmitting PHI.

5. Permitted Uses & Disclosures

Business Associate may use and disclose PHI as necessary to perform services on behalf of the Covered Entity, including:

  • Treatment, payment, and healthcare operations as defined by HIPAA.
  • Data aggregation services related to the healthcare operations of the Covered Entity.
  • De-identified data (per Safe Harbor method) for analytics and service improvement.
  • Management and administration of the Business Associate, provided disclosures are required by law or Business Associate obtains reasonable assurances of confidentiality.

6. Breach Notification

  • Business Associate shall notify Covered Entity within 72 hours of discovering a breach of unsecured PHI.
  • Notification shall include: the nature and extent of the breach, the PHI involved, mitigation steps taken, and corrective actions planned.
  • Business Associate shall cooperate fully with the Covered Entity’s breach response and notification obligations.

7. Term & Termination

  • This BAA is effective upon execution and remains in effect until terminated or until the underlying service agreement expires.
  • Either party may terminate for material breach with a 30-day cure period.
  • Upon termination, Business Associate shall return or destroy all PHI within 60 days, per Client’s written instructions.
  • If return or destruction is not feasible, protections shall extend to retained PHI and further uses and disclosures shall be limited to purposes that make return or destruction infeasible.

8. Restoration Commitment

In accordance with the 2026 HIPAA Security Rule requirements, Business Associate commits to restoration of critical systems within 72 hours of a disruption affecting the availability of ePHI. This includes restoration of access to electronic PHI, re-establishment of secure processing capabilities, and verification of data integrity post-restoration.

9. How to Execute

Contact support@signaledi.com to request execution of this Business Associate Agreement. A BAA must be fully executed before transmitting any Protected Health Information through SignalEDI.

© 2026 CCCM Consulting LLC DBA SignalEDI. All rights reserved.