HPS Business Associate Agreement
Last Updated: 2026-01-30
This Business Associate Agreement (this “Agreement”) is made by and among Health Performance Specialists, LLC, a Florida limited liability company (“HPS”), and the enrolling medical practice (“Practice”). Each of HPS and Practice is sometimes referred to herein as a “Party” and, collectively, as the “Parties.”
By submitting an order form, enrolling in membership, purchasing services, or otherwise accessing HPS services, Practice acknowledges that it has read, understands, and agrees to be bound by this Agreement.
ARTICLE 1
DEFINITIONS
1.1 Generally
Unless otherwise provided herein, capitalized terms shall have the same meaning as set forth in HIPAA.
ARTICLE 2
SCOPE OF USE OF PHI
2.1 Performance of Agreement
Business Associate, its employees, agents and independent contractors (collectively referred to as “Business Associate”) may use PHI solely:
- To perform its duties under the Underlying Agreement;
- As directed by the Covered Entity;
- As permitted or required by the terms of the Underlying Agreement and this Agreement; and
- As permitted or required by law.
All other uses or disclosures not authorized by this Agreement or required by law are prohibited.
2.2 Safeguards for Protection of PHI
Business Associate agrees that it will:
(a) use commercially reasonable efforts to protect and safeguard from any oral and written disclosure all PHI and ePHI, regardless of the type of media on which it is stored (e.g., written or electronic, etc.), with which it may come into contact in accordance with applicable statutes and regulations, including, but not limited to, HIPAA and the HITECH Act;
(b) implement and maintain administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of the PHI and ePHI that Business Associate accesses, creates, receives, maintains or transmits;
(c) use appropriate safeguards to prevent use or disclosure of PHI and ePHI other than as permitted by this Agreement or required by law;
(d) comply, where applicable, with the Security Rule with regard to ePHI; and
(e) to the extent that Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule applicable to Covered Entity in the performance of such obligations.
2.3 Reporting of Unauthorized Use
Business Associate shall promptly report to Covered Entity, in writing, within ten (10) business days of discovery, any unauthorized acquisition, access, use or disclosure of PHI in violation of this Agreement or any law, or any Security Incident, including any Breach, as defined in Section 1 above.
Such written notice of a Breach to Covered Entity shall include, to the extent reasonably known:
(a) the identity of each individual whose PHI was, or was reasonably believed to have been, breached;
(b) a brief description of what happened, including the date of the Breach and date of discovery of the Breach;
(c) a description of the PHI that was involved in the Breach;
(d) any steps the individual(s) should take to protect themselves from potential harm from the Breach;
(e) a description of what Business Associate is doing to investigate the Breach, mitigate harm to the individual(s) and protect against further Breaches; and
(f) contact procedures for individual(s) to ask questions or get additional information.
Business Associate shall implement and maintain sanctions against any employee, subcontractor or agent who violates the requirements of this Agreement or the HIPAA or HITECH Act regulations. Business Associate shall, as requested by Covered Entity, take steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
Notwithstanding the foregoing, the parties agree to the following reporting procedure for Security Incidents that do not result in unauthorized access, use, disclosure, modification, destruction of information, or interference with system operations (“Unsuccessful Security Incidents”). For Unsuccessful Security Incidents, the parties agree that this paragraph constitutes notice of such Unsuccessful Security Incidents.
By way of example, the parties consider the following to be illustrative of Unsuccessful Security Incidents when they do not result in actual unauthorized access, use, disclosure, modification, destruction of electronic PHI, or interference with an information system:
- (i) pings on firewall;
- (ii) port scans;
- (iii) attempts to log on to a system or enter a database with an invalid password or username;
- (iv) denial-of-service attacks that do not result in a server being taken off-line; and
- (v) malware (worms, viruses, etc.).
2.4 Use of Subcontractors
To the extent Business Associate uses one or more subcontractors or agents to provide services under the Underlying Agreement, and such subcontractors or agents create, receive, transmit or access PHI, Business Associate agrees that it will ensure that each such subcontractor or agent shall agree, in writing, to substantially the same restrictions, terms and conditions that apply to Business Associate in this Agreement, including but not limited to implementation of reasonable and appropriate safeguards to protect ePHI.
2.5 Breach or Misuse of PHI
Business Associate understands and agrees that any breach of confidentiality or misuse of information found in and obtained from PHI may result in the termination of the Underlying Agreement.
2.6 Data Aggregation
Except as otherwise provided in this Agreement, Business Associate may use PHI to provide data aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
Except as otherwise provided in this Agreement, Business Associate may use PHI to create de-identified data and limited data sets, each as defined under HIPAA, for the express purpose of improving Business Associate’s Products, Services and Practice Portal (each as defined in the Underlying Agreement).
Business Associate may further use and disclose such limited data sets for the same purpose, provided Business Associate, as an agent for the Covered Entity, enters into a data use agreement that satisfies HIPAA requirements concerning limited data sets with each recipient of a limited data set.
2.7 Use/Disclosure for Administration of Business Associate
Except as otherwise limited in this Agreement, Business Associate may use and disclose Protected Health Information for the proper management and administration of the Business Associate and to carry out the legal responsibilities of Business Associate, provided that any such disclosures are permitted or Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as permitted or Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
2.8 On Behalf of Covered Entity
On behalf of Covered Entity, Business Associate may use and disclose PHI for purposes set forth in 45 C.F.R. § 164.512.
ARTICLE 3
AVAILABILITY, AMENDMENT OF PHI
3.1 Availability of PHI
If Business Associate maintains a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity, and in a reasonable time and manner designated by Covered Entity, to PHI in the Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524.
3.2 Amendments to PHI
If Business Associate maintains a Designated Record Set, Business Associate agrees to make any amendment(s) to the PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in a reasonable time and manner designated by Covered Entity.
ARTICLE 4
ACCOUNTING AND INSPECTIONS
4.1 Accounting of Disclosures
Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
4.2 Provide Accounting
Business Associate agrees to provide to Covered Entity or an Individual, in a reasonable time and manner designated by Covered Entity, information collected in accordance with Section 4.1 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
4.3 Access by DHHS
Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity available to the Secretary of the Department of Health and Human Services or designee (“DHHS”) for purposes of determining Covered Entity’s compliance with HIPAA, the HITECH Act and the corresponding privacy and security regulations.
Upon Covered Entity’s reasonable request, Business Associate shall provide Covered Entity with copies of any information it has made available to DHHS under this section of the Agreement.
ARTICLE 5
OBLIGATIONS OF COVERED ENTITY
5.1 Notice of Privacy Practices
Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice.
5.2 Changes in Use of PHI
Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
5.3 Restrictions on Use of PHI
Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.
5.4 Permissible Requests
Except as otherwise set forth in this Agreement, Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
ARTICLE 6
TERM / TERMINATION
6.1 Term and Termination
This Agreement shall terminate when all of the PHI and ePHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy the PHI or ePHI, protections are to extend to such information, in accordance with the provisions of this Agreement.
6.2 Termination After Notice and Right to Cure
If the Covered Entity reasonably determines that the Business Associate has committed a material breach of this Agreement, Business Associate shall have thirty (30) calendar days, after delivery from Covered Entity of written notice pursuant to Section 7.2, to remedy the breach and provide evidence of cure to the Covered Entity. If such material breach is not cured within that time, Covered Entity may terminate this Agreement or the Underlying Agreement with notice to Business Associate.
6.3 Return and Destruction of PHI
Within fifteen (15) business days of the expiration or earlier termination of this Agreement or Underlying Agreement for whatever reason, Business Associate agrees that it will return or destroy all PHI, if feasible, received from, or created or received by it on behalf of Covered Entity, which Business Associate maintains in any form, and retain no copies of such information.
6.4 No Feasible Return and Destruction of PHI
To the extent such return or destruction of PHI is not feasible, Business Associate shall extend the precautions of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information unfeasible. Business Associate shall remain bound by the provisions of this Agreement, even after termination of this Agreement or the Underlying Agreement until such time as all PHI has been returned or otherwise destroyed as provided in this section.
6.5 Effect of Termination
All rights, duties and obligations of Business Associate established in this Agreement shall survive the termination of this Agreement.
ARTICLE 7
OTHER PROVISIONS
7.1 Construction
This Agreement shall be construed as broadly as necessary to implement and comply with HIPAA and the HITECH Act and the regulations promulgated thereunder. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the Standards for Privacy and Security, HIPAA, the HITECH Act and any amendments thereto.
7.2 Notice
All notices and other communications required or permitted pursuant to this Agreement shall be in writing, addressed to the party at the address set forth at the end of this Agreement, or to such other address as either party may designate from time to time. All notices and other communications shall be mailed by registered or certified mail, return receipt requested, postage pre-paid, or transmitted by hand delivery or telegram. All notices shall be effective as of the date of delivery of personal notice or on the date of receipt, whichever is applicable.
7.3 Amendments
The parties recognize this Agreement may need to be modified from time to time to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including, but not limited to, HIPAA and the HITECH Act. This Agreement constitutes the entire agreement between the parties with respect to its subject matter. No oral statement or prior written material not specifically mentioned herein shall be of any force or effect and no change in or addition to this Agreement shall be recognized unless evidenced by a writing executed by Covered Entity and Business Associate, such amendment(s) to become effective on the date stipulated therein. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of the Standards for Privacy and Security, HIPAA, the HITECH Act and any amendments thereto.
7.4 Assignment
Covered Entity has entered into this Agreement in specific reliance on the expertise and qualifications of Business Associate. Consequently, Business Associate’s interest under this Agreement may not be transferred or assigned or assumed by any other person, in whole or in part, without the prior written consent of Covered Entity; provided that Business Associate may assign this Agreement without the consent of Covered Entity as part of a corporate reorganization, consolidation, merger, or sale of all or substantially all of its assets or business to which this Agreement relates.
7.5 Headings
Headings contained in this Agreement are for reference purposes only and shall not affect in any way the meaning or interpretation of this Agreement.
7.6 Binding Effect
This Agreement shall be binding upon, and shall inure to the benefit of, the parties hereto and their respective permitted successors and assigns.
7.7 Priority of Agreement
If any portion of this Agreement is inconsistent with the terms of the Underlying Agreement, the terms of this Agreement shall prevail. Except as set forth above, the remaining provisions of the Underlying Agreement are to be ratified in their entirety. This Agreement is hereby incorporated into and made a part of the Underlying Agreement as an addendum thereto. In the event that a provision of this Agreement is contrary to a provision of the Underlying Agreement, the provisions of this BAA shall control. Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA and any other applicable law.
7.8 No Construction Against Drafter
This Agreement is not to be construed against the drafting party.
7.9 Authority To Contract
Each party represents and warrants that said party is authorized to enter into this Agreement and to be bound by the terms of it.