Skip to content

Business Associate Agreement

Effective Date: Upon in-app acceptance on a Solo or Teams plan

This Business Associate Agreement (“BAA”) supplements the TallyFlex Terms of Service for users who are Covered Entities or Business Associates under HIPAA.

Definitions

  • “PHI” means Protected Health Information as defined by HIPAA
  • “Covered Entity” means you, the healthcare provider using TallyFlex
  • “Business Associate” means TallyFlex, LLC
  • “HIPAA” means the Health Insurance Portability and Accountability Act

Business Associate Obligations

TallyFlex agrees to:

  1. Use and Disclosure

    • Use PHI only to provide TallyFlex services
    • Not use or disclose PHI except as permitted by this BAA and HIPAA
    • Use minimum necessary PHI to accomplish intended purposes

  2. Safeguards

    • Implement administrative, physical, and technical safeguards
    • Comply with HIPAA Security Rule (45 CFR Part 164, Subpart C)
    • Encrypt PHI at rest and in transit

  3. Breach Notification

    • Report breaches of unsecured PHI within 72 hours of discovery
    • Discovery means when we first become aware or reasonably should have become aware
    • Provide details required by HIPAA Breach Notification Rule
    • Cooperate with Covered Entity’s breach response

  4. Subcontractors

    • Ensure subcontractors agree to same restrictions
    • Obtain written agreement before sharing PHI
    • Remain responsible for subcontractor compliance

  5. Access and Amendment

    • Provide access to PHI as directed by Covered Entity
    • Make amendments to PHI as directed
    • Maintain audit logs for 7 years

Covered Entity Obligations

You agree to:

  • Obtain necessary patient authorizations
  • Provide notice of privacy practices to patients
  • Notify us of any restrictions on PHI use
  • Use appropriate safeguards when transmitting PHI

Permitted Uses

TallyFlex may use PHI to:

  • Provide and support the services
  • Create de-identified data sets
  • Comply with legal obligations
  • Perform data aggregation services

Term and Termination

  • This BAA is effective upon in-app acceptance on a Solo or Teams plan. Acceptance is one-click in the TallyFlex app when you begin storing PHI. The same legal agreement applies to Solo and Teams.
  • This BAA is not effective for Free plan accounts unless and until you upgrade to Solo or Teams and accept the BAA in the app.
  • Terminates with your TallyFlex account
  • Upon termination, PHI will be returned or destroyed
  • Obligations survive for PHI retained for legal requirements

No Third Party Rights

This BAA is between TallyFlex and Covered Entity only. No third parties have rights under this agreement.

Contact

For HIPAA-related questions:
Email: compliance@tallyflex.com

Terms of Service | Privacy Policy