This Business Associate Agreement (BAA) is available to NODEX Enterprise plan subscribers. It governs the use of NODEX for communications involving Protected Health Information (PHI) as defined under HIPAA. By activating the HIPAA controls on your Enterprise account, you agree to the terms of this BAA.
The following terms have the meanings set forth below. Terms not defined here have the meanings set forth in HIPAA and its implementing regulations (45 CFR Parts 160 and 164).
Multiplex LLC agrees to use or disclose PHI only as permitted or required by this BAA or as required by law. Multiplex LLC will not use or disclose PHI in a manner that would violate HIPAA if done by the Covered Entity.
Multiplex LLC agrees to use appropriate safeguards and, where applicable, comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C), to prevent the unauthorized use or disclosure of PHI. This includes:
Multiplex LLC will obtain satisfactory assurances, in the form of a written agreement, from any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Multiplex LLC, that the subcontractor will comply with the applicable requirements of HIPAA. Current subcontractors with access to infrastructure that may process ePHI include Supabase (database) and Netlify (hosting).
Multiplex LLC agrees to report to the Covered Entity any use or disclosure of PHI not provided for by this BAA, any Security Incident of which it becomes aware, and any Breach of Unsecured PHI as required by 45 CFR 164.410, without unreasonable delay and in no case later than 60 calendar days after discovery.
To the extent Multiplex LLC maintains PHI in a Designated Record Set, Multiplex LLC agrees to make PHI available to the Covered Entity to fulfill the Covered Entity's obligations to provide individuals access to their PHI under 45 CFR 164.524. Multiplex LLC agrees to make PHI available for amendment and to incorporate any amendments to PHI per 45 CFR 164.526.
Multiplex LLC agrees to document and make available to the Covered Entity information required for the Covered Entity to respond to an individual's request for an accounting of disclosures of PHI per 45 CFR 164.528.
Multiplex LLC agrees to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, per 45 CFR 164.502(b).
The Covered Entity agrees to:
This BAA is effective as of the date the Covered Entity activates HIPAA controls on their Enterprise NODEX account and remains in effect until the Enterprise subscription is terminated or the BAA is otherwise terminated per this section.
Either party may terminate this BAA if it determines that the other party has violated a material term of this BAA and has failed to cure the violation within 30 days of written notice. If termination is not feasible, the aggrieved party must report the violation to the Secretary of the Department of Health and Human Services.
Upon termination of this BAA for any reason, Multiplex LLC agrees to return or destroy, if feasible, all PHI received from or created on behalf of the Covered Entity. If return or destruction is not feasible, Multiplex LLC agrees to extend the protections of this BAA to such PHI and to limit further uses and disclosures to those purposes that make return or destruction infeasible.
Any reference in this BAA to a section of HIPAA means the section as in effect or amended at the time of the relevant obligation, including all regulations promulgated thereunder.
Multiplex LLC may amend this BAA as necessary to comply with changes in HIPAA or other applicable law. Multiplex LLC will provide notice to Enterprise subscribers of material amendments. Continued use of NODEX after the effective date of an amendment constitutes acceptance.
The obligations of Multiplex LLC under Section 4c (Effect of Termination) shall survive the termination of this BAA.
This BAA shall be interpreted as broadly as necessary to implement and comply with HIPAA. Any ambiguity shall be resolved in favor of a meaning that permits the Covered Entity to comply with HIPAA.
This BAA is governed by the laws of the United States applicable to HIPAA and, to the extent not preempted, the laws of the state in which Multiplex LLC is organized.
For BAA inquiries, HIPAA questions, or to report a Security Incident: