Overview
Why this agreement matters
When ProDocNotes creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity or another business associate, a written Business Associate Agreement (BAA) is generally required before that PHI is processed in the Service.
This page summarizes common BAA terms used with ProDocNotes. It is not itself the binding agreement. If there is any conflict, the signed BAA between the parties controls.
Section 01
When a BAA is required
A BAA is typically required when a healthcare provider, health plan, or clearinghouse uses ProDocNotes to store or process PHI as part of a clinical, operational, or administrative workflow.
If your planned use of the Service will involve live patient information, you should not upload or process PHI until the required contractual paperwork is complete.
Section 02
Permitted uses and disclosures
Our standard BAA limits ProDocNotes to using and disclosing PHI only as necessary to provide the contracted Service, meet legal obligations, support proper internal administration, and perform other activities expressly permitted by the agreement and HIPAA.
- We do not use customer PHI for unrelated product marketing.
- We do not sell PHI.
- We do not disclose PHI except as allowed by the agreement, required by law, or directed by the customer.
Section 03
Safeguards and minimum necessary practices
The BAA requires ProDocNotes to implement reasonable and appropriate safeguards to protect PHI from unauthorized use or disclosure. Those safeguards include:
- encryption in transit and at rest;
- logical access controls and workforce access limitations;
- audit logging, change tracking, and incident response procedures;
- secure development and vendor management practices.
We also support minimum-necessary access principles by limiting PHI exposure based on service need and customer-defined permissions.
Section 04
Subcontractors and third-party providers
Where ProDocNotes uses vetted subprocessors to host, secure, or support the Service, we require those parties to accept appropriate confidentiality, privacy, and security obligations before they may access PHI.
Customers may request additional information about categories of subprocessors and service architecture during security or procurement review.
Section 05
Incident and breach notification
If we become aware of a breach of unsecured PHI or another reportable security event affecting customer PHI, we will notify the customer in accordance with the timing and process defined in the executed agreement and applicable law.
Our response process includes containment, investigation, impact assessment, mitigation, and coordinated customer communication.
Section 06
Return, destruction, and termination
At the end of the relationship, ProDocNotes will return or destroy PHI as required by the agreement, unless continued retention is legally required or technically infeasible under the circumstances described in the BAA.
Any retained information remains protected by the same contractual and legal restrictions that applied during the term of the agreement.
Section 07
Requesting an executed BAA
To request ProDocNotes' standard BAA, contact [email protected] with your organisation name, implementation contact, and anticipated use case. Procurement or security questionnaires can be sent through the same channel.
If you need the platform overview of privacy practices, see our Privacy Policy and Notice of Privacy Practices.