Business Associate Agreement

Business Associate Agreement - updated April 22, 2025

This Business Associate Agreement (“BAA”) is made effective (the “Effective Date”) as of the date on the purchase order (the “PO”) by Total Community Options, Inc. dba InnovAge, an Affiliated Covered Entity, on behalf of its affiliates listed at https://www.innovage.com (collectively referred to as “Covered Entity”), and the entity identified as ‘Supplier’ (hereinafter referred to as “Business Associate”). Both Covered Entity and Business Associate may be referred to individually as a “Party” and collectively as the “Parties”.

InnovAge is an Affiliated Covered Entity acting as a single covered entity pursuant to 45 CFR 164.105(b). Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity in connection with Business Associate’s performance of its obligations under any and all prior, existing, and future agreements and arrangements between the Parties (collectively, the “Underlying Agreement”).

The purpose of this Agreement is to satisfy certain obligations of Covered Entity under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 CFR Parts 160 and 164) (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act, Pub. L. No. 111-5 (“HITECH”), pursuant to which the Privacy Rules mandate certain protections for the privacy and security of Protected Health Information to ensure the integrity and confidentiality of Protected Health Information and require such protections to be incorporated into business associate agreements.

1. Definitions.

1.1 Terms used in this BAA but not otherwise defined in this BAA shall have the same meaning as those terms in the Privacy Rule, the Security Rule, and the HITECH Act.

1.2 Specific Definitions.

  1.  “Breach” shall have the meaning set forth in 45 CFR § 164.402. 
  2.  “Designated Record Set” shall have the meaning set forth in 45 CFR § 164.501.
  3.  “Electronic Protected Health Information” shall mean Protected Health Information that is maintained in or transmitted by electronic media.  
  4.  “Electronic Health Record” shall have the meaning set forth in HITECH.
  5.  “Health Care Operations” shall have the meaning set forth in 45 CFR § 164.501(5).
  6.  “Individual” shall have the meaning set forth in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g) or the individual’s designee.
  7.  “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
  8.  “Protected Health Information” or “PHI” shall have the meaning set forth in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
  9.  “Required by Law” shall have the meaning set forth in 45 CFR § 164.103.
  10.  “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
  11.  “Security Incident” shall have the meaning set forth in 45 CFR § 164.304.
  12.  “Security Rule” shall mean the Security Standards and Implementation Specifications at 45 CFR Part 160 and Part 164, Subparts A and C.
  13.  “Unsecured Protected Health Information” shall have the meaning set forth in 45 CFR § 164.402.

2. Obligations and Activities of Business Associate.

2.1 Use and Disclosure of Protected Health Information. Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by this BAA or as Required by Law. Business Associate further agrees not to use or disclose Protected Health Information in any manner that would constitute a violation of the Privacy Rule or HITECH if so used or disclosed by Covered Entity. Business Associate agrees to use Protected Health Information solely for Covered Entity’s benefit and only for the purpose of performing the Services for Covered Entity as such Services are defined in Section 3.1 of this BAA, and as necessary to comply with Section 3.2 of this BAA. Business Associate further agrees that Covered Entity shall retain all rights in Protected Health Information not granted in this BAA.

2.2 Reasonable and Appropriate Safeguards. Business Associate will implement administrative, physical and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of Protected Health Information, including electronic PHI, that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent the use or disclosure of Protected Health Information other than as provided in this BAA. Business Associate agrees, to the extent feasible, to use commercially reasonable efforts to ensure that the technology safeguards used by Business Associate to secure Protected Health Information will render such Protected Health Information unusable, unreadable, and indecipherable to individuals unauthorized to acquire or otherwise have access to such Protected Health Information.

2.3 Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of this BAA. 

2.4 Reporting of Violations. Business Associate agrees to report to Covered Entity any known access, use, or disclosure of Protected Health Information that is not authorized by this BAA and/or any Security Incident of which it becomes aware, as well as any Breach of Unsecured Protected Health Information of which it becomes aware, immediately by telephone call and by e-mail after discovery. Business Associate further agrees to notify Covered Entity of any suspected security incident, unauthorized access, use, or disclosure of data or PHI, or Security Incident, or intrusion, or potential loss of confidential data in violation of any applicable federal or state laws or regulations, or this BAA, without unreasonable delay, and in no case later than twenty-four (24) hours after discovery. In the event of a Breach, if a delay is requested by law enforcement, Business Associate may delay notifying Covered Entity for the applicable timeframe. At the request of Covered Entity, Business Associate agrees to identify the date of the Security Incident, the scope of the Security Incident, Business Associate’s response to the Security Incident, and the identification of the party responsible for causing the Security Incident, if known. Business Associate also agrees to provide Covered Entity with sufficient information to permit Covered Entity to comply with Breach notification requirements.  

Business Associate shall also comply with C.R.S. § 6-1-716, as applicable.

2.5 Indemnification. Business Associate agrees to indemnify, defend, and hold Covered Entity and its officers, directors, employees, agents, successors, and assigns harmless from and against any and all losses, claims, actions, demands, liabilities, damages, costs, and expenses arising from or related to improper access, use, or disclosure of Protected Health Information in violation of the terms of this BAA or applicable law. Business Associate further agrees to indemnify, defend, and hold Covered Entity and its officers, directors, employees, agents, successors, and assigns harmless from and against any and all losses, claims, actions, demands, liabilities, damages, costs, and expenses arising from or related to any Breach of Unsecured Protected Health Information and/or any violation of C.R.S. § 6-1-716. If Business Associate assumes the defense of a claim, Business Associate agrees that Covered Entity shall have the right to participate, at its expense, in the defense of such a claim. Business Associate agrees not to take any final action with respect to such claim without the prior written consent of Covered Entity. To the extent permitted by law, Business Associate agrees that it shall be fully liable to Covered Entity for any acts, failures, or omissions of Business Associate’s agents or subcontractors in furnishing services as if they were Business Associate’s own acts, failures, or omissions.

2.6 Breach Pattern or Practice. Business Associate agrees that if it knows of a pattern of activity or practice of one of its agents or subcontractors that constitutes a material breach of Business Associate’s obligations under this BAA, Business Associate must take reasonable steps to cure the breach or end the violation. Business Associate agrees that if the steps are unsuccessful, Business Associate must terminate its agreement with the agent or subcontractor, if feasible.

2.7 Third-Party Agreements. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, created, maintained, transmitted or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions and other requirements that apply through this BAA to Business Associate with respect to such information in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable. In addition, Business Associate shall ensure that any such agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect Covered Entity’s Protected Health Information. On an annual basis, Business Associate shall identify any agent, including subcontractor, to whom it has provided Protected Health Information relating to Services on behalf of Covered Entity and provide an annual certification to Covered Entity that Business Associate has required such agent or subcontractor to agree to the same restrictions and conditions that apply to Business Associate pursuant to this BAA.

2.8 Availability of Books and Records. Business Associate agrees to make Protected Health Information and internal practices, books, records, including policies and procedures relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to Covered Entity or to the Secretary, within ten (10) business days of a written request by Covered Entity or as designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.

2.9 Access. Business Associate agrees to provide access, at the request of Covered Entity, within five (5) days of such request, to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524.

2.10 Amendment to PHI. Business Associate agrees to make any amendments to Protected Health Information in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, within ten (10) days of the request.

2.11 Documentation of Disclosures. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528. Business Associate further agrees to implement a process that allows for an accounting to be collected and maintained by Business Associate and its agents or subcontractors for at least six (6) years prior to the request. At a minimum, the information collected and maintained shall include:

  1. The date of the disclosure;
  2. The name of the entity or person who received Protected Health Information and, if known, the address of the entity or person;
  3. A brief description of Protected Health Information disclosed; and
  4. A brief statement of purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.

2.12 Accounting of Disclosures. Business Associate agrees to provide to Covered Entity or an Individual, within twenty (20) days, information collected in accordance with Section 2.11 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 and HITECH, as determined by Covered Entity. Business Associate agrees that such accounting obligations shall survive termination of this BAA and shall continue as long as Business Associate maintains Protected Health Information.

2.13 Requests for Accounting. In the event that a request for accounting is delivered directly to Business Associate or its agents or subcontractors, Business Associate agrees to forward the request to Covered Entity in writing within five (5) days. 

2.14 Minimum Necessary. Business Associate agrees to request, use, and disclose only the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use, or disclosure.

2.15 Ineligible Persons. Business Associate represents and warrants to Covered Entity that Business Associate:

  1. Is not currently excluded, debarred, or otherwise ineligible to participate in any federal health care program as defined in 42 U.S.C. § 1320a-7b(f);
  2. Has not been convicted of a criminal offense related to the provision of health care items or services and not yet been excluded, debarred, or otherwise declared ineligible to participate in federal health care programs; and
  3. Is not under investigation or otherwise aware of any circumstances that may result in Business Associate being excluded from participation in federal health care programs.

2.16 Ongoing Representation and Warranty. Business Associate agrees that the representation in Section 2.15 is an ongoing representation and warranty during the term of this BAA, and Business Associate shall immediately notify Covered Entity of any change in the status of the representations and warranty set forth in Section 2.15. 

2.17 Compliance with the Privacy Rule. To the extent Business Associate agrees to carry out one or more of Covered Entity's obligation(s) under the Privacy Rule, Business Associate agrees to comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s), including the minimum necessary requirements.

2.18 Audits, Inspection and Enforcement. No more than annually, upon reasonable advance notice and during normal business hours, Covered Entity may conduct routine inspections of the facilities, systems, books, procedures and records of Business Associate to monitor compliance with this BAA. Covered Entity may also conduct such inspections as needed upon a reasonable determination by Covered Entity that Business Associate has potentially or actually breached this BAA. Business Associate shall promptly remedy any violation of this BAA discovered in the course of such inspection and shall certify the same to Covered Entity in writing. To the extent Covered Entity determines such inspection is necessary to comply with Covered Entity's legal obligations pursuant to HIPAA relating to certification of its security practices, Covered Entity or its authorized agents or contractors, may, at Covered Entity's expense, examine Business Associate’s facilities, systems, procedures and records as may be necessary for such agents or contractors to certify to Covered Entity the extent to which Business Associate’s administrative, physical and technical safeguards comply with HIPAA and/or this BAA.

3. Permitted Uses and Disclosures by Business Associate.

3.1 General Use and Disclosure. Except as otherwise limited by this BAA, Business Associate may only use or disclose Protected Health Information on behalf of, or as necessary, for the purpose of providing services to Covered Entity (the “Services”), if such use or disclosure of Protected Health Information would not violate:

  1. The Privacy Rule, the Security Rule, and HITECH if done by Covered Entity; or
  2. The minimum necessary policies and procedures of Covered Entity. 

3.2 Specific Uses and Disclosures.

  1. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
  2. Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate:
    1. Provided the disclosures are required by Law; or
    2. Business Associate obtains reasonable assurances from the person to whom the information is disclosed that:
      1. Protected Health Information will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person; and
      2. The person notifies Business Associate of any instances of which it is aware in which confidentiality of Protected Health Information has been breached.
  3. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity as permitted by 42 CFR § 164.504(e)(2)(i)(B).
  4. Business Associate may use Protected Health Information to report violations of law to appropriate federal and state authorities, consistent with 45 CFR § 164.502(j)(1).


4. Obligations of Covered Entity.

4.1 Notification of Limitations. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

4.2 Notification of Individual Authorization Revocations. Covered Entity shall notify Business Associate of any changes in, or revocations of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.

4.3 Notification of Restrictions. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to, in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.

4.4 Permissible Protected Health Information Disclosures. Covered Entity will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

5. Term and Termination.

5.1 Term. This BAA shall be effective as of the Effective Date and shall terminate when all Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section 5. 

5.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:

  1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate the BAA if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or 
  2. Immediately terminate the BAA if Business Associate has breached a material term of this BAA and cure is not possible.

However, in no event will a disclosure by Business Associate that was authorized by Covered Entity be treated as a material breach.

5.3 Effect of Termination.

  1. Except as provided in Paragraphs (b) and (c) of this Section 5.3, upon termination of this BAA, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of Protected Health Information.
  2. In the event that Business Associate determines that returning or destroying Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon written notification that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protection of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
  3. The preceding provisions of this Section 5.3 shall not apply to the extent that Protected Health Information is maintained in the possession of Business Associate in accordance with its record retention procedures. Nevertheless, the protections of this BAA shall remain in effect as to that Protected Health Information as long as Business Associate retains such Protected Health Information.


6. General Provisions.

6.1 Intent. The Parties expressly acknowledge that it is, and shall continue to be, their intent to fully comply with all relevant federal, state, and local laws, rules, and regulations.

6.2 Regulatory References. A reference in this BAA to a section in the Privacy Rule, the Security Rule, or HITECH means the section as in effect or as amended.

6.3 Amendments Required by Law. The parties acknowledge that Federal and State laws relating to electronic data security and privacy are rapidly evolving. To that extent Business Associate agrees that Covered Entity may amend any material term or provision of this BAA, as Covered Entity determines is necessary to comply with HIPAA, the Privacy Rule, or HITECH, and other applicable laws, rules, or regulations by Covered Entity providing written notice setting forth that amendment (the “Notice of Proposed Amendment”). The Notice of Proposed Amendment shall be delivered to Business Associate not less than thirty (30) calendar days prior to the effective date of the amendment as stated in the Notice of Proposed Amendment, unless a shorter time is required for compliance with the law (“Notice Period”). 

  1. If Business Associate fails to respond to the Notice of Proposed Amendment, the amendment shall be effective on the date set forth in the Notice of Proposed Amendment.
  2. Business Associate may reject the amendment in writing by providing Covered Entity notice of the rejection prior to the expiration of the Notice Period. If the amendment is so rejected in writing, Covered Entity may terminate this BAA and any associated agreement for services with Covered Entity upon ten (10) business days’ notice.

6.4 Waiver. No provision of this BAA or any breach of this BAA shall be deemed a waiver unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.

6.5 Assignment. Neither Party may assign any of its rights or delegate or subcontract any of its obligations under this BAA without the prior written consent of the other Party. Notwithstanding the foregoing, Covered Entity shall have the right to assign its rights and obligations hereunder to any entity that is an affiliate or successor of Covered Entity without the prior approval of Business Associate.

6.6 Equitable Relief. Business Associate understands and acknowledges that any disclosure or misappropriation of any Protected Health Information in violation of this BAA will cause Covered Entity irreparable harm, the amount of which may be difficult to ascertain, and therefore agrees that Covered Entity shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as Covered Entity shall deem appropriate. Such right of Covered Entity is to be in addition to the remedies otherwise available to Covered Entity at law or in equity. Business Associate expressly waives the defense that a remedy in damages will be adequate and further waives any requirement in an action for specific performance or injunction for the posting of a bond by Covered Entity.

6.7 Notice. All notices, requests, demands, and other communications required or permitted to be given or made under this Agreement shall be in writing, shall be effective upon receipt, and shall be sent by (a) personal delivery, (b) certified or registered United States mail with return receipt requested, or (c) nationally recognized overnight delivery service with proof of delivery. Notices to Covered Entity will be sent to: InnovAge, 8950 E. Lowry Blvd, Denver, CO 80230, Attention: Legal, with a copy to Legal@innovage.com. Notices to Business Associate will be sent to Business Associate’s address listed on the applicable PO.

6.8 Survival of Certain Rights and Obligations. The rights and obligations of Business Associate under Section 5.3 of this BAA shall survive the termination of this BAA.

6.9 Construction. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the Privacy Rule, the Security Rule, HIPAA, and HITECH.

6.10 Invalidity or Unenforceability. If any provision of this BAA shall be held invalid or unenforceable, such invalidity or unenforceability shall attach only to such provisions and shall not in any way affect or render invalid or unenforceable any other provision of this BAA.

6.11 Rights. Nothing in this BAA shall be deemed to:

  1. Create any rights in third parties; or
  2. Waive the attorney-client, work product, or other privilege between Covered Entity and Business Associate arising under applicable law, except to the limited extent necessary to comply with the requirements of Section 2.8 or applicable law.

6.12 Entire Agreement. This BAA constitutes the complete agreement between Business Associate and Covered Entity relating to the matters specified in this BAA, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. No oral modification or waiver of any of the provisions of this BAA shall be binding on either Business Associate or Covered Entity. In the event of a conflict between this BAA and the Underlying Agreement, the terms of this BAA shall control.

6.13 Governing Law. This BAA shall be governed by and interpreted in accordance with the laws of the State of Colorado, excluding its conflicts of laws provisions. Jurisdiction and venue for any dispute relating to this BAA shall exclusively rest with the state and federal courts in the county in which Covered Entity is located.

6.14 Cooperation in Investigations. Each Party shall cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action, or other inquiry.