Business Associate Agreement
Last updated: February 1, 2026
Automatic BAA for all customers
Every ReasonEMR subscription includes a signed Business Associate Agreement at no additional cost. Our standard BAA is automatically executed when you create your account and covers all HIPAA, HITECH, and 42 CFR Part 2 requirements.
1. Definitions
This Business Associate Agreement (“BAA”) is entered into between the healthcare provider or practice (“Covered Entity”) and Reason EMR, Inc. (“Business Associate”) and supplements the Terms of Service. Terms used but not defined herein shall have the meaning given in HIPAA, the HITECH Act, and their implementing regulations.
2. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted by this BAA or as required by law
- Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any security incident or breach
- Ensure that any subcontractors who access PHI agree to the same restrictions and conditions
- Make PHI available to satisfy Covered Entity's obligations under the HIPAA Privacy Rule
- Maintain an audit trail of all access to PHI for a minimum of six (6) years
3. Permitted Uses & Disclosures
Business Associate may use and disclose PHI solely for the purpose of providing the Service as described in the Terms of Service, including:
- Storing, processing, and transmitting clinical documentation
- Facilitating billing and claims processing
- Providing technical support and system maintenance
- Generating de-identified, aggregated analytics (with no individual patient data)
4. 42 CFR Part 2 Compliance
Business Associate acknowledges that certain records may be protected by 42 CFR Part 2 (governing substance use disorder records) and agrees to apply the more restrictive protections required by Part 2 to all records that may contain such information, including prohibitions on re-disclosure.
5. Breach Notification
Business Associate shall notify Covered Entity of any breach of unsecured PHI without unreasonable delay and no later than thirty (30) calendar days after discovery of the breach. Notification will include identification of affected individuals, description of the breach, types of information involved, and steps taken to mitigate harm.
6. Termination
Upon termination of this BAA or the underlying Terms of Service, Business Associate shall return or destroy all PHI in its possession within ninety (90) days, unless retention is required by law. Business Associate will certify destruction in writing upon request.
7. Contact
For questions about this BAA or to request a custom agreement, contact:
Reason EMR, Inc. — Privacy Office
Email: privacy@reasonemr.com
Phone: (555) 123-4567
Need a signed copy?
Contact our team to receive a countersigned PDF of the BAA for your records.