RevenueWell Business Associate Agreement (BAA): How to Request It and What It Covers

Kevin Henry

HIPAA

March 25, 2026

Understanding Business Associate Agreements

What a BAA is and why it matters

A Business Associate Agreement is a contract required by the Health Insurance Portability and Accountability Act that sets the rules for how a vendor handles your patients’ Protected Health Information. It spells out Business Associate Obligations, limits how PHI may be used or disclosed, and requires safeguards so you can maintain HIPAA Compliance while using third‑party services.

Who signs and when it is required

You, as a covered entity (for example, a dental or medical practice), sign a BAA with RevenueWell when the service involves creating, receiving, maintaining, or transmitting PHI on your behalf. The BAA should be in place before you upload, sync, or otherwise share any PHI with the platform.

What you can expect the RevenueWell BAA to address

  • Scope of services and the minimum necessary PHI involved.
  • Permitted uses and disclosures tied to delivering the contracted functionality.
  • Required safeguards, workforce training, and incident response expectations.
  • Breach Notification Rule duties and reporting timelines.
  • Subcontractor Agreements and flow‑down requirements.
  • Return or destruction of PHI and survival of obligations at termination.

Requesting a BAA from RevenueWell

Preparation

Confirm you are an authorized signatory for your organization and identify the legal entity name, address, and key contacts. Gather any specifics you want reflected in the agreement, such as designated privacy and security contacts or preferred notice channels.

Submission

  • Sign in to your RevenueWell account and use the support or help option to submit a BAA request, or contact your customer success representative. If you are not yet a customer, ask sales to include the BAA in your order paperwork.
  • State that you require a HIPAA BAA and provide your practice’s legal details and a primary email for e‑signature routing.
  • If your counsel requires limited edits, note them clearly and provide redlines to streamline review.

Execution and recordkeeping

  • Execute the agreement via the provider’s e‑signature process. Ensure the signer name and title match your legal entity.
  • Save the fully executed copy with your compliance documentation, and record the effective date for your HIPAA Compliance files.
  • If you have deadlines, request an estimated turnaround time and confirmation once countersigned.

Permitted Uses and Disclosures of PHI

Typical permitted uses under a RevenueWell BAA

  • Use and disclose PHI only to deliver the contracted services you direct (for example, patient communications and practice operations you enable in the platform).
  • Use PHI for the business associate’s proper management and administration, including internal operations, compliance, and quality assurance, provided privacy protections remain in place.
  • Disclose PHI as required by law, with safeguards and minimum necessary applied.
  • Create and use de‑identified information that no longer identifies an individual; de‑identified data may be used for analytics or service improvement.
  • Meet your requests for access, amendment, or accounting of disclosures where the platform is needed to fulfill them.

Prohibited or restricted uses

  • No use of PHI for marketing without your prior authorization where required.
  • No sale of PHI.
  • No disclosures beyond the agreement’s scope, except as expressly permitted or required by law.
  • Always apply the minimum necessary standard to limit PHI exposure.

Safeguards to Protect PHI

Administrative Safeguards

  • Risk analysis and ongoing risk management tailored to systems that create, receive, maintain, or transmit PHI.
  • Documented policies, workforce training, and sanctions for violations.
  • Access governance, including role‑based access and periodic access reviews.
  • Contingency planning, backups, and disaster recovery procedures.
  • Vendor management and Subcontractor Agreements with flow‑down privacy and security terms.

Physical Safeguards

  • Facility access controls for data centers and workspaces handling PHI.
  • Workstation and device protections, secure storage, and media disposal.
  • Environmental and power protections to preserve system availability.

Technical Safeguards

  • Strong authentication and authorization, including unique user IDs and multi‑factor authentication where applicable.
  • Encryption in transit and at rest for PHI within the platform’s systems.
  • Audit logging, monitoring, and alerting to detect and investigate anomalies.
  • Integrity controls, secure software development practices, and timely patching.

Breach Notification Requirements

What qualifies and what must happen

A breach is an impermissible use or disclosure of unsecured PHI that compromises its privacy or security. Under the Breach Notification Rule, RevenueWell must notify you without unreasonable delay after discovery and provide details that allow you to meet your own notification duties.

Contents of the notice you should expect

  • A description of the incident, including the date of the breach and its discovery.
  • Types of PHI involved (for example, names, contact information, treatment data).
  • The number or categories of individuals affected, if known.
  • Mitigation steps taken and guidance for you to help protect patients.
  • Contact information for follow‑up and coordination.

Most BAAs also require prompt reporting of security incidents that may not rise to a breach, along with cooperative investigation and documented risk assessments to determine notification obligations.

Subcontractor Compliance Obligations

Flow‑down of Business Associate Obligations

If RevenueWell uses subcontractors that touch PHI, the BAA requires those parties to sign written Subcontractor Agreements imposing the same HIPAA privacy and security commitments. This preserves a chain‑of‑trust for every party that creates, receives, maintains, or transmits PHI on your behalf.

Due diligence and oversight

  • Risk‑based vetting of subcontractors’ security and privacy practices.
  • Contractual breach reporting and cooperation requirements.
  • Restrictions on offshore storage or processing where applicable and disclosed.
  • Documentation you can review upon reasonable request to validate compliance.

Termination Conditions of the BAA

When termination can occur

  • For cause, if a party commits a material breach and fails to cure within the agreed period.
  • Upon service contract expiration or non‑renewal, when PHI handling is no longer needed.

What happens to PHI at the end

  • Return or secure destruction of PHI you provided or the platform created for you, if feasible.
  • If return or destruction is infeasible, continued protections and restrictions on further use and disclosure.
  • Retention of certain logs or records only as required to meet legal, regulatory, or audit obligations, subject to ongoing safeguards.

In short, the RevenueWell Business Associate Agreement defines how PHI is handled, protected, and returned, ensuring HIPAA Compliance while you use the service. By requesting and executing the BAA before sharing PHI, you establish clear expectations for security, incident response, subcontractor oversight, and end‑of‑engagement disposition.

FAQs

How do I request a BAA from RevenueWell?

Log in to your account and open a support ticket or contact your customer success representative asking for a HIPAA BAA. Provide your practice’s legal name, address, and authorized signer details so the agreement can be sent for e‑signature. If you are evaluating the service, ask sales to include the BAA with your order documents.

What information does the RevenueWell BAA cover?

It covers the permitted and prohibited uses of Protected Health Information, the safeguards the vendor must maintain, cooperation on patient rights requests, Breach Notification Rule obligations, Subcontractor Agreements, and how PHI will be returned or destroyed when the relationship ends.

What safeguards does RevenueWell implement to protect PHI?

The BAA commits to administrative, physical, and technical measures such as risk management, workforce training, access controls, encryption, audit logging, contingency planning, and vetted subcontractors bound by equivalent Business Associate Obligations.

What happens if there is a breach under the RevenueWell BAA?

The vendor must notify you without unreasonable delay, share details about what happened and the PHI involved, help with mitigation, and cooperate on the risk assessment and any required patient or regulator notifications. The parties then implement corrective actions to prevent recurrence.
