REVELATION DIAGNOSTICS BUSINESS ASSOCIATE AGREEMENT (BAA)

Last Updated: November 18, 2025

Effective upon acceptance during Partner enrollment

This Business Associate Agreement (“BAA”) is entered into by and between:

(1) Revelation Diagnostics, LLC, a Florida limited liability company (“Business Associate” or “RD”),

and

(2) The clinician, practice, organization, or partner enrolling in the Revelation Diagnostics Partner Program (“Covered Entity,” “You,” or “Partner”).

This BAA supplements the Revelation Diagnostics Partner Terms, Platform Terms of Service, and any interpretation or ordering agreements (“Underlying Agreement”).

This BAA is required under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the HITECH Act, and all associated regulations.


1. DEFINITIONS

Terms not defined here have the meanings set forth in 45 C.F.R. §§ 160.103 and 164.501.

1.1 “Protected Health Information” (PHI)

PHI has the same meaning as in HIPAA and includes individually identifiable health information that RD creates, receives, maintains, or transmits for Covered Entity.

1.2 “Electronic PHI” (ePHI)

PHI transmitted or maintained in electronic media.

1.3 “Business Associate”

Revelation Diagnostics, LLC.

1.4 “Covered Entity”

The clinician or organization entering into this BAA.

Note: Health coaches and unlicensed partners with no PHI access are not “Covered Entities” under HIPAA. They may still sign this BAA purely for contractual compliance when authorized PHI access is granted by a patient.

1.5 “Reportable Event”

Any:

(a) Use/disclosure of PHI not permitted by this BAA,

(b) Breach of Unsecured PHI, or

(c) Security Incident involving ePHI.

1.6 “Subcontractor”

Any third party to whom Business Associate delegates functions involving PHI.

1.7 “Unsecured PHI”

PHI that is not encrypted or otherwise secured in accordance with federal guidance.


2. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

RD may use or disclose PHI only as follows:

2.1 To Provide Services Under the Underlying Agreement

Including:

  • Lab ordering, results retrieval, and display
  • Patient portal and profile management
  • Interpretation summaries or partner-linked contextual explanations
  • EHR-like partner tools (charting, notes, structured data storage)
  • Notifications and messaging
  • Reporting, analytics, and dashboard features
  • Coordination between interpretation partners and clinicians where permitted

2.2 For RD’s Proper Management and Operations

RD may use PHI for:

  • Security, audit, and fraud prevention
  • Legal compliance
  • Payment operations
  • Internal analytics and service improvement (not marketing to third parties)

RD may disclose PHI externally only if:

(1) Required by law, or

(2) RD obtains written assurances of confidentiality from the recipient.

2.3 Data Aggregation

RD may perform data aggregation for Covered Entity’s healthcare operations.

2.4 De-Identification

RD may de-identify PHI in compliance with HIPAA and may use de-identified data for any lawful purpose.

2.5 Minimum Necessary

RD will use and disclose only the minimum PHI necessary to accomplish permitted purposes.


3. OBLIGATIONS OF BUSINESS ASSOCIATE

3.1 Restrictions on Use and Disclosure

RD will not use or disclose PHI except as permitted by this BAA, the Underlying Agreement, or as required by law.

3.2 Safeguards

RD will implement administrative, technical, and physical safeguards, including:

  • Encryption of PHI at rest and in transit
  • Access controls and authentication
  • Logging and monitoring
  • Security risk assessments
  • HIPAA-compliant data hosting
  • Workforce training

3.3 Reporting Requirements

3.3.1 Reportable Events

RD shall report any Reportable Event to Covered Entity:

  • Without unreasonable delay, and
  • No later than fifteen (15) business days after discovery.

The report will include:

  • Individuals affected
  • Description of incident
  • PHI involved
  • Mitigation steps
  • Actions taken to prevent recurrence

RD will supplement information as it becomes available.

3.3.2 Ongoing Security Incidents

The parties acknowledge RD’s systems experience routine, unsuccessful security events (e.g., pings, failed login attempts). These require no additional reporting beyond this notice.

3.4 Subcontractors

RD may use subcontractors for hosting, email, analytics, etc., but must bind them under written agreements requiring HIPAA-compliant restrictions and safeguards.

3.5 Access to PHI / Designated Record Set

If RD maintains PHI in a designated record set, RD will:

  • Provide access to Covered Entity or the patient,
  • Enable export or electronic delivery of PHI held in RD systems, in compliance with 45 C.F.R. § 164.524.

3.6 Amendments to PHI

RD will update or amend PHI upon request from Covered Entity, per 45 C.F.R. § 164.526.

3.7 Accounting of Disclosures

RD will provide accounting of disclosures in compliance with 45 C.F.R. § 164.528.

3.8 Compliance with Secretary Investigations

RD will make relevant records available to the Secretary of HHS for HIPAA compliance investigations.


4. OBLIGATIONS OF COVERED ENTITY

Covered Entity agrees:

4.1 Minimum Necessary Disclosure

To provide RD only the minimum PHI necessary.

4.2 Patient Permissions

To ensure all patient consents, mandates, or authorizations for PHI sharing are valid.

4.3 Notification of Changes

Covered Entity must notify RD of:

  • Changes in privacy practices
  • Patient revocation of authorization
  • Restrictions on PHI use/disclosure
  • Errors or unauthorized disclosures by Covered Entity or its workforce

4.4 No Impermissible Requests

Covered Entity will not request RD to use or disclose PHI in a manner not permitted by HIPAA.


5. TERM AND TERMINATION

5.1 Term

This BAA begins upon acceptance and lasts until the Underlying Agreement is terminated.

5.2 Termination for Cause

Either party may terminate this BAA if the other party materially breaches it and fails to cure within 30 days.

5.3 Effect of Termination

5.3.1 Return or Destruction

Upon termination, RD will:

  • Return or destroy PHI if feasible.

5.3.2 If Destruction Is Not Feasible

RD will:

  • Retain only necessary PHI,
  • Continue applying BAA safeguards,
  • Use PHI only for the purpose retained,
  • Destroy PHI when feasible.

These obligations survive termination.


6. MISCELLANEOUS

6.1 Automatic Amendment for HIPAA Updates

This BAA automatically incorporates future HIPAA and HITECH amendments.

6.2 Interpretation

Ambiguities are resolved in favor of HIPAA compliance.

6.3 No Third-Party Beneficiaries

This BAA creates no rights for third parties.

6.4 Governing Law

Governed by Florida law except where federal law preempts.

6.5 Notices

Notices to RD:

Revelation Diagnostics, LLC

Attn: Compliance Officer

Email: team@revelationdiagnostics.com

Address: 17305 Saint James Court, Boca Raton, FL 33496

Notices to Covered Entity are sent to the email used during Partner enrollment.
