business associate agreement baa

Last Updated: 5/1/2026

Provyn provides a signed Business Associate Agreement to all clinic clients during onboarding. The agreement below outlines the general framework governing the protection of Protected Health Information (“PHI”) when using the Provyn platform.

This Business Associate Agreement (“Agreement”) is entered into between Provyn (“Business Associate”) and the healthcare provider, clinic, or organization using the Provyn platform (“Covered Entity”).

This Agreement governs the use and protection of PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including applicable provisions of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

Purpose

Covered Entity may disclose certain Protected Health Information to Business Associate so that Business Associate may provide communication automation services through the Provyn platform. These services may include administrative communication workflows such as responding to missed calls, responding to patient inquiries, appointment reminders, scheduling notifications, and related patient communication coordination.

Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as necessary to perform services on behalf of the Covered Entity or as otherwise permitted or required under HIPAA. Business Associate will not use or disclose PHI in a manner that would violate HIPAA if performed by the Covered Entity.

Safeguards

Business Associate implements administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Protected Health Information. These safeguards are intended to prevent unauthorized access, use, or disclosure of PHI.

Provyn uses encrypted infrastructure and secure data handling practices designed to support HIPAA compliance.

Subcontractors

Business Associate may engage subcontractors to support the operation of the Provyn platform. Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate will be required to maintain appropriate safeguards consistent with HIPAA requirements.

Breach Notification

Business Associate will notify the Covered Entity without unreasonable delay upon becoming aware of a breach of unsecured PHI as defined by HIPAA. Business Associate will cooperate with Covered Entity in responding to such incidents as required by applicable law.

Access and Amendment

To the extent PHI is maintained within the Provyn platform, Business Associate will cooperate with Covered Entity in providing access to PHI or facilitating amendments when required under HIPAA.

Text Messaging Compliance

Provyn enables clinics to communicate with patients through SMS text messaging for administrative communication purposes such as responding to missed calls, responding to patient inquiries, appointment reminders, and scheduling notifications.

Covered Entity is solely responsible for obtaining appropriate patient consent prior to sending SMS communications in accordance with applicable laws and regulations, including the Telephone Consumer Protection Act (TCPA) and applicable carrier messaging requirements.

Recipients may opt out of receiving SMS communications at any time by replying STOP. Recipients may request additional information by replying HELP.

Message frequency may vary depending on clinic communication activity. Standard message and data rates may apply depending on the recipient’s mobile carrier.

Provyn does not send marketing messages directly to patients and functions solely as the communication platform used by the clinic.

Termination

This Agreement remains in effect for as long as Business Associate provides services to Covered Entity involving PHI. Upon termination of services, Business Associate will return or securely destroy PHI when feasible, or continue to protect such information in accordance with HIPAA if return or destruction is not feasible.

Compliance with HIPAA

Both parties agree to comply with all applicable provisions of HIPAA and related federal regulations governing the protection of Protected Health Information.

Additional Platform Information

Provyn functions solely as a communication automation platform and does not participate in the delivery of healthcare services.

Provyn does not create or maintain patient medical records and does not make clinical decisions.

Provyn supports secure communication workflows while clinics retain full responsibility for patient care, regulatory compliance, and patient consent for communications.

Contact

For questions regarding this Business Associate Agreement, please contact:

[email protected]

Setting the editorial standard for clinical revenue recovery and practice intelligence. Revenue Recovery Systems for Clinics.

CONNECT

© 2026 PROVYN RECOVERY. ALL RIGHTS RESERVED. CLINICAL EXCELLENCE. FINANCIAL INTEGRITY.

EDITORIAL STANDARDS APPLIED.