1. Overview & Scope
TaskUp Global is committed to supporting compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the regulations promulgated thereunder. This HIPAA Compliance Agreement ("Agreement") serves as our standard Business Associate Agreement (BAA) framework.
This Agreement governs the relationship between TaskUp Global (acting as a "Business Associate") and our clients who operate as "Covered Entities" (healthcare providers, clinics, billing organizations, or health plans) under HIPAA guidelines. It outlines the technical, physical, and administrative measures we deploy to protect Electronic Protected Health Information (ePHI) handled by our matched virtual assistants during operational assignments.
2. Key Definitions
Terms used in this Agreement shall have the same meaning as those terms defined under the HIPAA Rules:
- Business Associate: Shall mean TaskUp Global, offering offshore specialized administrative support, billing coordination, and customer operations.
- Covered Entity: Shall mean the client contracting TaskUp Global services, who operates under HIPAA rules as a healthcare provider, health plan, or healthcare clearinghouse.
- Protected Health Information (PHI): Shall mean any individually identifiable health details, whether oral, written, or electronic, created or received by Covered Entity and accessed by Business Associate.
- ePHI: Shall mean Protected Health Information that is transmitted or maintained in electronic media.
3. Permitted PHI Uses & Disclosures
TaskUp Global professionals may access, use, or disclose Protected Health Information (PHI) solely under the following permitted conditions:
- To perform specialized back-office support, clinical scheduler logs, insurance prior authorizations, medical bookkeeping, and patient communications as requested by the Covered Entity.
- As explicitly authorized by the Covered Entity in active Standard Operating Procedures (SOPs) or Service Level Agreements (SLAs).
- For the proper management and administration of the Business Associate's BPO services, or to fulfill legal responsibilities.
- To compile aggregated, completely de-identified health metrics where patient identification details are permanently redacted in compliance with the HIPAA Safe Harbor method.
4. HIPAA Safeguards
We deploy comprehensive, industry-standard administrative, physical, and technical safeguards to prevent unauthorized access, disclosure, or alteration of patient records:
- Administrative Safeguards: All matched healthcare virtual assistants undergo mandatory HIPAA compliance training, background screening, and execute legally binding data-security NDAs. Access to patient portals is granted on a "minimum necessary" role-based standard.
- Physical Safeguards: Remote employees are prohibited from downloading, printing, or copying PHI onto local storage devices, flash drives, or paper records. Workstations must operate in secure, private home office environments with locked screens during absences.
- Technical Safeguards: Connections to Covered Entity portals (EHR, EMR, QuickBooks) must route through secure Virtual Private Networks (VPNs) with end-to-end encryption. Two-factor authentication (2FA) is enforced across all operational logins, and local disks utilize full encryption (e.g. BitLocker).
5. Our Obligations
As a Business Associate, TaskUp Global agrees to the following covenants:
- Not use or disclose PHI other than as permitted or required by this Agreement or as required by state or federal law.
- Ensure that any subcontractors or downstream agents that create, receive, maintain, or transmit PHI on our behalf agree in writing to the same restrictions and conditions that apply to us.
- Report immediately to Covered Entity any security incident or unauthorized acquisition, access, use, or disclosure of PHI (a "Breach") within seventy-two (72) hours of discovery.
- Make our internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services (HHS) for purposes of determining compliance.
6. Client Obligations
The Covered Entity (Client) agrees to the following safeguards:
- Provide TaskUp Global specialists with only the minimum necessary PHI required to perform their designated administrative tasks.
- Maintain absolute control over EHR/EMR user profiles, ensuring that credentials assigned to remote assistants are unique and monitorable.
- Promptly notify Business Associate of any limitations in patient consent, changes in privacy notices, or restrictions on PHI usage that could affect task operations.
- Ensure that patient consents and authorizations required under HIPAA regulations have been fully obtained prior to granting resource access.
7. Incident & Breach Response
In the event of a security incident or suspected data breach involving client databases, TaskUp Global will initiate the following response framework:
- We will immediately isolate the affected user profile, terminate system access credentials, and launch a complete audit of access logs.
- Covered Entity will be notified of the event details, including the number of affected patient records (if known) and mitigation actions, within 72 hours.
- TaskUp Global will cooperate fully with the client's compliance officers to compile formal reports and notify regulatory bodies if required.
8. Term & Termination
Term: This Agreement shall take effect upon client onboarding and continue in effect until the service relationship is terminated or the underlying SLA expires.
PHI Destruction: Upon termination of active services for any reason, TaskUp Global shall, at the option of Covered Entity, return or destroy all PHI received from Covered Entity that Business Associate still maintains in any form. If return or destruction is infeasible (e.g. nested in backup databases), we will extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
Execute BAA Inquiries
For medical clinics or billing companies requiring a signed custom BAA addendum, please coordinate with our security operations team at operations@taskupglobal.com.