Business associate agreement
The HIPAA agreement Soro executes with every plan before any protected health information moves.
1. Definitions
Terms used here follow the HIPAA rules at 45 CFR parts 160 and 164, and the HITECH Act. Protected health information (PHI) has the meaning given in those rules.
2. Permitted uses of PHI
Soro uses PHI only to perform the audit and recovery services for the plan. Soro applies the minimum necessary standard and does not sell PHI or use it for marketing.
3. Safeguards
Soro maintains administrative, physical, and technical safeguards, including encryption of PHI in transit and at rest, access controls, and audit logging.
4. Breach reporting
Soro reports any breach of unsecured PHI within ten business days of discovery, consistent with 45 CFR sections 164.400 to 164.414.
5. Subcontractors
Soro requires any subcontractor that handles PHI on its behalf to agree in writing to the same restrictions and conditions that apply to Soro.
6. Individual rights
Soro supports the plan in meeting individual rights of access, amendment, and accounting of disclosures under 45 CFR sections 164.524, 164.526, and 164.528.
7. Books and records
Soro makes its internal practices and records relating to PHI available to the Secretary of Health and Human Services as required to determine compliance.
8. Term and termination
This agreement runs for the term of the services. Either party may terminate for an uncured material breach after a thirty day cure period.
9. Return or destruction of PHI
On termination, Soro returns or destroys all PHI it holds, and provides written certification of destruction where return is not feasible.
10. Miscellaneous
This agreement is construed to permit compliance with HIPAA. Where terms conflict, the interpretation that supports compliance controls.
11. Signatures
- Covered entity (the plan): name, title, signature, date
- Business associate (Soro LLC): name, title, signature, date

