Apply by Jan. 31 for Penn PORTAL career development funding to advance Learning Health System science. Learn more.

Business Associate Agreement

This page provides the Business Associate Agreement terms for Way to Health platform services (January 2024).


Provider agrees to be bound by the following HIPAA Business Associate Terms (“Terms”). These Terms are incorporated into the Master Services Agreement (MSA) and are effective as long as Customer’s Service Order for the Platform Services that involve sharing protected health information (PHI) with us is effective.  

We will use, access and share PHI received from Customers that are HIPAA-covered entities for the purpose of supporting the Platform Services as described in these Terms and the MSA. We will limit PHI to the minimum necessary to accomplish the intended purpose consistent with applicable law. We will also use and disclose PHI for quality assessment and service improvement purposes, for the proper management and administration of our functions, and to carry out legal responsibilities provided that disclosures are required by law or we obtain reasonable assurances from recipients that information will remain confidential and used or disclosed only as required by law or for the purposes for which it was disclosed and that they will notify us of any confidentiality incident or breach. We will only create, use and disclose data deidentified in accordance with the HIPAA standard at 45 C.F.R. 164.514 for quality assessment and service improvement purposes and as described in the MSA. 

We will require any subcontractors that create, receive, maintain, or transmit PHI on our behalf to agree in writing to restrictions and conditions regarding PHI that are as strict as these Terms. We will make books and records available to the HHS Secretary and other regulatory authorities as they pertain to compliance regarding the use and disclosure of PHI. 

We will use appropriate security measures, including by implementing administrative, physical and technical safeguards to prevent PHI use or disclosure other than these Terms and the MSA provide. We will report within 20 business days to covered entities if we become aware of any use or disclosure of their PHI not provided for by these Terms, including a Breach of Unsecured PHI. This section constitutes notice and no further notice shall be required for the ongoing existence of attempted but Unsuccessful Security Incidents that do not result in unauthorized access, use or disclosure, for example “pings” on system firewall, port scans, attempted log ons with invalid credentials, denial of service attacks that don’t result in a service being taken offline, and malware, provided they do not result in unauthorized access, use or disclosure of PHI.  

We agree to make PHI available to covered entities as necessary for them to meet HIPAA obligations to provide access, amendment, and accounting of disclosures to individuals. To the extent we are carrying out a covered entity’s obligation under the HIPAA Privacy Rule, we will comply with the Privacy Rule requirements that apply to the covered entity in performing the obligation.

Covered entities shall obtain any and all necessary consents or other permissions under applicable law for the disclosure of PHI to us.  

Covered entities shall not request us to use or disclose PHI in any way that would violate applicable laws, agreements, or notices if done by the covered entity.  

Where either party is aware of a material breach by the other party, the non-breaching party shall provide an opportunity to cure. If not cured within 30 business days, the non-breaching party shall if feasible terminate this agreement and covered entity’s use of the Platform Services.  

After termination of the relevant Service Order, we will promptly destroy a covered entity’s PHI after providing notice and an opportunity to download to the covered entity as described in the Way to Health data retention policy

Nothing in this agreement is intended to confer rights, remedies, obligations or liabilities on anyone other than us and the relevant covered entities.  

Covered entities shall provide us any notices by email to waytohealth@pennmedicine.upenn.edu and also by mail to (1) Way To Health, Chief Operating Officer, Center For Health Care Innovation, 3600 Civic Center Boulevard, 8th Floor, Philadelphia, PA 19104; and (2) University of Pennsylvania Office of General Counsel, Attention: Deputy General Counsel, 2929 Walnut Street, Suite 400, Philadelphia, PA 19104.