GamwellTech wins award and named one of the top 500 MSPs worldwide.
Sales:
915-613-4866
This HIPAA Business Associate Agreement (“BAA”) is entered into by and between Gamwell Technologies Inc (“Business Associate” or “GamwellTech”) and any client that qualifies as a Covered Entity or Business Associate under HIPAA (“Covered Entity” or “Client”).
This BAA applies only when (i) Client is a Covered Entity or Business Associate subject to HIPAA, and (ii) GamwellTech creates, receives, maintains, or transmits Protected Health Information (“PHI”) on behalf of Client in the course of providing Services.
1) Relationship to MSA; Order of Precedence
1.1 Services Agreement
This BAA supplements and is incorporated into GamwellTech’s Master Services Agreement (“MSA”) and any related Quote(s), proposal(s), and Services Statement(s) (collectively, the “Services Agreement”), which are available on GamwellTech’s website and/or provided to Client in connection with the Services.
1.2 No expansion of scope
This BAA applies only to the extent GamwellTech creates, receives, maintains, or transmits PHI on behalf of Client while performing Services as expressly described in an applicable Quote or Services Statement. Nothing in this BAA requires GamwellTech to perform any services not expressly included in a Quote or Services Statement. Out-of-Scope Services remain out-of-scope.
1.3 Conflicts
If there is a conflict between this BAA and the Services Agreement, this BAA controls only to the extent required to comply with HIPAA and only with respect to PHI-related obligations. All other terms (including fees, scope, service levels, remedies, limitations of liability, and dispute resolution) are governed by the Services Agreement.
1.4 Effective date of BAA
This BAA is deemed effective as of the Effective Date of the first Quote under which GamwellTech creates, receives, maintains, or transmits Protected Health Information on behalf of Client.
2) Definitions
Capitalized terms not otherwise defined in this BAA have the meanings set forth in HIPAA and its implementing regulations (45 C.F.R. Parts 160 and 164).
3) Permitted Uses and Disclosures
3.1 Services
GamwellTech may use and disclose PHI only as necessary to perform the Services described in the applicable Quote or Services Statement and as otherwise permitted by this BAA.
3.2 Management and administration
GamwellTech may use PHI for its proper management and administration and may disclose PHI for such purposes only if:
3.3 No impermissible use or disclosure
GamwellTech will not use or disclose PHI in a manner that would violate HIPAA if done by Client.
3.4 Minimum necessary
GamwellTech will make reasonable efforts to limit its use or disclosure of PHI to the minimum necessary to accomplish the intended purpose, consistent with the Services.
3.5 No sale or marketing
Unless expressly authorized in writing by Client and permitted by HIPAA, GamwellTech will not sell PHI or use or disclose PHI for marketing purposes.
4) Safeguards; Security Rule
4.1 Safeguards
GamwellTech will implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI in accordance with 45 C.F.R. Part 164, Subpart C.
4.2 No guarantee
Client acknowledges that no security solution is 100% effective. GamwellTech does not warrant or guarantee that threats, intrusions, malware, or unauthorized access will never occur.
4.3 Client responsibilities unchanged
Client remains responsible for its HIPAA compliance program, policies, workforce training, and decisions relating to its systems and environment, except to the extent the Services expressly allocate responsibilities to GamwellTech in writing.
5) Reporting: Security Incidents and Breach
5.1 Notice trigger
GamwellTech will notify Client of any Security Incident involving PHI that reasonably appears to constitute a Breach of Unsecured PHI (“Reportable Incident”) without unreasonable delay and in no event later than ten (10) business days after discovery, unless a shorter period is required by applicable law.
5.2 Investigation and determination
GamwellTech may conduct a reasonable investigation to determine whether a Security Incident constitutes a Reportable Incident. Client acknowledges that certain facts may be unavailable or may evolve as an investigation progresses.
5.3 Information provided
To the extent available and practicable, notice will include:
5.4 Security Incident noise carve-out
Client acknowledges and agrees that routine and unsuccessful security events (including but not limited to pings, port scans, firewall logs, and unsuccessful login attempts) do not constitute Reportable Incidents unless they result in unauthorized access to PHI.
5.5 Mitigation
GamwellTech will take reasonable steps to mitigate, to the extent practicable, the harmful effects of any improper use or disclosure of PHI caused by GamwellTech’s breach of this BAA.
6) Subcontractors and Third Party Providers
6.1 Subcontractors
GamwellTech may use subcontractors or agents that may access PHI, provided GamwellTech obtains written agreements requiring such subcontractors to comply with applicable HIPAA obligations for Business Associate subcontractors.
6.2 Third Party Services
Where Services involve Third Party Providers or Third Party Services as described in the Services Agreement, nothing in this BAA expands GamwellTech’s responsibility beyond:
7) Individual Rights Support
7.1 No Designated Record Set by default
Client acknowledges that GamwellTech does not maintain PHI in a Designated Record Set as part of the Services unless expressly stated in a Quote or Services Statement.
7.2 If applicable
To the extent required by HIPAA and only if GamwellTech maintains PHI in a Designated Record Set on Client’s behalf:
These obligations apply only to PHI within GamwellTech’s possession, custody, or control as part of the Services.
8) Books and Records; HHS Access
GamwellTech will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services as required by 45 C.F.R. §164.504(e)(2)(ii)(I).
9) Term; Termination for Cause
9.1 Term
This BAA remains in effect for as long as GamwellTech performs Services involving PHI and until PHI is returned or destroyed in accordance with this BAA.
9.2 Termination for cause
If either party becomes aware of a material breach of this BAA, the non-breaching party may provide written notice and allow a cure period consistent with the Services Agreement (or twenty (20) days if not specified). If not cured, the non-breaching party may terminate this BAA and/or affected Services as permitted by HIPAA and the Services Agreement.
10) Return or Destruction of PHI
10.1 Return or destroy where feasible
Upon termination of this BAA or termination of Services involving PHI, GamwellTech will, where feasible, return or destroy PHI maintained in its capacity as a Business Associate.
10.2 Infeasibility
If return or destruction is infeasible (including for backups or archival systems), GamwellTech will continue to protect the PHI and limit further uses or disclosures to those purposes that make return or destruction infeasible.
10.3 MSA data retention controls
Nothing in this BAA expands GamwellTech’s data retention or storage obligations beyond those required by HIPAA or expressly stated in the Services Agreement.
11) Liability, Remedies, and Disclaimers (MSA Controls)
11.1 Limitation of liability
All limitations of liability, exclusions of damages, and liability caps set forth in the Services Agreement apply to any claims arising out of or related to this BAA, including claims involving PHI, Security Incidents, or Reportable Incidents, except to the extent prohibited by applicable law.
11.2 No additional indemnity
This BAA does not create any indemnification obligations beyond those expressly set forth in the Services Agreement.
11.3 No compliance warranty
GamwellTech does not represent or warrant that the Services or safeguards will render Client compliant with HIPAA or any other law.
11.4 Time limitation on actions
Any action arising out of or related to this BAA must be commenced within the time limits set forth in the Services Agreement, and any action not commenced within such time limits is forever barred to the maximum extent permitted by law.
11.5 No third-party beneficiaries
Nothing in this BAA creates any rights in any third party, including any individual whose PHI is the subject of this BAA.
12) Notices
Notices under this BAA will be provided in the manner specified in the Services Agreement unless HIPAA requires a different method.
13) Governing Law; Dispute Resolution
This BAA is governed by the laws of the State of Texas, and the dispute resolution provisions (including arbitration) set forth in the Services Agreement apply to disputes arising under this BAA to the maximum extent permitted by law.
14) Miscellaneous
14.1 Interpretation
This BAA will be interpreted to permit compliance with HIPAA while preserving the allocation of risk and responsibility set forth in the Services Agreement.
14.2 Survival
Provisions relating to return or destruction of PHI, continued protection of PHI, and limitations of liability survive termination to the extent required.
Acceptance
Client’s acceptance of a Quote, proposal, or Services Agreement with GamwellTech constitutes acceptance of this BAA where applicable.
Last Updated January 2026
