This Business Associate Agreement ("BAA") governs the relationship between GMB Billing Firm and any Covered Entity using the GMB Billing Firm platform in connection with Protected Health Information (PHI) under HIPAA.
GMB Billing Firm's AI coding platform is NOT a HIPAA-compliant data processor for Protected Health Information (PHI). The platform is designed exclusively for processing de-identified clinical data that has been stripped of all 18 HIPAA identifiers per 45 CFR §164.514(b).
The PHI detection system embedded in this platform serves as a good-faith technical safeguard to identify and block common PHI patterns. However, GMB Billing Firm expressly disclaims liability for PHI that: (a) bypasses the automated detector, (b) is submitted after dismissing PHI warnings, or (c) is introduced through methods that circumvent the platform's safeguards.
By using this platform, you accept full responsibility for ensuring all submitted data is de-identified in compliance with HIPAA Safe Harbor or Expert Determination methods.
GMB Billing Firm provides AI-powered medical coding assistance, claim analysis, appeal letter generation, and related billing services ("Services") to healthcare organizations. These Services are designed to process de-identified clinical documentation only.
The GMB Billing Firm platform is authorized solely for processing clinical documentation from which all PHI has been removed pursuant to 45 CFR §164.514. The platform generates ICD-10, CPT, HCPCS codes, and billing documentation based on de-identified clinical inputs. It is not authorized for use as a repository, processor, or transmitter of PHI.
If a Covered Entity enters into a formal Business Associate Agreement with GMB Billing Firm for services explicitly involving PHI processing, such engagement must be governed by a separate signed agreement, subject to compliance review, additional technical safeguards, and applicable service fees. This general BAA does not authorize PHI processing absent such a separate signed agreement.
Submission of PHI to the GMB Billing Firm platform without an executed, specific PHI-processing BAA is strictly prohibited. Users who submit PHI despite PHI warnings displayed by the platform's detection system do so in violation of this Agreement and in breach of their own HIPAA obligations as a Covered Entity.
The Covered Entity agrees to the following obligations when accessing or using the GMB Billing Firm platform:
As the provider of the platform and, where applicable, Business Associate, GMB Billing Firm agrees to the following:
The PHI Detection System provides real-time pattern scanning of user-submitted text using regular expression matching for the following categories:
The PHI Detection System does not detect: (i) narrative descriptions identifying individuals by context (e.g., "the 45-year-old schoolteacher in Room 302"); (ii) employer names or workplace identifiers; (iii) geographic data smaller than state; (iv) full-face photographs or biometric identifiers embedded in text; (v) device serial numbers; (vi) web URLs or IP addresses in text form; (vii) account numbers not prefixed with recognized keywords; (viii) non-standard date formats. The Covered Entity must manually verify de-identification for all 18 HIPAA identifiers listed in 45 CFR §164.514(b)(2).
The PHI Detection System blocks submission and displays a warning when potential PHI is detected. If the user overrides this warning by removing the checkbox confirmation or otherwise bypassing the control, GMB Billing Firm assumes no liability for any PHI submitted thereafter. Such override constitutes a knowing violation of this Agreement by the Covered Entity.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PULSELINE HEALTH SHALL NOT BE LIABLE FOR ANY HIPAA VIOLATIONS, OCR ENFORCEMENT ACTIONS, CIVIL MONETARY PENALTIES, BREACH NOTIFICATION COSTS, OR DAMAGES OF ANY KIND ARISING FROM: (i) THE COVERED ENTITY'S SUBMISSION OF PHI TO THE PLATFORM IN VIOLATION OF THIS AGREEMENT; (ii) FAILURE OF THE PHI DETECTION SYSTEM TO IDENTIFY ALL PHI; (iii) THE COVERED ENTITY'S OVERRIDE OF PHI WARNINGS; OR (iv) THE COVERED ENTITY'S FAILURE TO DE-IDENTIFY DATA PRIOR TO SUBMISSION.
Covered Entity Indemnification: The Covered Entity agrees to indemnify, defend, and hold harmless GMB Billing Firm, its officers, directors, employees, and agents from and against any claims, damages, fines, penalties, or costs (including reasonable attorney's fees) arising from: (a) the Covered Entity's breach of this Agreement; (b) the Covered Entity's submission of PHI to the platform; (c) the Covered Entity's HIPAA violations; or (d) any regulatory enforcement action resulting from the Covered Entity's misuse of the platform.
No Warranty: The PHI Detection System is provided "as-is" without warranty of any kind, express or implied. GMB Billing Firm does not warrant that the detection system will identify all PHI or that the platform will be error-free. The PHI Detection System is a compliance aid, not a compliance guarantee.
HIPAA violations are subject to civil monetary penalties of $100 to $50,000 per violation (up to $1.9 million per violation category per year) under 45 CFR §160.404. Criminal violations may result in fines up to $250,000 and imprisonment up to 10 years under 42 U.S.C. §1320d-6. The Covered Entity is solely responsible for its own HIPAA compliance.
GMB Billing Firm maintains a Medical Coding Audit Log as a compliance and accountability measure. The audit log records the following events for each platform session:
GMB Billing Firm does NOT log or retain: the clinical text entered by users, the specific codes generated, the content of claim data, the text of appeal letters, or any information that could identify a patient. Audit logs contain only event metadata, not clinical content.
Audit logs are retained for a minimum of 6 years from the date of creation, consistent with HIPAA requirements under 45 CFR §164.530(j). Covered Entities may request their organization's audit log summary by contacting support@gmbcoding.com.
Term: This Agreement is effective upon the Covered Entity's first use of the GMB Billing Firm platform and remains in effect until terminated by either party.
Termination for Cause: Either party may terminate this Agreement if the other party materially breaches any provision and fails to cure the breach within 30 days of written notice. GMB Billing Firm reserves the right to immediately terminate platform access upon discovery of PHI submission in violation of this Agreement.
Obligations Upon Termination: Upon termination, GMB Billing Firm will, to the extent practicable, return or destroy any data submitted by the Covered Entity that remains in GMB Billing Firm's systems. Where return or destruction is not feasible, the protections of this Agreement will continue to apply to any retained data.
Survival: The provisions of Sections 5 (PHI Detector Limitations), 6 (Indemnification), 7 (Audit Log), and this Section 8 shall survive termination of this Agreement.
This Agreement is governed by the laws of the United States, including HIPAA (42 U.S.C. §1320d et seq.), the HITECH Act (42 U.S.C. §17921 et seq.), and their implementing regulations at 45 CFR Parts 160 and 164. To the extent state law applies, this Agreement shall be governed by the laws of the state in which the Covered Entity's principal place of business is located.
Any dispute arising from this Agreement shall be resolved by binding arbitration under the rules of the American Arbitration Association, with proceedings conducted in English. Notwithstanding the foregoing, either party may seek injunctive relief in a court of competent jurisdiction to prevent imminent irreparable harm.
Entire Agreement: This BAA, together with GMB Billing Firm's Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding HIPAA compliance and supersedes all prior agreements on the subject matter hereof.
Amendment: GMB Billing Firm may amend this BAA at any time by posting an updated version to the platform. Continued use of the platform after the effective date of any amendment constitutes acceptance of the amended BAA.
Severability: If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.
No Third-Party Beneficiaries: This Agreement is for the sole benefit of GMB Billing Firm and the Covered Entity. Nothing herein shall create any rights in any third party, including patients whose de-identified data may be processed.
Contact for Privacy Matters: All privacy inquiries, breach reports, and BAA-related correspondence should be directed to: support@gmbcoding.com
GMB Billing Firm requires explicit, active acceptance of this Business Associate Agreement. You must complete all acknowledgments and provide your information below before accessing the platform. Passive use alone does not constitute acceptance.
This electronic acceptance is legally binding under the Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. §7001 et seq.) and the Uniform Electronic Transactions Act (UETA). Your checked acknowledgments, typed name, and submission timestamp constitute a valid electronic signature. A reference ID is generated upon acceptance for your records.
Step 1 — Check All Acknowledgments
Step 2 — Provide Your Information
Complete all 6 acknowledgments and all 4 fields to enable signing
Need a Wet-Signed or Countersigned BAA?
Contact support@gmbcoding.com with subject "BAA Execution Request". Include your organization name, NPI, and contact information. We respond within 2 business days.