Business Associate Agreement - GFunnel Business LLC

Last Updated: July 24, 2025

This Business Associate Agreement ("BAA") is entered into by and between GFunnel Business LLC ("GFunnel," "Business Associate," "we," "us," or "our") and the Client ("Covered Entity"), defined as an individual or entity, including their employees, staff, partners, or authorized representatives (collectively, "Users"), who subscribe to or use GFunnel’s services, software, and platforms (collectively, "Services"), including the Branded Flows AI software, GFunnel Email, SMS GFunnel, CRM, Websites, and other marketing and business tools, to manage business operations or serve third parties. This BAA applies to Clients acting as Covered Entities under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, and its implementing regulations (45 C.F.R. Parts 160 and 164). By executing this BAA and using the Services, the Covered Entity agrees to the terms herein, ensuring compliance with HIPAA for the handling of Protected Health Information ("PHI").

1. Purpose

This BAA establishes the responsibilities of GFunnel and the Covered Entity regarding the use, disclosure, and safeguarding of PHI, as defined by HIPAA, in connection with the Services. It supplements GFunnel’s Terms of Service (https://www.gfunnel.com/terms), Privacy Policy (https://www.gfunnel.com/privacy), Acceptable Use Policy (https://www.gfunnel.com/acceptable-use-policy), and AI Acceptable Use Policy (https://www.gfunnel.com/ai-acceptable-use-policy). The BAA ensures compliance with HIPAA and protects GFunnel from liability for misuse of PHI by the Covered Entity or its Users.

2. Definitions

  • Protected Health Information (PHI): Individually identifiable health information, as defined in 45 C.F.R. § 160.103, transmitted or maintained in any form or medium, that GFunnel creates, receives, or maintains on behalf of the Covered Entity.
  • Covered Entity: A health care provider, health plan, or health care clearinghouse, as defined in 45 C.F.R. § 160.103, that engages GFunnel to perform services involving PHI.
  • Business Associate: GFunnel, as an entity that performs functions or services on behalf of the Covered Entity involving the use or disclosure of PHI.
  • Users: Employees, staff, partners, or authorized representatives of the Covered Entity who access or use the Services under the Covered Entity’s account.

3. Permitted Uses and Disclosures of PHI

GFunnel may use or disclose PHI only as follows:

  • Service Provision: To provide and manage the Services as specified in the Service Agreement, including CRM data management, email/SMS campaigns, and website hosting, solely to the extent necessary to perform functions on behalf of the Covered Entity.
  • Data Aggregation: To aggregate PHI with that of other Covered Entities for analytics or reporting, provided data is anonymized and does not identify individuals, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
  • Legal Compliance: To comply with applicable legal requirements, such as responding to a court order or regulatory request, as permitted by HIPAA.
  • De-Identified Data: To create de-identified data for improving the Services, including training the Branded Flows AI software, in accordance with 45 C.F.R. § 164.514.

GFunnel will not use or disclose PHI in any manner that violates HIPAA, this BAA, or the Terms of Service, except as required by law.

4. Prohibited Uses and Disclosures

The Covered Entity and its Users are prohibited from:

  • Storing or processing PHI in unauthorized areas of the Services (e.g., non-designated CRM fields, Branded Flows AI outputs) without GFunnel’s express written consent and a signed BAA.
  • Using the AI Software to generate PHI-related content for automated decision-making with legal or significant effects (e.g., medical diagnoses) without human oversight.
  • Disclosing PHI to third parties not bound by this BAA or HIPAA, except as permitted by law.
  • Using PHI for marketing or advertising without obtaining prior authorization from individuals, as required by 45 C.F.R. § 164.508.

5. Obligations of GFunnel

As a Business Associate, GFunnel agrees to:

  • Use appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of PHI, as required by 45 C.F.R. § 164.306.
  • Limit uses and disclosures of PHI to those permitted by this BAA or required by law.
  • Report to the Covered Entity any known security incidents or breaches involving PHI within 72 hours of discovery, including details of the breach, affected records, and mitigation steps, as required by 45 C.F.R. § 164.410.
  • Ensure that any subcontractors handling PHI on GFunnel’s behalf agree to the same restrictions and conditions as this BAA, per 45 C.F.R. § 164.504(e)(2).
  • Make available PHI for the Covered Entity’s compliance with individual rights requests (e.g., access, amendment) under 45 C.F.R. § 164.524 and § 164.526, upon written request.
  • Provide an accounting of disclosures of PHI upon the Covered Entity’s request, as required by 45 C.F.R. § 164.528.
  • Return or destroy PHI upon termination of this BAA, if feasible, or extend protections to retained PHI, per 45 C.F.R. § 164.504(e)(2)(ii)(J).

6. Obligations of the Covered Entity

The Covered Entity agrees to:

  • Ensure that its Users comply with this BAA, the Terms of Service, Acceptable Use Policy, and AI Acceptable Use Policy when handling PHI.
  • Obtain and maintain necessary authorizations, consents, or notices for the use and disclosure of PHI, including for marketing purposes, as required by HIPAA.
  • Notify GFunnel in writing at onestop@gfunnel.com before storing or processing PHI in the Services, specifying the designated areas (e.g., CRM fields).
  • Train Users on HIPAA compliance and secure handling of PHI, ensuring they maintain the confidentiality of access credentials.
  • Be solely responsible for any PHI stored or processed in violation of this BAA, including by Users serving third parties.
  • Indemnify GFunnel for any claims, damages, or expenses arising from the Covered Entity’s or its Users’ misuse of PHI, as specified in the Terms of Service (Section 16).

7. Security and Breach Notification

GFunnel implements safeguards to protect PHI, including encryption and access controls. In the event of a breach of unsecured PHI, GFunnel will:

  • Notify the Covered Entity within 72 hours of discovery, including a description of the breach, affected records, and mitigation steps.
  • Cooperate with the Covered Entity to notify affected individuals, media, or authorities, as required by 45 C.F.R. § 164.404-410, unless GFunnel is directly at fault.

The Covered Entity is responsible for notifying individuals, media, or authorities (e.g., HHS, GDPR Lead Supervisory Authority) unless GFunnel’s actions directly caused the breach. The Covered Entity must not name GFunnel in breach notifications unless required by law, and copies of such notifications must be sent to GFunnel at onestop@gfunnel.com before release.

8. Term and Termination

This BAA takes effect upon execution by both parties and remains in force until terminated. Termination may occur:

  • By Agreement: Upon mutual written agreement or termination of the Service Agreement.
  • For Cause: By either party upon 30 days’ written notice if the other party materially breaches this BAA and fails to cure the breach within the notice period.
  • By GFunnel: Immediately, if GFunnel determines the Covered Entity or its Users are using PHI in a manner that violates HIPAA or this BAA.

Upon termination, GFunnel will return or destroy PHI, if feasible, or maintain protections for retained PHI, per 45 C.F.R. § 164.504(e)(2)(ii)(J). Access to the Services may be suspended or terminated, as specified in the Terms of Service (Section 5).

9. Indemnification

The Covered Entity shall indemnify and hold GFunnel harmless from any claims, damages, losses, or expenses, including reasonable attorneys’ fees, arising from the Covered Entity’s or its Users’ misuse of PHI or violation of this BAA, including unauthorized storage, processing, or disclosure of PHI.

10. Updates to this BAA

GFunnel may update this BAA to reflect changes in the Services, HIPAA regulations, or business needs. Updates will be posted at https://www.gfunnel.com/baa, with the "Last Updated" date revised. The Covered Entity will be notified of material changes via email or GFunnel platform notification. Continued use of the Services after updates constitutes acceptance of the revised BAA. If the Covered Entity does not agree with changes, it must notify GFunnel in writing within 30 days at onestop@gfunnel.com, and the prior BAA will apply until the end of the current Term.

11. Contact Information

For questions or concerns about this BAA, contact GFunnel at:

  • Email: onestop@gfunnel.com
  • Mail: GFunnel Business LLC, 5830 E 2nd St Ste 7000 #13094, Casper, WY 82609
  • Phone: +1 833 455 5538