Aerea Labs

Business Associate Agreement

Last updated: [EFFECTIVE-DATE]

This Business Associate Agreement ("BAA") is entered into between [CUSTOMER-NAME] ("Covered Entity") and [YOUR-COMPANY-LEGAL-NAME] ("Business Associate"), and is incorporated into and made part of the applicable service agreement between the parties.

1. Definitions

"Protected Health Information" ("PHI") has the meaning given in 45 CFR §160.103, limited to PHI that the Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity.

"Required By Law" means a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.

"Secretary" means the Secretary of the U.S. Department of Health and Human Services or any officer or employee of HHS to whom the authority involved has been delegated.

"HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.

  • "Designated Record Set" — as defined at 45 CFR §164.501; includes medical records, billing records, and other records used to make decisions about the individual.
  • "Electronic PHI" ("ePHI") — PHI that is created, received, maintained, or transmitted in electronic form.
  • "Unsecured PHI" — PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorised persons through a technology or methodology specified by HHS guidance.

All other terms used but not defined herein shall have the meanings given to them under the HIPAA Rules.

2. Permitted Uses and Disclosures

The Business Associate may use or disclose PHI only as permitted or required by this BAA or as Required By Law. The Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities.

The Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided the disclosures are Required By Law, or the Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed, and the recipient notifies the Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.

  • Providing, operating, and improving the Services as described in the applicable service agreement.
  • De-identifying PHI in accordance with 45 CFR §164.514(b); de-identified data is no longer subject to this BAA.
  • Using PHI for the Business Associate's own proper management and administration, or to carry out legal responsibilities, only to the minimum necessary extent.

3. Specific Use and Disclosure Provisions

Except as otherwise limited in this BAA, the Business Associate may use PHI to provide data aggregation services to the Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).

  • Data aggregation: the Business Associate may combine PHI from multiple Covered Entities to permit data analyses that relate to the Health Care Operations of the respective Covered Entities.
  • Law reporting: disclosures to Federal or State authorities are limited to the minimum PHI necessary to report the violation.
  • No other uses or disclosures of PHI are permitted under this Section without prior written authorisation from the Covered Entity.

4. Obligations and Activities of Business Associate

The Business Associate shall:

  • Not use or disclose PHI other than as permitted or required by this BAA or Required By Law.
  • Use appropriate safeguards, and comply with 45 CFR Part 164 Subpart C with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
  • Report to the Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR §164.410, and any security incident of which it becomes aware, without unreasonable delay and in no case later than 60 days after discovery.
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such PHI.
  • Make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy the Covered Entity's obligations under 45 CFR §164.524.
  • Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR §164.526, or take other measures as necessary to satisfy the Covered Entity's obligations under 45 CFR §164.526.
  • Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's obligations under 45 CFR §164.528.
  • To the extent the Business Associate is to carry out one or more of the Covered Entity's obligation(s) under 45 CFR Part 164 Subpart E, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
  • Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

5. Permitted Uses and Disclosures by Covered Entity

The Covered Entity shall notify the Business Associate of any limitation(s) in the Covered Entity's Notice of Privacy Practices under 45 CFR §164.520, to the extent that such limitation may affect the Business Associate's use or disclosure of PHI.

The Covered Entity shall notify the Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect the Business Associate's permitted or required uses and disclosures.

The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity.

  • The Covered Entity warrants that all PHI it submits to the Services has been collected and may be disclosed in accordance with the HIPAA Rules.
  • Limitation notifications must be delivered in writing to [YOUR-DPO-EMAIL]; the Business Associate will give effect to them no later than 5 business days after confirmed receipt.
  • The Covered Entity retains responsibility for obtaining any required patient authorisations before submitting PHI to the Services.

6. Term and Termination

This BAA shall be effective as of [EFFECTIVE-DATE] and shall remain in effect until all PHI provided by the Covered Entity to the Business Associate is destroyed or returned to the Covered Entity, or, if infeasible, protections are extended to such PHI in accordance with Section 9.

Either party may terminate this BAA upon material breach by the other party, provided the non-breaching party gives the breaching party 30 days' prior written notice and the breach is not cured within that notice period.

The Covered Entity may terminate this BAA immediately and without prior notice if it determines that the Business Associate has violated a material term of this BAA and cure is not possible.

Upon termination of this BAA for any reason, the Business Associate shall return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity, as set out in Section 9 (Effect of Termination). This provision applies equally to PHI in the possession of subcontractors or agents of the Business Associate. Except where return or destruction is infeasible under Section 9, the Business Associate shall retain no copies of the PHI.

  • Cure period: 30 days from receipt of written breach notice, unless the breach is incapable of cure.
  • Immediate termination grounds: unauthorised disclosure of PHI, failure to implement required safeguards, or material non-compliance with HIPAA Rules.
  • Data return or destruction must be certified in writing within 30 days of termination.

7. Miscellaneous

The parties agree to take such action as is necessary to amend this BAA from time to time in order to comply with the requirements of the HIPAA Rules and any other applicable law.

Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.

This BAA shall be governed by and construed in accordance with the laws of [YOUR-JURISDICTION], without regard to its conflict-of-law provisions, except to the extent federal law applies.

  • Amendment: amendments are effective only when made in writing and signed by authorised representatives of both parties.
  • Waiver: failure to enforce any provision of this BAA does not constitute a waiver of future enforcement.
  • Entire agreement: this BAA, together with the applicable service agreement, constitutes the entire agreement between the parties with respect to PHI.

8. Survival

The respective rights and obligations of the Business Associate under Section 9 (Effect of Termination) of this BAA shall survive the termination of this BAA.

  • Sections 1 (Definitions), 8 (Survival), 9 (Effect of Termination), and 10 (Limitation of Liability) shall survive termination of this BAA.
  • Confidentiality obligations with respect to PHI continue for as long as the Business Associate retains any PHI.

9. Effect of Termination

Except as provided in this Section, upon termination of this BAA, for any reason, the Business Associate shall return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity.

In the event the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. Upon notification that return or destruction of PHI is infeasible, the Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.

  • PHI returned in machine-readable JSON format via a signed, time-limited download link within 30 days of written request.
  • Destruction certified in writing; encrypted backup copies purged within 30 days of the effective termination date.
  • Infeasibility notice delivered within 10 business days of determining that return or destruction cannot be completed.

10. Limitation of Liability

Each party's liability under this BAA shall be subject to the limitations and exclusions set out in the applicable service agreement, to the maximum extent permitted by applicable law, including the HIPAA Rules. Nothing in this BAA limits either party's liability for wilful misconduct, fraud, or gross negligence.

The Business Associate's platform implements technical safeguards that support compliance with the HIPAA Security Rule (a write-once (WORM) audit chain, encryption at rest and in transit, and access controls). This statement describes the technical architecture only; it is not a representation that the Business Associate has obtained HIPAA certification, which HHS does not issue and which is not available under the HIPAA Rules.

  • HHS civil monetary penalties attributable to the Business Associate's wilful neglect are not subject to the service agreement liability cap.
  • The Covered Entity indemnifies the Business Associate against claims arising from the Covered Entity's own HIPAA violations or unlawful instructions.
  • Neither party is liable for indirect, incidental, or consequential damages arising from this BAA, to the extent permitted by law.

11. Notice

Any notice required or permitted to be given hereunder shall be in writing and shall be deemed effective upon personal delivery, upon confirmed email transmission, or three (3) business days after deposit in the mail, postage prepaid, addressed as follows:

To Covered Entity: [CUSTOMER-NAME], as specified in the applicable service agreement.

To Business Associate: [YOUR-COMPANY-LEGAL-NAME], Attention: [YOUR-DPO-EMAIL].

  • Email notices are effective upon confirmed delivery (read receipt or explicit acknowledgement).
  • Either party may update its notice address by providing 10 business days' written notice to the other party.
  • Breach notifications under Section 4 must be sent to the Covered Entity's designated security contact, not the general notice address.