Business Associate Agreement (BAA)

Last Updated: 1/31/2026

1. Definitions

"Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103.

"Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103.

"HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

2. Obligations and Activities of Business Associate

Business Associate agrees to:

• Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;
• Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;
• Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410.

3. Encryption & Security

We implement AES-256-GCM encryption for data at rest and TLS 1.2+ for data in transit to ensure the confidentiality and integrity of PHI.