Business Associate Agreement

ClinicFlow's standard BAA, available to every healthcare-provider Customer.

Template v3.0 — 1 May 2026

The text below is the boilerplate of our standard Business Associate Agreement under 45 CFR §164.504(e). This page is for reference; an executable countersigned PDF is provided when you subscribe (or on request from [email protected]).


1. Definitions

Capitalized terms not defined here have the meaning given in HIPAA, including 45 CFR Parts 160 and 164.

2. Permitted uses & disclosures

Business Associate may use or disclose PHI only:

  • To perform functions, activities, or services for or on behalf of Covered Entity as specified in the Services agreement.
  • For the proper management and administration of Business Associate.
  • To carry out legal responsibilities of Business Associate.
  • For data aggregation services to Covered Entity, when permitted under 45 CFR §164.504(e)(2)(i)(B).

3. Obligations of Business Associate

  • Not use or disclose PHI other than as permitted by this BAA or required by law.
  • Implement appropriate safeguards to prevent unauthorized use or disclosure (see Security Practices).
  • Report any use or disclosure not provided for by this BAA, including breaches of unsecured PHI, within 24 hours of discovery.
  • Ensure that subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions in writing.
  • Make PHI available to Covered Entity for access, amendment, and accounting-of-disclosures requests.
  • Make internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance.
  • Return or destroy all PHI received from, or created or received by Business Associate on behalf of Covered Entity, at termination of the Services.

4. Subcontractors

A current list of Business Associate's subcontractors that handle PHI is maintained at clinicflowai.app/legal/subprocessors. Business Associate will give Covered Entity 30 days' written notice of any new subcontractor that processes PHI.

5. Permitted Uses for Management

Business Associate may use PHI for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential.

6. Term & Termination

  • This BAA is effective on the date of execution and continues until the underlying Services Agreement terminates, except that obligations to protect PHI survive.
  • Covered Entity may immediately terminate the Services Agreement and this BAA if Business Associate fails to cure a material breach within 30 days of written notice.

7. Effect of Termination

Upon termination, Business Associate will return or destroy all PHI in its possession, except where retention is legally required (e.g., HIPAA's 6-year audit-log retention). For any PHI that cannot feasibly be returned or destroyed, Business Associate will continue to extend the protections of this BAA to that PHI.

8. Miscellaneous

  • Regulatory amendments. The parties will amend this BAA as needed to comply with changes to HIPAA.
  • Interpretation. Any ambiguity in this BAA will be resolved in favor of a meaning that permits the parties to comply with HIPAA.
  • Survival. Sections that by their nature should survive termination, including Section 7 and this Section, survive termination.

This template is provided for transparency and convenience. The executable BAA you sign at subscription may include order-specific variations. If you require a redlined version, contact [email protected].