HIPAA Business Associate Agreement

Last updated: May 1, 2026

This HIPAA Business Associate Agreement (the “Agreement”) is entered into as of the date of electronic acceptance (the “Effective Date”) by and between the accepting party (the “Covered Entity”) and Operaitor (the “Business Associate”), collectively the “Parties”.

1. Definitions

Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms defined in HIPAA, including, but not limited to, “Business Associate,” “Covered Entity,” “Protected Health Information” (“PHI”), “Electronic Protected Health Information” (“ePHI”), “Breach”, and “De-identified Data”.

Business Associate

A “Business Associate” is any person or entity that performs functions or activities on behalf of, or provides services to, a Covered Entity that involve the use or disclosure of Protected Health Information (PHI). Examples include third-party billing companies, cloud storage providers, or IT service providers who handle PHI.

Covered Entity

A “Covered Entity” refers to health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form in connection with transactions covered by HIPAA. These entities are directly responsible for protecting the privacy and security of patient information.

Protected Health Information (PHI)

“PHI” is any information, whether oral or recorded in any form, that is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse, and relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare, or payment for healthcare. PHI can include names, addresses, birthdates, Social Security numbers, and medical records.

Electronic Protected Health Information (ePHI)

“ePHI” is any PHI that is created, stored, transmitted, or received electronically. This includes digital records, emails containing patient data, and electronic billing information. ePHI is subject to additional security requirements under the HIPAA Security Rule.

Breach

A “Breach” refers to the impermissible use or disclosure of PHI that compromises its security or privacy, unless the Covered Entity or Business Associate can demonstrate a low probability that the PHI has been compromised based on a risk assessment. Examples include data theft or loss of unencrypted devices containing PHI.

De-Identified Data

“De-Identified Data” is any information that has been de-identified in accordance with 45 C.F.R. §164.514(b) and therefore is not Protected Health Information.

2. Obligations and Activities of Business Associate

a. Use and Disclosure of PHI

The Business Associate may only use or disclose PHI as necessary to perform services outlined in the underlying service agreement or as required by law, but not in a manner that violates HIPAA regulations.

b. Safeguards

The Business Associate agrees to use appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided by this Agreement, including compliance with HIPAA’s Security Rule (45 CFR Part 164 Subpart C) for ePHI.

c. Mitigation

The Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of this Agreement.

d. Reporting

The Business Associate agrees to report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI, in compliance with 45 CFR 164.410.

e. Subcontractors

The Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate under this Agreement.

f. Access, Amendment, and Accounting

Upon the Covered Entity’s written request — and within the time and manner reasonably designated by the Covered Entity — the Business Associate shall:

  • Provide access to PHI in a Designated Record Set, consistent with 45 C.F.R. § 164.524;
  • Make amendments to such PHI as directed by the Covered Entity, consistent with 45 C.F.R. § 164.526; and
  • Document and provide an accounting of disclosures of PHI as required by 45 C.F.R. § 164.528.

The Business Associate may charge the Covered Entity its reasonable costs for fulfilling more than three (3) individual requests per calendar quarter for access, amendment, or an accounting of disclosures.

g. Compliance with Law

The Business Associate shall comply with the requirements of the HIPAA Rules that apply to business associates, including any amendments to HIPAA or other laws that affect this Agreement.

3. Permitted Uses and Disclosures by Business Associate

The Business Associate may:

  1. Use or disclose PHI to perform the services as set forth in the service agreement between the Covered Entity and Business Associate, provided that such use or disclosure would not violate HIPAA if done by the Covered Entity.
  2. Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are required by law or the Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential and used only for its intended purpose.
  3. Use PHI to provide data aggregation services relating to the health care operations of the Covered Entity.
  4. Create de-identified data from PHI and may use or disclose such de-identified data for product improvement, analytics, research, benchmarking, and other lawful purposes. De-identified data is not subject to this Agreement.

4. Term and Termination

a. Term

This Agreement shall remain in effect until the termination of the service agreement or as otherwise provided by law.

b. Termination for Cause

The Covered Entity may terminate this Agreement if the Business Associate materially breaches this Agreement and fails to cure such breach within thirty (30) days after receiving written notice.

c. Obligations Upon Termination

Within sixty (60) days of termination or expiration of the Service Agreement, Business Associate shall return or destroy all PHI received from, or created on behalf of, the Covered Entity. If return or destruction is not feasible, the Business Associate shall extend the protections of this Agreement to the PHI and limit further use and disclosures to those purposes that make return or destruction infeasible.

5. Audit and Inspection

Covered Entity may audit Business Associate’s HIPAA-compliance practices no more than once in any twelve-month period, with at least thirty (30) days’ prior written notice, during regular business hours, and at Covered Entity’s expense, unless a material breach is identified.

6. Liability and Insurance

a. To the fullest extent permitted by law, the aggregate liability of either Party arising out of or related to this Agreement shall not exceed the fees paid or payable by Covered Entity to Business Associate under the Service Agreement in the twelve (12) months preceding the event giving rise to the claim.

b. Neither Party shall be liable to the other for any indirect, special, incidental, punitive, or consequential damages, including lost profits or business interruption, even if advised of the possibility of such damages.

7. Miscellaneous

a. Amendment: This Agreement may only be amended in writing, signed by both parties.

b. Survival: The obligations of the Business Associate under this Agreement shall survive the termination of this Agreement with respect to PHI that cannot feasibly be returned or destroyed.

c. Interpretation: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

Electronic Acceptance

By checking the “I agree to the Terms of Service and Business Associate Agreement” box during account registration, you acknowledge that you have read, understood, and agree to be bound by this Business Associate Agreement on behalf of your organization (the Covered Entity). This electronic acceptance constitutes a legally binding signature as of the date of acceptance.