Business Associate Agreement

Last updated: March 30, 2025

1. Parties and Effective Date

This Business Associate Agreement ("BAA") is established between you (the "Covered Entity") and HIKIP LLC (the "Business Associate") and is effective at the time the Covered Entity creates its HIKIP account (the "Effective Date"). This BAA supplements and modifies the Terms of Service between the Covered Entity and the Business Associate (the "Agreement") and replaces any previous business associate agreements.

2. Key Definitions

The following terms align with HIPAA regulations (45 C.F.R. Parts 160 and 164) and are critical to interpreting your and our obligations:

  • Breach: A breach of "Unsecured PHI" as defined in 45 C.F.R. § 164.402, concerning PHI created, received, maintained, or transmitted by the Business Associate for the Covered Entity.
  • Electronic Protected Health Information (ePHI): PHI transmitted by or maintained in electronic media, defined in 45 C.F.R. § 160.103.
  • Individual: The person who is the subject of PHI, including personal representatives per 45 C.F.R. § 164.502(g).
  • Marketing: Any communication about a product or service that encourages recipients to purchase or use such product or service, as clarified by 45 C.F.R. § 164.501(1), subject to various HIPAA exceptions.
  • PHI (Protected Health Information): As defined at 45 C.F.R. § 160.103, relating to the Covered Entity’s patients/clients.
  • Reportable Event: (1) Any use or disclosure of PHI not permitted by this BAA; (2) any Security Incident; or (3) any Breach of Unsecured PHI.
  • Required by Law: A mandate contained in law or regulation compelling the use or disclosure of PHI.
  • Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI, per 45 C.F.R. § 164.304.
  • Subcontractor: A person or entity to whom the Business Associate delegates a function, activity, or service, who is not directly employed by the Business Associate, per 45 C.F.R. § 160.103.
  • Unsecured PHI: PHI that is not secured through technology or methodology specified by HHS guidance under 45 C.F.R. § 164.402.

Additional terms used but not defined here have the meanings provided by HIPAA. Any ambiguity must be resolved in favor of HIPAA compliance.

3. Purpose and Relationship to the Agreement

  • The Business Associate may use or disclose PHI as necessary to carry out the services specified in the Agreement, provided such use or disclosure is consistent with HIPAA and applicable law.
  • This BAA governs only if HIKIP LLC is deemed a "business associate" of the Covered Entity under 45 C.F.R. § 160.103.
  • If a term in this BAA conflicts with a term in the Agreement, the BAA controls to the extent needed for HIPAA compliance.

4. Permitted Uses and Disclosures

  1. Services for Covered Entity: The Business Associate may use or disclose PHI to perform services, activities, or functions for the Covered Entity under the Agreement if such uses or disclosures are permitted by HIPAA.
  2. Management and Legal Obligations: The Business Associate may use PHI for its internal management or to meet its legal responsibilities.
  3. Disclosure for Management/Legal: The Business Associate may disclose PHI for these purposes if (a) Required by Law, or (b) the recipient agrees to maintain confidentiality and promptly notify the Business Associate of any breach.
  4. Reporting Potential Violations: The Business Associate may use or disclose PHI to report violations of law to appropriate authorities, consistent with 45 C.F.R. § 164.502(j).
  5. Data Aggregation: The Business Associate may aggregate the Covered Entity’s data with other data it holds in order to support health care operations, per 45 C.F.R. § 164.504(e)(2)(i)(B).
  6. De-identification: PHI may be de-identified according to 45 C.F.R. §§ 164.502(d) and 164.514(a)-(c). De-identified information may be used and disclosed freely, subject to applicable laws.
  7. Prohibition on Marketing: The Business Associate will not use or disclose PHI for marketing unless it has the Covered Entity’s prior written authorization, consistent with HIPAA’s standards on marketing activities.

5. Obligations and Safeguards

  1. Use/Disclosure Limitations: The Business Associate must not use or disclose PHI except as allowed by this BAA, the Agreement, or as Required by Law.
  2. HIPAA Compliance: When the Business Associate performs a duty under HIPAA in place of the Covered Entity, it must follow HIPAA’s rules applicable to that duty.
  3. Safeguards: The Business Associate will implement administrative, technical, and physical safeguards to protect PHI, including ePHI, and maintain compliance with the Security Rule and HITECH.
  4. Minimum Necessary: The Business Associate will make reasonable efforts to use, disclose, or request only the minimum necessary PHI to accomplish the intended purpose.
  5. Subcontractors: If the Business Associate engages a Subcontractor, it must ensure the Subcontractor agrees in writing to restrictions and conditions that are substantially similar to those in this BAA.

6. Breach and Reportable Event Management

  1. Notification of Events: The Business Associate must notify the Covered Entity (via email or phone) of any Reportable Event (including any Breach of Unsecured PHI) without unreasonable delay and no later than fifteen (15) business days after discovering the event.
  2. Content of Notification: When feasible, the Business Associate’s notice should identify the affected Individuals, describe what happened (including dates), detail the types of PHI involved, recommend steps the Individuals should take to protect themselves, outline what the Business Associate is doing to investigate and mitigate the issue, and include other details necessary for the Covered Entity to meet its own notification duties.
  3. Cooperation: The Business Associate will assist the Covered Entity in investigating any Reportable Event or Breach and determining necessary notifications.
  4. Mitigation: The Business Associate will mitigate, to the extent practicable, any known harmful effects of a Reportable Event.
  5. Routine Security Incidents: Unsuccessful or routine attempts to access systems (e.g., port scans, pings, unsuccessful login attempts) are noted as ongoing occurrences that do not necessarily require separate reporting, unless they result in actual unauthorized access or use.

7. Access and Amendment Rights

  1. Access Requests: If the Business Associate manages PHI in a Designated Record Set, it will enable the Covered Entity or the Individual to access that PHI, consistent with 45 C.F.R. § 164.524. If it does not maintain such PHI, it will inform the requester and coordinate with the Covered Entity as needed.
  2. Amendments: If the Business Associate maintains PHI in a Designated Record Set, it will amend or correct PHI upon the Covered Entity’s request, in line with 45 C.F.R. § 164.526.

8. Accounting of Disclosures

The Business Associate will document disclosures of PHI as required by 45 C.F.R. § 164.528 and HITECH, and provide such accounting information to the Covered Entity within a reasonable time (no fewer than ten (10) business days after a written request by the Covered Entity).

9. Term and Termination

  1. Term: This BAA remains in effect from the Effective Date and will terminate when the Agreement ends or if either party terminates this BAA for cause.
  2. Termination for Material Breach:
    1. If the Covered Entity believes the Business Associate materially violated this BAA, it will provide written notice specifying the breach. The Business Associate has thirty (30) days to cure. If it cannot or does not cure within that period, the Covered Entity may terminate this BAA (and the Agreement, if necessary).
    2. If the Business Associate believes the Covered Entity materially violated this BAA, it will provide written notice specifying the breach. The Covered Entity has thirty (30) days to cure. If it cannot or does not cure within that period, the Business Associate may terminate this BAA (and the Agreement).
  3. Effect of Termination:
    1. Upon termination, the Business Associate must return or securely destroy all PHI. If return or destruction is not feasible, the Business Associate will continue to protect it and only use or disclose it as necessary for the purposes that prevented its return/destruction.
    2. These obligations survive the termination of this BAA.

10. Additional Legal Provisions

  1. No Third-Party Beneficiaries: This BAA does not create rights for any party other than the Covered Entity, the Business Associate, and their successors/assigns.
  2. Entire Agreement; No Waiver: This BAA and the Agreement together represent the entire agreement relating to the use or disclosure of PHI. Failure to enforce any provision does not constitute a waiver of that provision.
  3. Governing Law and Disputes: This BAA is governed by the governing law stated in the Agreement, except where federal law preempts. Any disputes arising from this BAA follow the Agreement’s dispute resolution process.
  4. Assignment: Rights and obligations regarding assignment follow the Agreement’s assignment provisions. This BAA binds and benefits successors and assigns.
  5. Interpretation: Any ambiguity in this BAA will be resolved in favor of a meaning consistent with HIPAA.
  6. Notices: Formal notices required under this BAA must be sent to the contact addresses provided by each party. Either party may update its notice address with written notice.
  7. Independent Contractors: The parties remain independent contractors. Nothing in this BAA creates an agency, partnership, or joint venture.