Business Associate Agreement
Last updated: [DATE — DRAFT ONLY]
What is a Business Associate Agreement?
Under HIPAA, a Business Associate Agreement (BAA) is a legally required contract between a covered entity (your clinic) and any vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on the covered entity's behalf. The BAA establishes the permissible uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, and defines obligations in the event of a breach.
The BAA requirement is codified at 45 CFR §164.308(b) and §164.504(e). Operating without a signed BAA when PHI is involved constitutes a HIPAA violation.
PHIGuard's BAA
PHIGuard acts as a Business Associate under HIPAA when your clinic uses our platform to create or manage tasks that contain PHI. A signed BAA is included at every PHIGuard pricing tier — Essentials ($99/mo), Clinic ($249/mo), and Group ($499/mo).
The BAA is delivered automatically as part of your account creation process. You do not need to contact a sales team, negotiate terms, or upgrade to an enterprise plan to receive a signed BAA.
When the BAA applies
The BAA applies when your clinic uses PHIGuard to:
- Create tasks that reference patient names, appointment details, or other PHI
- Track compliance activities involving PHI (incident reports, breach assessments)
- Coordinate care-related tasks that include patient information
- Store policy documents that reference PHI handling
If your clinic uses PHIGuard exclusively for internal operational tasks that do not involve any PHI, the BAA is still in place but may not be legally required for that specific use case. When in doubt, treat any patient-related information as PHI and ensure the BAA governs your use.
Summary of BAA terms
The full BAA text is available at the link below. Key provisions include:
Permitted uses and disclosures of PHI
PHIGuard may use or disclose PHI only as permitted by the BAA and as necessary to provide the contracted services. PHIGuard will not use or disclose PHI for marketing, sale, or any purpose beyond service delivery.
Safeguards
PHIGuard implements appropriate administrative, physical, and technical safeguards to protect PHI, consistent with HIPAA Security Rule requirements. This includes encryption at rest (AES-256), encryption in transit (TLS 1.2+), immutable audit logging, and access controls.
Subcontractors
PHIGuard will enter into a written agreement with any subcontractor that creates, receives, maintains, or transmits PHI on PHIGuard's behalf, imposing the same PHI protections required of PHIGuard under the BAA.
Breach notification
PHIGuard will notify your clinic of any discovered breach of unsecured PHI within the timeframes required by 45 CFR §164.410. Notification will include, to the extent reasonably practicable, the identification of affected individuals, the date of breach, and a description of the PHI involved.
Termination
Upon termination of the service agreement, PHIGuard will return or destroy PHI as directed by your clinic, to the extent feasible. Where return or destruction is not feasible, PHIGuard will continue to protect the PHI for as long as it is retained.
Individual rights
PHIGuard will provide your clinic access to PHI in PHIGuard's possession when required for you to fulfill patients' rights requests under HIPAA (e.g., access requests, amendment requests).
Reviewing and downloading the BAA
The complete BAA text is available for review before you sign up; after account creation, you can also review and download a copy from your PHIGuard account settings.
Note: The BAA document available for download is marked "DRAFT — NOT FOR EXECUTION — MUST BE REVIEWED BY A QUALIFIED ATTORNEY BEFORE USE." The executed BAA that governs your use of PHIGuard is the version accepted during account creation.
Questions about the BAA
For questions about our Business Associate Agreement, contact: legal@phiguard.app
We respond to legal inquiries within two business days.
HIPAA Business Associate Agreement
DRAFT — NOT FOR EXECUTION — MUST BE REVIEWED BY A QUALIFIED ATTORNEY BEFORE USE
This Business Associate Agreement ("Agreement") is entered into between PHIGuard, Inc. ("Business Associate") and the covered entity identified in the associated PHIGuard account ("Covered Entity").
Article 1. Definitions
Terms used but not otherwise defined in this Agreement shall have the meanings given to them in the HIPAA Rules. "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
"Protected Health Information" or "PHI" means protected health information as defined in 45 CFR §160.103, limited to the PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
Article 2. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this Agreement or as required by law;
- Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement;
- Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required at 45 CFR §164.410;
- Ensure any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this Agreement;
- Make available PHI in a designated record set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR §164.524;
- Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining Covered Entity's compliance with the HIPAA Rules;
- Upon termination of this Agreement, if feasible, return or destroy all PHI received from or on behalf of Covered Entity; and
- Implement appropriate administrative, physical, and technical safeguards consistent with 45 CFR Part 164, Subpart C.
Article 3. Permitted uses and disclosures by Business Associate
Business Associate may use and disclose PHI only as necessary to perform services for Covered Entity as described in the applicable service agreement, and as permitted by this Agreement. Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities.
Article 4. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any limitation in Covered Entity's Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI;
- Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose his or her PHI;
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
Article 5. Term and termination
This Agreement is effective as of the date Covered Entity creates a PHIGuard account and remains in effect for the duration of the service relationship. Either party may terminate this Agreement upon material breach by the other party. Upon termination, the data handling provisions of Article 2 shall survive.
Article 6. Miscellaneous
This Agreement is governed by federal law and the laws of [STATE — TO BE DETERMINED]. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the HIPAA Rules. This Agreement supersedes all prior agreements between the parties relating to the subject matter hereof.