Business Associate Agreement (BAA)

1. Definitions

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Rules.

• Business Associate: HIPAA Hub Inc. ("Covered Entity" as defined in HIPAA)
• Covered Entity: The healthcare practice or organization using HIPAA Hub services
• HIPAA Rules: The Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations

2. Permitted Uses and Disclosures

Business Associate may use or disclose Protected Health Information (PHI) to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.

3. Specific Obligations and Activities of Business Associate

Business Associate agrees to:

• Not use or disclose PHI other than as permitted or required by this Agreement or as required by law
• Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement
• Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI
• Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware
• Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate
• Make available PHI in accordance with 45 CFR § 164.524
• Make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 CFR § 164.526
• Make available the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528
• Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules

4. Important Note

HIPAA Hub does not store or process Protected Health Information (PHI). Our platform is designed exclusively for compliance documentation, risk assessments, policy management, and evidence storage. We maintain a "zero PHI architecture" to ensure we never handle patient health information.

5. Term and Termination

This Agreement shall remain in effect until terminated by either party. Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, if feasible. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

6. Contact Information

For questions about this BAA or HIPAA Hub's compliance practices, please contact: