Sample Business Associate Agreement
Sendable draft language for legal review
Use this sample as a starting point with your legal team. Final terms are governed by the fully executed countersigned BAA.
BlueHive Sample Business Associate Agreement Template
This page provides BlueHive's sample BAA template language for customer legal review. The final executable agreement may include account-specific fields such as legal entity names, notice addresses, and effective date.
This sample is provided for information and planning only and is not legal advice. A countersigned agreement governs in all cases.
Parties, Effective Date, and Definitions
This Business Associate Agreement ("BAA") is entered between the Covered Entity (or Business Associate customer) and BlueHive Health, LLC ("Business Associate"), effective as of the date stated in the signature block. Capitalized terms have the meanings set forth in HIPAA, including Breach, Disclosure, Individual, PHI, Security Incident, and Unsecured PHI. Terms not otherwise defined here have the same meaning as under HIPAA and its implementing regulations.
Permitted Uses and Disclosures
Business Associate may use and disclose PHI only as necessary to perform services for Covered Entity, as required by law, and as otherwise permitted in this BAA. Business Associate will not use or further disclose PHI in any manner that would violate HIPAA if done by Covered Entity, will apply the minimum necessary standard where required, and may use or disclose PHI for its proper management and administration only where permitted by law and subject to required confidentiality assurances.
Safeguards
Business Associate will implement appropriate administrative, physical, and technical safeguards, including Security Rule safeguards for electronic PHI, to protect against impermissible use or disclosure of PHI. BlueHive hosts HIPAA-regulated application workloads in BlueHive-operated on-premises data centers; active third-party subprocessors with PHI access are listed on the Subprocessors page.
Reporting and Breach Notification
Business Associate will report to Covered Entity any use or disclosure of PHI not provided for by this BAA, any Security Incident of which it becomes aware, and any Breach of Unsecured PHI as required by HIPAA and this BAA, without unreasonable delay and in no case later than fifteen (15) days after awareness unless a shorter period is required by law. Business Associate will mitigate, to the extent practicable, harmful effects of any impermissible use or disclosure known to Business Associate. This section constitutes notice of unsuccessful security incidents, including routine scans, pings, and other unsuccessful attempts that do not result in unauthorized access, use, or disclosure of PHI.
Subcontractors
Business Associate will ensure that subcontractors that create, receive, maintain, or transmit PHI on its behalf agree in writing to substantially the same restrictions and conditions that apply to Business Associate with respect to PHI.
Access, Amendment, and Accounting Support
To the extent required by HIPAA and requested by Covered Entity, Business Associate will make PHI available for access requests, provide information for amendment requests, and maintain the disclosure information needed to support accounting of disclosures obligations. Where Business Associate maintains PHI in a designated record set, Business Associate will provide requested supporting information to Covered Entity within fifteen (15) days of written request unless a shorter period is required by law.
Covered Entity Obligations and Required Notices
Covered Entity is responsible for providing and updating any notice of privacy practices, permissions, revocations, and agreed restrictions that may affect Business Associate's permitted uses or disclosures of PHI, and for obtaining and maintaining any authorizations required to disclose PHI to Business Associate for permitted purposes.
Availability of Records to Regulators
Business Associate will make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining HIPAA compliance, as required by law. Business Associate may report violations of law to appropriate federal and state authorities to the extent permitted by applicable law.
Data Ownership and Covered Entity Consents
As between the parties, Covered Entity is and remains the owner of all PHI disclosed by Covered Entity to Business Associate. Covered Entity represents and warrants that it has obtained and will maintain all required consents and authorizations necessary to disclose PHI to Business Associate for the purposes permitted by this BAA.
Liability Allocation and Damages
This BAA shall not be construed to create a contractual obligation for one party to indemnify the other party for loss or damage resulting from any act or omission of such other party or its employees, directors, officers, representatives, or agents. Any broader limitation of liability or damages exclusions are governed by the parties' master services agreement or other applicable contract, if any.
Governing Law and Venue
This BAA is governed by the law specified in the parties' controlling commercial agreement (or, if none, the law identified in the signature block addendum), without regard to conflict-of-laws principles. The parties submit to the venue specified in that agreement for disputes arising from this BAA.
No Participation in Class Actions
To the extent permitted by applicable law, each party agrees that any claim arising from or relating to this BAA will be brought only in an individual capacity and not as a plaintiff or class member in any purported class, collective, consolidated, or representative proceeding.
Term, Termination, and PHI Return/Destruction
This BAA remains in effect while Business Associate processes PHI on behalf of Covered Entity. If Covered Entity identifies a material breach, Covered Entity may provide written notice and a thirty (30) day cure period, terminate immediately where cure is not possible, and/or report the violation to HHS as permitted by law. Upon termination, Business Associate will return or destroy PHI where feasible. If return/destruction is infeasible, Business Associate will extend BAA protections to retained PHI and limit further uses and disclosures to permitted retention purposes.
Priority and Conflicts
With respect to PHI only, this BAA controls over conflicting terms in other agreements between the parties.
Miscellaneous HIPAA Administration
References to HIPAA regulations mean those provisions as amended or superseded. The parties will take actions reasonably necessary to amend this BAA to comply with applicable law. Provisions that by their nature should survive termination (including retained-PHI protections) survive termination. This BAA is interpreted to permit HIPAA compliance, controls over conflicting PHI terms in other agreements, and may be modified only by a written instrument signed by both parties except where law requires updates. The parties remain independent contractors and no third-party beneficiary rights are created.