Business Associate Agreement — Template
HIPAA-compliant BAA template per 45 CFR §164.504(e). For Enterprise customers whose use of gasguide.app involves storing or sharing protected health information (PHI). Last reviewed: .
1. Definitions
Terms used but not otherwise defined in this BAA have the same meaning as those terms in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (45 CFR Parts 160 and 164).
- Covered Entity: the Enterprise customer organization signing this BAA.
- Business Associate: gasguide.app.
- PHI: Protected Health Information as defined at 45 CFR §160.103.
- ePHI: PHI transmitted by or maintained in electronic media.
2. Permitted uses and disclosures of PHI
Business Associate may use or disclose PHI only as necessary to perform the services specified in the Service Agreement between the parties, or as required by law. Business Associate will not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, except as set forth in this BAA.
Specifically, Business Associate may use PHI to: (a) provide credentialing, study-progress, and compliance-tracking services to the Covered Entity; (b) carry out its own legal responsibilities; (c) provide data aggregation services relating to the health-care operations of the Covered Entity, when applicable.
3. Obligations of Business Associate
- Safeguards. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI. Specifically: TLS 1.2+ for data in transit; encryption-at-rest for stored ePHI; row-level security policies scoped to user/organization; principle of least privilege for administrator access; MFA required on all administrator accounts.
- Reporting. Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any breach of unsecured PHI as required by 45 CFR §164.410, within 10 business days of discovery.
- Subcontractors. Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions and conditions that apply to Business Associate. Current subcontractors with PHI access: Supabase (storage + auth), Cloudflare (CDN + DDoS), Resend (transactional email), AWS Textract (OCR — when enabled). Each has signed a BAA with Business Associate.
- Access. Provide access to PHI to the Covered Entity or, as directed by Covered Entity, to the individual, in compliance with 45 CFR §164.524.
- Amendment. Make amendments to PHI in a designated record set in compliance with 45 CFR §164.526.
- Accounting. Document and provide accountings of disclosures of PHI in compliance with 45 CFR §164.528. gasguide.app logs every credential view via the credential_views audit table.
- Audit. Make internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with HIPAA.
- Return or destruction. Upon termination of the Service Agreement, return or destroy all PHI received from, or created or received on behalf of, Covered Entity. If return or destruction is not feasible, extend the protections of this BAA to the PHI and limit further uses and disclosures.
4. Obligations of Covered Entity
- Notify Business Associate of any limitation in its notice of privacy practices, of any change in or revocation of permission by an individual, and of any restriction on use or disclosure that the Covered Entity has agreed to.
- Not request Business Associate to use or disclose PHI in a manner that would not be permitted under HIPAA if done by Covered Entity.
5. Term and termination
This BAA takes effect on the date of the underlying Service Agreement and continues until the Service Agreement terminates. Either party may terminate this BAA upon written notice if the other party has materially breached this BAA and the breach is not cured within 30 days of notice.
6. Breach notification
Upon discovery of a breach of unsecured PHI, Business Associate will notify Covered Entity without unreasonable delay and in any event within 10 business days of discovery. The notice will include, to the extent known: identification of the affected individuals, the nature of the PHI involved, and what is being done to investigate, mitigate, and prevent recurrence. Business Associate will assist Covered Entity in meeting its own breach-notification obligations under 45 CFR §164.404.
See our breach-notification SOP for the full procedure.
7. Governing law and miscellaneous
This BAA is governed by the laws of the State of Florida and applicable federal law. If any provision is held invalid, the remaining provisions continue in full force. Amendments must be in writing and signed by both parties. This BAA supersedes any prior business-associate agreements between the parties.
Signature block
Covered Entity:
Business Associate (gasguide.app):
This template is provided for reference. The signed version exchanged between the parties is the operative document. For a signed copy, contact legal@gasguide.app.