EnWella Health Platform

Effective Date: [INSERT DATE — or the date the Customer executes the Terms of Service]
This Business Associate Agreement ("BAA") is entered into between [COMPANY LEGAL NAME] ("Business Associate" or "EnWella") and the healthcare provider, practice, or health plan identified in the associated Order Form or Terms of Service ("Covered Entity").
This BAA is incorporated into and forms part of the Terms of Service between the parties. In the event of a conflict between this BAA and the Terms of Service regarding the handling of Protected Health Information, this BAA controls.
Terms used in this BAA that are not otherwise defined have the meanings given to them in 45 C.F.R. Parts 160 and 164 (the HIPAA Rules).
"Breach" has the meaning given in 45 C.F.R. § 164.402.
"Business Associate" has the meaning given in 45 C.F.R. § 160.103. For purposes of this BAA, EnWella is the Business Associate.
"Covered Entity" has the meaning given in 45 C.F.R. § 160.103.
"Data Aggregation" has the meaning given in 45 C.F.R. § 164.501.
"Designated Record Set" has the meaning given in 45 C.F.R. § 164.501.
"Electronic Protected Health Information" or "ePHI" means Protected Health Information that is transmitted by or maintained in electronic media.
"HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164.
"Protected Health Information" or "PHI" has the meaning given in 45 C.F.R. § 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
"Required by Law" has the meaning given in 45 C.F.R. § 164.103.
"Security Incident" has the meaning given in 45 C.F.R. § 164.304.
"Subcontractor" has the meaning given in 45 C.F.R. § 160.103.
"Unsecured Protected Health Information" has the meaning given in 45 C.F.R. § 164.402.
Business Associate may use or disclose PHI only:
(a) As necessary to perform the services described in the Terms of Service (the "Services"), which include:
- Hosting, storing, and processing electronic health records
- Enabling clinical documentation, scheduling, and billing functions
- Facilitating secure patient communications
- Providing PDF generation of clinical documents
- Cloud storage of clinical documents and attachments
- Any other service specified in the Terms of Service
(b) As Required by Law
(c) As otherwise permitted under the HIPAA Rules and this BAA
(d) For the proper management and administration of Business Associate's business, provided that:
- Such disclosure is Required by Law, or
- Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or disclosed only as Required by Law or for the permitted purpose, and that the recipient will notify Business Associate of any Breach
(e) To provide Data Aggregation services relating to the health care operations of Covered Entity
(f) To de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c), after which the data is no longer PHI and may be used without restriction under the HIPAA Rules
Business Associate may NOT:
- Use or disclose PHI in a manner not permitted by this BAA or Required by Law
- Use or disclose PHI for marketing without specific written authorization
- Sell PHI without specific written authorization
- Use PHI to train artificial intelligence or machine learning models without a separate written agreement and, where required, patient authorization
Business Associate shall:
- Implement and maintain appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as permitted by this BAA
- Comply with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) with respect to all ePHI
- Specifically implement the following safeguards:
  - Encryption in transit: TLS 1.2 or higher for all ePHI in transit
  - Encryption at rest: AES-256 encryption for all ePHI stored in databases and cloud storage
  - Access controls: Role-based access controls; unique user IDs; automatic session timeout
  - Audit controls: Comprehensive audit logging of all access to and modification of ePHI, retained for a minimum of 6 years
  - Integrity controls: Data validation to ensure ePHI is not improperly altered or destroyed
  - Availability: Backup and disaster recovery procedures; target 99.9% monthly uptime
Security Incidents: Business Associate shall notify Covered Entity of any Security Incident of which it becomes aware, without unreasonable delay and in no event more than 5 business days after discovery. Notice shall include: (a) description of the incident; (b) types of PHI involved; (c) number of individuals affected, if known; (d) steps taken to investigate and mitigate.
Breach of Unsecured PHI: Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event more than 10 business days after discovery (and in all cases no later than 60 days after discovery). Notice shall include all information required under 45 C.F.R. § 164.410 to the extent available at the time of notice, with supplementation as additional information becomes available. Covered Entity is responsible for notifying affected individuals and the Secretary of HHS as required under 45 C.F.R. §§ 164.404 and 164.406.
Attempted Unauthorized Access: Business Associate shall report, as part of periodic security reviews or upon request, the results of unsuccessful Security Incidents (such as blocked hacking attempts) in a reasonable and agreed-upon format.
Business Associate shall take reasonable steps to mitigate any harmful effect of a use or disclosure of PHI in violation of this BAA of which it becomes aware.
Business Associate shall:
- Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees, by entering into a written Business Associate agreement, to restrictions and conditions at least as stringent as those in this BAA
- Remain liable to Covered Entity for the acts and omissions of Subcontractors
Current sub-processors with access to PHI include: [LIST OF SUBPROCESSORS WITH PHI ACCESS — e.g., Google Cloud Platform, etc.] A full list is available upon request.
Business Associate shall make reasonable efforts to limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.502(b).
Covered Entity shall:
- Not request Business Associate to use or disclose PHI in any manner that would violate the HIPAA Rules or this BAA
- Obtain any required patient authorizations before directing Business Associate to process PHI for purposes requiring authorization
Covered Entity shall notify Business Associate of:
- Any limitation in Covered Entity's Notice of Privacy Practices that would affect Business Associate's permitted uses and disclosures
- Any restriction on the use or disclosure of PHI that Covered Entity has agreed to with an individual
- Any revocation of authorization for use or disclosure of PHI
Covered Entity is responsible for HIPAA training of its workforce members before they access PHI through the Service. Covered Entity shall implement appropriate sanctions for workforce members who violate applicable HIPAA policies.
Covered Entity shall configure the Service's role-based access controls to implement minimum necessary principles, ensuring workforce members access only the PHI required for their job function.
Upon request, Business Associate shall provide Covered Entity access to ePHI maintained in a Designated Record Set within 30 days, in the format requested (if readily producible in such format), to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524.
Upon direction from Covered Entity, Business Associate shall amend ePHI maintained in a Designated Record Set within 30 days, to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.526.
Business Associate shall provide Covered Entity with information concerning disclosures of PHI that Business Associate makes on behalf of Covered Entity within 30 days of request, in the time frame and format requested, to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.528.
Business Associate shall, upon notification from Covered Entity, restrict disclosures of PHI as required under 45 C.F.R. § 164.522.
This BAA is effective as of the date the parties execute the Terms of Service and continues until the termination of the Terms of Service, unless earlier terminated as provided herein.
Either party may terminate this BAA (and the associated Terms of Service) immediately upon written notice if the other party materially breaches this BAA and:
- The breach is incapable of cure, or
- The breaching party fails to cure the breach within 30 days of written notice
If termination for cause is not feasible (e.g., would cause harm to patients), the non-breaching party may report the violation to the Secretary of HHS.
Return or Destruction of PHI: Upon termination of this BAA, Business Associate shall:
- At Covered Entity's election:
  - Return to Covered Entity all PHI that Business Associate maintains in any form, or
  - Destroy all PHI and certify in writing that all PHI has been destroyed
- If return or destruction is not feasible (e.g., PHI is backed up on systems where extraction is impractical), Business Associate shall:
  - Notify Covered Entity in writing of the reason return or destruction is infeasible
  - Continue to maintain the protections required by this BAA for as long as the PHI is retained
  - Limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible
  - Destroy the PHI when feasible
Survival: Business Associate's obligations regarding PHI that it retains after termination survive the termination of this BAA.
Before termination becomes effective, Business Associate will provide Covered Entity with 90 days to export all data from the Service. After this period, data will be securely deleted in accordance with NIST 800-88 guidelines.
Any reference in this BAA to specific sections of the HIPAA Rules means those sections as in effect or as amended from time to time.
The parties agree to amend this BAA as necessary to comply with changes in applicable law, including any changes to the HIPAA Rules. Either party may request an amendment; the parties shall negotiate in good faith to reach agreement within 60 days of such request.
Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the parties to comply with the HIPAA Rules. This BAA shall be interpreted in accordance with HIPAA and applicable guidance from HHS.
Nothing in this BAA is intended to create rights in any third party, including patients.
This BAA is incorporated into and supplements the Terms of Service. In the event of a conflict between this BAA and the Terms of Service regarding PHI, this BAA controls. Other provisions of the Terms of Service (including limitations of liability, dispute resolution, and general terms) remain in effect.
Business Associate's liability for breach of this BAA is subject to the limitations set forth in the Terms of Service, except that such limitations do not apply to:
- Business Associate's obligation to indemnify Covered Entity for penalties imposed by HHS OCR directly resulting from Business Associate's failure to comply with this BAA
- Gross negligence or willful misconduct by Business Associate
This BAA is governed by federal law (HIPAA) and, to the extent not preempted by federal law, the laws of the State of [STATE].
This BAA may be executed electronically. Acceptance of the Terms of Service constitutes acceptance of this BAA.
Business Associate may use PHI for the following purposes in connection with the Services:
Business Associate maintains the following security standards, which may be updated from time to time in accordance with industry best practices:
| Category | Standard |
|---|---|
| Encryption (transit) | TLS 1.2 or higher |
| Encryption (at rest) | AES-256 |
| Key management | Google Cloud KMS |
| Access logging | Immutable audit trails, 7-year retention |
| Authentication | Unique user IDs, MFA available |
| Vulnerability management | Regular penetration testing and patch management |
| Incident response | HIPAA-compliant breach response plan |
| Backup | Automated daily backups; point-in-time recovery |
| Data center | Google Cloud Platform (HIPAA BAA in place) |
By accepting the EnWella Terms of Service, Covered Entity and Business Associate agree to the terms of this Business Associate Agreement.
ATTORNEY REVIEW NOTICE: This BAA template must be reviewed by a licensed healthcare attorney before use. Requirements may differ based on state law, the type of covered entity, and the specific services provided. The limitation of liability provisions in particular require legal review.