This page summarizes the standard HIPAA Business Associate Agreement (“BAA”) Beija offers to customers. It is a template for reference and is not an executed agreement. A signed BAA is required before any Protected Health Information is exchanged — contact legal@beija.ai to execute.
This BAA supplements and is incorporated into the Terms of Service or other services agreement between Beija, Inc. (“Business Associate”) and the customer (“Covered Entity”). It is intended to satisfy the requirements of 45 CFR 164.504(e).
1. Definitions
Capitalized terms used but not defined have the meanings given in the HIPAA Rules, including “Breach,” “Protected Health Information” (“PHI”), “Electronic PHI,” “Required by Law,” “Security Incident,” “Subcontractor,” and “Unsecured PHI.”
2. Obligations of Business Associate
- Permitted use. Not use or disclose PHI other than as permitted by this BAA or as Required by Law.
- Safeguards. Use appropriate administrative, physical, and technical safeguards, and comply with the Security Rule with respect to Electronic PHI, to prevent unauthorized use or disclosure.
- Reporting. Report to Covered Entity any use or disclosure not permitted by this BAA of which it becomes aware, any Security Incident, and any Breach of Unsecured PHI, without unreasonable delay and within the timeframes required by the Breach Notification Rule.
- Subcontractors. Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and conditions at least as protective as those that apply to Business Associate.
- Individual access. Make PHI in a Designated Record Set available to enable Covered Entity to meet its access obligations under 45 CFR 164.524.
- Amendment. Make PHI available for amendment and incorporate amendments as directed, consistent with 45 CFR 164.526.
- Accounting. Maintain and make available the information required to provide an accounting of disclosures under 45 CFR 164.528.
- Covered Entity obligations. To the extent Business Associate carries out an obligation of Covered Entity under the Privacy Rule, comply with the requirements applicable to that obligation.
- HHS access. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance.
3. Permitted Uses and Disclosures by Business Associate
- To perform the services described in the underlying agreement.
- For the proper management and administration of Business Associate, or to carry out its legal responsibilities, provided that disclosures are Required by Law or made with reasonable assurances of confidentiality and notice of any breach.
- To provide Data Aggregation services relating to the health care operations of Covered Entity, and to de-identify PHI in accordance with 45 CFR 164.514(a)–(c), where permitted by the underlying agreement.
4. Obligations of Covered Entity
- Notify Business Associate of any limitations in its notice of privacy practices, and of any changes in, or revocation of, an individual’s permission to use or disclose PHI, to the extent it affects Business Associate’s use or disclosure.
- Not request that Business Associate use or disclose PHI in a manner that would not be permitted under the Privacy Rule if done by Covered Entity, except as permitted for Data Aggregation or management of Business Associate.
5. Term and Termination
- Term. This BAA is effective as of the date PHI is first exchanged and continues until all PHI is returned or destroyed, or protections are extended as described below.
- Termination for cause. Covered Entity may terminate the underlying agreement and this BAA if Business Associate materially breaches and fails to cure within a reasonable period after notice.
- Effect of termination. Upon termination, Business Associate will return or destroy all PHI it maintains, and will require subcontractors to do the same. Where return or destruction is infeasible, Business Associate will extend the protections of this BAA to such PHI and limit further use or disclosure to the purposes that make return or destruction infeasible.
6. Miscellaneous
- Regulatory references. A reference to a section of the HIPAA Rules means the section as in effect or amended.
- Amendment. The parties will take such action as is necessary to amend this BAA to comply with the HIPAA Rules.
- Interpretation. Ambiguities are resolved to permit compliance with the HIPAA Rules.
- Survival. Obligations that by their nature should survive termination will survive.
7. Execution
To put a signed BAA in place, contact legal@beija.ai.