Business Associate Agreement (BAA)
Template version: TBD
This Business Associate Agreement ("BAA") is between Clarity (the "Business Associate") and the customer practice that has agreed to these terms (the "Covered Entity"). It governs the handling of Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations.
1. Definitions
Terms used in this BAA have the meanings given to them in 45 C.F.R. Parts 160 and 164, including without limitation "Protected Health Information," "Covered Entity," "Business Associate," "Required by Law," and "Subcontractor."
2. Permitted Uses and Disclosures
Business Associate may use and disclose PHI only as necessary to perform the services described in the Terms of Service, as Required by Law, or for the proper management and administration of Business Associate. Business Associate will not use or disclose PHI in any manner that would constitute a violation of HIPAA if done by Covered Entity.
3. Safeguards
Business Associate will implement administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, including encryption at rest and in transit, role-based access controls, audit logging, and the breach-notification process described below.
4. Reporting
Business Associate will report to Covered Entity, without unreasonable delay and no later than thirty (30) days after discovery, any use or disclosure of PHI not permitted by this BAA, any breach of unsecured PHI, and any security incident of which Business Associate becomes aware. Reports will be made to the Covered Entity's designated privacy contact.
5. Sub-processors
Business Associate may engage sub-contractors (sub-processors) to assist in performing the services. Each sub-processor will agree in writing to substantially the same restrictions and conditions that apply to Business Associate. The current sub-processor list is published below and updated when it changes.
Current sub-processors
| Sub-processor | Purpose | Touches PHI? | Agreement |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting (RDS Postgres, S3 Object Lock, ECS Fargate, etc.) | Yes | AWS BAA -- account-wide |
| Cloudflare | Edge / DNS / WAF | No | Conduit exception (no PHI in transit beyond TLS termination upstream) |
| Sentry | Error tracking | Yes | Sentry Business BAA |
| Stripe | Payment processing | No | Not required -- no PHI in payment flow |
| SendGrid | Transactional + notification emails | No | Not required -- emails contain notifications only, no PHI |
6. Patient Rights
Business Associate will, within fifteen (15) business days of a request from Covered Entity, make PHI available for access, amendment, and accounting of disclosures as required by 45 C.F.R. §§ 164.524, 164.526, and 164.528.
7. Termination
Upon termination of the Terms of Service, Business Associate will return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If return or destruction is infeasible (e.g. because of S3 Object Lock retention), Business Associate will extend the protections of this BAA to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
8. Miscellaneous
This BAA constitutes the entire agreement between the parties with respect to its subject matter. It will be construed under federal law where applicable and otherwise under the laws of the state specified in the Terms of Service.
How to sign this BAA
Customers who accept the Terms of Service through the in-product signup flow execute this BAA in that same flow, via a separate checkbox for the BAA that is distinct from the Terms-of-Service checkbox. A countersigned copy is available on request from legal@sedationlog.com.