Template version: 2026-05-02. The executed version specific to your organization governs.
This Agreement is between HealthDash ("Business Associate") and the Customer organization ("Covered Entity").
1. Definitions
Capitalized terms not defined here have the meaning given them in 45 CFR §§ 160.103 and 164.501. "PHI" means Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
2. Permitted uses and disclosures
Business Associate may use or disclose PHI only:
- As necessary to perform the services in the underlying agreement.
- For Business Associate's proper management and administration.
- To carry out Business Associate's legal responsibilities.
- As Required by Law.
Business Associate will not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity.
3. Safeguards
Business Associate will implement administrative, physical, and technical safeguards required by 45 CFR §§ 164.308, 164.310, and 164.312 to protect the confidentiality, integrity, and availability of electronic PHI.
4. Subcontractors
Business Associate will require any subcontractor that creates, receives, maintains, or transmits PHI on its behalf to enter into a written agreement with terms substantially the same as this Agreement before any PHI is disclosed.
5. Reporting
Business Associate will report to Covered Entity:
- Any use or disclosure of PHI not permitted by this Agreement within 72 hours of discovery.
- Any Security Incident within 72 hours.
- Any Breach of Unsecured PHI without unreasonable delay and in any event no later than 72 hours after discovery, with the information required by 45 CFR § 164.410.
6. Individual rights
Business Associate will assist Covered Entity in responding to individual requests for access (§ 164.524), amendment (§ 164.526), and accounting of disclosures (§ 164.528) within the timeframes established by HIPAA.
7. HHS access
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with HIPAA.
8. Term and termination
This Agreement is effective as of the date of execution and remains in effect for the term of the underlying agreement. On termination, Business Associate will return or destroy all PHI received from, or created on behalf of, Covered Entity. If return or destruction is not feasible, Business Associate will continue to extend the protections of this Agreement to such PHI for as long as it is retained.
9. Liability
Each party is liable for its own breaches of this Agreement and of HIPAA. Indemnification, if any, is governed by the underlying agreement.
10. Amendment
The parties will amend this Agreement as necessary to comply with changes to HIPAA, the HITECH Act, and the implementing regulations.
This template is provided for reference. Each Customer organization signs an executed counterpart referencing the specific underlying subscription agreement and any negotiated terms.