Business Associate Agreement (BAA)

Last Updated: March 6, 2026

Overview

This Business Associate Agreement ("BAA") establishes the terms under which Paz Technologies LLC d/b/a Data Hippo ("Business Associate") may use and disclose Protected Health Information ("PHI") on behalf of Covered Entities and their Business Associates ("Covered Entity") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").

This BAA is incorporated by reference into the Terms of Service and any service agreement between the parties. By using Data Hippo's services, you acknowledge that you have read, understood, and agree to be bound by this BAA.

1. Definitions

Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Privacy Rule (45 CFR Parts 160 and 164) and the HIPAA Security Rule (45 CFR Parts 160 and 164).

  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.
  • Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a transaction covered by HIPAA.
  • Business Associate: Paz Technologies LLC d/b/a Data Hippo, acting as a person or entity that performs functions or activities on behalf of a Covered Entity involving the use or disclosure of PHI.

2. Permitted Uses and Disclosures

Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the service agreement, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.

Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed.

3. Obligations of Business Associate

3.1 Use and Disclosure Restrictions

Business Associate agrees to:

  • Not use or disclose PHI other than as permitted or required by this BAA or as required by law
  • Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA
  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI
  • Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate
  • Make available PHI in accordance with 45 CFR § 164.524
  • Make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 CFR § 164.526
  • Make available the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528
  • Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with HIPAA

3.2 Security Safeguards

Business Associate shall implement and maintain:

  • Administrative safeguards including security management, workforce security, information access management, and security awareness training
  • Physical safeguards including facility access controls and workstation security
  • Technical safeguards including access control, audit controls, integrity controls, and transmission security
  • Encryption of PHI in transit and at rest
  • Regular security risk assessments and remediation

4. Breach Notification

Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notification shall include:

  • The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the breach
  • A brief description of what happened, including the date of the breach and the date of discovery
  • A description of the types of Unsecured PHI involved
  • Steps individuals should take to protect themselves from potential harm
  • A brief description of what Business Associate is doing to investigate the breach, mitigate losses, and protect against further breaches

5. Obligations of Covered Entity

Covered Entity agrees to:

  • Notify Business Associate of any limitation(s) in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI
  • Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose their PHI
  • Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to
  • Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity

6. Term and Termination

This BAA shall remain in effect until terminated in accordance with this section. Either party may terminate this BAA:

  • For cause upon 30 days written notice to the other party of a material breach, if the breach is not cured within the 30-day period
  • Immediately if the other party is found to have breached a material term of this BAA and cure is not possible
  • As otherwise provided in the service agreement

Upon termination, Business Associate shall:

  • Return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity
  • Retain no copies of such PHI
  • If return or destruction is not feasible, extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible

7. Compliance with HITECH Act

Business Associate acknowledges that the HITECH Act applies certain provisions of the HIPAA Security and Privacy Rules directly to Business Associates. Business Associate agrees to comply with:

  • All applicable requirements of the HIPAA Security Rule (45 CFR Parts 160 and 164, Subparts A and C)
  • All applicable requirements of the HIPAA Privacy Rule (45 CFR Parts 160 and 164, Subparts A and E) as if Business Associate were a Covered Entity
  • Civil and criminal penalties for violations of HIPAA as applied to Business Associates under HITECH

8. Miscellaneous

This BAA shall be interpreted in accordance with HIPAA and HITECH. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with HIPAA and HITECH.

The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, HITECH, and any other applicable law.

This BAA shall survive termination of the service agreement to the extent necessary for Business Associate to comply with its obligations regarding PHI.

9. Contact Information

For questions about this BAA or to report a potential breach, please contact:

Paz Technologies LLC d/b/a Data Hippo

HIPAA Compliance Officer

Email: [email protected]

In case of a security incident or breach, please contact us immediately at the above email address or through your designated account representative.