
Business Associate Agreement

Template version: 1.0 — May 2026
Regulatory basis: 45 CFR §§ 164.308, 164.314, 164.502, 164.504

Two uses for this document. (1) Hipafy as your Business Associate: This agreement governs the relationship between your practice (Covered Entity) and Hipafy (Business Associate) for the compliance documentation services Hipafy provides. Execute this agreement with Hipafy at legal@hipafy.com. (2) Template for your own vendors: Use this as a starting-point template when executing BAAs with your own vendors (EHR, telehealth, billing, etc.). Replace the party names and service description accordingly. Hipafy recommends attorney review before executing any BAA.

Contents
Parties
Recitals
1. Definitions
2. Obligations of Business Associate
3. Permitted uses and disclosures
4. Obligations of Covered Entity
5. Breach notification
6. Individual rights
7. Security safeguards
8. Subcontractors
9. Term and termination
10. Effect of termination
11. Miscellaneous
Signatures
Parties

Agreement Between

Covered Entity (CE) Name:
CE Address:
CE NPI Number:
CE Contact Name:
CE Contact Email:
and
Business Associate (BA) Name: Hipafy (operating as an egyéni vállalkozó, i.e. a sole proprietorship, in Hungary)
BA Services: HIPAA compliance documentation platform, staff training module, BAA tracking, and related compliance tools
BA Contact: legal@hipafy.com
Agreement effective date:
Underlying agreement: Hipafy Terms of Service and active Subscription
Recitals

Background

WHEREAS, Covered Entity is a HIPAA-covered entity or business associate as defined under 45 CFR Part 160, engaged in providing healthcare services and subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively, “HIPAA Rules”);

WHEREAS, Business Associate provides compliance documentation software and related services to healthcare practices, and in connection with those services may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity, thereby qualifying as a Business Associate as defined under 45 CFR § 160.103;

WHEREAS, HIPAA Rules require Covered Entity to enter into a written Business Associate Agreement with Business Associate prior to disclosing Protected Health Information to Business Associate, as required by 45 CFR §§ 164.502(e) and 164.504(e);

NOW, THEREFORE, in consideration of the mutual promises set forth herein and for other good and valuable consideration, the parties agree as follows:

Section 1

Definitions

The following terms have the meanings set forth in the HIPAA Rules, including as amended by HITECH. In the event of any conflict between definitions in this Agreement and those in the HIPAA Rules, the HIPAA Rules shall control.

  • Breach has the meaning set forth in 45 CFR § 164.402.
  • Business Associate has the meaning set forth in 45 CFR § 160.103.
  • Covered Entity has the meaning set forth in 45 CFR § 160.103.
  • Data Aggregation has the meaning set forth in 45 CFR § 164.501.
  • Designated Record Set has the meaning set forth in 45 CFR § 164.501.
  • Electronic Protected Health Information (ePHI) means PHI that is transmitted by or maintained in electronic media as defined in 45 CFR § 160.103.
  • HITECH Act means the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5).
  • Individual has the meaning set forth in 45 CFR § 160.103 and shall include a personal representative of such individual.
  • Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Subparts A and E of 45 CFR Part 164.
  • Protected Health Information (PHI) has the meaning set forth in 45 CFR § 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • Required by Law has the meaning set forth in 45 CFR § 164.103.
  • Secretary means the Secretary of the U.S. Department of Health and Human Services or designee.
  • Security Incident has the meaning set forth in 45 CFR § 164.304.
  • Security Rule means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Subparts A and C of 45 CFR Part 164.
  • Unsecured PHI has the meaning set forth in 45 CFR § 164.402.
Section 2

Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate agrees not to use or disclose PHI except as permitted or required by this Agreement or as Required by Law. 45 CFR § 164.504(e)(2)(i)

2.2 Appropriate Safeguards

Business Associate agrees to implement appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in compliance with the Security Rule. 45 CFR §§ 164.308, 164.310, 164.312, 164.316

2.3 Minimum Necessary

Business Associate agrees to use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, consistent with the minimum necessary standard of the Privacy Rule. 45 CFR § 164.502(b)

2.4 Mitigation

Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate resulting from a use or disclosure of PHI in violation of this Agreement.

2.5 Prohibition on Further Disclosure

Business Associate agrees not to use or further disclose PHI in a manner that would violate the requirements of the Privacy Rule if done by Covered Entity, except as otherwise set forth in Section 3 of this Agreement.

2.6 Books and Records

Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from or created or received on behalf of Covered Entity available to the Secretary for the purpose of determining Covered Entity’s compliance with the HIPAA Rules. 45 CFR § 164.504(e)(2)(ii)(H)

Section 3

Permitted Uses and Disclosures by Business Associate

3.1 Services

Business Associate is authorized to use and disclose PHI as necessary to perform the services described in the Hipafy Terms of Service and active Subscription agreement, specifically including:

  • Receiving practice-level operational information provided by Covered Entity during the compliance assessment to generate compliance documentation;
  • Generating, storing, and making available compliance documentation, including Security Risk Assessments, Notices of Privacy Practices, Incident Response Plans, and related policies;
  • Operating the staff training module and issuing completion certificates based on staff information provided by Covered Entity;
  • Tracking BAA expiry dates and sending renewal reminders based on information entered by Covered Entity;
  • Providing customer support and technical assistance in connection with the foregoing.

Important scope note: Hipafy’s platform is designed to process operational and administrative information about your practice, not patient-level PHI. The PHI-related obligations in this Agreement therefore apply only to the limited extent that practice-level information entered by Covered Entity incidentally contains or relates to PHI. Hipafy does not process, store, or transmit individual patient records, clinical notes, or diagnoses, and Covered Entity should not enter such information into the platform.

3.2 Management and Administration

Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that: (a) disclosures are Required by Law; or (b) Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will promptly notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. 45 CFR § 164.504(e)(4)

3.3 Data Aggregation

Business Associate may provide Data Aggregation services relating to the Health Care Operations of Covered Entity. For the avoidance of doubt, any such aggregation will use only de-identified or aggregated data and will not identify individual patients or practices.

3.4 Required by Law

Business Associate may use or disclose PHI as Required by Law, and shall notify Covered Entity of any such required disclosure promptly after Business Associate becomes aware of it, to the extent such notification is permitted by law.

Section 4

Obligations of Covered Entity

4.1 Notice of Privacy Practices

Covered Entity shall notify Business Associate of any limitation in Covered Entity’s Notice of Privacy Practices, to the extent such limitation may affect Business Associate’s use or disclosure of PHI. 45 CFR § 164.520

4.2 Changes in Permission

Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent such change or revocation may affect Business Associate’s permitted or required uses and disclosures.

4.3 Agreed Restrictions

Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent such restriction may affect Business Associate’s use or disclosure of PHI.

4.4 Impermissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

4.5 Accuracy of Information

Covered Entity is solely responsible for the accuracy, completeness, and currency of all information provided to Business Associate through the Hipafy platform. Business Associate’s obligations under this Agreement are contingent on Covered Entity providing accurate information. Documentation generated based on inaccurate information remains the responsibility of Covered Entity.

Section 5

Breach Notification

5.1 Notification by Business Associate

Following the discovery of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity of such Breach without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach. 45 CFR § 164.410

5.2 Content of Notification

The notification shall include, to the extent possible:

  • The identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
  • A brief description of what happened, including the date of the Breach and date of discovery;
  • A description of the types of Unsecured PHI involved;
  • Steps individuals should take to protect themselves from potential harm;
  • A brief description of what Business Associate is doing to investigate, mitigate, and prevent recurrence;
  • Contact information for follow-up questions.

5.3 Security Incidents

Business Associate agrees to report to Covered Entity any Security Incident of which it becomes aware within a reasonable time of discovery, even where such incident does not rise to the level of a Breach requiring notification. 45 CFR § 164.314(a)(2)(i)(C)

5.4 Unsuccessful Attempts

The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful security incidents for which no additional notification to Covered Entity shall be required, unless such incidents become successful Security Incidents or Breaches.

Section 6

Individual Rights

6.1 Access to PHI

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make such PHI available to Covered Entity (or, at Covered Entity’s direction, to an Individual) as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.524, in the time and manner reasonably designated by Covered Entity.

6.2 Amendment of PHI

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make PHI available for amendment and incorporate any amendments to PHI at Covered Entity’s direction, in accordance with 45 CFR § 164.526.

6.3 Accounting of Disclosures

Business Associate agrees to document and make available to Covered Entity information required for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528, including the date, recipient, description, and purpose of each disclosure. Business Associate shall maintain such documentation for at least six (6) years.

6.4 Direct Requests by Individuals

If an Individual makes a direct request to Business Associate for access, amendment, or accounting, Business Associate shall promptly forward such request to Covered Entity and shall cooperate with Covered Entity in responding.

Section 7

Security Safeguards

7.1 Compliance with Security Rule

With respect to ePHI, Business Associate agrees to comply with the applicable requirements of Subparts A and C of 45 CFR Part 164, including: 45 CFR § 164.308 (administrative safeguards), 45 CFR § 164.310 (physical safeguards), 45 CFR § 164.312 (technical safeguards), and 45 CFR § 164.316 (policies and procedures).

7.2 Specific Safeguards

Business Associate represents that its security safeguards include, at minimum:

  • Encryption of all ePHI in transit using TLS 1.2 or higher;
  • Encryption of all ePHI at rest using industry-standard encryption;
  • Access controls limiting PHI access to authorized personnel;
  • Audit logging of access to systems containing ePHI;
  • Regular security risk assessments;
  • A documented incident response procedure;
  • Secure disposal of electronic media containing ePHI.

7.3 Risk Assessment

Business Associate agrees to conduct periodic risk assessments to identify reasonably anticipated threats to the security or integrity of ePHI and implement reasonable and appropriate security measures to reduce such risks, in accordance with 45 CFR § 164.308(a)(1).

Section 8

Subcontractors and Agents

In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Business Associate is bound by a written agreement that imposes substantially the same conditions, restrictions, and requirements that apply to Business Associate under this Agreement with respect to such PHI.

Current subcontractors of Hipafy that may have limited access to PHI-adjacent data include: cloud infrastructure providers (hosting), email service providers (transactional notifications), and payment processors. All are bound by data processing agreements that meet or exceed the requirements of this section.

Business Associate shall notify Covered Entity if it engages a new subcontractor that will have access to PHI, and shall ensure a compliant BAA is in place before such access is granted.

Section 9

Term and Termination

9.1 Term

This Agreement shall be effective on the date first set forth above and shall remain in effect for so long as Covered Entity maintains an active Hipafy Subscription and Business Associate performs services for Covered Entity, unless earlier terminated as provided herein.

9.2 Termination for Cause

Either party may terminate this Agreement upon written notice if the other party has materially breached a provision of this Agreement and has failed to cure such breach within thirty (30) calendar days of receiving written notice of the breach. 45 CFR § 164.504(e)(2)(iii)

9.3 Termination Upon Subscription End

This Agreement shall terminate when Covered Entity’s Hipafy Subscription expires or is cancelled. The obligations of Section 10 then apply, and the protections of this Agreement continue to cover any PHI retained by Business Associate until all such PHI has been returned or destroyed in accordance with Section 10.

9.4 Termination as Alternative to Cure

If Business Associate determines that a material breach of this Agreement by Covered Entity cannot be cured, Business Associate shall terminate this Agreement, if feasible, in accordance with 45 CFR § 164.504(e)(1)(iii). If Covered Entity determines that a material breach of this Agreement by Business Associate cannot be cured, Covered Entity shall terminate this Agreement, if feasible, in accordance with 45 CFR § 164.504(e)(1)(ii). For clarity, “breach” in this Section 9 refers to a breach of this Agreement, not to a Breach of Unsecured PHI as defined in Section 1; the latter is governed by Section 5.

Section 10

Effect of Termination and Data Return

10.1 Return or Destruction

Upon termination of this Agreement for any reason, Business Associate shall, at Covered Entity’s election: (a) return to Covered Entity all PHI received from, or created or received on behalf of, Covered Entity; or (b) destroy all such PHI, retaining no copies in any form. 45 CFR § 164.504(e)(2)(ii)(J)

Business Associate shall complete the return or destruction within sixty (60) days of termination and shall certify in writing to Covered Entity that it has done so.

10.2 Infeasibility of Return or Destruction

If return or destruction is not feasible, Business Associate shall notify Covered Entity of the reasons why and shall extend the protections of this Agreement to such PHI for as long as Business Associate retains it, using it only for the purpose that made return or destruction infeasible.

10.3 Survival

The following provisions shall survive termination of this Agreement: Section 1 (Definitions), Section 7 (Security Safeguards) to the extent necessary to protect retained PHI, Section 10 (Effect of Termination), and Section 11 (Miscellaneous).

Section 11

Miscellaneous

11.1 Amendment

The parties agree to amend this Agreement as necessary to ensure compliance with the HIPAA Rules as they may be amended from time to time. Hipafy will notify Covered Entity of required amendments and provide reasonable time to execute them.

11.2 Interpretation

This Agreement shall be interpreted in a manner consistent with the HIPAA Rules. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.

11.3 No Third-Party Beneficiaries

Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever.

11.4 Regulatory References

Any reference in this Agreement to a section of the HIPAA Rules means the section as in effect or as amended. This Agreement incorporates by reference all requirements of HITECH that apply to Business Associates.

11.5 Relationship to Service Agreement

In the event of any conflict between this Agreement and the Hipafy Terms of Service with respect to the subject matter of this Agreement (the use and protection of PHI), the terms of this Agreement shall control.

11.6 Entire Agreement

This Agreement, together with the Hipafy Terms of Service and active Subscription agreement, constitutes the entire agreement between the parties relating to the Business Associate relationship and supersedes all prior agreements, representations, and negotiations on this subject.

11.7 Governing Law

This Agreement is governed by applicable United States federal law with respect to HIPAA requirements and by the governing law specified in the Hipafy Terms of Service for all other matters.

Execution

Signatures

By signing below, each party agrees to be bound by the terms of this Business Associate Agreement and represents that the signatory has the authority to bind the party named below.

Covered Entity
Signature:
Printed name and title:
Organization name:
Date:
Business Associate — Hipafy
Signature:
Printed name and title:
Organization name: Hipafy
Date:

To execute this BAA with Hipafy: email legal@hipafy.com with subject “BAA Execution Request.” Hipafy will return a countersigned copy within 5 business days. This template is provided for informational and planning purposes and does not constitute legal advice. Review by a qualified healthcare attorney is recommended before execution.