Last updated: May 19, 2026
If your organization requires a countersigned Business Associate Agreement for your records, contact our compliance team and we'll provide one within 2 business days.
Request Signed BAA →Unless otherwise defined herein, capitalized terms have the meanings given to them under HIPAA, the HITECH Act, and their implementing regulations.
Business Associate agrees not to use or disclose PHI other than as permitted or required by this BAA or as required by law.
Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA. Safeguards include:
Business Associate agrees to report to Covered Entity:
Business Associate agrees to ensure that any member of its workforce that creates, receives, maintains, or transmits PHI on behalf of Covered Entity has been trained on HIPAA Privacy and Security requirements.
Business Associate agrees to make reasonable efforts to use, disclose, and request only the minimum necessary amount of PHI to accomplish the intended purpose.
Covered Entity agrees to:
Business Associate may use and disclose PHI as necessary to perform the services described in the AjutaCare Terms of Service, including:
Business Associate may use PHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided disclosures are required by law or Business Associate obtains reasonable assurances from any recipient.
Business Associate may use de-identified data (as defined under 45 CFR §164.514) for improving the Service, product development, and benchmarking, provided such data has been de-identified in accordance with HIPAA standards.
Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.
Current subcontractors handling PHI include our cloud infrastructure provider (DigitalOcean) and email delivery services. All subcontractors are subject to Data Processing Agreements with equivalent protections.
In the event of a Breach of Unsecured PHI, Business Associate will:
Business Associate's obligation to report a Breach shall not be construed as an acknowledgment of fault or liability.
Business Associate agrees to provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, within 30 days of a request.
Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR §164.526.
Business Associate agrees to document and make available to Covered Entity an accounting of disclosures of PHI as would be required for Covered Entity to respond to an Individual's request for an accounting of disclosures.
Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity available to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules.
This BAA is effective as of the date Customer first uses AjutaCare to process PHI and remains in effect until the termination of the AjutaCare subscription agreement.
Either party may terminate this BAA if the other party materially breaches a provision of this BAA, and such breach is not cured within 30 days of written notice.
Upon termination of this BAA for any reason, Business Associate agrees to return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. This provision applies to PHI in the possession of subcontractors as well. Business Associate will retain no copies of the PHI, except as required by law.
If return or destruction is not feasible, Business Associate will extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for as long as Business Associate maintains such PHI.
A reference in this BAA to a section in the HIPAA Rules means the section in effect or as amended.
The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules.
Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the HIPAA Rules.
Nothing in this BAA shall confer any rights or remedies upon any person other than the parties and their respective successors and permitted assigns.
The obligations of Business Associate under Section 8.3 (Effect of Termination) shall survive the termination of this BAA.
Our compliance team is available to answer questions, provide clarifications, or issue a countersigned copy of this agreement.
Contact Compliance Team →