Business Associate Addendum

Last Modified: October 18, 2024

This Business Associate Addendum (“BAA”) is made by and between Pi Health (“Business Associate”) and [CUSTOMER] (“Covered Entity”) pursuant to one or more service agreements entered into between the parties to which this BAA is attached (collectively, the “Agreement”).

Covered Entity and Business Associate mutually agree to the terms of this BAA in order to comply with the HIPAA Rules, as defined below. In the event of a conflict between the terms of this BAA and the rest of the Agreement with respect to Protected Health Information, this BAA shall control.


1. Definitions
  • "Covered Entity" refers to the Customer.
  • "Business Associate" refers to Pi Health.
  • "Breach" shall have the same meaning as the term "Breach" in 45 CFR 164.402.
  • "HIPAA" shall mean the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5) (the "HITECH Act") and the federal regulations ("HIPAA Rules") published at 45 CFR parts 160 and 164.
  • "Privacy Rule" means the privacy regulations at 45 CFR Part 160 and 45 CFR Part 164, Subparts A and E, as they exist now or as they may be amended.
  • "Security Rule" means the security regulations at 45 CFR Part 160 and 45 CFR Part 164, Subparts A and C, as they exist now or as they may be amended.
  • "Individual" shall have the same meaning as the term “Individual” in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g) or other applicable federal or state law.
  • "Protected Health Information" shall have the same meaning as such term as defined in 45 CFR 160.103, but limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • "Secure" shall mean to render unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act.
  • "Successful Security Incident" shall mean any Security Incident (as defined in 45 CFR 164.304) that results in the unauthorized use, access, disclosure, modification or destruction of electronic Protected Health Information.

All capitalized terms used in this BAA and not defined elsewhere herein or in the Agreement shall have the same meaning as those terms as used or defined in the HIPAA Rules.


2. Obligations of Business Associate with respect to Use and Disclosure of Protected Health Information
  • Business Associate agrees to satisfy and comply with the HIPAA Rules concerning the confidentiality, privacy, and security of Protected Health Information that apply to business associates consistent with the nature of the services provided.
  • Business Associate shall not use or disclose Protected Health Information except as permitted or required by this BAA or as Required by Law. Subject to the limitations set forth in this BAA, Business Associate may use and disclose Protected Health Information as necessary in order to provide its services as described in the Agreement.
  • Subject to the limitations set forth in this BAA, Business Associate may use Protected Health Information if necessary for its proper management and administration or to carry out its legal responsibilities. In addition, Business Associate may disclose Protected Health Information as necessary for its proper management and administration or to carry out its legal responsibilities provided that:
    • Any such disclosure is Required by Law; or
    • Business Associate obtains reasonable assurances, in the form of a written agreement, from the Person to whom the Protected Health Information is disclosed that (1) it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the Person; and (2) the Person agrees to immediately notify Business Associate (which shall immediately notify Covered Entity in accordance with this section) of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.
  • Business Associate may de-identify Protected Health Information as necessary to provide its services as described in the Agreement and in accordance with the de-identification methods permitted under 45 CFR § 164.514(a)-(c) for any lawful purpose.
  • Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity as necessary to provide its services as described in the Agreement.
  • To the extent Business Associate is to carry out a Covered Entity obligation under 45 CFR Part 164 Subpart E, Business Associate shall comply with the requirements of that Subpart that apply to the Covered Entity in the performance of such obligation.
  • Business Associate agrees to mitigate: (i) any harmful effect resulting from a Security Incident involving Protected Health Information or any use or disclosure of Protected Health Information in violation of the requirements of this BAA or the HIPAA Rules; and (ii) any risks identified or discovered as a result of a Security Incident that does not result in the unauthorized use, access, disclosure, modification or destruction of electronic Protected Health Information.
  • Business Associate agrees to ensure that any agent, including without limitation a Subcontractor, to whom it provides Protected Health Information agrees in writing to terms and conditions which are at least as protective as those that apply to Business Associate with respect to such information under this BAA.
  • Business Associate agrees that it shall request from Covered Entity, use itself, and disclose to its affiliates, subsidiaries, agents and Subcontractors or other third parties, only the Minimum Necessary Protected Health Information to perform or fulfill a specific function required or permitted hereunder.
  • Business Associate agrees to report any use or disclosure of Protected Health Information not permitted by this BAA and any Successful Security Incident (each a “Potential Breach”) to Covered Entity promptly and in no event later than ten (10) business days after discovery (within the meaning of 45 CFR 164.410(a)(2)). Such report shall be made by email to the email address provided by Covered Entity. The parties shall collaborate in good faith to determine whether any Potential Breach constitutes a Breach. In the event of a Potential Breach, Business Associate shall provide the information required by 45 C.F.R. § 164.410(c) to the extent available, and other information reasonably required by Covered Entity to determine whether a Breach has occurred, including Business Associate’s own risk assessment to determine whether a Breach has occurred. If such information is not available to Business Associate at the time the Potential Breach is required to be reported to Covered Entity, Business Associate shall provide such information to Covered Entity promptly as it becomes available.
  • Subject to consistency with the nature of the services provided by Business Associate under the Agreement, within ten (10) business days of receipt of a request from Covered Entity, Business Associate shall provide to Covered Entity or, at its direction, to an Individual, Protected Health Information relating to that Individual held by Business Associate or its agents or Subcontractors in a Designated Record Set in accordance with 45 CFR 164.524. In the event any Individual requests access to his or her Protected Health Information directly from Business Associate, Business Associate shall, within ten (10) business days of receipt of such request, forward the request to Covered Entity unless the Privacy Rule requires Business Associate to receive and respond to such requests directly, in which case Business Associate shall respond directly as required by and in accordance with 45 CFR 164.524, and shall send a copy of such response to Covered Entity.
  • Subject to consistency with the nature of the services provided by Business Associate under the Agreement, within ten (10) business days of receipt of a request from Covered Entity, Business Associate agrees to make any requested amendment(s) to Protected Health Information held in a Designated Record Set by it, or any of its agents or Subcontractors, in conjunction with any other measures necessary to satisfy the requirements set forth in 45 CFR § 164.526. In the event an Individual requests an amendment to his or her Protected Health Information directly from Business Associate, Business Associate shall, within five (5) business days of receipt thereof, forward such request to Covered Entity.
  • Subject to consistency with the nature of the services provided by Business Associate under the Agreement, within ten (10) business days after a request from Covered Entity, Business Associate, its agents or Subcontractors shall prepare a list of any disclosure of Protected Health Information for which an accounting may be required under 45 CFR 164.528, and provide such list in writing, via email, to the email address provided by Covered Entity. In the event any Individual requests an accounting of disclosures under 45 CFR 164.528(a) directly from Business Associate, Business Associate shall, within ten (10) business days of receipt of such request, forward the request to Covered Entity unless the Privacy Rule requires, or Covered Entity directs, Business Associate to receive and respond to such requests directly, in which case Business Associate shall respond directly as required by and in accordance with 45 CFR 164.528, and shall send a copy of such response to Covered Entity.
  • Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary of the Department of Health and Human Services or her/his designees or other government authorities in a time and manner designated by Covered Entity or such governmental authorities, for purposes of determining compliance with the HIPAA Rules.

3. Security of Protected Health Information
  • Business Associate agrees to implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized use and disclosure of Protected Health Information, as required by the HIPAA Rules.

4. Covered Entity Obligations
  • Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
  • Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
  • Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
  • Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except to the extent that Business Associate will use or disclose Protected Health Information for the management and administration and legal responsibilities of the Business Associate.
  • Covered Entity shall disclose to Business Associate only the minimum amount of Protected Health Information necessary to allow Business Associate to fulfill its obligations to Covered Entity under the Agreement.

5. Term and Termination
  • This BAA shall continue for so long as the Agreement remains in effect, except that Section 5(c) (Effect of Termination) shall survive the termination of the Agreement for as long as Business Associate retains any Protected Health Information.
  • Upon either party’s determination that the other party has violated or breached a material term of this BAA, the non-breaching party shall (1) provide an opportunity for the breaching party to cure the breach or end the violation, and (2) terminate this BAA and the Agreement if the breaching party does not cure the breach or end the violation within a reasonable period.
  • Effect of Termination. (1) Except as provided in paragraph (2) of this subsection, upon termination of the Agreement for any reason, Business Associate shall, at the election of Covered Entity, return to Covered Entity or destroy all Protected Health Information in its possession or that of its Subcontractors or agents. Business Associate and its agents and Subcontractors shall retain no copies of the Protected Health Information. (2) In the event that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity written notification within ten (10) business days after termination of the Agreement of the conditions that make return or destruction infeasible. Upon agreement by Covered Entity that return or destruction of the Protected Health Information is infeasible, Business Associate shall extend the protections of this BAA to such Protected Health Information, and limit further uses and disclosures of it to those purposes that make the return or destruction infeasible, for so long as Business Associate or its agents or Subcontractors hold such Protected Health Information.

6. Limitation of Liability
  • In the event of a Breach of Protected Health Information under the control of Business Associate or its agents or Subcontractors, Business Associate agrees to perform any reasonable mitigation or remediation services, and Business Associate agrees to be responsible for: (i) the reasonable cost of providing required notice to Individuals affected by the Breach of Protected Health Information; (ii) the reasonable cost of providing required notice to government agencies, credit bureaus, and/or other required entities; and (iii) non-appealable fines or penalties assessed by governments or regulators. The reasonable costs or fees borne by Business Associate pursuant to this section shall not exceed three times the fees paid by Covered Entity to Business Associate over the preceding twelve months.

7. Miscellaneous
  • The parties agree to negotiate in good faith to amend this BAA from time to time to comply with the requirements of any HIPAA Rules. If either party disagrees with any such amendment proposed by the other party, it shall so notify the proposing party in writing no later than fifteen (15) business days after receipt of notice of the amendment. If the parties are unable to agree on an amendment, Covered Entity may, at its option, terminate this BAA or the Agreement.
  • A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended, and as of its effective date.
  • Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules.
  • It is expressly agreed that Business Associate, its divisions, and its affiliates, including its employees and Subcontractors, are performing the services under this BAA as independent contractors for Covered Entity. Neither Business Associate nor any of its affiliates, officers, directors, employees or Subcontractors is an employee or agent of Covered Entity. Nothing in this BAA shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) an agency relationship.
  • A waiver of a breach of any provision of this BAA shall not be deemed to be a waiver of a breach of any other provision of this BAA, nor a waiver of any subsequent breach of the same provision.
  • Except as it relates to the agreements with subcontractors referred to in Section 2(h) above, nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any Person other than the parties and the respective successors and permitted assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
  • This BAA constitutes the entire understanding among the parties with respect to its subject matter. If the terms of this BAA are inconsistent with the terms of any present or future underlying service or sale agreement between the parties, the terms of this BAA shall control.