← Back to Medroid

HIPAA Business Associate Agreement

Effective Date: January 7, 2026

1. Definitions

Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate may use or disclose Protected Health Information ("PHI") only as permitted by this BAA or as required by law. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of HIPAA if used or disclosed by Covered Entity.

2.2 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided for by this BAA. These safeguards include:

• End-to-end encryption of PHI in transit and at rest using AES-256 encryption
• Multi-factor authentication for all user accounts accessing PHI
• Role-based access controls limiting PHI access to authorized personnel only
• Regular security audits and vulnerability assessments
• Comprehensive audit logging of all PHI access and modifications
• Secure data centers with SOC 2 Type II certification
• Regular employee training on HIPAA compliance and data security

2.3 Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including breaches of unsecured PHI, within 24 hours of discovery. Business Associate shall provide all information required for Covered Entity to meet its breach notification obligations under HIPAA.

3. Subcontractors

Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI.

4. Access to PHI

Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524.

5. Amendment of PHI

Business Associate shall make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual.

6. Accounting of Disclosures

Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

7. Availability of Books and Records

Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.

8. Return or Destruction of PHI

Upon termination of this BAA, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.

9. Minimum Necessary

Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR § 164.502(b) and § 164.514(d).

10. Data Security Measures

Business Associate implements comprehensive security measures including:

• Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC) with principle of least privilege
• Authentication: Multi-factor authentication (MFA) required for all users
• Monitoring: 24/7 security monitoring and intrusion detection systems
• Backup: Automated encrypted backups with geographic redundancy
• Disaster Recovery: Comprehensive business continuity and disaster recovery plans
• Penetration Testing: Regular third-party security assessments and penetration testing

11. Compliance Certifications

Medroid AI maintains the following compliance certifications and standards:

• HIPAA-ready architecture and security controls
• SOC 2 Type II certification (in progress)
• Regular security audits and vulnerability assessments
• Compliance with NIST Cybersecurity Framework

12. Term and Termination

This BAA shall be effective as of the date Covered Entity begins using Medroid AI Services and shall terminate when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

13. Breach Notification

In the event of a breach of unsecured PHI, Business Associate shall:

1. Notify Covered Entity within 24 hours of discovery
2. Provide all information necessary for Covered Entity to meet its breach notification obligations
3. Cooperate with Covered Entity in investigating and mitigating the breach
4. Document all breach-related activities and remediation efforts

14. Indemnification

Business Associate shall indemnify and hold harmless Covered Entity from any claims, damages, or costs arising from Business Associate's breach of this BAA or violation of HIPAA regulations.