Cubiqcloud

HIPAA Business Associate Agreement

Last updated: January 2026

This BAA applies only where the Covered Entity is subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA").

This BAA supplements the Enterprise Terms of Service and the Data Processing Agreement. It governs solely the handling of Protected Health Information ("PHI") of US patients.

Nothing in this BAA modifies or displaces obligations under UK GDPR, the Data Protection Act 2018, or other UK law.

1. Definitions

Capitalised terms not otherwise defined have the meanings set out in HIPAA and 45 C.F.R. §160.103.

"PHI" means Protected Health Information transmitted or maintained in any form or medium.

"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA which compromises the security or privacy of the PHI.

2. Permitted Uses and Disclosures

The Business Associate may use and disclose PHI solely to:

  • (a) perform services for the Covered Entity;
  • (b) carry out proper management and administration; and
  • (c) comply with legal obligations.

The Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if done by the Covered Entity.

The Business Associate shall make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose.

3. Safeguards

The Business Associate shall implement administrative, physical, and technical safeguards in accordance with:

  • 45 C.F.R. §164.308
  • 45 C.F.R. §164.310
  • 45 C.F.R. §164.312

to protect the confidentiality, integrity, and availability of PHI.

4. Subcontractors

The Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI agrees in writing to the same restrictions and conditions. The Business Associate remains fully responsible for the acts and omissions of its subcontractors.

5. Reporting of Breaches and Incidents

The Business Associate shall report any impermissible use or disclosure of PHI, including any Security Incident.

In the event of a Breach of Unsecured PHI, the Business Associate shall notify the Covered Entity without unreasonable delay and no later than fifteen (15) days after discovery, including all information required under HIPAA.

The Business Associate shall mitigate, to the extent practicable, any harmful effect of any use or disclosure of PHI in violation of this BAA.

6. Access, Amendment, and Accounting

The Business Associate shall make PHI available for access, amendment, and accounting in accordance with 45 C.F.R. §§164.524–528.

7. Term and Termination

This BAA remains in effect for so long as the Business Associate maintains PHI. Upon material breach, the Covered Entity may terminate this BAA and the underlying services agreement.

8. Return or Destruction of PHI

Upon termination, the Business Associate shall return or destroy all PHI. If infeasible, protections shall continue and uses shall be limited.

9. Precedence and Survival

This BAA governs with respect to PHI. Obligations survive termination.

10. Regulatory Access

The Business Associate shall make its internal practices, books, and records relating to PHI available to the Secretary of the U.S. Department of Health and Human Services for compliance purposes.

11. No Partnership

Nothing in this BAA creates a partnership, joint venture, or agency relationship.

12. Governing Law and Venue

This BAA is governed by US federal law as it applies to HIPAA. All other contractual matters are governed by the Enterprise Terms of Service.

Contact Information

For questions regarding this HIPAA Business Associate Agreement, please contact us at:

Email: info@cubiqcloud.com