HIPAA

Business Associate Policy

Effective: March 17, 2026

1. Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that covered entities and business associates obtain satisfactory assurances from their business associates that PHI will be appropriately safeguarded. These assurances must be documented in a written Business Associate Agreement (BAA) that meets the requirements of 45 CFR §164.504(e) (Privacy Rule) and 45 CFR §164.314(a) (Security Rule).

The HITECH Act extended the direct applicability of certain HIPAA requirements to business associates, including the Security Rule, the Breach Notification Rule, and certain provisions of the Privacy Rule. Business associates are now directly liable for compliance with these requirements and subject to civil and criminal penalties for violations.

2. Purpose

This policy establishes the process H33.ai, Inc. (“H33”) follows to ensure that written Business Associate Agreements are in place before any PHI is disclosed to or accessible by a business associate. This policy applies both to H33’s role as a Business Associate to its covered entity customers and to H33’s management of its own subcontractors that may access PHI.

3. Scope

This policy applies to H33 in its capacity as a Business Associate. It governs:

  • H33’s execution of BAAs with its covered entity customers
  • H33’s management of subcontractors and downstream business associates that perform functions involving PHI on H33’s behalf
  • The review, approval, and maintenance of all BAAs
  • The termination of BAAs and the return or destruction of PHI upon contract conclusion

4. Policy

H33 shall obtain satisfactory written assurances, in the form of a Business Associate Agreement, from each subcontractor or third-party service provider before disclosing PHI or allowing access to PHI. No PHI shall be disclosed to any entity that has not executed a BAA with H33, except as otherwise permitted by HIPAA (e.g., for treatment purposes between covered entities, disclosures required by law).

Similarly, H33 shall execute a BAA with each covered entity customer before creating, receiving, maintaining, or transmitting PHI on that customer’s behalf.

5. Procedure

5.1 Contract Review and BAA Necessity Determination

Before entering into any arrangement with a third-party vendor or subcontractor, H33 evaluates whether the arrangement involves access to, or the creation, receipt, maintenance, or transmission of, PHI. The evaluation considers:

  • Whether the vendor will have access to any systems that contain or process PHI
  • Whether the vendor will perform functions or activities involving the use or disclosure of PHI on H33’s behalf
  • Whether PHI will be transmitted to or stored by the vendor
  • Whether the vendor provides services that involve access to PHI (e.g., cloud hosting, data analytics, IT support, security monitoring)

If the arrangement involves access to PHI, a BAA must be executed before the vendor is granted access to any H33 systems or data. The Privacy Official and/or HIPAA Security Officer must approve the BAA determination.

5.2 Required BAA Provisions

Every BAA executed by H33 (whether H33 is acting as the covered entity’s business associate or contracting with its own subcontractors) must contain the following provisions, as required by 45 CFR §164.504(e)(2) and §164.314(a)(2):

  1. Permitted Uses and Disclosures: The BAA must establish the permitted and required uses and disclosures of PHI by the business associate. The BAA must not authorize the business associate to use or disclose PHI in a manner that would violate HIPAA if done by the covered entity, except for data aggregation, management and administration of the business associate, and legal responsibilities of the business associate.
  2. Safeguards: The business associate must use appropriate safeguards, including implementing the requirements of the Security Rule (administrative, physical, and technical safeguards), to prevent use or disclosure of PHI other than as provided by the BAA.
  3. Breach Reporting: The business associate must report to H33 (or the covered entity) any use or disclosure of PHI not provided for by the BAA, including breaches of unsecured PHI, within sixty (60) calendar days of discovery.
  4. Subcontractor Requirements: The business associate must ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate under the BAA.
  5. Access to PHI: The business associate must make available PHI in a designated record set to H33 (or the covered entity, or the individual) as necessary to satisfy individual access rights under 45 CFR §164.524.
  6. Amendment of PHI: The business associate must make available PHI for amendment and incorporate any amendments to PHI in a designated record set as required by 45 CFR §164.526.
  7. Accounting of Disclosures: The business associate must make available the information required to provide an accounting of disclosures as required by 45 CFR §164.528.
  8. Books and Records: The business associate must make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.
  9. Return or Destruction of PHI: Upon termination of the BAA, the business associate must return or destroy all PHI received from, or created or received by the business associate on behalf of, H33 (or the covered entity). If return or destruction is not feasible, the BAA must extend the protections of the agreement to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
  10. Termination: The BAA must authorize termination of the contract if the business associate violates a material term of the BAA.
  11. Minimum Necessary: The business associate must limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose.
  12. Mitigation: The business associate must mitigate, to the extent practicable, any harmful effect that is known to result from a use or disclosure of PHI in violation of the BAA.
  13. Agent Clarification: The BAA must clarify whether the business associate is an agent or independent contractor of H33, as this determination affects the allocation of liability.

5.3 BAA Review Process

When a covered entity customer or third-party vendor presents its own BAA for execution:

  1. The Privacy Official reviews the proposed BAA for compliance with all required provisions listed in Section 5.2
  2. Legal counsel reviews the proposed BAA for legal sufficiency, indemnification terms, and liability allocation
  3. Any deficiencies or missing provisions are communicated to the other party for revision
  4. The BAA is not executed until all required provisions are satisfactorily addressed

When H33 presents its own BAA template to a subcontractor or vendor:

  1. The Privacy Official provides H33’s standard BAA template (see Appendix A)
  2. Any requested modifications are reviewed by the Privacy Official and legal counsel
  3. Modifications that would weaken PHI protections or HIPAA compliance are not accepted

5.4 If a Business Associate Refuses to Sign

If a prospective business associate refuses to execute a BAA that contains all required provisions, H33 shall not enter into the contract or arrangement if it would involve the business associate having access to PHI. No exceptions are permitted. If an existing vendor that has not executed a BAA is found to have access to PHI, access must be immediately revoked until a BAA is executed.

5.5 Minimum Necessary Disclosure

When disclosing PHI to a business associate, H33 discloses only the minimum amount of PHI necessary for the business associate to perform its contracted functions. H33 identifies the minimum necessary PHI for each business associate relationship and documents these limitations in the BAA or in supplementary data handling agreements.

6. Termination of Business Associate Contracts

When a BAA or the underlying service agreement is terminated, H33 follows these procedures:

  1. Notification: The Privacy Official is notified of the pending termination at least thirty (30) days in advance, when possible
  2. PHI Inventory: H33 coordinates with the business associate to identify all PHI in the business associate’s possession or control
  3. Return or Destruction: The business associate must return all PHI to H33 or destroy all PHI (including all copies, backups, and archives) in accordance with the BAA terms. The business associate must provide written certification of destruction.
  4. Infeasibility Exception: If return or destruction is infeasible (e.g., PHI is embedded in backup systems that cannot be selectively purged), the BAA protections extend to the retained PHI, and the business associate may use the PHI only for the purposes that make return or destruction infeasible
  5. Retention Period: Records related to the BAA, including the agreement itself, correspondence, PHI inventories, and destruction certifications, are retained for a minimum of six (6) years from the date of termination
  6. Material Breach Termination: If the BAA is terminated due to a material breach by the business associate, H33 reports the breach to the affected covered entity and, if applicable, to HHS

7. BAA Inventory and Monitoring

The Privacy Official maintains a current inventory of all executed BAAs, including:

Data Element            | Description
Business Associate Name | Legal name of the business associate entity
Services Provided       | Description of the services involving PHI
BAA Execution Date      | Date the BAA was signed by all parties
BAA Expiration Date     | Expiration date or “co-terminous with service agreement”
PHI Types               | Categories of PHI the business associate may access
Review Date             | Date of most recent BAA review
Status                  | Active, Pending Renewal, Terminated

The BAA inventory is reviewed at least annually to ensure all BAAs are current and that no vendors with PHI access are operating without a BAA.

Appendix A: Sample Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is entered into by and between __________________ (“Covered Entity”) and H33.ai, Inc. (“Business Associate”), effective as of __________________ (“Effective Date”).

Article I — Definitions

Terms used but not otherwise defined in this Agreement shall have the meanings given to such terms in 45 CFR Parts 160 and 164, as amended. The following definitions apply specifically to this Agreement:

  • “Agreement” means this Business Associate Agreement.
  • “Breach” has the meaning given in 45 CFR §164.402.
  • “Business Associate” has the meaning given in 45 CFR §160.103, and in reference to this Agreement means H33.ai, Inc.
  • “Covered Entity” has the meaning given in 45 CFR §160.103, and in reference to this Agreement means the entity identified above.
  • “Designated Record Set” has the meaning given in 45 CFR §164.501.
  • “Individual” has the meaning given in 45 CFR §160.103 and includes a person who qualifies as a personal representative per 45 CFR §164.502(g).
  • “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
  • “Protected Health Information” or “PHI” has the meaning given in 45 CFR §160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
  • “Security Incident” has the meaning given in 45 CFR §164.304.
  • “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
  • “Unsecured PHI” has the meaning given in 45 CFR §164.402.

Article II — Permitted Uses and Disclosures

2.1 Business Associate may use or disclose PHI only as permitted or required by this Agreement, as required by law, or as otherwise permitted by the Privacy Rule.

2.2 Business Associate may use or disclose PHI as necessary to perform services for, or on behalf of, Covered Entity as specified in the underlying service agreement, provided such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

2.3 Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided disclosures are required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or disclosed only as required by law or for the purpose for which it was disclosed, and the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

2.4 Business Associate may de-identify PHI in accordance with 45 CFR §164.514(a)–(c) and may use de-identified information for any lawful purpose.

Article III — Obligations of Business Associate

3.1 Safeguards. Business Associate shall use appropriate safeguards, and comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.

3.2 Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR §164.410, and any Security Incident of which it becomes aware. Reports of Breaches shall be made without unreasonable delay and in no case later than sixty (60) calendar days from discovery.

3.3 Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.

3.4 Access. Business Associate shall make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.524, within fifteen (15) business days of a request.

3.5 Amendment. Business Associate shall make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR §164.526, within fifteen (15) business days of a request.

3.6 Accounting of Disclosures. Business Associate shall make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528, within thirty (30) calendar days of a request.

3.7 Books and Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.

3.8 Minimum Necessary. Business Associate shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

3.9 Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

Article IV — Obligations of Covered Entity

4.1 Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate’s use or disclosure of PHI.

4.2 Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

4.3 Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

Article V — Termination

5.1 Material Breach. A breach by Business Associate of any provision of this Agreement, if such breach is not cured within thirty (30) days of written notice from Covered Entity (or if cure is not possible), shall provide grounds for immediate termination of this Agreement and the underlying service agreement.

5.2 Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.

5.3 Survival. The obligations of Business Associate under Article V, Section 5.2 shall survive the termination of this Agreement.

Article VI — Miscellaneous

6.1 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

6.2 Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

6.3 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

6.4 No Third-Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever.

6.5 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflicts of laws principles, except to the extent preempted by federal law.

Appendix B: BAA Checklist

The following checklist is used by the Privacy Official to verify that all required and recommended provisions are included in each BAA before execution.

Required Provisions

Provision                                                       | CFR Reference
Permitted Uses and Disclosures of PHI                           | §164.504(e)(2)(i)
Minimum Necessary Standard                                      | §164.502(b)
Appropriate Safeguards (Administrative, Technical, Physical)    | §164.504(e)(2)(ii)(A)
Mitigation of Harmful Effects                                   | §164.530(f)
Reporting of Unauthorized Uses/Disclosures and Breaches         | §164.504(e)(2)(ii)(C), §164.410
Subcontractor Requirements (same restrictions as BA)            | §164.504(e)(2)(ii)(D)
Individual Access to PHI in Designated Record Set               | §164.504(e)(2)(ii)(E)
Amendment of PHI in Designated Record Set                       | §164.504(e)(2)(ii)(F)
Accounting of Disclosures                                       | §164.504(e)(2)(ii)(G)
Books and Records Available to HHS Secretary                    | §164.504(e)(2)(ii)(H)
Permitted Uses for BA Management/Administration                 | §164.504(e)(4)
Permissible Requests by Covered Entity                          | §164.504(e)(2)(i)
Termination Provisions (Material Breach + PHI Return/Destroy)   | §164.504(e)(2)(iii)

Recommended Provisions

Provision                                   | Purpose
Description of Business Activities          | Clearly define the scope of services and PHI access
Reporting of Privacy/Security Violations    | Expand reporting beyond breaches to include policy violations
Individual Authorization Procedures         | Define process for obtaining and verifying authorizations
Notice of Restrictions on PHI Use           | Mechanism for covered entity to communicate restrictions
Confidentiality Obligations                 | General confidentiality clause beyond HIPAA requirements
Insurance Requirements                      | Cyber liability and professional liability insurance minimums
Preemption Clause                           | Address state law preemption by HIPAA federal requirements
Compliance with Laws                        | General obligation to comply with all applicable laws
Indemnification                             | Allocation of liability for HIPAA violations and breaches

8. Records Retention

All BAAs, BAA-related correspondence, BAA inventories, vendor assessments, termination records, and PHI destruction certifications shall be retained for a minimum of six (6) years from the date of creation or the date of contract termination, whichever is later, per 45 CFR §164.530(j).

9. Review Schedule

This policy shall be reviewed and updated at least annually. The next scheduled review is March 2027. Interim reviews shall be triggered by changes in HIPAA regulations or HHS guidance, audit findings, incidents involving business associate non-compliance, or significant changes to H33’s vendor relationships.

Questions about this policy?

Contact the Privacy Official at security@h33.ai or the Compliance team at compliance@h33.ai.