BUSINESS ASSOCIATE AGREEMENT (BAA)
Last Updated: 12/21/2025
This Business Associate Agreement (“Agreement” or “BAA”) is entered into by and between:
(1) Covered Entity: User (“Covered Entity”; a user is defined as any individual or entity that creates an account, accesses, or uses SuperVize, whether or not such individual or entity has entered into a paid subscription), and
(2) Business Associate: SuperVize, LLC (“Business Associate”).
as of the Effective Date (the date the user/customer account was created, or the date the user/customer began using the SuperVize Services).
This BAA governs Business Associate’s handling of Protected Health Information (“PHI”) in connection with Covered Entity’s use of the SuperVize platform and services (“Services”).
This BAA is incorporated into any existing service or subscription agreement between the parties and is intended to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996, as amended, and the rules and regulations promulgated thereunder (“HIPAA”) and the provisions of the Health Information Technology for Economic and Clinical Health Act of 2009, as amended, and the rules and regulations promulgated thereunder (“HITECH” and, together with HIPAA and the HIPAA Omnibus Final Rule, the “Regulations”), including, without limitation:
- HIPAA Privacy Rule (45 C.F.R. Part 160 and Subparts A & E of Part 164)
- HIPAA Security Rule (45 C.F.R. Part 160 and Subparts A & C of Part 164)
- HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414)
1. Definitions
Unless otherwise defined in this Agreement, capitalized terms have the meaning set forth in HIPAA regulations.
- “PHI” / “Protected Health Information” means individually identifiable health information transmitted or maintained in any form or medium.
- “Electronic PHI” (ePHI) means PHI that is created, received, maintained, or transmitted electronically.
- “Breach” has the meaning defined in 45 C.F.R. § 164.402.
- “Security Incident” means attempted or successful unauthorized access, use, disclosure, modification, or destruction of information.
2. Permitted Uses and Disclosures by Business Associate
Business Associate may use and disclose PHI only as necessary to:
- Provide the Services described in the main Agreement;
- Maintain, support, or improve the functionality of the Services;
- Carry out proper management and administration;
- Perform data aggregation for Covered Entity;
- Comply with legal obligations, court orders, or regulatory requirements.
Business Associate will not use PHI to market or sell goods or services, nor will PHI be used for any purpose not permitted by the Regulations.
Business Associate may not de-identify PHI for independent commercial use, but may de-identify data on behalf of the Covered Entity if requested.
3. Responsibilities of Business Associate
Business Associate shall:
3.1 Safeguards
Implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, consistent with:
- The HIPAA Security Rule
- Industry best practices
- Written organizational policies
3.2 Mitigation
Mitigate, to the extent practicable, harmful effects caused by improper use or disclosure of PHI.
3.3 Reporting
Business Associate will:
- Report to Covered Entity any Security Incident or use/disclosure of PHI not permitted under this Agreement;
- Notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and no later than 30 days after discovery;
- Provide all information required for Covered Entity’s breach notifications (45 C.F.R. §§ 164.404–410).
3.4 Subcontractors
Business Associate may use subcontractors only if:
- The subcontractor is bound by a written agreement with restrictions no less stringent than this BAA;
- The subcontractor agrees to comply with the requirements of the Regulations applicable to business associates.
3.5 Access to PHI
Business Associate will:
- Make PHI available to the Covered Entity and to individuals (as required by 45 C.F.R. § 164.524);
- Provide access within 15 business days of request.
3.6 Amendments to PHI
Business Associate will:
- Make PHI available for amendment as required by 45 C.F.R. § 164.526;
- Incorporate any amendments at the direction of Covered Entity.
3.7 Accounting of Disclosures
Provide documentation of disclosures of PHI to allow Covered Entity to respond to requests for accounting (45 C.F.R. § 164.528).
3.8 Internal Practices
Make internal policies, practices, books, and records related to PHI available to the Secretary of HHS as required under the Regulations.
4. Permitted Uses and Disclosures by Covered Entity
Covered Entity may:
- Disclose PHI to Business Associate as necessary for the provision of Services;
- Provide Business Associate with instructions consistent with the Regulations;
- Rely on Business Associate to maintain compliance with this BAA and relevant laws.
Covered Entity will not provide PHI to Business Associate unless permitted under the Regulations.
5. Prohibitions and Restrictions
Business Associate shall not:
- Sell PHI;
- Disclose PHI to third parties except as permitted by this Agreement;
- Use PHI for any independent purpose;
- Attempt to re-identify de-identified data;
- Combine PHI with data received from other clients unless expressly permitted by Covered Entity.
6. Term and Termination
6.1 Term
This BAA remains effective until:
- The underlying Services Agreement is terminated; and
- Business Associate has destroyed or returned all PHI as required below.
6.2 Termination for Cause
Covered Entity may terminate this Agreement if Business Associate:
- Materially breaches this BAA; and
- Does not cure the breach within 30 days of receiving written notice.
6.3 Return or Destruction of PHI
Upon termination:
- Business Associate will return or securely destroy all PHI;
- If return or destruction is infeasible, Business Associate shall continue to protect the PHI according to this BAA and limit further use to those purposes that make return infeasible.
7. Liability
Liability is governed by the main service agreement between the parties.
Nothing in this BAA limits Covered Entity’s rights under the Regulations.
8. Miscellaneous
8.1 Governing Law
This BAA is governed by applicable federal Regulations and the governing law provision of the underlying service agreement (typically California).
8.2 Amendments
The parties will amend this BAA as necessary to comply with changes in the Regulations or applicable law.
8.3 Survival
All obligations relating to PHI survive termination of this Agreement.
IN WITNESS WHEREOF, the parties execute this Business Associate Agreement as of the Effective Date, which occurs upon the User’s creation of a SuperVize account or acceptance of the Agreement through use of the SuperVize Services.