Business Associate Agreement
This Business Associate Agreement ("BAA") sets out how Sagentica, operating the TrueBuddyAI service ("Business Associate"), handles Protected Health Information on behalf of a HIPAA Covered Entity ("Covered Entity"). It applies to Wellness+ and care-team deployments in which TrueBuddyAI creates, receives, maintains, or transmits Protected Health Information for the Covered Entity.
This page is Sagentica's standard BAA form. It becomes a binding agreement only when executed by an authorized representative of both the Covered Entity and Sagentica. For consumer use by individuals and families who are not Covered Entities, no BAA is required; the Privacy Policy and Terms of Service govern.
1. Definitions
Capitalized terms not defined here have the meaning given in the HIPAA Rules at 45 CFR Parts 160 and 164. "Protected Health Information" (PHI) means individually identifiable health information handled by Business Associate for Covered Entity. "Electronic PHI" (ePHI), "Security Incident", and "Breach" have the meanings given in the HIPAA Rules.
2. Permitted uses and disclosures
- Business Associate may use and disclose PHI only as necessary to provide the Service to Covered Entity, as permitted by this BAA, or as Required by Law.
- Business Associate will limit uses and disclosures to the minimum necessary to accomplish the intended purpose.
- Business Associate may use PHI for its own proper management and administration and to carry out its legal responsibilities, as permitted under 45 CFR 164.504(e).
3. Prohibited uses
Business Associate will not sell PHI, and will not use or disclose PHI for marketing, fundraising, or any purpose that would violate the HIPAA Rules if done by the Covered Entity.
4. Safeguards
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, consistent with the HIPAA Security Rule. This includes encryption of ePHI in transit and at rest, access controls, and audit logging.
5. Subcontractors
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and conditions at least as restrictive as those in this BAA.
6. Reporting
- Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware.
- Business Associate will report any Security Incident and will notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay, and no later than the timeframe required by the HIPAA Rules.
7. Individual rights
Business Associate will make PHI available to enable Covered Entity to meet its obligations regarding individuals' rights of access, amendment, and an accounting of disclosures, as required by 45 CFR 164.524, 164.526, and 164.528.
8. Availability to HHS
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
9. Term and termination
This BAA is effective on the date both parties execute it and continues until the underlying Service ends or it is terminated. Covered Entity may terminate this BAA if Business Associate breaches a material term and fails to cure within a reasonable period after notice.
10. Return or destruction of PHI
On termination, Business Associate will return or destroy all PHI it maintains for Covered Entity, if feasible. Where return or destruction is not feasible, Business Associate will extend the protections of this BAA to that PHI and limit further uses and disclosures for as long as it is retained.
11. Amendment
The parties agree to amend this BAA as necessary for the parties to comply with changes to the HIPAA Rules.
12. Interpretation
Any ambiguity in this BAA will be interpreted to permit compliance with the HIPAA Rules. This BAA does not create any third-party beneficiary rights.
13. Contact
To request an executable copy or discuss a covered deployment: compliance@truebuddyai.com.