

Business Associate Agreement.

This is the standard Business Associate Agreement that Conceptual Healthcare Corporation executes with every Covered Entity under 45 CFR Parts 160 and 164. Read it before signing; if anything reads as ambiguous, write legal@conceptualhealth.com. Your countersigned copy is available in your enterprise compliance dashboard the moment it is signed. Template version 2026.05. Last reviewed by Privacy Officer: 1 May 2026.

1 · Definitions

Who, what, on whose behalf.

"Business Associate" means Conceptual Healthcare Corporation, its flagship clinic, and any subsidiary providing services to the Covered Entity. "Covered Entity" means the party executing this agreement. "PHI" means Protected Health Information as defined at 45 CFR §160.103, received from or created on behalf of Covered Entity. Other capitalized terms have the meaning given them under HIPAA, the HITECH Act, and implementing regulations.

2 · Permitted uses and disclosures

Treatment, payment, healthcare operations only.

Business Associate may use and disclose PHI solely for the purposes of providing the services in the underlying agreement: treatment coordination, payment processing, and the healthcare operations of Covered Entity. PHI is restricted to that received from or created on behalf of the Covered Entity. The following are prohibited, irrespective of any other permission: sale of PHI; marketing use of PHI; training any artificial-intelligence model on PHI without separate written authorization; re-identification of de-identified data.

3 · Safeguards

Administrative, physical, technical — all of them.

Business Associate implements administrative, physical, and technical safeguards reasonably and appropriately to protect PHI in conformity with the HIPAA Security Rule (45 CFR §§164.308, 164.310, 164.312, 164.316). Specifically: AES-256-GCM encryption at rest; TLS 1.3 in transit; FIPS 140-3-validated KMS; access reviews quarterly; immutable audit logs anchored to the public CH Chain. Full technical detail at /legal/security-whitepaper/.

4 · Reporting and breach notification

Within one hour. Without exception.

Business Associate will notify Covered Entity of any breach of unsecured PHI within one hour of confirmation — substantially faster than the 60-day statutory maximum at 45 CFR §164.410. Notice will include all information required by §164.410(c) to the extent known at the time, with subsequent updates as additional information becomes available. Business Associate will cooperate with Covered Entity's notification obligations to individuals and to the Secretary of HHS.

5 · Subcontractors

Each one BAA-bound. List public. 30-day notice on change.

Business Associate will not use any subcontractor that receives, creates, or maintains PHI on its behalf unless the subcontractor has signed a written agreement containing the same restrictions and conditions as this BAA. The current subprocessor list is published at /compliance/threaded/#subprocessors and updated within 30 days of any change.

6 · Access, amendment, accounting

10 days. 10 days. Real time in the app.

Business Associate will make PHI available to Covered Entity for the purpose of meeting Covered Entity's obligations under §§164.524 (access) and 164.526 (amendment) within 10 business days of a written request. Accounting of disclosures under §164.528 is exposed in real time to the individual through the patient app and is available to Covered Entity within 30 days of written request. Retention of accounting records: six years.

7 · Audit and attestation

SOC 2 Type II. HITRUST CSF v11. Annual letter.

Business Associate maintains SOC 2 Type II and HITRUST CSF v11 attestations (once those engagements complete) and delivers an annual written attestation of compliance with 45 CFR Part 164. Covered Entity may conduct one audit per calendar year on 30 days' written notice, scoped to BAA performance and conducted under reasonable confidentiality and security constraints. For the status of current attestations, see /trust/attestations/.

8 · Term and termination

Coterminous with the underlying agreement.

This BAA runs coterminous with the underlying services agreement. Covered Entity may terminate this BAA for material breach by Business Associate with 30 days' written notice and an opportunity to cure (where cure is feasible). Termination of this BAA terminates the underlying agreement to the extent the agreement requires lawful processing of PHI.

9 · Return or destruction of PHI

Cryptographic shredding within 10 business days.

On termination, Business Associate will return or destroy all PHI in its possession or control. Destruction is performed by cryptographic shredding (overwrite of the data-encryption key) and confirmed in writing within 10 business days. If return or destruction is infeasible (for example, regulatory retention obligations), the protections of this BAA extend to that PHI for as long as Business Associate retains it.

10 · Indemnification and insurance

$10M per occurrence. Covered Entity named on request.

Business Associate maintains cyber-liability and errors-and-omissions insurance with limits of not less than $10,000,000 per occurrence. Covered Entity will be named as an additional insured on the cyber-liability policy on written request. Indemnification provisions follow the underlying services agreement.

11 · Miscellaneous

Florida law. Modifications in writing.

This BAA is governed by the laws of the State of Florida. Modifications require a written amendment signed by both parties. If any provision is held invalid, the remaining provisions stay in effect. This BAA is incorporated into and made part of the underlying services agreement.

12 · Signature block

Pre-signed by the Business Associate. Counter-signed by you.

Business Associate
By: Maria R. Lahti, MD
Title: Chief Medical Officer & Privacy Officer
Date: 1 May 2026

Covered Entity
By: ___________________________
Name: ___________________________
Title: ___________________________
Date: ___________________________

Sign or ask

Sign in to your enterprise dashboard to counter-sign.

Enterprise customers counter-sign from inside the compliance dashboard, where the executed copy lives the moment it's signed. Questions about clauses, alternative-form requests, or any redlines: legal@conceptualhealth.com.