Business Associate Agreement
How providers accept this agreement
Providers accept this Business Associate Agreement by checking the acknowledgment box during account registration. This page is the reference copy of the agreement in effect. Questions: alex@headachevault.com
This Business Associate Agreement (“Agreement”) is entered into between The Headache Vault, LLC, a Pennsylvania limited liability company (“Business Associate”), and the healthcare provider or covered entity registering for the platform (“Covered Entity”).
Business Associate provides a clinical platform for prior authorization automation, patient engagement, and outcomes tracking. In performing these services, Business Associate may create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of Covered Entity. The parties enter into this Agreement to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), and its implementing regulations at 45 CFR Parts 160 and 164.
Section 1: Definitions
Terms used but not otherwise defined in this Agreement have the meanings given in HIPAA and its implementing regulations, including 45 CFR Parts 160 and 164. Key terms:
Section 2: Permitted Uses and Disclosures of PHI
Business Associate may use and disclose PHI only as necessary to perform the services described in the platform Terms of Service, or as Required by Law.
Business Associate may use PHI for the proper management and administration of Business Associate's operations, or to carry out Business Associate's legal responsibilities.
Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used only for the purpose for which it was disclosed.
Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity, as permitted under 45 CFR 164.504(e)(2)(i)(B).
Business Associate may de-identify PHI in accordance with 45 CFR 164.514(b), provided that de-identified information is no longer PHI and may be used without restriction under this Agreement.
Section 3: Obligations of Business Associate
Safeguards. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI (ePHI), as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C).
Minimum Necessary. Business Associate shall use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose.
Subcontractors. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to restrictions and conditions at least as stringent as those that apply to Business Associate under this Agreement, in accordance with 45 CFR 164.504(e)(2)(ii)(D). Current subcontractors with executed BAAs: Anthropic, PBC; Vercel, Inc. Supabase BAA pending execution.
Reporting. Business Associate shall report to Covered Entity: (a) Any Breach of Unsecured PHI without unreasonable delay and no later than 60 days after discovery, in accordance with 45 CFR 164.410; (b) Any Security Incident of which Business Associate becomes aware, without unreasonable delay.
Access. Business Associate shall make available PHI in a designated record set to Covered Entity as necessary to fulfill Covered Entity's obligations under 45 CFR 164.524.
Amendment. Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity pursuant to 45 CFR 164.526.
Accounting. Business Associate shall document and make available information required for Covered Entity to provide an accounting of disclosures as required by 45 CFR 164.528.
Government Access. Business Associate shall make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with HIPAA.
Employees and Agents. Business Associate shall ensure that members of its workforce with access to PHI are trained on HIPAA requirements and are bound by confidentiality obligations consistent with this Agreement.
Section 4: Obligations of Covered Entity
Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that would affect Business Associate's use or disclosure of PHI.
Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such changes affect Business Associate's permitted or required uses or disclosures.
Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.
Section 5: Term and Termination
Term. This Agreement is effective upon Covered Entity's acceptance during account registration and remains in effect until the provider account is terminated or the Agreement is otherwise terminated.
Termination for Cause. Either party may terminate this Agreement immediately upon written notice if the other party materially breaches any provision and fails to cure the breach within 30 days of receiving written notice.
Effect of Termination. Upon termination, Business Associate shall, at Covered Entity's election, return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall continue to protect the PHI and limit further use or disclosure. Business Associate shall certify in writing that all PHI has been returned or destroyed.
Section 6: Miscellaneous
Regulatory References. A reference in this Agreement to a section of HIPAA means the section as in effect or as amended.
Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time to comply with the requirements of HIPAA and any other applicable law.
Survival. The obligations of Business Associate under Section 5.3 shall survive termination of this Agreement.
Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.
Governing Law. This Agreement shall be governed by the laws of the Commonwealth of Pennsylvania, without regard to conflict of law provisions, except to the extent preempted by federal law.
Entire Agreement. This Agreement, together with the platform Terms of Service, constitutes the entire agreement between the parties regarding the subject matter herein.
Contact
The Headache Vault, LLC
Attn: Privacy Officer
alex@headachevault.com
This document is a draft pending attorney review. Not legal advice.