— Preview · 2026-05-18-v1

This is the full BAA text you’ll sign during onboarding. Placeholders in curly braces are replaced with your practice details before signing.

HIPAA Business Associate Agreement

Version: 2026-05-18-v1 · Effective: June 17, 2026

This Business Associate Agreement (the “Agreement”) is entered into between {Your practice name} (“Covered Entity”), located at {Your practice address}, and Earle Doudera, doing business as The Bowerbirds, with a place of business in Riverside, California (“Business Associate”).

1. Purpose

The parties acknowledge that Business Associate provides services to Covered Entity that involve the use and disclosure of Protected Health Information (“PHI”), as that term is defined at 45 CFR § 160.103. This Agreement is intended to ensure that Business Associate establishes and maintains appropriate safeguards for PHI as required by the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”).

2. Definitions

Capitalized terms used but not otherwise defined have the meanings ascribed to them in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164 (the “HIPAA Rules”).

3. Permitted Uses and Disclosures

  1. Business Associate may use or disclose PHI only as necessary to perform the services described in the agreement between Covered Entity and Business Associate, or as Required by Law.
  2. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that disclosures are Required by Law or Business Associate obtains reasonable assurances from the receiving party that the PHI will be held confidentially.
  3. Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
  4. Business Associate may de-identify PHI in accordance with 45 CFR § 164.514 and use the de-identified information for product analytics and improvement.
  5. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the HIPAA Rules if so used or disclosed by Covered Entity.
  6. Business Associate shall not sell PHI or use PHI for marketing as those terms are defined in the HIPAA Rules.

4. Obligations of Business Associate

  1. Safeguards. Business Associate shall implement appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement, including those set forth in 45 CFR Part 164, Subpart C (the Security Rule).
  2. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this Agreement.
  3. Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, any Security Incident of which Business Associate becomes aware, and any Breach of Unsecured PHI as defined in 45 CFR § 164.402, without unreasonable delay and no later than thirty (30) calendar days after discovery.
  4. Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to substantially the same restrictions that apply to Business Associate.
  5. Access. Business Associate shall make PHI available to Covered Entity as necessary for Covered Entity to satisfy individuals’ rights of access under 45 CFR § 164.524.
  6. Amendment. Business Associate shall make amendments to PHI as directed by Covered Entity pursuant to 45 CFR § 164.526.
  7. Accounting. Business Associate shall maintain and make available the information required to provide an accounting of disclosures pursuant to 45 CFR § 164.528.
  8. Audit. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Rules.
  9. Minimum Necessary. Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose, consistent with 45 CFR § 164.502(b).

5. Obligations of Covered Entity

  1. Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate’s use or disclosure of PHI.
  2. Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to with an individual.
  3. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

6. Term and Termination

  1. This Agreement is effective on the Effective Date above and continues for as long as Business Associate maintains PHI on behalf of Covered Entity.
  2. Either party may terminate this Agreement for cause if the other party has materially breached this Agreement and has not cured the breach within thirty (30) days of written notice.
  3. Upon termination, Business Associate shall return or destroy all PHI received from, or created or received on behalf of, Covered Entity. If return or destruction is infeasible, Business Associate shall continue to extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

7. Miscellaneous

  1. Regulatory References. A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or as amended.
  2. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the HIPAA Rules.
  3. Survival. The respective rights and obligations of Business Associate regarding the protection of PHI shall survive the termination of this Agreement.
  4. Interpretation. Any ambiguity shall be interpreted to permit compliance with the HIPAA Rules.
  5. Governing Law. This Agreement is governed by the laws of the State of California, without regard to its conflict-of-laws principles.

8. Signatures

By executing this Agreement, each party represents that it has full authority to enter into and be bound by its terms. Each party intends that an electronic signature complying with applicable law shall have the same legal effect as a handwritten signature.

← Back to The Bowerbirds