Business Associate Agreement

Our standard BAA — the contract HIPAA requires between Auxo (Business Associate) and your facility (Covered Entity) before we handle any Protected Health Information on your behalf.

Last updated · April 16, 2026

Effective Date: [DATE]
Parties: Auxo Health Solutions ("Business Associate") and [CUSTOMER NAME] ("Covered Entity")
Version: 1.0 DRAFT

⚠️ DRAFT — COUNSEL REVIEW REQUIRED. This BAA template is based on the HHS Sample Business Associate Agreement Provisions (https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/) and incorporates 2024 and 2025 regulatory updates (Part 2 alignment, reproductive health care final rule). Have counsel review and customize before execution.


Recitals

A. Covered Entity and Business Associate have entered into a Services Agreement (the "Underlying Agreement") under which Business Associate provides software and services to Covered Entity.

B. In connection with the Underlying Agreement, Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity, making Business Associate a "business associate" under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 and the Omnibus Final Rule of 2013 (collectively, "HIPAA"), and implementing regulations at 45 CFR Parts 160 and 164.

C. Covered Entity operates (or contracts with a "Part 2 Program" as defined at 42 CFR § 2.11) a substance use disorder treatment program. Records originating in such a program are "Part 2 Records" subject to the additional protections of 42 CFR Part 2.

D. The parties enter into this Business Associate Agreement ("BAA") to comply with HIPAA and to qualify Business Associate as a "Qualified Service Organization" under 42 CFR § 2.11 with respect to Part 2 Records.

1. Definitions

Capitalized terms used but not defined herein have the meanings set out in HIPAA and 42 CFR Part 2. In addition:

  • "Breach" — as defined at 45 CFR 164.402.
  • "Part 2 Records" — records subject to 42 CFR Part 2.
  • "Security Incident" — as defined at 45 CFR 164.304.
  • "Services" — the services performed by Business Associate under the Underlying Agreement.
  • "Subcontractor" — a person or entity to whom Business Associate delegates a function, activity, or service involving PHI.
  • "Unsecured PHI" — PHI not rendered unusable, unreadable, or indecipherable per HHS guidance (45 CFR 164.402, 74 FR 19006, 74 FR 42740, as updated).

2. Permitted Uses and Disclosures

2.1 Performance of Services

Business Associate may use and disclose PHI only (i) to perform the Services as required by the Underlying Agreement, (ii) as expressly permitted by this BAA, (iii) as required by law, or (iv) as expressly directed in writing by Covered Entity.

2.2 Business Associate Operations

Business Associate may use PHI for its own proper management and administration and to carry out its legal responsibilities, provided that any disclosure for such purposes is (i) required by law, or (ii) made after Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used only for the purposes disclosed, and that any Breach of confidentiality will be reported to Business Associate.

2.3 Data Aggregation

Business Associate may provide data aggregation services relating to the health care operations of Covered Entity, as permitted by 45 CFR 164.504(e)(2)(i)(B).

2.4 De-Identification

Business Associate may de-identify PHI per 45 CFR 164.514(a)-(c). De-identified data is not PHI and is not subject to this BAA.

2.5 Prohibitions

Business Associate will not:

  • Use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity
  • Sell PHI without authorization (45 CFR 164.502(a)(5)(ii))
  • Use or disclose PHI for marketing without authorization
  • Use or disclose PHI for fundraising
  • Use PHI to train foundation AI or ML models (any AI subprocessor must contract for zero data retention for Auxo's account)
  • Use or disclose Part 2 Records for any purpose not authorized by 42 CFR Part 2

3. Safeguards

Business Associate will:

(a) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, including compliance with 45 CFR 164.308, 164.310, and 164.312.

(b) Encrypt ePHI at rest (AES-256 or stronger) and in transit (TLS 1.2 or stronger).

(c) Require MFA for all workforce access to ePHI.

(d) Maintain audit logs of access to ePHI for a minimum of six (6) years.

(e) Conduct an annual security risk analysis and maintain a current risk management plan.

(f) Annually test disaster recovery and backup restoration procedures.

(g) Upon Covered Entity's reasonable written request (no more than once per 12 months, unless required by an actual or suspected Breach), provide a written summary or SOC 2 Type II report describing Business Associate's safeguards.

4. Minimum Necessary

Business Associate will limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose, consistent with 45 CFR 164.502(b) and HHS guidance.

5. Reporting

5.1 Breach Notification

Business Associate will notify Covered Entity without unreasonable delay and in no event later than ten (10) calendar days after Business Associate discovers a Breach of Unsecured PHI. Notice will include, to the extent known:

  • A description of what happened
  • The types of PHI involved
  • A description of individuals affected (or a count and class of individuals if names are not readily available)
  • Steps Business Associate has taken to investigate and mitigate
  • Contact information for Business Associate's Privacy or Security Officer

Business Associate will cooperate with Covered Entity's breach response, including assisting with the HHS breach log, risk assessment under 45 CFR 164.402(2), and notifications to individuals, HHS, and media as required.

5.2 Security Incidents

Business Associate will report Security Incidents involving PHI to Covered Entity within ten (10) calendar days of discovery. Unsuccessful Security Incidents (such as blocked port scans, denied authentication attempts, and pings) are deemed reported by the existence of this paragraph and do not require individual notification.

5.3 Impermissible Use or Disclosure

Business Associate will report any use or disclosure of PHI not permitted by this BAA to Covered Entity within ten (10) calendar days of discovery.

6. Subcontractors

Business Associate will ensure that every Subcontractor that creates, receives, maintains, or transmits PHI on Business Associate's behalf has executed a BAA with Business Associate that contains substantially the same restrictions and conditions as this BAA. A current list of Subcontractors is maintained at https://app.auxohealthsolutions.com/legal/sub-processors. Business Associate will notify Covered Entity in advance of adding a Subcontractor that processes PHI.

7. Access, Amendment, and Accounting

7.1 Access (45 CFR 164.524)

Business Associate will, within fifteen (15) business days of a Covered Entity request, make available to Covered Entity (or to an individual as Covered Entity directs) the PHI in Business Associate's designated record set. For Covered Entities subject to Texas Health & Safety Code § 181.102, Business Associate will provide PHI in the electronic format requested by the individual.

7.2 Amendment (45 CFR 164.526)

Business Associate will, within thirty (30) days of a Covered Entity request, make amendments to PHI in the designated record set as directed by Covered Entity.

7.3 Accounting of Disclosures (45 CFR 164.528; 42 CFR § 2.25)

Business Associate will maintain a record of disclosures of PHI (including TPO disclosures for Part 2 Records, per 42 CFR § 2.25) for six (6) years and will provide such records to Covered Entity within thirty (30) days of a request. For Part 2 Records, the accounting period is three (3) years of TPO disclosures.

7.4 Restrictions (45 CFR 164.522; 42 CFR § 2.24)

Business Associate will honor Covered Entity-approved patient restrictions communicated in writing to Business Associate.

8. Access by Covered Entity's Patients

Business Associate does not operate as a Covered Entity and does not publish a Notice of Privacy Practices. Patient rights are exercised through Covered Entity.

9. 42 CFR Part 2 — Part 2 Records

9.1 Qualified Service Organization Agreement

The parties enter this BAA also as the Qualified Service Organization Agreement required by 42 CFR § 2.11. Business Associate acknowledges that:

  • It is fully bound by the provisions of 42 CFR Part 2 regarding the receipt, use, and redisclosure of Part 2 Records
  • It will resist in judicial proceedings any efforts to obtain access to Part 2 Records except as expressly permitted by 42 CFR Part 2

9.2 Consents and Recipient Notice

Business Associate will honor patient consents that meet 42 CFR § 2.31 as communicated to Business Associate by Covered Entity, and will attach the recipient notice required by 42 CFR § 2.32 to outbound disclosures of Part 2 Records.

9.3 Segregation and Tagging

Business Associate will tag Part 2 Records in the Services to enable tracking of applicable consents, redisclosure restrictions, and the prohibition on use in proceedings against the patient under 42 CFR § 2.12(a)(2).

9.4 Prohibited Uses

Business Associate will not use or disclose Part 2 Records in any civil, criminal, administrative, or legislative proceeding against the patient absent the patient's express written consent or a court order meeting the standards of 42 CFR §§ 2.63–2.67.

10. Reproductive Health Care

Consistent with the April 2024 final rule (45 CFR § 164.509), Business Associate will not use or disclose PHI for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care. Business Associate will obtain and maintain attestations required by § 164.509 before disclosures for health oversight, judicial/administrative proceedings, law enforcement, or coroner/medical examiner purposes that potentially relate to reproductive health care.

11. HHS Availability

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for the purpose of determining Covered Entity's compliance with HIPAA.

12. Term and Termination

12.1 Term

This BAA is effective on the Effective Date and continues until the Underlying Agreement terminates or is terminated earlier under Section 12.2.

12.2 Termination for Breach

Covered Entity may terminate this BAA and the Underlying Agreement if it determines that Business Associate has violated a material term of this BAA and Business Associate has failed to cure such violation within thirty (30) days after written notice.

12.3 Return or Destruction of PHI

Upon termination, Business Associate will return or destroy all PHI, including copies held by Subcontractors. If return or destruction is infeasible, Business Associate will extend the protections of this BAA to the retained PHI, limit further uses and disclosures to those purposes making the return or destruction infeasible, and destroy the PHI when reasonably feasible. Data export window is sixty (60) days; active-system deletion is within ninety (90) days after the export window; backup-media destruction is within one hundred eighty (180) days of termination on Business Associate's standard rotation. Business Associate will provide a written certificate of destruction on Covered Entity's request.

13. Miscellaneous

13.1 Compliance with Law

Each party will comply with HIPAA, 42 CFR Part 2, the Texas Medical Records Privacy Act, and other applicable law.

13.2 Regulatory Changes

The parties will amend this BAA as necessary to comply with changes in HIPAA or Part 2, including implementing the finalized HIPAA Security Rule, the 2024 Reproductive Health Care rule, and any pending rules.

13.3 Interpretation

This BAA is to be interpreted in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA and Part 2.

13.4 Conflict

In case of conflict between this BAA and the Underlying Agreement with respect to PHI, this BAA controls.

13.5 Indemnification

Business Associate's indemnification obligations for Breaches of Unsecured PHI are set out in the Underlying Agreement.

13.6 No Third-Party Beneficiaries

No third-party beneficiaries.


Accepted:

Business Associate — Auxo Health Solutions

By: ___________________________
Name:
Title:
Date:

Covered Entity — [CUSTOMER NAME]

By: ___________________________
Name:
Title:
Date: