HIPAA Business Associate Agreement
Last Updated: Jan 22, 2026
HIPAA BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA") is entered into between ("Covered Entity")
And Business Associate: Syntari International, Inc. ("Business Associate")
This BAA supplements and is incorporated into the Master Services Agreement or Terms of Service ("Underlying Agreement") between the parties.
RECITALS
WHEREAS, Covered Entity is a "covered entity" as defined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and regulations promulgated thereunder;
WHEREAS, Business Associate provides services to Covered Entity that involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI");
WHEREAS, the parties wish to comply with HIPAA and the Health Information Technology for Economic and Clinical Health Act ("HITECH");
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:
DEFINITIONS
Terms used in this BAA shall have the meanings set forth in HIPAA regulations (45 CFR Parts 160 and 164), unless otherwise defined herein.
1.1 "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 CFR 164.402.
1.2 "Designated Record Set" means a group of records maintained by or for Covered Entity that includes medical and billing records, enrollment, payment, claims adjudication, and case or medical management record systems.
1.3 "Electronic Protected Health Information (ePHI)" means PHI that is transmitted or maintained in electronic media.
1.4 "Individual" means the person who is the subject of PHI.
1.5 "Protected Health Information (PHI)" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR 160.103.
1.6 "Required By Law" has the meaning set forth in 45 CFR 164.103.
1.7 "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304.
1.8 "Subcontractor" means a person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of Business Associate's workforce.
OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as follows:
(a) As necessary to perform services under the Underlying Agreement
(b) As Required By Law
(c) For the proper management and administration of Business Associate, provided:
  • Disclosure is Required By Law; or
  • Business Associate obtains reasonable assurances from the recipient that:
    • PHI will be held confidentially
    • PHI will be used or disclosed only as Required By Law or for the purpose for which it was disclosed
    • Recipient will notify Business Associate of any Breach
2.2 Prohibited Uses and Disclosures
Business Associate shall NOT:
(a) Use or disclose PHI other than as permitted or required by this BAA
(b) Use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity
(c) Use PHI for marketing purposes without Individual authorization
(d) Sell PHI without Individual authorization
(e) Use or disclose genetic information for underwriting purposes
2.3 Safeguards
Business Associate shall implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, including:
2.3.1 Administrative Safeguards
| Requirement | Implementation |
|---|---|
| Security Management | Risk analysis, risk management, sanction policy, information system activity review |
| Assigned Responsibility | Designated HIPAA Security Officer and Privacy Officer |
| Workforce Security | Authorization and supervision procedures, workforce clearance, termination procedures |
| Information Access | Access authorization, access establishment and modification |
| Security Awareness | Security training, login monitoring, password management |
| Security Incident Procedures | Response and reporting procedures (see Section 2.6) |
| Contingency Plan | Data backup, disaster recovery, emergency mode operation |
| Evaluation | Periodic technical and non-technical evaluation |
2.3.2 Physical Safeguards
| Requirement | Implementation |
|---|---|
| Facility Access | Access controls, validation procedures, maintenance records |
| Workstation Use | Policies and procedures for proper workstation use |
| Workstation Security | Physical safeguards restricting access |
| Device and Media Controls | Disposal, media re-use, accountability, data backup |
2.3.3 Technical Safeguards
| Requirement | Implementation |
|---|---|
| Access Control | Unique user identification, emergency access, automatic logoff, encryption/decryption |
| Audit Controls | Hardware, software, and procedural mechanisms to record and examine access |
| Integrity Controls | Electronic mechanisms to authenticate ePHI |
| Authentication | Procedures to verify identity |
| Transmission Security | Integrity controls, encryption for transmission |
2.3.4 Syntari-Specific Security Measures
• Authentication: JWT tokens, TOTP multi-factor authentication, OAuth2 integration
• Access Control: Role-based access control (RBAC) with 50+ granular permissions
• Audit Logging: Syntari Audit Service with 7-year retention, comprehensive event tracking
• Encryption: TLS 1.3 in transit, AES-256 at rest
• Data Protection: DLP service with PII detection, input validation
• Session Management: Automatic session timeout, token revocation
2.4 Minimum Necessary
Business Associate shall limit use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, except when:
(a) Disclosing to or requesting from a health care provider for treatment
(b) Making disclosures to an Individual about their own PHI
(c) Making disclosures authorized by an Individual
(d) Making disclosures to HHS for compliance enforcement
(e) Disclosure is Required By Law
(f) Disclosure is required for compliance with HIPAA
2.5 Subcontractors
Business Associate shall:
(a) Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI agrees in writing to the same restrictions and conditions that apply to Business Associate under this BAA
(b) Maintain a list of Subcontractors with access to PHI (see Schedule A)
(c) Be responsible for the acts or omissions of Subcontractors
2.6 Security Incident and Breach Notification
2.6.1 Security Incident Notification
Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. Business Associate shall:
• Report successful Security Incidents within 48 hours of discovery
• Provide monthly aggregate reports of unsuccessful Security Incidents upon request
2.6.2 Breach Notification
Business Associate shall report to Covered Entity any Breach of Unsecured PHI within 30 days of discovery. The notification shall include:
(a) Identification of each Individual whose PHI was involved
(b) A description of the nature of the Breach, including:
  • Types of PHI involved
  • Date of Breach (if known)
  • Date of discovery
(c) A description of what Business Associate is doing to investigate, mitigate harm, and prevent recurrence
(d) Any other information Covered Entity is required to include in notification to Individuals
2.6.3 Investigation and Mitigation
Business Associate shall:
(a) Conduct a thorough investigation of any Breach
(b) Mitigate harmful effects to the extent practicable
(c) Cooperate with Covered Entity's investigation
(d) Provide additional information as reasonably requested
2.7 Individual Rights
Business Associate shall:
2.7.1 Access (45 CFR 164.524)
Upon Covered Entity's request, make PHI available for access by Individuals within 30 days or as otherwise required.
2.7.2 Amendment (45 CFR 164.526)
Make PHI available for amendment and incorporate amendments upon Covered Entity's instruction.
2.7.3 Accounting of Disclosures (45 CFR 164.528)
Document disclosures of PHI and make information available for accounting:
• Disclosures made during prior six years (or since BAA effective date if shorter)
• For each disclosure: date, recipient name/address, description of PHI, purpose
• Provide within 60 days of request
• First accounting in 12 months at no charge
Business Associate shall maintain systems capable of producing such accounting, including the Syntari Audit Service.
2.7.4 Restrictions (45 CFR 164.522)
Comply with requests for restrictions that Covered Entity has agreed to.
2.8 HHS Access
Business Associate shall make internal practices, books, and records relating to use and disclosure of PHI available to the Secretary of HHS for determining compliance.
2.9 Documentation
Business Associate shall:
(a) Document compliance efforts
(b) Maintain policies and procedures in written form
(c) Retain documentation for 6 years from date of creation or last effective date
(d) Make documentation available to those responsible for implementing procedures
OBLIGATIONS OF COVERED ENTITY
3.1 Notice of Privacy Practices
Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.
3.2 Permission Changes
Covered Entity shall notify Business Associate of any changes to or revocation of Individual permissions that may affect Business Associate's use or disclosure of PHI.
3.3 Restrictions
Covered Entity shall notify Business Associate of any restrictions to the use or disclosure of PHI that Covered Entity has agreed to that may affect Business Associate's use or disclosure of PHI.
3.4 Permissible Requests
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
TERM AND TERMINATION
4.1 Term
This BAA shall commence on the Effective Date and continue until the earlier of:
(a) Termination of the Underlying Agreement
(b) Termination as provided herein
4.2 Termination for Breach
Either party may terminate this BAA if the other party materially breaches this BAA and fails to cure within 30 days of written notice, or immediately if cure is not possible.
4.3 Effect of Termination
Upon termination, Business Associate shall:
(a) Return or destroy all PHI in its possession, including PHI held by Subcontractors
(b) Retain no copies of PHI except as necessary for Business Associate's proper management and administration or as Required By Law
(c) If return or destruction is not feasible, extend the protections of this BAA to the PHI and limit further uses and disclosures
4.4 Survival
The obligations of Business Associate under Section 4.3 shall survive termination.
MISCELLANEOUS
5.1 Regulatory References
References to HIPAA regulations mean such regulations as amended from time to time. This BAA shall be interpreted in accordance with HIPAA and HITECH as amended.
5.2 Amendment
This BAA may not be amended except in writing signed by both parties. The parties agree to amend this BAA as necessary to comply with HIPAA requirements.
5.3 No Third-Party Beneficiaries
Nothing in this BAA shall confer upon any person other than the parties any rights or remedies.
5.4 Interpretation
Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.
5.5 Governing Law
This BAA shall be governed by federal law and, to the extent applicable, the laws of the state specified in the Underlying Agreement.
5.6 Indemnification
Business Associate shall indemnify and hold harmless Covered Entity from any claims, losses, or damages arising from Business Associate's breach of this BAA or violation of HIPAA, except to the extent caused by Covered Entity's acts or omissions.
5.7 Entire Agreement
This BAA, together with the Underlying Agreement, constitutes the entire agreement between the parties with respect to its subject matter.
