Business Associate Agreement

This Business Associate Agreement ("BAA") governs TrustRoom's obligations, as a Business Associate, regarding Protected Health Information (PHI) under HIPAA.

Last updated: [Date]

This is a reference copy. The executed BAA is signed electronically during provider onboarding.

1. Definitions

[Content to be added — Define Business Associate, Covered Entity, PHI, Electronic PHI, Security Incident, Breach, and other HIPAA-specific terms.]

2. Obligations of Business Associate

[Content to be added — Use and disclosure limitations, safeguards, reporting obligations, subcontractor requirements, access to PHI, and compliance with HIPAA Security Rule.]

3. Permitted Uses and Disclosures

[Content to be added — Services performed on behalf of Covered Entity, data aggregation, de-identification, management and administration, and legal responsibilities.]

4. Obligations of Covered Entity

[Content to be added — Notice of privacy practices, permissions and restrictions, permissible requests.]

5. Breach Notification

[Content to be added — Notification timelines (HIPAA requires notice without unreasonable delay and no later than 60 calendar days after discovery of a breach; the executed BAA may set a shorter contractual deadline), content of notification, cooperation requirements, and mitigation obligations.]

6. Term and Termination

[Content to be added — Term, termination for cause, effect of termination, return or destruction of PHI, and surviving obligations.]

7. Miscellaneous

[Content to be added — Regulatory references, amendment, interpretation, governing law, and no third-party beneficiaries.]