TEMPLATE FOR LEGAL REVIEW — This document is a template Business Associate Agreement prepared for NonoShad, Inc. It must be reviewed and approved by qualified legal counsel before execution. Variable fields for your practice are indicated with [brackets]. This template was last updated April 8, 2026 and should be reviewed periodically to ensure compliance with current HIPAA regulations and applicable state law.
Effective Date: April 8, 2026
This Business Associate Agreement (“BAA” or “Agreement”) is entered into as of April 8, 2026 (the “Effective Date”) by and between:
[Your Practice Name], a [Your State of Incorporation] [Your Entity Type (e.g., professional corporation, LLC)], with its principal place of business at [Your Address] (“Covered Entity”),
and
NonoShad, Inc., a Delaware corporation, with its principal place of business at Address on file (“Business Associate”).
Covered Entity and Business Associate are each referred to herein as a “Party” and collectively as the “Parties.”
WHEREAS, Covered Entity is a “covered entity” as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and the regulations promulgated thereunder at 45 CFR Parts 160 and 164 (collectively, the “HIPAA Rules”);
WHEREAS, Business Associate provides an artificial intelligence-powered voice agent platform (“Platform” or “Services”) that answers telephone calls on behalf of Covered Entity's medical practice, including but not limited to appointment scheduling, patient intake, prescription refill requests, and general office inquiries;
WHEREAS, in the course of providing the Services, Business Associate will Create, Receive, Maintain, or Transmit Protected Health Information on behalf of Covered Entity;
WHEREAS, the Parties desire to enter into this Agreement to comply with the requirements of 45 CFR Section 164.504(e) and to establish the permitted and required uses and disclosures of Protected Health Information by Business Associate;
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1.1 Capitalized terms used in this Agreement and not otherwise defined herein shall have the meanings ascribed to them in the HIPAA Rules, including but not limited to 45 CFR Sections 160.103 and 164.501.
1.2 The following definitions apply to this Agreement:
(a) “Breach” shall have the meaning given to such term under 45 CFR Section 164.402, and shall mean the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under Subpart E of 45 CFR Part 164 that compromises the security or privacy of the Protected Health Information, subject to the exclusions set forth in 45 CFR Section 164.402(1).
(b) “Business Associate” shall have the meaning given to such term under 45 CFR Section 160.103 and, for purposes of this Agreement, refers to NonoShad, Inc.
(c) “Covered Entity” shall have the meaning given to such term under 45 CFR Section 160.103 and, for purposes of this Agreement, refers to the medical practice or healthcare provider identified above.
(d) “Designated Record Set” shall have the meaning given to such term under 45 CFR Section 164.501.
(e) “Electronic Protected Health Information” or “ePHI” shall have the meaning given to the term “electronic protected health information” under 45 CFR Section 160.103, and shall mean Protected Health Information that is transmitted by or maintained in electronic media.
(f) “Individual” shall have the meaning given to such term under 45 CFR Section 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g).
(g) “Platform” means Business Associate's AI-powered voice agent platform, including all voice processing, call recording, transcription, analytics, and related software and infrastructure components used to deliver the Services.
(h) “Protected Health Information” or “PHI” shall have the meaning given to such term under 45 CFR Section 160.103, limited to the information Created, Received, Maintained, or Transmitted by Business Associate on behalf of Covered Entity pursuant to this Agreement.
(i) “Required by Law” shall have the meaning given to such term under 45 CFR Section 164.103.
(j) “Secretary” shall mean the Secretary of the United States Department of Health and Human Services or the Secretary's designee.
(k) “Security Incident” shall have the meaning given to such term under 45 CFR Section 164.304, and shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
(l) “Services” means the AI voice agent services provided by Business Associate to Covered Entity as described in the underlying service agreement between the Parties (the “Service Agreement”), including but not limited to: automated telephone answering, appointment scheduling, patient intake, prescription refill request processing, call recording, transcription, and analytics.
(m) “Subcontractor” shall have the meaning given to such term under 45 CFR Section 160.103.
(n) “Unsecured Protected Health Information” shall have the meaning given to such term under 45 CFR Section 164.402, and shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under 42 U.S.C. Section 17932(h)(2).
(a) Business Associate shall not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required by Law. [45 CFR 164.504(e)(2)(ii)(A)]
(b) Business Associate shall not use or disclose Protected Health Information in a manner that would violate the requirements of Subpart E of 45 CFR Part 164 if done by Covered Entity, except as provided in Sections 2.2 and 2.3 of this Agreement.
(c) Business Associate shall not use or disclose Protected Health Information for fundraising or marketing purposes without the prior written consent of Covered Entity and, where required, the authorization of the Individual.
(d) Business Associate shall not sell Protected Health Information as defined under 45 CFR Section 164.502(a)(5)(ii).
(e) Business Associate shall not use or disclose Protected Health Information received from Covered Entity for the purpose of training, fine-tuning, or improving Business Associate's artificial intelligence models, machine learning algorithms, or any other general-purpose technology, unless such use involves only de-identified data in compliance with 45 CFR Section 164.514(a)-(c) and Covered Entity provides prior written approval.
(a) Performance of Services. Business Associate is permitted to use and disclose Protected Health Information as necessary to perform the Services for Covered Entity as specified in the Service Agreement, including:
(b) Management and Administration. Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that:
(c) De-Identified Data. Business Associate may use Protected Health Information to create de-identified health information in accordance with 45 CFR Section 164.514(a)-(c). De-identified data is not subject to the terms of this Agreement. Business Associate may use such de-identified data for product improvement, benchmarking, and aggregate analytics, provided that Business Associate shall not attempt to re-identify any such data without the prior written consent of Covered Entity.
(d) Minimum Necessary. Business Associate shall, to the extent practicable, limit its use, disclosure, and requests for Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR Section 164.502(b) and the minimum necessary policies and procedures of the HIPAA Rules.
Business Associate may use or disclose Protected Health Information as Required by Law, provided that Business Associate shall limit any such use or disclosure to the requirements of such law and shall promptly notify Covered Entity of any such required disclosure, unless such notification is prohibited by law.
(a) Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (the “Security Rule”) with respect to ePHI, to prevent the use or disclosure of Protected Health Information other than as provided for by this Agreement. [45 CFR 164.504(e)(2)(ii)(B)]
(b) Business Associate shall maintain a comprehensive information security program that includes administrative, physical, and technical safeguards appropriate to the size, complexity, and capabilities of Business Associate, and the nature and scope of its activities.
Business Associate shall implement and maintain, at a minimum, the following technical safeguards:
(a) Encryption at Rest. All ePHI stored by Business Associate, including call recordings, transcriptions, patient data, and backups, shall be encrypted using AES-256 encryption or a successor standard of equivalent or greater strength.
(b) Encryption in Transit. All ePHI transmitted by Business Associate, including voice data, API communications, and data transfers between system components, shall be encrypted using TLS 1.2 or higher.
(c) Access Controls. Business Associate shall implement role-based access controls (“RBAC”) ensuring that access to ePHI is limited to authorized personnel on a need-to-know basis, including unique user identification, automatic logoff, and emergency access procedures.
(d) Audit Logging. Business Associate shall maintain audit logs of all access to, creation, modification, and deletion of ePHI, including user identity, timestamp, and action performed. Audit logs shall be retained for a minimum of six (6) years.
(e) Integrity Controls. Business Associate shall implement mechanisms to authenticate ePHI and to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
(f) Authentication. Business Associate shall implement procedures to verify the identity of any person or entity seeking access to ePHI, including multi-factor authentication for administrative and system-level access.
(g) Transmission Security. Business Associate shall implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network, including all voice-over-IP transmissions.
Business Associate shall:
(a) Designate a security official responsible for the development and implementation of policies and procedures required by the Security Rule;
(b) Implement workforce training on the policies and procedures for the protection of PHI;
(c) Conduct periodic risk assessments and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
(d) Implement policies and procedures to detect, contain, and correct Security Incidents;
(e) Maintain a contingency plan, including data backup and disaster recovery procedures, to ensure the availability of ePHI; and
(f) Perform periodic evaluations of its security program to demonstrate compliance with the Security Rule.
Business Associate shall implement policies and procedures to limit physical access to its electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Where Business Associate utilizes cloud infrastructure, Business Associate shall ensure that the cloud service provider maintains appropriate physical safeguards and has entered into a BAA with Business Associate.
(a) Business Associate shall report to Covered Entity any Breach of Unsecured Protected Health Information without unreasonable delay, and in no event later than seventy-two (72) hours after Discovery of such Breach. [45 CFR 164.504(e)(2)(ii)(C); 45 CFR 164.410] For purposes of this Agreement, “Discovery” shall have the meaning set forth in 45 CFR Section 164.404(a)(2), and a Breach shall be treated as discovered as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.
(b) The seventy-two (72) hour notification requirement set forth in Section 4.1(a) is more stringent than the sixty (60) day requirement under 45 CFR Section 164.410(a) and shall be the operative timeframe under this Agreement.
To the extent such information is available at the time of notification, Business Associate shall provide Covered Entity with the following information regarding each Breach, as required by 45 CFR Section 164.404(c):
(a) Identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach;
(b) A description of the nature of the Breach, including the types of Unsecured Protected Health Information involved (e.g., full name, Social Security number, date of birth, diagnosis, treatment information);
(c) A description of what Business Associate has done or is doing to investigate the Breach, mitigate harm to Individuals, and protect against further Breaches;
(d) The date of the Breach and the date of Discovery of the Breach, if known; and
(e) Contact information for Individuals to ask questions or obtain additional information, including a toll-free telephone number, email address, website, or postal address.
If Business Associate is unable to provide all the information specified in Section 4.2 at the time of initial notification, Business Associate shall provide such information promptly as it becomes available, without unreasonable delay.
(a) Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware. Successful Security Incidents (i.e., those resulting in unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with Business Associate's information systems) shall be reported within seventy-two (72) hours of Discovery.
(b) The Parties acknowledge that unsuccessful Security Incidents (e.g., pings on a firewall, port scans, unsuccessful log-on attempts, denials of service, and similar incidents that do not result in unauthorized access, use, or disclosure of ePHI) occur with regularity. Business Associate shall provide a summary report of such unsuccessful Security Incidents to Covered Entity upon request, no more frequently than quarterly.
Business Associate shall cooperate with Covered Entity in the investigation of any Breach or Security Incident and in complying with Covered Entity's obligations under 45 CFR Sections 164.404, 164.406, and 164.408, including but not limited to the provision of individual and media notifications.
Unless otherwise agreed in the Service Agreement, each Party shall bear its own costs associated with Breach notification and mitigation, except that Business Associate shall bear all costs arising from a Breach caused by Business Associate's failure to comply with its obligations under this Agreement, including but not limited to notification costs, credit monitoring services, and regulatory fines attributable to Business Associate's acts or omissions.
(a) In accordance with 45 CFR Section 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall ensure that any Subcontractor that Creates, Receives, Maintains, or Transmits Protected Health Information on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such information. [45 CFR 164.504(e)(2)(ii)(D)]
(b) Business Associate shall enter into a written agreement with each such Subcontractor that contains terms no less protective of PHI than those set forth in this Agreement, including the requirement that the Subcontractor implement appropriate safeguards to protect ePHI.
As of the Effective Date, Business Associate uses or may use the following categories of Subcontractors that may Create, Receive, Maintain, or Transmit PHI on behalf of Covered Entity:
(a) Cloud Infrastructure and Hosting. Business Associate utilizes Microsoft Azure (Azure Container Apps, Azure Key Vault) for hosting application infrastructure, data storage, and computing services. All ePHI is stored in data centers located within the United States.
(b) Voice AI Processing. Business Associate utilizes Retell AI for real-time voice synthesis, speech recognition, and natural language processing of telephone calls. Voice data containing PHI is processed through this Subcontractor's systems.
(c) Payment Processing. Business Associate utilizes Stripe for subscription billing and payment processing. Business Associate represents and warrants that no PHI is transmitted to or stored by the payment processor. Payment metadata shall not contain patient names, health information, or other PHI.
(d) Database and Authentication Services. Business Associate utilizes Supabase for database management and authentication services. ePHI may be stored in and transmitted through this Subcontractor's systems.
(e) Email Services. Business Associate utilizes Resend for transactional email delivery. Email communications may contain PHI to the extent directed by Covered Entity.
Business Associate shall notify Covered Entity in writing at least thirty (30) days prior to engaging any new Subcontractor that will Create, Receive, Maintain, or Transmit PHI. Covered Entity shall have the right to object to such new Subcontractor within fifteen (15) days of receiving notice, and the Parties shall negotiate in good faith to resolve any objections.
Business Associate shall be liable for the acts and omissions of its Subcontractors to the same extent as if such acts or omissions were those of Business Associate, to the extent permitted by applicable law.
(a) Business Associate shall make available Protected Health Information in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR Section 164.524. [45 CFR 164.504(e)(2)(ii)(E)]
(b) In the event that any Individual requests access to PHI directly from Business Associate, Business Associate shall promptly forward such request to Covered Entity within five (5) business days. Business Associate shall not provide PHI directly to any Individual unless directed to do so by Covered Entity.
(c) Business Associate shall provide PHI in the electronic format requested by Covered Entity or the Individual, if it is readily producible in such format, or in a mutually agreed-upon alternative electronic format.
(a) Business Associate shall make any amendment(s) to Protected Health Information in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR Section 164.526. [45 CFR 164.504(e)(2)(ii)(F)]
(b) Business Associate shall incorporate any amendments within ten (10) business days of receiving a written request from Covered Entity and shall confirm completion in writing.
(a) Business Associate shall make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR Section 164.528. [45 CFR 164.504(e)(2)(ii)(G)]
(b) Business Associate shall maintain a record of all disclosures of PHI made by Business Associate as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR Section 164.528, including:
(c) Business Associate shall maintain such records for a period of at least six (6) years from the date of the disclosure.
To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations. [45 CFR 164.504(e)(2)(ii)(H)]
If Covered Entity notifies Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR Section 164.522, Business Associate shall comply with such restriction.
7.1 Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity's and Business Associate's compliance with the HIPAA Rules. [45 CFR 164.504(e)(2)(ii)(I)]
7.2 Nothing in this Section 7 shall be construed as a waiver by Business Associate of any applicable legal privilege.
During the term of this Agreement, Business Associate shall retain PHI only for as long as necessary to fulfill the purposes for which it was collected and as specified in the Service Agreement. Covered Entity may configure data retention periods through the Platform's administrative settings, subject to any minimum retention periods Required by Law.
(a) Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. [45 CFR 164.504(e)(2)(ii)(J)]
(b) Business Associate shall complete the return or destruction of PHI within thirty (30) days following the effective date of termination, and shall certify in writing to Covered Entity that such return or destruction has been completed.
(c) Destruction of ePHI shall be carried out in accordance with NIST SP 800-88 Guidelines for Media Sanitization or a successor standard, and shall render the PHI permanently unreadable, unretrievable, and indecipherable.
(a) If Business Associate determines that the return or destruction of Protected Health Information is infeasible, Business Associate shall notify Covered Entity in writing of the conditions that make return or destruction infeasible.
(b) To the extent that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to the retained PHI and shall limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
Business Associate shall require all Subcontractors to return or destroy PHI in their possession upon termination of Business Associate's agreement with such Subcontractor, subject to the same timelines and standards set forth in this Section 8.
(a) Business Associate shall ensure that all AI voice agents deployed on behalf of Covered Entity clearly disclose at the beginning of each telephone call that the caller is interacting with an automated AI system, and not a human.
(b) The specific disclosure language shall be configurable by Covered Entity through the Platform, provided that any such language shall, at a minimum, inform the caller that the call is being handled by an AI assistant.
(a) Business Associate represents and warrants that its AI voice agents are not designed or intended to provide medical advice, diagnosis, treatment recommendations, or clinical decision support.
(b) AI voice agents shall be configured to direct callers with medical questions, emergencies, or urgent health concerns to appropriate clinical personnel or emergency services.
(c) Covered Entity acknowledges that it is solely responsible for the clinical content and decision trees configured within the Platform and for ensuring that such content is medically appropriate.
(a) Business Associate shall not store, retain, or use voiceprints, voice signatures, or any other biometric identifiers derived from telephone calls, in compliance with the Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code Section 503.001), and other applicable state biometric privacy laws.
(b) To the extent that voice data is processed in real-time for speech recognition purposes, such processing shall be transient and no biometric template or identifier shall be derived from or persisted beyond the duration of the call processing.
(a) Covered Entity is responsible for determining whether its jurisdiction requires one-party or all-party consent for the recording of telephone calls and for configuring the Platform's call recording consent notifications accordingly.
(b) Business Associate shall provide configurable mechanisms within the Platform to enable Covered Entity to comply with applicable federal and state call recording consent laws, including the Telephone Consumer Protection Act (“TCPA”) and state wiretapping statutes.
(c) Business Associate shall not be liable for Covered Entity's failure to enable or properly configure call recording consent notifications as required by applicable law.
(a) Business Associate shall maintain documentation of the AI models and algorithms used in the Platform, including version history, and shall make such documentation available to Covered Entity upon reasonable request.
(b) Business Associate shall not use PHI processed through the Platform to train general-purpose AI models without obtaining prior written consent from Covered Entity and, where applicable, authorization from affected Individuals.
This Agreement shall become effective on the Effective Date and shall continue in effect until the earlier of: (a) the termination of the Service Agreement between the Parties; (b) the termination of this Agreement in accordance with this Section 10; or (c) the date on which all PHI has been returned or destroyed in accordance with Section 8.
(a) A non-breaching Party may terminate this Agreement if the other Party has materially breached this Agreement and the breaching Party has not cured such breach within thirty (30) days after receiving written notice of the breach from the non-breaching Party.
(b) If cure is not feasible, the non-breaching Party may immediately terminate this Agreement upon written notice to the breaching Party.
(c) Termination of this Agreement shall also constitute termination of the Service Agreement unless the Service Agreement expressly provides otherwise.
Either Party may terminate this Agreement upon sixty (60) days' written notice to the other Party if changes in applicable law render the terms of this Agreement materially non-compliant or impracticable.
(a) Upon termination of this Agreement, Business Associate shall comply with the data return and destruction obligations set forth in Section 8.
(b) The following provisions shall survive termination of this Agreement: Sections 1, 3 (with respect to PHI retained under Section 8.3), 4, 6, 7, 8, 9.3, 11, 12, and 13.
(a) EXCEPT FOR LIABILITY ARISING FROM (i) A PARTY'S BREACH OF ITS OBLIGATIONS UNDER SECTION 2 (USE AND DISCLOSURE OF PHI), (ii) A PARTY'S INDEMNIFICATION OBLIGATIONS, OR (iii) A PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, REGARDLESS OF THE FORM OF ACTION OR THEORY OF LIABILITY, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
(b) EXCEPT FOR THE EXCLUSIONS SET FORTH IN SECTION 11.1(a), BUSINESS ASSOCIATE'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE TOTAL FEES PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
(a) Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any and all claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to Business Associate's material breach of this Agreement, including any Breach of Unsecured PHI caused by Business Associate's failure to comply with its obligations hereunder.
(b) Covered Entity shall indemnify, defend, and hold harmless Business Associate from and against any and all claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to Covered Entity's material breach of this Agreement, or Covered Entity's failure to comply with applicable laws in its use of the Platform, including failure to properly configure call recording consent notifications.
This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles, except to the extent preempted by federal law, including the HIPAA Rules.
Any reference in this Agreement to a section of the HIPAA Rules shall mean the section as in effect or as amended, and for which compliance is required.
(a) The Parties agree to negotiate in good faith to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
(b) No amendment or modification of this Agreement shall be effective unless it is in writing and signed by both Parties.
This Agreement, together with the Service Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous oral or written agreements, understandings, or representations relating to the protection of PHI.
If any provision of this Agreement is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.
No failure or delay by either Party in exercising any right or remedy under this Agreement shall operate as a waiver thereof, nor shall any single or partial exercise of any right or remedy preclude any other or further exercise thereof.
All notices required or permitted under this Agreement shall be in writing and shall be delivered personally, sent by certified mail (return receipt requested), or sent by nationally recognized overnight courier service, to the addresses set forth above or to such other address as a Party may designate in writing. Notices shall also be sent via email to:
Neither Party may assign this Agreement without the prior written consent of the other Party, except that Business Associate may assign this Agreement to a successor in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the successor agrees in writing to be bound by the terms of this Agreement.
This Agreement may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed original signatures for all purposes.
Any ambiguity in this Agreement shall be resolved to permit compliance with the HIPAA Rules.
IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the Effective Date.
| Organization: | [Your Practice Name] |
| Printed Name: | ______________________________________ |
| Title: | ______________________________________ |
| Signature: | ______________________________________ |
| Date: | ______________________________________ |
| Organization: | NonoShad, Inc. |
| Printed Name: | ______________________________________ |
| Title: | ______________________________________ |
| Signature: | ______________________________________ |
| Date: | ______________________________________ |
[Attach or reference the Service Agreement describing the specific Services to be performed by Business Associate, including the types of PHI to be accessed, the purposes of such access, and any limitations on use.]
[Attach current list of Subcontractors with names, descriptions of services, and dates of executed BAAs. Update as Subcontractors change per Section 5.3.]
NOTICE: This document is a template and does not constitute legal advice. Both Parties should have this Agreement reviewed by qualified legal counsel before execution. HIPAA requirements are subject to change, and this Agreement should be periodically reviewed for continued compliance.