Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into by and between ABA Matrix, LLC (“ABA Matrix,” “Business Associate,” “we,” “us,” or “our”) and the customer entity accepting or executing this BAA (“Customer,” “Covered Entity,” and/or “Business Associate,” “you,” or “your”).
This BAA is incorporated into and forms part of the applicable master services agreement, subscription agreement, order form, statement of work, or terms of service governing Customer’s use of ABA Matrix services (collectively, the “Service Agreement”). If there is a conflict between this BAA and the Service Agreement regarding PHI, this BAA controls.
Effective Date: The date Customer enters into the Service Agreement or the date Customer electronically accepts this BAA, whichever occurs first.
1. Background and Purpose
1.1 Customer is a Covered Entity and/or a Business Associate subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended, including by the Health Information Technology for Economic and Clinical Health Act (“HIPAA” and “HITECH”).
1.2 In the course of providing the Services, ABA Matrix may create, receive, maintain, or transmit PHI on behalf of Customer. To the extent ABA Matrix does so, ABA Matrix is a “Business Associate” of Customer.
1.3 The Parties enter into this BAA to satisfy the requirements of HIPAA and HITECH, including 45 C.F.R. §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e).
2. Definitions
Capitalized terms not otherwise defined have the meanings set forth in HIPAA (45 C.F.R. Parts 160 and 164).
2.1 “PHI” means Protected Health Information as defined at 45 C.F.R. § 160.103, limited to PHI created, received, maintained, or transmitted by ABA Matrix on behalf of Customer.
2.2 “ePHI” means electronic PHI.
2.3 “Breach” has the meaning at 45 C.F.R. § 164.402.
2.4 “Unsecured PHI” has the meaning at 45 C.F.R. § 164.402.
2.5 “Security Incident” has the meaning at 45 C.F.R. § 164.304.
2.6 “Required by Law” has the meaning at 45 C.F.R. § 164.103.
2.7 “Designated Record Set” has the meaning at 45 C.F.R. § 164.501.
2.8 “Subcontractor” has the meaning at 45 C.F.R. § 160.103 and includes vendors that create, receive, maintain, or transmit PHI on behalf of ABA Matrix.
2.9 “AI Features” means functionalities that use automated techniques (including machine learning, natural language processing, or other algorithmic methods) to generate outputs, recommendations, summaries, classifications, or other assistance within the Services.
2.10 “De-Identified Information” means information that meets the de-identification standard under 45 C.F.R. § 164.514(a)–(c).
3. Permitted Uses and Disclosures by ABA Matrix
3.1 Performance of Services. ABA Matrix may use and disclose PHI as necessary to perform the Services under the Service Agreement, provided that such use or disclosure would not violate HIPAA if done by Customer.
3.2 Minimum Necessary. ABA Matrix will make reasonable efforts to limit PHI used, disclosed, or requested to the minimum necessary to accomplish the intended purpose, as applicable to Business Associates under HIPAA.
3.3 Management and Administration / Legal Responsibilities. ABA Matrix may use PHI for its proper management and administration and to carry out its legal responsibilities. ABA Matrix may disclose PHI for these purposes only if:
- (a) such disclosure is Required by Law, or
- (b) ABA Matrix obtains reasonable assurances from the recipient that the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the recipient agrees to notify ABA Matrix of any breach of confidentiality of which it becomes aware.
3.4 Data Aggregation. ABA Matrix may use PHI to provide data aggregation services relating to Customer’s health care operations, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), where applicable.
3.5 Reporting Violations of Law. ABA Matrix may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j), where applicable.
3.6 AI Features (Transparency + Limits).
- (a) Customer acknowledges the Services may include AI Features that process Customer data (which may include PHI) to provide the Services (e.g., summarization, classification, drafting, anomaly detection, workflow assistance).
- (b) ABA Matrix will not use PHI to train or improve general-purpose AI models for use outside Customer’s Services except: (i) to the extent Customer expressly enables/opts in to such use in writing (including via an admin setting that clearly describes the scope), or (ii) as required by law.
- (c) ABA Matrix may use De-Identified Information and/or aggregated data derived from Customer data to improve and maintain the Services, provided such use complies with applicable law.
- (d) If ABA Matrix uses third-party AI providers as Subcontractors that may process PHI, ABA Matrix will ensure such providers are bound by written obligations consistent with this BAA (see Section 6).
4. Obligations of ABA Matrix
4.1 HIPAA Compliance. ABA Matrix will comply with the HIPAA Security Rule with respect to ePHI and, to the extent applicable to Business Associates, the HIPAA Privacy Rule and Breach Notification Rule.
4.2 Safeguards. ABA Matrix will implement and maintain appropriate administrative, physical, and technical safeguards designed to:
- protect the confidentiality, integrity, and availability of ePHI;
- prevent uses or disclosures not permitted by this BAA; and
- comply with 45 C.F.R. Part 164, Subpart C.
Without limiting the foregoing, ABA Matrix will:
- (a) Encryption in Transit. Encrypt ePHI transmitted over public or untrusted networks using industry-standard encryption protocols, including Transport Layer Security (TLS) version 1.2 or higher (or successor protocols providing equivalent or greater protection).
- (b) Encryption at Rest. Encrypt ePHI stored within ABA Matrix-controlled production environments using industry-standard encryption algorithms (e.g., AES-256 or equivalent) consistent with NIST guidance.
- (c) Key Management. Maintain encryption key management practices designed to safeguard encryption keys, including secure generation, storage, rotation, and access controls, consistent with industry best practices.
- (d) Access Controls. Maintain logical access controls designed to restrict access to PHI to authorized personnel based on role-based access principles.
4.3 Security Incidents and Breach Reporting.
- (a) Reportable Events. ABA Matrix will report to Customer any: (i) use or disclosure of PHI not permitted by this BAA; (ii) Security Incident that results in unauthorized access, acquisition, use, or disclosure of PHI; and (iii) Breach of Unsecured PHI.
- (b) Timing. ABA Matrix will provide notice without unreasonable delay and in no event later than twenty-five (25) business days after discovery of a Breach of Unsecured PHI, or sooner if required by law or to allow Customer to meet its legal obligations.
- (c) Content. Notice will include, to the extent reasonably available: a description of what happened (including dates), the types of PHI involved, known affected individuals (or categories/approximate counts where identities are not yet confirmed), mitigation steps taken, and information reasonably necessary for Customer’s notifications. ABA Matrix will supplement information as it becomes available.
- (d) Unsuccessful Attempts. Customer acknowledges that attempted but unsuccessful Security Incidents (e.g., pings, scans, unsuccessful login attempts, or similar activity) occur routinely. Notice of such unsuccessful events is deemed provided and does not require individual reporting unless otherwise required by law or unless such activity results in unauthorized access to PHI.
4.4 Mitigation and Cooperation. ABA Matrix will, to the extent practicable, mitigate harmful effects of any impermissible use/disclosure or Breach and will reasonably cooperate with Customer’s investigation and response.
4.5 Access, Amendment, Accounting (Designated Record Set). To the extent ABA Matrix maintains PHI in a Designated Record Set for Customer:
- (a) Access: ABA Matrix will make PHI available to Customer (or as directed by Customer to an Individual) as needed for Customer to comply with 45 C.F.R. § 164.524.
- (b) Amendment: ABA Matrix will make amendments as directed by Customer in accordance with 45 C.F.R. § 164.526.
- (c) Accounting: ABA Matrix will provide information needed for Customer to provide an accounting of disclosures under 45 C.F.R. § 164.528.
- (d) Direct Requests: If ABA Matrix receives an Individual request directly, ABA Matrix will promptly forward it to Customer unless the Service Agreement clearly authorizes ABA Matrix to fulfill such request on Customer’s behalf.
4.6 Disclosure to HHS. ABA Matrix will make its internal practices, books, and records relating to the use and disclosure of PHI received from or created on behalf of Customer available to the Secretary of HHS for purposes of determining Customer’s compliance with HIPAA, as required by 45 C.F.R. § 164.504(e)(2)(ii)(H).
4.7 Documentation. ABA Matrix will maintain policies and procedures as reasonably necessary to comply with this BAA and applicable HIPAA requirements.
5. Obligations of Customer
5.1 Permissible Requests. Customer will not request ABA Matrix to use or disclose PHI in any manner that would violate HIPAA if done by Customer, unless such use/disclosure is specifically permitted for Business Associates under HIPAA.
5.2 Customer Safeguards. Customer is responsible for implementing appropriate administrative, physical, and technical safeguards for systems and workflows under Customer’s control.
5.3 Secure Communications. Customer will not submit PHI through support channels or communications that Customer knows (or reasonably should know) are not designated for secure transmission.
5.4 Notices/Restrictions. Customer will notify ABA Matrix of any relevant limitation(s) in Customer’s notice of privacy practices, authorization changes/revocations, or restrictions on use/disclosure that may affect ABA Matrix’s performance, to the extent applicable.
6. Subcontractors
6.1 ABA Matrix will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of ABA Matrix agrees in writing to restrictions and safeguards at least as protective as those in this BAA, as required by 45 C.F.R. §§ 164.502(e)(1)(ii), 164.308(b), and 164.314(a).
7. Term and Termination
7.1 Term. This BAA remains in effect for as long as ABA Matrix provides Services involving PHI to Customer, and until all PHI is returned or destroyed or, if not feasible, protected as set forth below.
7.2 Termination for Cause. If either Party believes the other has materially breached this BAA, the non-breaching Party will provide written notice and a reasonable opportunity to cure. If cure is not possible, or the breach is not timely cured, the non-breaching Party may terminate this BAA and, where applicable, the Service Agreement provisions involving PHI.
7.3 Return/Destruction of PHI. Upon termination or expiration of the Service Agreement (or the applicable Services):
- (a) Customer will have the opportunity to export its data as described in the Service Agreement (if applicable).
- (b) ABA Matrix will return or securely destroy PHI that it maintains on behalf of Customer, where feasible, within a commercially reasonable timeframe.
- (c) If return or destruction is not feasible, ABA Matrix will (i) continue to protect the PHI in accordance with this BAA, (ii) limit further use/disclosure to the purpose(s) that make return/destruction infeasible, and (iii) return or destroy PHI when feasible.
8. Liability and Allocation of Risk
8.1 Service Agreement Controls. Except to the extent prohibited by applicable law, any limitation of liability, disclaimers, or allocation of risk in the Service Agreement applies to this BAA.
8.2 No HIPAA Waiver. Nothing in the Service Agreement or this BAA is intended to waive any rights or obligations that cannot be waived under HIPAA/HITECH.
8.3 Cyber Liability Insurance. ABA Matrix shall maintain commercially reasonable cyber liability and/or technology errors and omissions insurance coverage during the term of the Service Agreement, including coverage for data breaches, network security incidents, and privacy liability. Such coverage shall be maintained in amounts consistent with industry standards for similarly situated service providers. Upon written request, ABA Matrix will provide a certificate of insurance evidencing such coverage.
9. Miscellaneous
9.1 Regulatory Changes. The Parties agree to amend this BAA as necessary to comply with changes in applicable HIPAA/HITECH law.
9.2 Interpretation. Any ambiguity will be resolved to permit compliance with HIPAA.
9.3 No Third-Party Beneficiaries. No person other than the Parties has rights under this BAA.
9.4 Survival. Sections relating to protection, permitted use/disclosure limits, reporting, and return/destruction/retention of PHI survive termination.
9.5 Notices. Notices under this BAA will be delivered in accordance with the notice provisions of the Service Agreement. If not specified, notices may be sent to Customer’s account administrator email on file and to ABA Matrix at: security@abamatrix.com.
9.6 Counterparts / Electronic Acceptance. This BAA may be accepted electronically and in counterparts.