Business Associate Agreement (Template)

HIPAA-compliant BAA template based on the HHS sample provisions, adapted for the ESUS Health platform.

Version 0.1.0-draft · Last updated May 6, 2026 · Draft · pending legal review
Public template, not the executed agreement

This page is published in good faith for prospects evaluating ESUS Health. The version that binds the parties is countersigned via DocuSign at onboarding and replaces every bracketed placeholder with the real entity information. Before being executed with a paying customer this template is reviewed by counsel licensed in the relevant jurisdiction. Nothing on this page is legal advice.

Template Business Associate Agreement we sign with healthcare customers (Covered Entities and upstream Business Associates) before they store Protected Health Information on the ESUS Health platform. The agreement executed bilaterally with each customer is the binding instrument; wherever this template uses bracketed placeholders (e.g. [ESUS_LEGAL_ENTITY], [CUSTOMER_LEGAL_ENTITY]), the executed version replaces them with the actual identifying information for both parties.

1. Preamble

This Business Associate Agreement (“Agreement”) is entered into between:

  • [CUSTOMER_LEGAL_ENTITY] — the “Covered Entity” (or, where applicable, the upstream Business Associate engaging the Subcontractor) — having a principal place of business at [CUSTOMER_ADDRESS]; and
  • [ESUS_LEGAL_ENTITY] — “Business Associate” or “ESUS” — operating the ESUS Health platform (https://api.esus.health and https://console.esus.health), having a principal place of business at [ESUS_ADDRESS].

The parties acknowledge that, in the course of providing the ESUS Health Service to the Covered Entity, the Business Associate creates, receives, maintains, or transmits Protected Health Information (“PHI”) on the Covered Entity’s behalf. This Agreement establishes the permitted and required uses and disclosures of such PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the regulations promulgated thereunder (45 C.F.R. Parts 160 and 164, the “HIPAA Rules”).

2. Definitions

Terms used but not otherwise defined in this Agreement have the meanings given to them in the HIPAA Rules. In particular:

  • Breach has the meaning set forth at 45 C.F.R. § 164.402.
  • Designated Record Set has the meaning set forth at 45 C.F.R. § 164.501.
  • Electronic Protected Health Information (“ePHI”) has the meaning set forth at 45 C.F.R. § 160.103.
  • Individual has the meaning set forth at 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
  • Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
  • Protected Health Information (“PHI”) has the meaning set forth at 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
  • Required by Law has the meaning set forth at 45 C.F.R. § 164.103.
  • Secretary means the Secretary of the United States Department of Health and Human Services or his or her designee.
  • Security Rule means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
  • Subcontractor has the meaning set forth at 45 C.F.R. § 160.103.
  • Unsecured PHI has the meaning set forth at 45 C.F.R. § 164.402.

3. Obligations and Activities of Business Associate

Business Associate agrees to:

3.1 Use and disclosure limits. Not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.

3.2 Safeguards. Use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as permitted by this Agreement. Without limiting the foregoing, Business Associate shall maintain at least the controls described in Section 7 (“Technical and Organizational Measures”).

3.3 Breach reporting. Report to Covered Entity any use or disclosure of PHI not permitted under this Agreement of which Business Associate becomes aware, including any Breach of Unsecured PHI required to be reported under 45 C.F.R. § 164.410 and any Security Incident (as defined at 45 C.F.R. § 164.304) of which it becomes aware, without unreasonable delay and in no case later than seventy-two (72) hours after Business Associate’s discovery (determined as set out at 45 C.F.R. § 164.410(a)(2)). The notice will include, to the extent then known, the information required under 45 C.F.R. § 164.410(c), and Business Associate will supplement it as further information becomes available. Unsuccessful Security Incidents (such as pings, port scans, or blocked login attempts that do not result in unauthorized access to PHI) are deemed reported by this Section and are not individually notified.

3.4 Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.504(e)(5), ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement. The current list of Subcontractors with access to PHI is published at https://esus.health/legal/sub-processors and updated when material changes occur.

3.5 Access requests. Make available PHI in a Designated Record Set to Covered Entity, or to an Individual at Covered Entity’s direction, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524, within fifteen (15) business days of a written request.

3.6 Amendment requests. Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under that section.

3.7 Internal practices, books, and records. Make available, upon reasonable notice, Business Associate’s internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity to the Secretary, for purposes of determining compliance with the HIPAA Rules.

3.8 Accounting of disclosures. Maintain, and make available to Covered Entity within fifteen (15) business days of a written request, the information required to provide an accounting of disclosures to an Individual as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.

3.9 Compliance with the Covered Entity’s obligations. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

4. Permitted Uses and Disclosures by Business Associate

4.1 Service performance. Business Associate may use or disclose PHI only as necessary to perform the services set forth in the Service Agreement between the parties (the “Underlying Services Agreement”), and as Required by Law.

4.2 Internal management. Business Associate may use PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities. Business Associate may disclose PHI for the same purposes only if (a) the disclosure is Required by Law, or (b) Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient notifies Business Associate of any breach of confidentiality.

4.3 Aggregation and de-identification. Business Associate may use PHI to provide Data Aggregation services to the Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c); de-identified data is no longer PHI and is not subject to this Agreement.

4.4 Prohibited uses. Business Associate shall not (a) sell PHI, (b) use or disclose PHI for marketing without a valid authorization from the Individual that meets 45 C.F.R. § 164.508(a)(3) (the Covered Entity cannot supply this authorization on the Individual’s behalf), or (c) use or disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity, except as expressly permitted under Sections 4.2 and 4.3.

5. Provisions for Covered Entity

5.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520, to the extent such limitation may affect Business Associate’s use or disclosure of PHI.

5.2 Changes in or revocation of permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent such changes may affect Business Associate’s use or disclosure of PHI.

5.3 Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522, to the extent such restriction may affect Business Associate’s use or disclosure of PHI.

6. Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except to the extent Business Associate will use or disclose PHI for, and the Agreement includes provisions for, data aggregation or management and administration as permitted under Sections 4.2 and 4.3.

7. Technical and Organizational Measures

Business Associate maintains the following safeguards as part of its standard service. Material changes that lower the protection level will be communicated to Covered Entity at least thirty (30) days in advance.

  • Encryption in transit. All API traffic is served over TLS 1.2+ with HSTS, certificate pinning at the load balancer, and rejection of unencrypted connections.
  • Encryption at rest. Database volumes use disk-level encryption (AES-256). Sensitive PHI fields are additionally encrypted at the application layer with versioned keys stored in HashiCorp Vault and rotated on a defined schedule.
  • Access control. Authentication uses Argon2id-hashed passwords plus optional MFA, JWT-based sessions with refresh rotation, API keys with per-scope authorization, and SMART on FHIR / OAuth 2.0 with PKCE for third-party applications. Authorization is enforced via Attribute-Based Access Control (ABAC) policies per resource and PostgreSQL Row-Level Security per tenant.
  • Audit logging. Every PHI access and modification is recorded to an append-only audit log, integrity-tagged with HMAC, retained for a minimum of six (6) years, and accessible to Covered Entity via the audit API.
  • Backup and disaster recovery. Logical database backups are produced daily, encrypted with GPG, and uploaded to S3-compatible object storage in a separate credential boundary. Restore procedures are documented and tested at least quarterly. Stated targets: RPO ≤ 24 hours, RTO ≤ 8 hours.
  • Vulnerability management. Dependencies are continuously scanned; security advisories with a CVSS base score of 7.0 or higher (High or Critical) are remediated within thirty (30) days of publication.
  • Personnel. Personnel with access to PHI complete HIPAA awareness training annually and sign confidentiality agreements as a condition of employment or engagement.
  • Sub-processors. A current list of sub-processors with access to PHI is maintained at https://esus.health/legal/sub-processors. Material additions are notified to Covered Entity at least thirty (30) days in advance.
  • Incident response. A documented incident response plan is exercised annually. Suspected breaches trigger the notification process described in Section 3.3.
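Illustration of the integrity tagging named under Audit logging above. This is an added, stand-alone Python example written for this page; it is not ESUS platform code and not part of the Agreement. It assumes an in-memory list standing in for the append-only store and a dict of HMAC keys standing in for Vault (the key material is constructed inline; in practice it would come from the secrets manager). It goes one step beyond a per-record HMAC: each tag also covers the previous entry's tag and the sequence number, so a verifier detects modification, deletion and reordering of earlier entries, while a separately stored expected length catches truncation of the tail, which a chained tag alone cannot.

```python
"""Added example: hash-chained HMAC audit log with versioned keys.

Not ESUS platform code. The key dict stands in for a secrets manager and
the entries list for an append-only table; the keys below are constructed.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple

GENESIS_TAG = "0" * 64  # chain anchor so that entry 0 is covered like the rest


def canonical(record: dict) -> bytes:
    # Stable encoding (sorted keys, no whitespace): the same record always
    # yields the same bytes, so every verifier computes the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(key: bytes, seq: int, prev_tag: str, record: dict) -> str:
    # The tag binds position, previous tag and content together.
    msg = seq.to_bytes(8, "big") + bytes.fromhex(prev_tag) + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class AuditLog:
    keys: dict                       # key_id -> secret bytes
    active_key_id: str
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        entry = {
            "seq": seq,
            "key_id": self.active_key_id,   # recorded so rotated keys still verify
            "record": record,
            "tag": compute_tag(self.keys[self.active_key_id], seq, prev, record),
        }
        self.entries.append(entry)
        return entry

    def rotate_key(self, new_key_id: str, secret: bytes) -> None:
        # Old keys are kept for verification; only new entries use the new key.
        self.keys[new_key_id] = secret
        self.active_key_id = new_key_id

    def verify(self, expected_length: Optional[int] = None) -> Tuple[bool, str]:
        prev = GENESIS_TAG
        for i, e in enumerate(self.entries):
            if e["seq"] != i:
                return False, f"sequence gap at position {i}"
            key = self.keys.get(e["key_id"])
            if key is None:
                return False, f"unknown key id {e['key_id']} at seq {i}"
            expected = compute_tag(key, i, prev, e["record"])
            if not hmac.compare_digest(expected, e["tag"]):
                return False, f"tag mismatch at seq {i}"
            prev = e["tag"]
        # Removing entries from the tail leaves a valid chain; only a length
        # (or head tag) stored outside the log can expose that.
        if expected_length is not None and len(self.entries) != expected_length:
            return False, f"expected {expected_length} entries, found {len(self.entries)}"
        return True, "ok"


def demo() -> dict:
    """Builds a small log and shows which tampering each check catches."""
    log = AuditLog(keys={"k1": b"constructed-key-v1"}, active_key_id="k1")
    log.append({"actor": "dr.smith", "action": "read", "resource": "Patient/123"})
    log.append({"actor": "svc-etl", "action": "update", "resource": "Observation/9"})
    log.rotate_key("k2", b"constructed-key-v2")
    log.append({"actor": "dr.smith", "action": "read", "resource": "Patient/456"})
    results = {"clean": log.verify(expected_length=3)[0]}

    modified = copy.deepcopy(log)           # edit an old record in place
    modified.entries[0]["record"]["actor"] = "nobody"
    results["modified"] = modified.verify()[0]

    deleted = copy.deepcopy(log)            # drop a middle entry
    del deleted.entries[1]
    results["deleted"] = deleted.verify()[0]

    truncated = copy.deepcopy(log)          # drop the last entry
    truncated.entries.pop()
    results["truncated_unchecked"] = truncated.verify()[0]
    results["truncated_checked"] = truncated.verify(expected_length=3)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Recording the key id on every entry is what lets the versioned-key rotation described under Encryption at rest coexist with a six-year retention window: old entries keep verifying under the key that signed them while new entries move to the rotated key. The truncation case is the one to watch in any review of an "append-only" claim; without an externally anchored head tag or count, silently dropping the newest entries is undetectable.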

8. Term and Termination

8.1 Term. This Agreement is effective on the date last signed below and continues in effect until the termination of the Underlying Services Agreement, or until terminated for cause as set out below, whichever is earlier.

8.2 Termination for cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall provide Business Associate written notice of the breach and a thirty (30) day cure period. If Business Associate does not cure the breach within that period, Covered Entity may terminate this Agreement and the Underlying Services Agreement, if feasible.

8.3 Effect of termination.

(a) Return or destruction. Except as provided in (b), upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity, or destroy, all PHI received from, or created, maintained, or received by Business Associate on behalf of, Covered Entity. Business Associate shall retain no copies of the PHI.

(b) Where return or destruction is infeasible. If Business Associate determines in good faith that returning or destroying the PHI is infeasible, Business Associate shall provide Covered Entity with notification of the conditions making return or destruction infeasible. Upon such notification, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

9. Miscellaneous

9.1 Regulatory references. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

9.2 Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

9.3 Survival. The respective rights and obligations of Business Associate under Sections 3.3 (Breach Reporting), 3.7 (Internal Practices), 3.8 (Accounting of Disclosures), 4.4 (Prohibited Uses), and 8.3 (Effect of Termination) shall survive the termination of this Agreement.

9.4 Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the HIPAA Rules.

9.5 Order of precedence. In the event of a conflict between this Agreement and the Underlying Services Agreement with respect to the handling of PHI, the terms of this Agreement control.

9.6 No third-party beneficiaries. Nothing in this Agreement is intended to create rights in any party other than Covered Entity, Business Associate, and the Secretary of HHS in the exercise of his or her regulatory authority.

9.7 Governing law. This Agreement is governed by the laws of [GOVERNING_JURISDICTION], without regard to its conflict-of-law provisions, except to the extent preempted by U.S. federal law including the HIPAA Rules.

10. Signatures

Executed copies of this Agreement are countersigned by an authorized representative of each party. The signed PDF, not this published template, is the operative instrument.

  Party                                        Name                     Title                      Date
  Covered Entity ([CUSTOMER_LEGAL_ENTITY])     [CUSTOMER_SIGNER_NAME]   [CUSTOMER_SIGNER_TITLE]    [CUSTOMER_SIGN_DATE]
  Business Associate ([ESUS_LEGAL_ENTITY])     [ESUS_SIGNER_NAME]       [ESUS_SIGNER_TITLE]        [ESUS_SIGN_DATE]

Adapted from: U.S. Department of Health & Human Services, Sample Business Associate Agreement Provisions (public domain, available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html).

Need a counter-signed BAA?

Email our legal contact with your organization name, jurisdiction, and the legal contact who will counter-sign. We will reply with a tailored draft within two business days.
