Legal · HIPAA

Business Associate Agreement.

A starting-point BAA template for healthcare customers. Download, have your counsel review and mark up, then return a signed PDF to legal@cloakapi.io.

Template version 1.0 · Effective 2026-05-04 · Not approved by HHS/OCR

Important disclaimer. This document is a template only. It is not legal advice and has not been approved by HHS, OCR, or any regulatory body. Have your counsel review and customise all bracketed fields before signing. CloakAPI is structurally outside the HIPAA Business Associate definition (see our structural-non-BA primer); this BAA is offered for contractual completeness where your procurement process requires it.

Counter-signature flow

Download this page (File → Save as… or Ctrl+P → Save as PDF), mark it up, and email the signed PDF to legal@cloakapi.io. CloakAPI will countersign and return within 5 business days.

Print / Save PDF

HIPAA BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("BAA" or "Agreement") is entered into as of [EFFECTIVE DATE] ("Effective Date") by and between:

Covered Entity: [FULL LEGAL NAME OF COVERED ENTITY], a [STATE / JURISDICTION] [entity type], with its principal place of business at [ADDRESS] ("Covered Entity"); and

Business Associate: CloakAPI AS, a Norwegian private limited company (org. no. 933 720 411), with its principal place of business at Oslo, Norway ("Business Associate").

This BAA is incorporated into and forms part of the Master Services Agreement or Terms of Service ("Underlying Agreement") between the parties. In the event of conflict between this BAA and the Underlying Agreement on matters of HIPAA compliance, this BAA governs.

1. Definitions

Capitalised terms not defined below have the meanings given in HIPAA, HITECH, and their implementing regulations (45 C.F.R. Parts 160 and 164).

1.1 Breach

The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 C.F.R. § 164.402.

1.2 Business Associate

Has the meaning given in 45 C.F.R. § 160.103. The parties acknowledge that CloakAPI's architecture is designed such that plaintext PHI is tokenised client-side before transmission, so that CloakAPI infrastructure processes only pseudonymised tokens and does not access PHI in its original form. This BAA is entered into for contractual completeness; execution of this BAA does not constitute an admission by CloakAPI that it meets the regulatory definition of a Business Associate with respect to any particular customer deployment.

1.3 Covered Entity

Has the meaning given in 45 C.F.R. § 160.103.

1.4 Electronic Protected Health Information (ePHI)

PHI that is created, received, maintained, or transmitted in electronic form, as defined in 45 C.F.R. § 160.103.

1.5 HIPAA Rules

The Privacy Rule (45 C.F.R. Part 164, Subparts A and E), Security Rule (45 C.F.R. Part 164, Subparts A and C), Breach Notification Rule (45 C.F.R. Part 164, Subpart D), and Enforcement Rule (45 C.F.R. Part 160, Subparts C, D, and E), as amended by HITECH and the Omnibus Rule.

1.6 Protected Health Information (PHI)

Individually identifiable health information created, received, maintained, or transmitted by CloakAPI on behalf of Covered Entity, as defined in 45 C.F.R. § 160.103, excluding information excluded from the definition therein.

1.7 Required by Law

Has the meaning given in 45 C.F.R. § 164.103.

1.8 Security Incident

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. § 164.304.

1.9 Subcontractor

A person to whom CloakAPI delegates a function, activity, or service, other than in the capacity of a member of CloakAPI's workforce, where such delegation involves the creation, receipt, maintenance, or transmission of PHI.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate may use and disclose PHI only as follows:

  1. Service performance. To perform the services described in the Underlying Agreement on behalf of Covered Entity.
  2. Operations of Business Associate. For the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that: (i) such use or disclosure is Required by Law; or (ii) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and that person notifies Business Associate of any Breach.
  3. Data aggregation. To provide data aggregation services relating to the healthcare operations of Covered Entity, if so specified in the Underlying Agreement.
  4. De-identification. To de-identify PHI in accordance with 45 C.F.R. § 164.514(b), after which the resulting information is no longer PHI and is not subject to this BAA.

2.2 Prohibited Uses and Disclosures

Business Associate shall not:

  1. Use or disclose PHI other than as permitted under this BAA or Required by Law.
  2. Use PHI for marketing (as defined by HIPAA) without prior written authorisation from the individual.
  3. Sell PHI without prior written authorisation from the individual.
  4. Use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity.

2.3 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided for by this BAA, including the safeguards required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) with respect to ePHI. Specific safeguards include, without limitation:

  • Encryption of ePHI in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  • Access controls and audit logging for systems that process ePHI.
  • Annual workforce security training.
  • Incident response procedures meeting the requirements of 45 C.F.R. § 164.308(a)(6).
  • A risk analysis and risk management program meeting the requirements of 45 C.F.R. § 164.308(a)(1).

2.4 Mitigation

Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this BAA.

2.5 Reporting

  1. Breach notification. Business Associate shall notify Covered Entity without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of a Breach of Unsecured PHI, in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible, the information specified in 45 C.F.R. § 164.410(c).
  2. Security incidents. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware without unreasonable delay.
  3. Non-permitted disclosures. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA without unreasonable delay.
  4. All notifications shall be made to: [COVERED ENTITY PRIVACY OFFICER NAME, EMAIL, PHONE].

2.6 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions and conditions that apply to Business Associate under this BAA, through a written contract that complies with 45 C.F.R. § 164.308(b) and § 164.502(e). A current list of CloakAPI's sub-processors is available at cloakapi.io/legal/subprocessors.

2.7 Access to PHI

Business Associate shall, within fifteen (15) business days of a written request from Covered Entity, make available to Covered Entity PHI maintained in a Designated Record Set to the extent required for Covered Entity to meet its obligations under 45 C.F.R. § 164.524.

2.8 Amendment of PHI

Business Associate shall, within fifteen (15) business days of a written request from Covered Entity, make PHI available for amendment and incorporate any amendments to PHI in a Designated Record Set as directed by Covered Entity, in accordance with 45 C.F.R. § 164.526.

2.9 Accounting of Disclosures

Business Associate shall document and make available to Covered Entity information required for Covered Entity to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, within thirty (30) business days of Covered Entity's written request.

2.10 Access by HHS

Business Associate shall make its internal practices, books, and records, including policies and procedures and PHI, available to the Secretary of HHS for purposes of determining Covered Entity's compliance with the HIPAA Rules, in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(I).

2.11 Minimum Necessary

Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure, in accordance with 45 C.F.R. § 164.502(b).

3. Obligations of Covered Entity

3.1 Notice of Privacy Practices

Covered Entity shall provide Business Associate with a copy of its current Notice of Privacy Practices and shall notify Business Associate of any changes to the Notice that affect Business Associate's permitted or required uses and disclosures.

3.2 Authorisations and Permissions

Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction affects Business Associate's use or disclosure of PHI.

3.3 Adequate Permissions

Covered Entity represents and warrants that it has obtained all necessary authorisations, consents, and permissions to provide PHI to Business Associate as required under applicable law, including the HIPAA Rules.

3.4 Appropriate Use

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity.

4. Permitted Uses of PHI by Business Associate

In addition to the uses described in Section 2.1, Business Associate may use PHI:

  1. For the proper management and administration of Business Associate, provided that such use is Required by Law or the PHI is used only in the context of providing the agreed services.
  2. To provide data aggregation services relating to the healthcare operations of Covered Entity, if specified in the Underlying Agreement.
  3. To report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).

5. Term and Termination

5.1 Term

This BAA shall be effective as of the Effective Date and shall remain in effect until the earlier of: (a) termination of the Underlying Agreement; or (b) termination pursuant to this Section 5.

5.2 Termination for Cause

Either party may terminate this BAA, and thereby the Underlying Agreement, immediately upon written notice if the other party materially breaches a provision of this BAA and fails to cure the breach within thirty (30) calendar days of receiving written notice of the breach.

5.3 Effect of Termination — Return or Destruction of PHI

Upon termination of this BAA for any reason, Business Associate shall:

  1. If feasible, return to Covered Entity or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form.
  2. Retain no copies of such PHI after return or destruction, and certify in writing to Covered Entity that all PHI has been returned or destroyed within thirty (30) calendar days of termination.
  3. If return or destruction is not feasible, extend the protections of this BAA to such PHI and limit further use or disclosure of such PHI to those purposes that make return or destruction infeasible, for so long as Business Associate maintains the PHI. Business Associate shall notify Covered Entity in writing of the reasons why return or destruction is not feasible.

5.4 Survival

The obligations of Business Associate under Section 5.3 shall survive the termination of this BAA.

6. Miscellaneous

6.1 Amendment

The parties agree to amend this BAA to the extent necessary to allow either party to comply with any changes in applicable law, including the HIPAA Rules, upon reasonable written notice. If the parties are unable to agree on an amendment within sixty (60) days, either party may terminate this BAA on thirty (30) days' written notice.

6.2 Interpretation

This BAA shall be construed as broadly as necessary to implement and comply with the HIPAA Rules. Any ambiguity in this BAA shall be resolved in favour of a meaning that permits Covered Entity to comply with the HIPAA Rules.

6.3 No Third-Party Beneficiaries

Nothing in this BAA shall confer any rights or remedies upon any person other than the parties and their respective successors and permitted assigns.

6.4 Governing Law

This BAA shall be governed by the laws of [STATE / JURISDICTION — to be agreed; default: laws of Norway, with HIPAA obligations governed by U.S. federal law], except that HIPAA compliance obligations shall in all cases be governed by U.S. federal law.

6.5 Entire Agreement

This BAA, together with the Underlying Agreement, constitutes the entire agreement between the parties with respect to HIPAA compliance and supersedes all prior negotiations, representations, or agreements relating to its subject matter.

6.6 Counterparts / Electronic Signature

This BAA may be executed in counterparts, each of which shall be deemed an original. Electronic signatures (including PDF) are binding.

7. Signature Block

IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the Effective Date.

COVERED ENTITY
[FULL LEGAL NAME]

Authorised Signature
Printed Name
Title
Date

BUSINESS ASSOCIATE
CloakAPI AS

Authorised Signature
Printed Name
Title
Date

This is a template only and does not constitute legal advice. The parties should obtain independent legal counsel before executing this Agreement. This template has not been approved or reviewed by HHS, OCR, or any government agency.

Related documents