Business Associate Agreement (BAA)
Contract-ready draft for legal review. Replace bracketed placeholders during redline.
Drafting Placeholders
[COVERED_ENTITY_NAME], [EFFECTIVE_DATE], [BREACH_NOTICE_WINDOW_DAYS], [CURE_PERIOD_DAYS], [GOVERNING_STATE], [VENUE_COUNTY_STATE]
1. Definitions
Capitalized terms have the meaning assigned under HIPAA, HITECH, and applicable state privacy law. Covered Entity means [COVERED_ENTITY_NAME]. Business Associate means NyxCitadel, Inc. Effective Date means [EFFECTIVE_DATE].
2. Scope of Services and PHI Use
Business Associate may create, receive, maintain, and transmit PHI solely to perform services described in the Master Services Agreement and as otherwise permitted by law. Any use or disclosure outside this scope requires prior written authorization from Covered Entity.
3. Safeguards
Business Associate will implement and maintain appropriate administrative, technical, and physical safeguards to protect PHI, including encryption in transit and at rest, access controls, logging, and workforce security training reasonably aligned to the risk profile.
4. Breach and Security Incident Notification
Business Associate will notify Covered Entity without unreasonable delay, and no later than [BREACH_NOTICE_WINDOW_DAYS] calendar days after discovery of a Breach of Unsecured PHI. Notice will include known facts, impact summary, mitigation steps, and remediation plan.
5. Subcontractors
Business Associate will ensure each subcontractor that creates, receives, maintains, or transmits PHI agrees in writing to restrictions and safeguards materially equivalent to this Agreement.
6. Access, Amendment, and Accounting Support
Business Associate will provide reasonable cooperation and information necessary for Covered Entity to meet its obligations related to access, amendment, and accounting of disclosures under applicable law.
7. Return or Destruction of PHI
Upon termination, Business Associate will return or destroy PHI where feasible. If return or destruction is infeasible, Business Associate will continue protections and limit further uses/disclosures to those making return or destruction infeasible.
8. Term and Termination
This Agreement is effective as of the Effective Date and remains in force while Business Associate performs services involving PHI. Material breach not cured within [CURE_PERIOD_DAYS] days after written notice permits termination by non-breaching party.
9. Governing Law and Venue
This Agreement is governed by the laws of [GOVERNING_STATE], without regard to conflict-of-law principles, except where superseded by federal privacy law. Venue is [VENUE_COUNTY_STATE].
10. Signature Blocks
Covered Entity
Name: [AUTHORIZED_SIGNER_NAME]
Title: [AUTHORIZED_SIGNER_TITLE]
Signature: ________________________
Date: ________________________
Business Associate (NyxCitadel, Inc.)
Name: [NYXCITADEL_SIGNER_NAME]
Title: [NYXCITADEL_SIGNER_TITLE]
Signature: ________________________
Date: ________________________