RECITALS
- Customer may be a Covered Entity or Business Associate under HIPAA.
- In connection with BA providing services to Customer under the Agreement, BA may create, receive, maintain, or transmit PHI on behalf of Customer.
- The parties intend to protect the privacy and security of PHI in accordance with HIPAA.
- The purpose of this BAA is to satisfy applicable requirements of HIPAA, including 45 C.F.R. 164.308(b), 164.314(a), 164.502(e), and 164.504(e).
NOW, THEREFORE, the parties agree as follows:
I. DEFINITIONS
Capitalized terms not defined in this BAA have the meanings set forth in HIPAA and HITECH. "Breach" has the meaning in 45 C.F.R. 164.402. "Business Associate," "Covered Entity," "Designated Record Set," and "Protected Health Information" or "PHI" have the meanings in 45 C.F.R. 160.103. "Minimum Necessary" means the minimum necessary standard under 45 C.F.R. 164.502(b). "Routine Unsuccessful Security Incident" means an unsuccessful attempt to access, use, disclose, modify, or destroy electronic PHI or interfere with systems that does not result in unauthorized access, use, disclosure, modification, destruction, or interference, such as pings, port scans, automated scans, unsuccessful login attempts, denial-of-service attempts that do not materially affect systems containing PHI, or similar events. "Security Incident" has the meaning in 45 C.F.R. 164.304. "Subcontractor" has the meaning in 45 C.F.R. 160.103. "Unsecured PHI" has the meaning in 45 C.F.R. 164.402.
II. PERMITTED USES AND DISCLOSURES OF PHI
Except as otherwise limited in this BAA or the Agreement, BA may:
- Use and disclose PHI to perform services for or on behalf of Customer as permitted by the Agreement.
- Use PHI for proper management and administration of BA or to fulfill BA's legal responsibilities.
- Disclose PHI as Required by Law.
- Disclose PHI for BA management, administration, or legal responsibilities only if the disclosure is Required by Law or BA obtains reasonable assurances that the recipient will keep the PHI confidential, use or further disclose it only as Required by Law or for the purpose for which it was disclosed, and notify BA of any known confidentiality breach.
- Use or disclose PHI only in a manner that would not violate Subpart E of 45 C.F.R. Part 164 if done by Customer, except for BA management, administration, legal-responsibility, and de-identification uses expressly permitted by this BAA.
- De-identify PHI in accordance with 45 C.F.R. 164.514(a)-(c), using the safe harbor method or expert determination method as applicable, and use or disclose de-identified data for analytics and service improvement. BA will document the method used to de-identify PHI, will not re-identify de-identified data except as needed to validate de-identification, will not publish or disclose customer-identifiable or small-cell benchmarking without Customer's consent, and will not sell PHI.
- Use, disclose, and request the minimum necessary PHI to accomplish the intended purpose, except where the HIPAA minimum necessary standard does not apply.
III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
BA agrees to:
- Use or disclose PHI only as permitted by this BAA, the Agreement, or as Required by Law.
- Implement administrative, physical, and technical safeguards consistent with 45 C.F.R. 164.308, 164.310, and 164.312.
- Report to Customer any use or disclosure of PHI not provided for by this BAA, any Security Incident that results in unauthorized access, use, disclosure, modification, or destruction of PHI or material interference with systems containing PHI, and any Breach of Unsecured PHI without unreasonable delay and in no event later than five (5) business days after discovery. Routine Unsuccessful Security Incidents are deemed reported by this BAA; BA will provide aggregate information about them upon Customer's reasonable written request.
- For any Breach of Unsecured PHI, include in BA's notice, to the extent available, the identity of each individual whose Unsecured PHI was or is reasonably believed to have been accessed, acquired, used, or disclosed, the types of PHI involved, a brief description of what happened, mitigation and investigation status, and other available information Customer needs to satisfy 45 C.F.R. 164.404(c). BA will provide additional information promptly as it becomes available.
- Mitigate, to the extent practicable, harmful effects known to BA from a use or disclosure of PHI not provided for by this BAA or from a Security Incident or Breach involving PHI.
- Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on BA's behalf agrees in writing to the same restrictions, conditions, and requirements that apply to BA with respect to PHI. BA will not permit a Subcontractor to create, receive, maintain, or transmit PHI on BA's behalf unless such written agreement is in place, and BA will maintain a current list of such Subcontractors and make it available to Customer upon reasonable written request.
- Make PHI in a Designated Record Set available to Customer within ten (10) business days after Customer's written request as necessary to satisfy Customer's obligations under 45 C.F.R. 164.524. If an individual requests access directly from BA, BA may direct the individual to Customer unless the Agreement requires a different process.
- Make amendments to PHI in a Designated Record Set as directed or agreed to by Customer within ten (10) business days after Customer's written request as necessary to satisfy Customer's obligations under 45 C.F.R. 164.526.
- Maintain and provide information necessary for Customer to meet its obligations under 45 C.F.R. 164.528 within ten (10) business days after Customer's written request.
- To the extent BA carries out one or more of Customer's obligations under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to Customer in the performance of those obligations.
- Make BA's internal practices, books, and records relating to PHI available to the Secretary of HHS for purposes of determining Customer's compliance with HIPAA.
IV. OBLIGATIONS OF CUSTOMER
Customer agrees to:
- Determine whether Customer is a Covered Entity or Business Associate under HIPAA. This BAA does not make Customer a Covered Entity or Business Associate if HIPAA does not otherwise apply.
- Notify BA of any limitations in Customer's notice of privacy practices that affect BA's use or disclosure of PHI.
- Provide BA with any changes or revocations of authorization that affect BA's use or disclosure of PHI.
- Notify BA of any restriction on the use or disclosure of PHI that Customer has agreed to under 45 C.F.R. 164.522.
- Ensure that Customer has obtained required notices, consents, or authorizations for PHI that Customer provides to BA.
- Not request BA to use or disclose PHI in a way that would violate HIPAA if done by Customer.
V. TERM AND TERMINATION
This BAA is effective on the Customer Acceptance Date and remains in effect until terminated by either party in accordance with the Agreement. Customer may terminate this BAA if BA is in material breach and fails to cure within a reasonable time, or immediately if cure is not feasible.
VI. MISCELLANEOUS
- Return or Destruction of PHI. Upon termination, BA will return or destroy PHI received from Customer, or created, maintained, or received by BA on behalf of Customer, if feasible. BA will retain no copies except PHI that BA must retain for its proper management, administration, legal responsibilities, or backup-retention practices. For retained PHI, BA will extend the protections of this BAA, use or disclose the PHI only for the purpose for which it was retained, return or destroy it when no longer needed, and require Subcontractors to do the same where feasible.
- Amendment for Legal Compliance. The parties will amend this BAA as necessary to comply with HIPAA, HITECH, or other applicable law.
- No Third-Party Beneficiaries. Nothing in this BAA creates rights in any third party.
- Survival. BA's obligations regarding PHI survive termination for as long as BA retains PHI.
- Regulatory References. A reference in this BAA to a HIPAA citation means the citation as amended or recodified.
- Interpretation. This BAA will be interpreted in a manner consistent with HIPAA. If any provision is invalid, the remainder will remain in effect.
- Order of Precedence. If there is a conflict between this BAA and the Agreement regarding PHI, this BAA controls.
VII. CONTACT
Questions about this BAA: support@oseight.com.