Global HandsAttestyx™by Global Hands, Inc.
Sign inGet started
How It WorksFor GrantorsFor GranteesTransparencyRegistry
Sign inGet started
SAMPLE - DRAFT FOR COUNSEL REVIEW. Not yet executed by Global Hands, Inc. (Operator) or JIL Sovereign Technologies, Inc. (Licensor); not binding on any party.
For Grantors

Business Associate Agreement (BAA)

HIPAA BAA for grant programs that incidentally encounter PHI.

Effective: 2026-05-04Last updated: 2026-05-04Version 1.0 (sample)

1. Purpose

This Business Associate Agreement (“BAA”) is entered into pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), and the implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, “HIPAA”). It applies to Operator's services to Foundations whose grant programs systematically involve Protected Health Information (“PHI”).

2. Definitions

“Protected Health Information” or “PHI” has the meaning given in 45 C.F.R. § 160.103. Other terms used but not defined in this BAA have the meanings ascribed to them in HIPAA.

3. Permitted Uses and Disclosures of PHI

Operator may use or disclose PHI only as permitted or required by this BAA, the MSA, or as required by law. Specifically, Operator may use and disclose PHI:

  • To perform the services described in the MSA and applicable Order Form.
  • For the proper management and administration of Operator or to carry out its legal responsibilities.
  • To provide Data Aggregation services as defined in 45 C.F.R. § 164.501.

4. Safeguards

Operator implements administrative, physical, and technical safeguards required by 45 C.F.R. §§ 164.308, 164.310, and 164.312 to protect the confidentiality, integrity, and availability of PHI. Specific safeguards are described in the Information Security Policy.

5. Reporting

Operator will report to Foundation any use or disclosure of PHI not permitted by this BAA of which it becomes aware without unreasonable delay, and in any event no later than 5 business days after discovery. Operator will report any Security Incident or Breach (as those terms are defined in HIPAA) without unreasonable delay and not later than 60 calendar days after discovery.

6. Subcontractors

Operator will require any subcontractor that creates, receives, maintains, or transmits PHI on its behalf to enter into a written agreement at least as restrictive as this BAA.

7. Access, Amendment, and Accounting

Operator will, within 30 days of a Foundation request, make PHI available to Foundation as required by 45 C.F.R. § 164.524 (Individual access), § 164.526 (amendment), and § 164.528 (accounting of disclosures). Operator will also make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services as required by 45 C.F.R. § 164.504(e)(2)(ii)(I).

8. Breach Notification

Operator will notify Foundation in writing of any Breach of Unsecured PHI within 5 business days of discovery. Notification will include all information required under 45 C.F.R. § 164.410.

9. Term and Termination

This BAA is effective concurrent with the MSA and terminates upon termination of the MSA, except that obligations regarding PHI survive until the PHI is returned, destroyed, or extended protections are no longer feasible. Foundation may terminate this BAA for material breach by Operator that is not cured within 30 days of notice, or immediately if cure is not feasible.

10. Return or Destruction

Upon termination, Operator will, where feasible, return or destroy all PHI received from or created on behalf of Foundation. Where return or destruction is not feasible, Operator will extend the protections of this BAA to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.