1. Purpose
This Business Associate Agreement (“BAA”) is entered into pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), and the implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, “HIPAA”). It applies to Operating Co's services to Foundations whose grant programs systematically involve Protected Health Information (“PHI”).
2. Definitions
“Protected Health Information” or “PHI” has the meaning given in 45 C.F.R. § 160.103. Other terms used but not defined in this BAA have the meanings ascribed to them in HIPAA.
3. Permitted Uses and Disclosures of PHI
Operating Co may use or disclose PHI only as permitted or required by this BAA, the MSA, or as required by law. Specifically, Operating Co may use and disclose PHI:
- To perform the services described in the MSA and applicable Order Form.
- For the proper management and administration of Operating Co or to carry out its legal responsibilities.
- To provide Data Aggregation services as defined in 45 C.F.R. § 164.501.
4. Safeguards
Operating Co implements administrative, physical, and technical safeguards required by 45 C.F.R. §§ 164.308, 164.310, and 164.312 to protect the confidentiality, integrity, and availability of PHI. Specific safeguards are described in the Information Security Policy.
5. Reporting
Operating Co will report to Foundation any use or disclosure of PHI not permitted by this BAA of which it becomes aware, without unreasonable delay and in any event no later than 5 business days after discovery. Operating Co will report any Security Incident or Breach (as those terms are defined in HIPAA) without unreasonable delay and not later than 60 calendar days after discovery.
6. Subcontractors
Operating Co will require any subcontractor that creates, receives, maintains, or transmits PHI on its behalf to enter into a written agreement at least as restrictive as this BAA.
7. Access, Amendment, and Accounting
Operating Co will, within 30 days of a Foundation request, make PHI available to Foundation as required by 45 C.F.R. § 164.524 (individual access), § 164.526 (amendment), and § 164.528 (accounting of disclosures). Operating Co will also make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services as required by 45 C.F.R. § 164.504(e)(2)(ii)(I).
8. Breach Notification
Operating Co will notify Foundation in writing of any Breach of Unsecured PHI within 5 business days of discovery. Notification will include all information required under 45 C.F.R. § 164.410.
9. Term and Termination
This BAA is effective concurrent with the MSA and terminates upon termination of the MSA, except that obligations regarding PHI survive until the PHI is returned, destroyed, or extended protections are no longer feasible. Foundation may terminate this BAA for material breach by Operating Co that is not cured within 30 days of notice, or immediately if cure is not feasible.
10. Return or Destruction
Upon termination, Operating Co will, where feasible, return or destroy all PHI received from or created on behalf of Foundation. Where return or destruction is not feasible, Operating Co will extend the protections of this BAA to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.