Business Associate Agreement (BAA)¶
Pursuant to HIPAA 45 CFR §164.504(e) (Privacy Rule) and §164.314(a) (Security Rule)
1. Parties¶
Covered Entity (Client):
- Name: [CLIENT HEALTHCARE ORGANIZATION]
- Address: [CLIENT ADDRESS]
- Phone: [CLIENT PHONE]
- Authorized Representative: [NAME, TITLE]
Business Associate (Processor):
- Name: BeDefended S.r.l.
- Address: Italy
- Email: privacy@bedefended.com
- HIPAA Compliance Officer: privacy@bedefended.com
2. Recitals¶
2.1 Purpose¶
Covered Entity engages Business Associate to perform penetration testing and security vulnerability assessment on Covered Entity's information systems as part of a comprehensive security program to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI).
2.2 HIPAA Applicability¶
This BAA is required because the services involve potential exposure to, use of, or disclosure of Protected Health Information (PHI) as defined in 45 CFR §160.103.
3. Definitions¶
| Term | Definition |
|---|---|
| PHI | Protected Health Information: individually identifiable health information transmitted or maintained in any form or medium (45 CFR §160.103), including the medical and billing records created or received by Covered Entity |
| ePHI | PHI that is created, stored, processed, or transmitted in electronic form |
| Security Breach | Unauthorized acquisition, access, use, or disclosure of ePHI that compromises its security or privacy (45 CFR §164.402); see Section 6 for the presumption and exceptions |
| Safeguards | Administrative, physical, and technical measures that protect the confidentiality, integrity, and availability of PHI |
| Permitted Uses | Uses of PHI disclosed by Covered Entity that are necessary to perform the testing services |
| Permitted Disclosures | Disclosures of PHI to subcontractors acting on Business Associate's behalf, only with Covered Entity's written authorization |
4. Permitted Uses & Disclosures (45 CFR §164.504(e)(2)(i))¶
4.1 Permitted Uses¶
Business Associate may use ePHI ONLY for:
- Performing penetration testing and vulnerability scanning within the engagement scope
- Identifying and documenting security weaknesses
- Creating evidence and findings reports for Covered Entity
- Responding to data breach investigations per Section 6
4.2 Prohibited Uses¶
Business Associate SHALL NOT:
- ❌ Use ePHI for any other purpose
- ❌ Disclose ePHI except as permitted in Section 4.3
- ❌ De-identify ePHI for data mining or marketing
- ❌ Sell or license ePHI to third parties
- ❌ Combine ePHI with data from other sources for analysis beyond the testing scope
4.3 Permitted Disclosures¶
Business Associate may disclose ePHI:
1. To Covered Entity: in testing reports and findings documentation
2. To Covered Entity's authorized staff: for remediation purposes
3. To subcontractors: only with written authorization (Section 7)
4. To law enforcement: if required by law, with notice to Covered Entity where the law permits
5. To regulatory authorities: if required for HIPAA enforcement or investigation
4.4 Data Subject Access¶
If a patient requests access to PHI that may appear in testing reports (45 CFR §164.524):
1. Covered Entity requests the data from Business Associate
2. Business Associate provides it within 5 business days
3. Covered Entity handles the access request per its own policies
5. Safeguards (45 CFR §164.504(e)(2)(ii)(B))¶
5.1 Administrative Safeguards¶
Workforce Security (45 CFR §164.308(a)(3))¶
- Background Checks: All staff handling ePHI undergo background screening before access
- Authorization: Only designated pentester staff authorized to access ePHI
- Supervision: HIPAA Compliance Officer reviews all ePHI-related activities
- Termination: Upon termination, access to ePHI systems revoked immediately; confidentiality obligations continue indefinitely
Workforce Training (45 CFR §164.308(a)(5))¶
- Annual Training: All staff receive HIPAA training covering:
- PHI definition and identification
- Confidentiality, integrity, availability principles
- Permitted uses/disclosures
- Breach notification requirements
- Sanctions for non-compliance
Authorization & Supervision¶
- Access Control: RBAC limiting access to ePHI by role (pentester vs. analyst vs. client-facing)
- Audit Controls: All access to ePHI logged with timestamp, user ID, action taken, IP address
- Approval Process: Formal approval required before ePHI can be used in testing
Security Management Process (45 CFR §164.308(a)(1))¶
- Risk Assessment: Annual HIPAA risk assessment conducted
- Risk Mitigation Plan: Documented remediation plan for identified risks
- Sanctions Policy: Non-compliance with HIPAA triggers disciplinary action (reprimand, termination)
- Information System Activity Review: Quarterly review of audit logs for unauthorized access patterns
Disaster Recovery & Contingency (45 CFR §164.308(a)(7))¶
- Backup: Daily automated backups of ePHI (encrypted, tested monthly)
- Disaster Recovery Plan: Recovery Time Objective (RTO) 4 hours, Recovery Point Objective (RPO) 1 hour
- Contingency Operations: Manual fallback procedures if automated systems fail
- Business Continuity: Engagement data stored in secondary location with auto-failover
5.2 Physical Safeguards¶
Facility Access Controls (45 CFR §164.310(a)(1))¶
- Visitor Log: All visitors to data center logged with time, purpose, escort
- Authorized Access Only: Card-key entry to server room; only staff with ePHI responsibilities granted access
- Surveillance: CCTV monitoring of server room entrance (14-day retention)
Workstation Use & Security (45 CFR §164.310(b)-(c))¶
- Workstation Use Policies: Only authorized staff use workstations with ePHI access
- Workstation Configuration: Screen locks after 15 minutes of inactivity; biometric/multi-factor authentication required
- Physical Safeguards: Workstations in locked rooms; anti-theft cable locks
Device & Media Controls (45 CFR §164.310(d))¶
- No USB Storage: USB drives, external drives prohibited; encrypted cloud transfer only
- Mobile Device Management: Phones/laptops accessing ePHI must have MDM enrollment + encryption
- Media Destruction: Hard drives with ePHI wiped per NIST SP 800-88 guidelines before disposal
5.3 Technical Safeguards¶
Access Control (45 CFR §164.312(a)(1))¶
- Unique User Identification: Each staff member has unique username; no shared credentials
- Emergency Access Procedures: Break-glass procedure for emergency access (logged, reviewed within 24 hours)
- Encryption: All ePHI at rest encrypted with AES-256 using FIPS 140-2/140-3 validated cryptographic modules (see Encryption & Decryption below)
Audit Controls (45 CFR §164.312(b))¶
- Logging: All ePHI access logged: timestamp, user, action (read/write/delete), IP, user-agent
- Log Retention: Logs retained minimum 2 years
- Review Frequency: Monthly review for unauthorized access; quarterly reporting to Covered Entity
Integrity (45 CFR §164.312(c)(1))¶
- Mechanisms: Technical controls detect and prevent unauthorized alteration or destruction of ePHI
- Digital Signatures: ePHI in reports signed with BeDefended private key for authenticity verification
- Change Control: All changes to ePHI handling processes logged and approved by HIPAA Officer
Transmission Security (45 CFR §164.312(e)(1))¶
- Encryption in Transit: All ePHI transmitted via TLS 1.3 or equivalent
- HTTPS Only: No unencrypted HTTP; HSTS preload enabled
- VPN: Staff accessing ePHI remotely must use VPN with certificate-based authentication
- Network Isolation: ePHI systems isolated from internet-facing systems via firewall/DMZ
Encryption & Decryption (45 CFR §164.312(a)(2)(iv))¶
- Algorithm: AES-256-GCM (NIST-approved)
- Key Management:
- Keys stored in AWS KMS or HSM
- Key rotation annually
- Separate keys per engagement (no cross-engagement decryption)
6. Breach Notification (45 CFR §164.410)¶
6.1 Definition of Breach¶
Unauthorized acquisition, access, use, or disclosure of unsecured ePHI is presumed to be a breach (45 CFR §164.402) unless:
- ✓ A documented risk assessment shows a low probability that the PHI was compromised, considering the nature of the PHI, the unauthorized person, whether the PHI was actually acquired or viewed, and the extent of mitigation
- ✓ The ePHI was secured per HHS guidance (encrypted consistent with NIST SP 800-111 at rest or NIST SP 800-52/800-77/800-113 in transit, or media sanitized per NIST SP 800-88), so it is not "unsecured PHI"
- ✓ A §164.402 exception applies: unintentional good-faith access by a workforce member acting within their authority, inadvertent disclosure between persons authorized to access PHI at the same entity, or a good-faith belief that the recipient could not have retained the information
6.2 Notification Timeline¶
Business Associate MUST notify Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery (45 CFR §164.410(b)); the contractual targets are:
| Phase | Timeline | Action |
|---|---|---|
| Detection | < 4 hours | Confirm breach; assess scope, categories, risk |
| Notification to Covered Entity | < 24 hours | Email + phone to Covered Entity contact; include nature, scope, measures taken |
| Covered Entity → Affected Individuals | Without unreasonable delay, ≤ 60 calendar days from discovery (45 CFR §164.404) | Covered Entity responsible; BeDefended provides notice template |
| Covered Entity → HHS & Media | ≥ 500 individuals: HHS notified contemporaneously with individual notice and prominent media in the affected state ≤ 60 days (45 CFR §164.406, §164.408); < 500 individuals: HHS annual log within 60 days of calendar-year end | Covered Entity's responsibility; BA provides supporting documentation |
6.3 Notification Content¶
Business Associate's notification to Covered Entity includes:
1. Breach Description: date discovered and date the breach is suspected to have occurred
2. Scope: types of ePHI affected (diagnosis codes, SSN, etc.) and number of records
3. Risk Assessment: likelihood that PHI was acquired or viewed by an unauthorized person
4. Measures Taken: containment, system monitoring, investigation findings
5. Point of Contact: BeDefended staff member available for questions (24/7 during the incident)
6.4 Investigation & Cooperation¶
- Business Associate conducts forensic investigation
- Findings shared with Covered Entity within 10 days
- Business Associate cooperates with HHS/state authorities if required
7. Subcontractors & Sub-processors (45 CFR §164.502(e)(1)(ii), §164.504(e)(5))¶
7.1 Authorization Requirement¶
Business Associate SHALL NOT disclose ePHI to subcontractors without:
1. Prior written authorization from Covered Entity
2. A written subcontractor agreement (see Section 7.2)
7.2 Subcontractor Requirements¶
Each subcontractor must have a written agreement that:
- ✓ Requires the subcontractor to use ePHI only for permitted purposes
- ✓ Prohibits further disclosure except as permitted by that agreement
- ✓ Imposes the same safeguards as this BAA
- ✓ Authorizes Covered Entity to audit the subcontractor's HIPAA compliance
- ✓ Includes a termination clause requiring return or destruction of ePHI
7.3 Current Subcontractors¶
As of execution date, the following subcontractors may have ePHI access:
| Subcontractor | Purpose | ePHI Access | Agreement Status |
|---|---|---|---|
| AWS (encrypted backup) | Data backup/recovery | Encrypted (keys held by BeDefended) | BAA signed |
| GitHub (private repo) | Code/infrastructure (no PHI in code) | None directly | Standard services agreement |
Notification: Covered Entity will be notified 15 days in advance of any new subcontractor that will access ePHI.
8. Owned Data & Copies¶
8.1 Data Ownership¶
All ePHI disclosed to Business Associate remains property of Covered Entity. Business Associate has no ownership interest.
8.2 Restrictions on Copies¶
- Single Copy Only: One findings report is produced and provided to Covered Entity; no additional working copies of ePHI are distributed
- Engagement Database: Testing logs retained by Business Associate for 1 year, then deleted
- No Extra Copies: ePHI is not copied to secondary systems outside the encrypted backups in Section 5, which exist only for recovery and are deleted on the same schedule as the primary data
9. Return or Destruction (45 CFR §164.504(e)(2)(ii)(J))¶
9.1 Upon Engagement Completion¶
Within 30 days of engagement completion date, Business Associate shall:
Option A: Destruction (Recommended)
- All ePHI sanitized per NIST SP 800-88 Rev. 1, using the method appropriate to the media: overwrite for magnetic disks, cryptographic erase or built-in sanitize commands for SSDs, and key destruction for encrypted cloud storage
- Written certification of destruction provided to Covered Entity
- Destruction logged with date, method, and personnel involved
Option B: Return
- All ePHI encrypted to Covered Entity's public key
- Data returned on an encrypted portable drive via secure courier
- Chain of custody documented
Option C: Retention Where Return or Destruction Is Infeasible (Requires Written Consent)
- ePHI retained only for ongoing monitoring or compliance audit purposes that make return or destruction infeasible
- Covered Entity must provide written authorization
- Standard BAA safeguards continue for as long as the ePHI is retained, and further use is limited to those purposes
9.2 Certification¶
BeDefended shall provide written certification stating:
- What was destroyed or returned: specific categories of ePHI
- How: method used (sanitization technique, encryption to Covered Entity's key, etc.)
- When: date of completion
- Who: personnel involved (e.g., "HIPAA Officer John Doe")
- Verification: for destruction, the NIST SP 800-88 verification performed (e.g., read-back sampling or confirmation of key destruction); for return, the hash of the encrypted archive so Covered Entity can confirm integrity on receipt
10. Covered Entity Obligations¶
10.1 Provide Notice¶
Covered Entity shall inform Business Associate in writing of:
- Any changes to permitted uses or disclosures of ePHI
- Any amendments to Covered Entity's privacy or security policies
- Any restrictions on ePHI use or disclosure
10.2 Authorization & Cooperation¶
Covered Entity shall:
- Grant Business Associate access to audit findings for safeguard assessment
- Cooperate in breach investigations
- Authorize disclosures to law enforcement if legally required
- Provide a list of authorized staff who may receive testing reports
10.3 Indemnification (Covered Entity)¶
Covered Entity indemnifies Business Associate if:
- A breach is caused by Covered Entity's failure to follow HIPAA rules
- Covered Entity misrepresents the scope of ePHI disclosed
- Covered Entity fails to restrict use per its authorization
11. Termination¶
11.1 Term¶
- Effective Date: [DATE AGREEMENT SIGNED]
- Engagement Period: [ENGAGEMENT START] to [ENGAGEMENT END]
- Termination: Automatic upon completion of engagement, or earlier by written notice
11.2 Immediate Termination For Cause¶
Either party may terminate if a material breach of this BAA is not cured within 30 days of written notice, and may terminate immediately if:
- Business Associate violates the HIPAA Security Rule (45 CFR Part 164, Subpart C)
- Covered Entity determines Business Associate is incapable of safeguarding ePHI
11.3 Effect of Termination¶
Upon termination:
1. No Further ePHI Use: Business Associate ceases all use of ePHI
2. Return/Destruction: All ePHI returned or destroyed per Section 9
3. Confidentiality Continues: Staff confidentiality obligations continue indefinitely
4. Audit Rights: Covered Entity may audit Business Associate for 2 additional years to verify compliance
5. Exception: ePHI retained under Section 9, Option C remains subject to the terms of this BAA
12. Dispute Resolution & Governing Law¶
12.1 Governing Law¶
This BAA is governed by:
- Federal Law: HIPAA (45 CFR Parts 160 and 164) and the HITECH Act (42 USC §§17921-17953)
- State Law: laws of [CLIENT STATE/COUNTRY], to the extent consistent with HIPAA
12.2 Jurisdiction¶
- Disputes: Submitted to mediation (60 days) before litigation
- Venue: [CLIENT STATE/COUNTRY] courts have exclusive jurisdiction
- Contact: privacy@bedefended.com for dispute notification
12.3 Regulatory Cooperation¶
- Business Associate cooperates with HHS Office for Civil Rights (OCR) investigations
- Business Associate authorizes Covered Entity to disclose Business Associate's practices to OCR
13. Required Reports & Audits¶
13.1 Quarterly Security Report¶
Business Associate provides Covered Entity a quarterly report including:
- Number of access incidents (unauthorized access attempts)
- Any breaches detected or reported
- Audit log review findings
- Staff training completion rates
13.2 Annual HIPAA Audit¶
Covered Entity may conduct an annual audit including:
- On-site inspection of technical safeguards
- Review of audit logs (30-day sample)
- Interviews with the HIPAA Officer and staff
- Testing of encryption, access controls, and backup procedures
- Subcontractor audit (with written notice)
Audit Cost: Covered Entity bears cost
14. Sanctions & Enforcement¶
14.1 Non-Compliance Sanctions¶
Breach of this BAA may result in:
- Civil Money Penalties: Tiered per-violation penalties with annual caps under 42 USC §1320d-5, as adjusted for inflation, enforced by HHS OCR and applicable directly to business associates under HITECH §13410 (42 USC §17939)
- Civil Liability: State attorney general actions for damages on behalf of affected residents (42 USC §1320d-5(d)), plus contractual damages between the parties
- Criminal Penalties: Fines and imprisonment of up to 10 years for knowing wrongful disclosure with intent to sell or use PHI for commercial advantage or malicious harm (42 USC §1320d-6)
14.2 Remediation¶
If non-compliance is discovered:
1. Notification: within 10 days
2. Remediation Plan: within 15 days
3. Implementation: remediate within 30 days
4. Verification: provide evidence of remediation to Covered Entity
15. Entire Agreement¶
This BAA:
- Constitutes the entire agreement regarding ePHI
- Supersedes prior agreements and understandings
- May be amended only by written agreement signed by both parties
- Survives termination of the underlying engagement agreement
16. Signature¶
For the Covered Entity:
Name: _________
Title: _________
Authorized Signature: _________
Date: _________
For the Business Associate (BeDefended):
Name: _________
Title: HIPAA Compliance Officer
Authorized Signature: _________
Date: _________
Document Version: 1.0 | HIPAA Compliant: Yes | Effective Date: 2026-03-17