
Appendix A: In-House Health Platform Business Associate Agreement (“BAA”)

Last updated: January 15, 2026

This Business Associate Agreement (“BAA”) is entered into as of the date of last signature to the MSA or services agreement (“Effective Date”) between Customer (for the BAA, referred to as “Covered Entity”) and In-House (for the BAA, referred to as “Business Associate”). If and only to the extent that (i) Customer is a covered entity or business associate (each as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)) and (ii) In-House is a business associate as defined in HIPAA, this BAA supplements the MSA or relevant services agreement between Customer and In-House (hereinafter, “Agreement”) and is intended to and shall be interpreted to satisfy the requirements for business associate agreements as set forth in HIPAA. If either (i) Customer is not a covered entity or business associate (each as defined under HIPAA) or (ii) In-House Health is not a business associate as defined under HIPAA, this BAA shall be void notwithstanding any other terms to the contrary.

1. Definitions. Except as provided below in this Section 1, terms used in this BAA, whether capitalized or not, shall have the same meaning as ascribed to those terms in HIPAA, the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations, 45 CFR Parts 160 and 164 as they shall be amended (collectively the “HIPAA Rules”).

1.1. Business Associate shall have the same meaning as the term “business associate” in 45 CFR § 160.103, and in reference to the party to this agreement, shall mean In-House Health.

1.2. Covered Entity shall have the same meaning as the term “covered entity” in 45 CFR § 160.103, and in reference to the party to this agreement, shall mean Customer.

1.3. HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

1.4. Protected Health Information or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information received from, or created or received by Business Associate on behalf of Covered Entity in order to provide the relevant services under the Agreement.

2. Obligations and Activities of Business Associate

2.1. Business Associate agrees to not use or disclose PHI other than as permitted or required by this BAA or as required by law.

2.2. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by this BAA.

2.3. Business Associate agrees to report to Covered Entity, within thirty (30) calendar days after discovery by Business Associate, the following: (i) any use or disclosure of PHI not permitted by this BAA or the HIPAA Rules of which Business Associate becomes aware (including but not limited to Breaches of unsecured PHI as required by 45 CFR § 164.410), and (ii) any successful security incidents as required by 45 CFR § 164.314 (collectively, the “Incidents”). In any case, Covered Entity shall provide the required notices under 45 CFR § 164.404 and Covered Entity will be solely responsible for the costs associated with providing such required notices. The Parties acknowledge that Business Associate is periodically subject to attempted but unsuccessful attempts to access its information system (e.g., typical “pings” or port scans), but that such unsuccessful attempts are trivial, routine, and do not constitute a material threat to the security of PHI. The Parties agree that further notice of such trivial but unsuccessful attempts (i.e., unsuccessful security incidents) shall not be required.

2.4. Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information as required by 45 CFR §§ 164.308(b)(2)-(3) and 502(e)(1)-(2). Business Associate may fulfill this requirement by having the subcontractors execute an agreement that incorporates the material terms of this BAA.

2.5. Make available to Covered Entity any PHI as necessary to enable Covered Entity to satisfy its obligations to provide an individual with access to certain PHI under 45 CFR § 164.524.

2.6. Make available to Covered Entity any PHI for amendment and incorporate any amendments to PHI as necessary to enable Covered Entity to satisfy its obligations under 45 CFR § 164.526.

2.7. Make information concerning Business Associate’s or subcontractors’ disclosures of PHI available to Covered Entity as necessary to enable Covered Entity to render an accounting of disclosures pursuant to 45 CFR § 164.528.

2.8. To the extent Business Associate is to carry out Covered Entity’s obligations under 45 CFR Part 164, Subpart E, comply with the requirements of 45 CFR Part 164, Subpart E, that apply to Covered Entity in the performance of such obligations.

2.9. Make Business Associate’s internal practices, books, and records relating to the use and disclosure of PHI hereunder available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures by Business Associate. Business Associate may use or disclose PHI as follows:

3.1. As necessary to perform the services under the Agreement.

3.2. As required by applicable law.

3.3. For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosures for these purposes (i) are required by law, or (ii)(a) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and (ii)(b) the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.4. To provide data aggregation services relating to the health care operations of Covered Entity as defined in 45 CFR § 164.501.

3.5. To de-identify any PHI, provided that such de-identification is performed in accordance with the standards and implementation specifications set forth in the HIPAA Rules.

4. Obligations of Covered Entity

4.1. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. In addition, Covered Entity represents and warrants that, prior to execution of this BAA or the Agreement, and at all times during the BAA, Covered Entity has obtained or will obtain any consent or authorization required by HIPAA Rules or other law necessary for Business Associate to perform its duties pursuant to this BAA.

4.2. Covered Entity shall notify Business Associate of (i) any agreement by Covered Entity with an individual concerning the use or disclosure of the individual’s PHI, to the extent that such agreement may affect Business Associate’s use or disclosure of PHI, and (ii) any restriction on the use or disclosure of PHI to which Covered Entity has agreed or with which it is required to abide under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

5. Term and Termination

5.1. This BAA shall be effective as of the Effective Date and shall terminate (i) upon termination of the Agreement, (ii) upon thirty (30) days prior written notice to the other party due to a material breach of this BAA by the other party. The breaching party shall have the opportunity to cure the breach during the 30-day notice period. If the breaching party fails to cure the breach within the 30-day notice period, the non-breaching party may declare the BAA terminated by providing written notice at the end of the 30-day period, or (iii) when all PHI provided by Covered Entity to Business Associate is destroyed or returned to Covered Entity.

5.2. Upon termination of this BAA for any reason, Business Associate shall, with respect to PHI received from Covered Entity, or created, maintained, used, or received by Business Associate or its subcontractors on behalf of Covered Entity: if feasible, return all PHI to Covered Entity or, if Covered Entity agrees, destroy such PHI. If the return or destruction of PHI is not feasible, continue to extend the protections of this BAA and the HIPAA Rules to such information and not use or further disclose the information in a manner that is not permitted by this BAA or the HIPAA Rules.

6. Miscellaneous. Any ambiguity in this BAA shall be resolved to permit the parties hereto to comply with the HIPAA Rules. A reference in this BAA to a section in the HIPAA Rules or other laws or regulations means the section as in effect or as amended. This BAA supplements the Agreement. The terms and conditions of the Agreement shall continue to apply to the extent not inconsistent with this BAA. If there is a conflict between this BAA and the Agreement, this BAA shall control. To the extent Business Associate receives, stores, processes, or otherwise deals with Substance Use Disorder Records as defined in 42 CFR Part 2 on behalf of Covered Entity, the parties agree to comply with 42 CFR Part 2, to the extent applicable. This BAA may be amended by the parties in writing and shall be amended as is necessary to comply with the requirements of the HIPAA Rules.

2025 In-House Health, Inc. All rights reserved.