ForensAssess

Business Associate Agreement (Sample)

Effective on execution. This template is provided for review only. Use of ForensAssess with Protected Health Information requires a counter-signed BAA on your customer record. Email legal@forensassess.com to execute.

1. Definitions

Terms used but not otherwise defined in this Agreement have the meanings set forth in 45 CFR §§ 160.103 and 164.501. "Covered Entity" means the customer; "Business Associate" means ForensAssess, LLC ("ForensAssess"); "PHI" means Protected Health Information as defined under HIPAA and accessed, created, received, maintained, or transmitted by ForensAssess on behalf of Covered Entity.

2. Permitted Uses and Disclosures

ForensAssess will use and disclose PHI solely to perform the services described in the underlying ForensAssess subscription or pay-per-use agreement (the "Services"), and as required by law. ForensAssess will not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.

3. Safeguards

ForensAssess will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity. Current safeguards include: TLS 1.3 in transit; AES-256 at rest with per-tenant KMS keys; 30-day input retention with automated deletion; Zero Data Retention configuration with downstream LLM providers; SOC 2 Type I (in process).

4. Subcontractors

ForensAssess will require any subcontractor that creates, receives, maintains, or transmits PHI on behalf of ForensAssess to agree in writing to substantially the same restrictions and conditions that apply to ForensAssess with respect to such information. The current list of subprocessors is maintained at forensassess.com/legal/subprocessors.

5. Reporting

ForensAssess will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR § 164.410, and any security incident of which it becomes aware. Notice of a reportable breach will be provided without unreasonable delay and in no case later than thirty (30) calendar days after discovery.

6. Access, Amendment, and Accounting

ForensAssess will make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR §§ 164.524 (access), 164.526 (amendment), and 164.528 (accounting of disclosures), within fifteen (15) business days of a written request.

7. Term and Termination

This Agreement is effective as of the date of execution and continues until the underlying services agreement is terminated. Upon termination, ForensAssess will return or destroy all PHI received from, or created or received by ForensAssess on behalf of, Covered Entity that ForensAssess still maintains, in accordance with 45 CFR § 164.504(e)(2)(ii)(J).

8. Miscellaneous

This Agreement is governed by the laws of the State of Florida. Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Agreement. This Agreement amends and supplements the underlying services agreement; in the event of conflict, this Agreement controls with respect to the handling of PHI.

FORENSASSESS, LLC
Authorized Signature
Name / Title
Date

COVERED ENTITY
Authorized Signature
Name / Title
Date

This template is provided for convenience and does not constitute legal advice. ForensAssess is not your attorney. Counsel should review and tailor this template to your circumstances before execution.