Business associate agreement
August 8, 2025
This Business Associate Agreement is incorporated by reference into Dilato’s Terms of Use and applies automatically to HIPAA “Covered Entities” that use Dilato’s services to process PHI. By using the services, the Covered Entity agrees to the terms of this BAA.
This Business Associate Agreement (“Agreement”) is entered into by and between:
Dilato Applications Inc. (“Business Associate”) and
The Customer (“Covered Entity”),
to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. This Agreement sets forth the terms and conditions under which Business Associate will receive, create, maintain, use, or disclose Protected Health Information (“PHI”) in the course of providing services to Covered Entity, in accordance with 45 CFR §§164.502(e) and 164.504(e). The parties agree as follows:
1. Definitions
Protected Health Information (PHI) – Individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103. For purposes of this Agreement, PHI includes Electronic PHI (ePHI) and excludes information that has been de-identified in accordance with 45 CFR § 164.514.
HIPAA Rules – The Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164. Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules (e.g., Breach, Unsecured PHI, Minimum Necessary, Required by Law).
Recognized Security Practices (RSP) – The “recognized security practices” described in Section 13412 of the Health Information Technology for Economic and Clinical Health Act (HITECH), as amended by Public Law 116-321 (the 2021 HIPAA Safe Harbor Law). RSP may include, but is not limited to, standards, guidelines, best practices, methodologies, procedures, and processes developed under § 2(c)(15) of the National Institute of Standards and Technology Act, the NIST Cybersecurity Framework, NIST SP 800-53 control families, or the Health Industry Cybersecurity Practices (HICP), provided they have been fully implemented for at least the preceding twelve (12) months.
Covered Entity – The HIPAA-covered health plan, health care provider, or health care clearinghouse that is a party to this Agreement.
Business Associate – Dilato Applications Inc., which provides services to Covered Entity involving the use or disclosure of PHI, and is therefore subject to the obligations of a business associate under the HIPAA Rules.
2. Permitted Uses and Disclosures of PHI
2.1 Service Provision: Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI only as necessary to perform the services for Covered Entity as described in any underlying services agreement, and as permitted or required by this Agreement or by law (see HHS, Business Associate Contracts). Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by Covered Entity (45 CFR §164.504(e)). All uses and disclosures shall be subject to the “minimum necessary” standard, meaning Business Associate will request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose, in accordance with 45 CFR §§164.502(b) and 164.514(d).
2.2 Internal Management and Legal Requirements: Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities only to the extent permitted by 45 CFR §164.504(e)(4). Any disclosure for such purposes is only allowed if (a) required by law, or (b) Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and the recipient notifies Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached (per 45 CFR §164.504(e)(4)(ii)).
2.3 No Other Use or Disclosure: Business Associate shall not use or further disclose PHI other than as permitted by this Agreement or as required by law (see HHS, Business Associate Contracts). Business Associate is prohibited from using PHI for any independent commercial purpose or for the benefit of any party other than Covered Entity, except as specifically authorized by this Agreement. For clarity, Business Associate shall not sell, aggregate, or otherwise use Covered Entity’s PHI for marketing, advertising, artificial intelligence training, or other unauthorized purposes.
3. Safeguards and Security Measures
3.1 Safeguards: Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. These safeguards shall prevent any use or disclosure of PHI other than as provided for by this Agreement (see HHS, Business Associate Contracts). In particular, Business Associate will comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C) for all electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity (45 CFR §164.504(e)). This includes, but is not limited to, implementing access controls, encryption, audit controls, risk analyses, and security policies and procedures as required by 45 CFR §§164.306 – 164.318. Business Associate attests that it will implement Recognized Security Practices (as defined in Section 1) and will maintain these practices for the term of this Agreement.
3.2 Reporting Security Incidents: Business Associate will identify and respond to suspected or known Security Incidents (as defined at 45 CFR §164.304) and will mitigate, to the extent practicable, any harmful effects of such incidents. Minor unsuccessful attempts at unauthorized access (e.g. pings or firewall probes) need not be reported, consistent with HIPAA guidance. However, any successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations (i.e. a security incident that results in actual compromise of PHI) shall be treated as either an unauthorized disclosure or a potential Breach and must be reported to Covered Entity as described in Section 5 below.
4. PHI Storage, Retention, and Destruction
4.1 Temporary Storage Limitation: Business Associate stores PHI only temporarily, for the duration of processing and service delivery. PHI will not be retained by Business Associate for longer than is necessary to perform the services, to comply with legal requirements, or to follow explicit instructions of Covered Entity. Under this transient retention policy, any PHI received or created by Business Associate on behalf of Covered Entity resides on Business Associate’s systems only temporarily, barring exceptional circumstances.
4.2 Secure Disposal or De-Identification: Upon the expiration of the retention period described in Section 4.1, Business Associate shall promptly and securely destroy the PHI. Destruction shall render PHI unusable, unreadable, and indecipherable to unauthorized individuals. If Covered Entity or the individual user (data subject) has explicitly requested that the PHI be retained in de-identified form for that user’s benefit, Business Associate may instead de-identify the PHI in compliance with 45 CFR §164.514, such that it is no longer considered PHI. Any de-identification will be done using the “Safe Harbor” method at 45 CFR §164.514(b)(2), to ensure removal of all identifiers listed in that section. After de-identification, Business Associate will either provide the de-identified data to the requesting party or retain it solely for permitted uses as described in Section 6.
4.3 Documentation of Destruction: Upon request, Business Associate will provide documentation or certification to Covered Entity verifying that PHI has been destroyed or de-identified in accordance with the above procedures.
5. Breach Notification and Reporting Obligations
5.1 Reporting of Unauthorized Uses/Disclosures: In accordance with 45 CFR §164.504(e)(2)(ii)(C) and §164.410, Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any incident that constitutes a Breach of Unsecured PHI (see HHS, Business Associate Contracts; 45 CFR §164.504(e)). Such report will be made without unreasonable delay and no later than twenty-four (24) hours after discovery by Business Associate. This 24-hour breach notification requirement is a material term of this Agreement and is more stringent than the default HIPAA standard, so that Covered Entity can timely meet its own Breach notification obligations.
5.2 Content of Breach Notice: If a Breach of Unsecured PHI is discovered, Business Associate’s notice to Covered Entity shall include, to the extent known at the time of the notice:
- a. A brief description of the incident, including the date of the Breach and the date of discovery;
- b. A description of the types of PHI involved (for example, full name, Social Security number, date of birth, address, account numbers, or medical information);
- c. The identity of each individual whose PHI has been (or is reasonably believed to have been) accessed, acquired, or disclosed (if available); and
- d. Any steps Business Associate has taken or will take to investigate the Breach, mitigate harm to individuals, and protect against future incidents.
Business Associate shall supplement the information in the notice as it becomes available and cooperate with Covered Entity in investigating the Breach and providing any additional notices to affected individuals, HHS, or (if required) the media, in accordance with the HIPAA Breach Notification Rule (45 CFR §§164.400-414).
5.3 Security Incident Reporting: In addition to Breaches, Business Associate will notify Covered Entity within a reasonable time of any security incidents that do not rise to the level of a Breach but still involve unauthorized manipulation or possible compromise of PHI. The parties may agree on specific reporting timelines and formats for minor incidents in related documentation or standard operating procedures.
6. Use of De-Identified Information
6.1 Authorization to De-Identify: Covered Entity authorizes Business Associate to de-identify PHI only as needed to fulfill Section 4.2 (when the user or Covered Entity requests de-identification of their data) or for other expressly permitted purposes under this Agreement. Any de-identification of PHI by Business Associate shall strictly follow the requirements of 45 CFR §164.514(a)-(c) (see HHS, Business Associate Contracts), ensuring the removal of all individually identifying information such that the data is no longer PHI. Business Associate shall maintain documentation of its de-identification process as required by 45 CFR §164.514(b).
6.2 Permitted Uses of De-Identified Data: Business Associate may use or disclose de-identified data only to enhance or personalize the services for the specific individual user (the data subject) who originally provided the PHI. This may include, for example, using de-identified information to improve the accuracy or relevance of insights, recommendations, or analytical results for that same individual. Under no circumstances shall Business Associate use de-identified data derived from Covered Entity’s PHI for any purpose that is not tailored to the benefit of the individual to whom that data pertains. In particular, Business Associate is prohibited from using or combining de-identified data from multiple individuals or multiple covered entities for general analytics, product development, research, or broader machine learning training that would improve or benefit the Business Associate’s services in general. All de-identified data remains subject to this contractual use restriction, even though it is no longer regulated as PHI under HIPAA. The parties have agreed to this limitation to protect the privacy interests of individuals and to align with Covered Entity’s policies. (Per HHS guidance, parties to a BAA should explicitly specify the permitted uses of de-identified information by the business associate; see HHS, Business Associate Contracts.)
6.3 No Re-Identification: Business Associate shall not attempt to re-identify any information that has been de-identified, nor shall it disclose any code or other mechanism that could allow de-identified data to be re-associated with a particular individual. The only exceptions are a re-identification code or mechanism that satisfies 45 CFR §164.514(c), or re-identification otherwise permitted by law and carried out with Covered Entity’s prior written approval.
7. Obligations of Business Associate
Business Associate agrees to the following ongoing obligations, which are designed to ensure full compliance with applicable HIPAA requirements and protection of PHI:
7.1 Compliance with Privacy Rule Obligations: To the extent Business Associate is required under this Agreement to carry out any obligation of Covered Entity under the HIPAA Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation (per 45 CFR §164.504(e)(2)(ii)(H)). For example, if tasked with assisting Covered Entity with requests for access, amendment, or accounting of disclosures, Business Associate shall cooperate as outlined below.
7.2 Access to PHI: As Business Associate does not maintain a Designated Record Set and cannot link stored notes to individual patients, Business Associate shall promptly forward any requests received directly from individuals seeking access to their PHI to Covered Entity for handling, in accordance with HIPAA.
7.3 Amendment of PHI: As Business Associate does not maintain a Designated Record Set and cannot identify individual patient records, Business Associate shall not directly amend PHI. If Business Associate receives a request for amendment directly from an individual or from Covered Entity, Business Associate shall promptly forward the request to Covered Entity for handling, in accordance with HIPAA requirements under 45 CFR §164.526.
7.4 Accounting of Disclosures: Although Business Associate does not have the ability to identify individual patient records, Business Associate will document and retain records of any disclosures of PHI it makes in identifiable form. Upon request, Business Associate shall provide Covered Entity, within 30 days, details of any identifiable disclosures made by Business Associate or its subcontractors, to enable Covered Entity to respond to an individual’s request for an accounting of disclosures pursuant to 45 CFR §164.528. Any direct requests from individuals received by Business Associate for accounting of disclosures shall be promptly forwarded to Covered Entity for handling.
7.5 Government Access to Records: Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from (or created or received on behalf of) Covered Entity available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining Covered Entity’s compliance with the HIPAA Rules (see HHS, Business Associate Contracts). Business Associate shall promptly inform Covered Entity of any HHS request and shall provide Covered Entity with a copy of any information disclosed, unless legally prohibited.
7.6 Mitigation and Cooperation: In the event of any improper use or disclosure of PHI, Security Incident, or Breach, Business Associate shall immediately take steps to mitigate any harmful effects known to it. Business Associate will cooperate with Covered Entity’s investigation and remediation efforts, and will assist in Covered Entity’s compliance with any breach notification requirements, as described in Section 5.
7.7 Subcontractors and Agents: Business Associate shall ensure that any subcontractors, agents, or vendors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement (see HHS, Business Associate Contracts). This includes, but is not limited to, cloud service providers, data storage providers, and AI/machine-learning service providers that handle PHI for or with Business Associate. Dilato maintains executed Business Associate Agreements (or comparable Data Processing Agreements) with all such third-party service providers handling PHI, and will provide evidence of such agreements to Covered Entity upon request. Business Associate shall remain responsible and liable for any actions of its subcontractors or agents that would constitute a violation of this Agreement or HIPAA, as if the actions were performed by Business Associate.
7.8 Minimum Necessary and Confidentiality: Business Associate will restrict access to PHI to only those personnel (workforce members) who need the information to perform services under this Agreement. It will train its workforce on HIPAA obligations and ensure that each person with access to PHI is subject to appropriate confidentiality and security obligations. Business Associate will apply the “minimum necessary” standard to all uses, disclosures, and requests for PHI, as described in Section 2.1.
7.9 Offshoring: PHI may be processed and temporarily stored in the United States or Canada, both of which have stringent privacy protections. Business Associate has conducted a risk assessment of offshoring PHI to Canada, confirming that its data protection framework aligns with HIPAA’s security and privacy requirements. As the offshore provider, Business Associate ensures that all HIPAA-mandated safeguards, including encryption, access controls, audit logging, and breach response protocols, are implemented and maintained. Business Associate further guarantees that all contractual protections required under HIPAA apply to PHI, regardless of its processing location.
8. Obligations of Covered Entity
8.1 Provision of Notice of Privacy Practices: Covered Entity shall provide Business Associate with any limitations in its Notice of Privacy Practices, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI.
8.2 Restrictions and Consents: Covered Entity shall notify Business Associate of any changes in, or revocations of, permission by an individual to use or disclose PHI, and any confidential communications requests or restrictions on the use/disclosure of PHI that Covered Entity has agreed to (per 45 CFR §164.522), if such changes or restrictions may impact Business Associate’s permitted uses or disclosures. Business Associate will comply with any known agreed-upon restrictions on the use or disclosure of PHI.
8.3 Permissible Requests: Covered Entity shall not request or require Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity (except as may be expressly allowed for Business Associate’s management and administration or legal responsibilities, per 45 CFR §164.504(e)(4)).
8.4 Breach Notifications by Covered Entity: In the event Covered Entity detects a Breach or security incident that implicates the services provided by Business Associate, Covered Entity will promptly inform Business Associate so that both parties can coordinate response efforts and comply with notification obligations.
9. Termination
9.1 Termination for Cause: Covered Entity may terminate this Agreement (and any underlying services agreements, if appropriate) if it determines that Business Associate has violated a material term of this Agreement and failed to cure the breach or end the violation within a reasonable time after receiving written notice from Covered Entity (45 CFR §164.504(e)(2)(iii)). In certain cases, immediate termination may be warranted if cure is not possible. Business Associate acknowledges that any material violation of the obligations herein constitutes a material breach of contract. If cure is unsuccessful and termination is not feasible, Covered Entity will take the further steps required of it under 45 CFR §164.504(e)(1)(ii).
9.2 Obligations Upon Termination: Upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form (45 CFR §164.504(e)(2)(ii)(J)). Business Associate shall not retain any copies of the PHI. This requirement applies to PHI in the possession of subcontractors or agents of Business Associate as well; Business Associate must ensure all such PHI is returned to Covered Entity or destroyed.
- a. Return of PHI: Unless otherwise agreed in writing, Business Associate will return all PHI to Covered Entity in a format reasonably requested by Covered Entity. The return will occur within 30 days of termination or expiration of the Agreement (or the underlying service relationship), at no additional cost.
- b. Destruction of PHI: In cases where return of PHI is not feasible or not desired by Covered Entity, Business Associate will destroy PHI using secure methods. Business Associate will provide a certification of destruction upon Covered Entity’s request.
- c. If Return/Destruction Not Feasible: If Business Associate can demonstrate that returning or destroying certain PHI is not feasible, Business Associate shall provide written notification to Covered Entity of the conditions that make return or destruction infeasible. In such event, Business Associate shall extend the protections of this Agreement to the retained PHI and will limit further uses and disclosures of that PHI to those purposes that make its return or destruction infeasible, for as long as Business Associate maintains the PHI (45 CFR §164.504(e)(2)(ii)(J)). This provision shall survive termination of the Agreement.
9.3 Effect of Termination on Underlying Services: The parties agree that if the Business Associate is also a party to an underlying services agreement with Covered Entity (such as a software subscription or services contract), any termination provisions in that agreement related to HIPAA compliance or breach of this BAA shall apply. In case of conflict, the terms of this BAA with respect to PHI handling and HIPAA compliance will govern.
9.4 Survival: Sections 3 (Safeguards), 5 (Breach Notice), and 7.5 (Government Access), together with Business Associate’s duty to retain audit logs and other HIPAA-required documentation (at least six (6) years, per 45 CFR §164.316(b)(2)), remain in force for seven (7) years after this Agreement ends, or for as long as any PHI remains in Business Associate’s possession, whichever is longer.
10. Miscellaneous
10.1 Regulatory Compliance and Updates: This Agreement will be updated as necessary to ensure compliance with any changes to the HIPAA Rules or other applicable federal laws or regulations relating to the privacy and security of PHI. Dilato may amend this Agreement from time to time to reflect such updates, and any such amendment will be effective upon posting or other reasonable notice to the Covered Entity. Following any final revisions to the HIPAA Security Rule, the parties will amend this Agreement within the one-year transition period and implement technical safeguards within 240 days, unless HHS extends or shortens these periods. This Agreement is intended to satisfy the requirements of HIPAA and its implementing regulations, including the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and does not incorporate or address obligations under state privacy laws or non-U.S. data protection laws.
10.2 Interpretation: Any ambiguity in this Agreement shall be resolved to permit compliance with HIPAA. In the event of an inconsistency between the provisions of this Agreement and any other agreement between the parties (including any service agreement), the provisions of this Business Associate Agreement shall control with respect to the subject matter of PHI privacy and security. The parties acknowledge that this Agreement is required by HIPAA and agree that it shall be interpreted in a manner consistent with the HIPAA Rules.
10.3 No Third Party Beneficiaries: Nothing in this Agreement is intended to confer upon any person (other than the parties and their respective successors or permitted assigns) any rights, remedies, or liabilities. Individuals whose PHI is used or disclosed under this Agreement are not third-party beneficiaries of the Agreement.
10.4 Indemnification: Business Associate shall indemnify and hold harmless the Covered Entity (and its directors, officers, and employees) from and against any claims, losses, liabilities, penalties, fines, or costs (including reasonable attorneys’ fees) arising from Business Associate’s breach of this Agreement or its negligence or wrongful acts or omissions in relation to PHI.
10.5 Governing Law: This Agreement is governed by the same laws (state jurisdiction) that govern the underlying services agreement between the parties, except to the extent that HIPAA preempts state law. However, the privacy and security obligations herein are based on federal HIPAA requirements, and the parties intend to comply with HIPAA irrespective of any conflicting state laws.
10.6 Entire Agreement: This Agreement supersedes all prior discussions or understandings regarding the subject matter and constitutes the entire agreement between the parties with respect to the privacy and security of PHI. In the event that any provision of this Agreement is held invalid or unenforceable, the remainder of the Agreement shall not be affected and each remaining provision shall be valid and enforceable to the fullest extent permitted by law.
10.7 Counterparts: This Agreement may be executed in counterparts (including electronically), each of which will be deemed an original and all of which together shall constitute one and the same instrument.