Email contact@synthesisbenefits.com with your practice name and NPI number. We will prepare and countersign a BAA for your practice.
This Business Associate Agreement (“Agreement”) is entered into by and between [PRACTICE NAME] (“Covered Entity”) and Synthesis Benefits L.L.C. (“Business Associate”), effective as of the date of last signature below. This Agreement supplements and is made part of the underlying service agreement between the parties (the “Service Agreement”).
1. Definitions
The following terms have the meanings set forth below. Terms not otherwise defined here have the same meaning as those terms in 45 CFR Parts 160 and 164.
Breach means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the Protected Health Information, as defined in 45 CFR §164.402.
Designated Record Set means a group of records maintained by or for a Covered Entity that comprises the medical records and billing records about individuals maintained by or for a covered health care provider, or other records used in whole or in part to make decisions about individuals, as defined in 45 CFR §164.501.
Individual means the person who is the subject of the Protected Health Information, and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
Protected Health Information (PHI) means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium, as defined in 45 CFR §160.103.
Required by Law means a mandate contained in law that compels an entity to make a use or disclosure of Protected Health Information and that is enforceable in a court of law, as defined in 45 CFR §164.103.
Secretary means the Secretary of the United States Department of Health and Human Services or the Secretary’s designee.
Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR §164.304.
Subcontractor means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.
Unsecured PHI means Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under 42 USC §17932(h)(2).
2. Permitted Uses and Disclosures
Business Associate may use or disclose Protected Health Information only as follows:
(a) To perform functions, activities, or services for, or on behalf of, the Covered Entity as specified in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by the Covered Entity.
(b) For the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that any disclosures are Required by Law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and the person will notify the Business Associate of any Breach of which it becomes aware.
(c) To provide data aggregation services relating to the health care operations of the Covered Entity pursuant to 45 CFR §164.504(e)(2)(i)(B).
(d) To report violations of law to appropriate federal and state authorities, consistent with 45 CFR §164.502(j)(1).
Business Associate shall not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity, except as permitted under this Section. Business Associate may de-identify Protected Health Information in accordance with 45 CFR §164.514.
3. Obligations of Business Associate
Business Associate agrees to:
(a) Not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required by Law.
(b) Implement appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 CFR Part 164 (the Security Rule) with respect to electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by this Agreement.
(c) Report to the Covered Entity any Breach of Unsecured PHI or any Security Incident of which the Business Associate becomes aware, within 24 hours of discovery.
(d) In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate under this Agreement, by entering into a written agreement with each such Subcontractor.
(e) Make Protected Health Information available to the Covered Entity as necessary to satisfy the Covered Entity’s obligations under 45 CFR §164.524 (Individual’s right of access), within 15 business days of a request.
(f) Make amendments to Protected Health Information in a Designated Record Set as directed by the Covered Entity pursuant to 45 CFR §164.526, or take other measures as necessary to satisfy the Covered Entity’s obligations under that section.
(g) Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity’s obligations under 45 CFR §164.528.
(h) To the extent the Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
(j) Return or destroy all Protected Health Information received from, or created or received by the Business Associate on behalf of, the Covered Entity upon termination of this Agreement, in accordance with Section 5 below.
4. Obligations of Covered Entity
Covered Entity agrees to:
(a) Notify the Business Associate of any limitation(s) in the Covered Entity’s notice of privacy practices under 45 CFR §164.520, to the extent that such limitation may affect the Business Associate’s use or disclosure of Protected Health Information.
(b) Notify the Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect the Business Associate’s use or disclosure of Protected Health Information.
(c) Notify the Business Associate of any restriction on the use or disclosure of Protected Health Information that the Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect the Business Associate’s use or disclosure of Protected Health Information.
5. Term and Termination
This Agreement is effective as of the date of the last signature below and shall remain in effect for the duration of the Service Agreement, unless sooner terminated as provided herein.
Termination for breach. Upon the Covered Entity’s knowledge of a material breach of this Agreement by the Business Associate, the Covered Entity may provide an opportunity for the Business Associate to cure the breach within 30 days. If the Business Associate does not cure the breach or end the violation within the cure period, the Covered Entity may terminate this Agreement and the Service Agreement.
Obligations upon termination. Upon termination of this Agreement for any reason, the Business Associate shall return or destroy all Protected Health Information received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity, within 90 days. This provision applies to Protected Health Information that is in the possession of Subcontractors of the Business Associate.
Infeasibility of return or destruction. If the Business Associate determines that returning or destroying the Protected Health Information is infeasible, the Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such Protected Health Information.
6. Breach Notification
Business Associate shall notify the Covered Entity of any Breach of Unsecured Protected Health Information within 24 hours of discovery of the Breach. Such notification shall include, to the extent possible:
(a) The identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach.
(b) A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security number, date of birth, diagnosis, or other types).
(c) A description of what the Business Associate has done or will do to investigate the Breach, mitigate harm to the Individuals, and protect against any further Breaches.
(d) Contact procedures for Individuals or the Covered Entity to ask questions or learn additional information about the Breach.
7. Miscellaneous
Amendment. This Agreement may not be modified or amended except in a writing signed by both parties.
Survival. The obligations of the Business Associate under Sections 3 and 6 of this Agreement shall survive the termination of this Agreement with respect to any Protected Health Information retained by the Business Associate.
Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. In the event of a conflict between the provisions of this Agreement and the mandatory provisions of the HIPAA Rules, the HIPAA Rules shall control.
No third-party beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
Governing law. This Agreement shall be governed by the laws of the Commonwealth of Massachusetts, without regard to its conflict of laws principles.
8. Signatures
IN WITNESS WHEREOF, the parties have executed this Agreement as of the dates written below.
Covered Entity
[PRACTICE NAME]
Authorized Signature
Printed Name & Title
Date
Business Associate
Synthesis Benefits L.L.C.
Authorized Signature
Printed Name & Title
Date
Contact
For questions about this Business Associate Agreement or to request execution, contact: contact@synthesisbenefits.com