Flowstack Logo

Business Associate Agreement (BAA)

Effective Date: ________________

This Business Associate Agreement ("Agreement") is entered into between ________________ ("Covered Entity") and Leadev Software Inc., a Canadian corporation doing business as Flowstack ("Business Associate"), collectively referred to as the "Parties."

RECITALS

WHEREAS, Covered Entity wishes to disclose certain information to Business Associate pursuant to the terms of the underlying service agreement(s) between the parties (the "Service Agreement");

WHEREAS, Covered Entity may disclose to Business Associate certain Protected Health Information ("PHI") that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations;

WHEREAS, the Parties desire to ensure compliance with HIPAA, HITECH, and their implementing regulations;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties agree as follows:

1. DEFINITIONS

Terms used but not defined in this Agreement shall have the same meaning as those terms in 45 CFR Parts 160 and 164 ("HIPAA Regulations"). Specific definitions include:

  • "Breach": The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule.
  • "Protected Health Information" or "PHI": Individually identifiable health information transmitted or maintained in any form or medium.
  • "Security Incident": The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
  • "Unsecured PHI": PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through approved methods.

2. OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Permitted Uses and Disclosures

Business Associate may use and disclose PHI only as follows:

  • As necessary to perform services for Covered Entity under the Service Agreement
  • For the proper management and administration of Business Associate
  • As required by law
  • As otherwise permitted by this Agreement

2.2 Safeguards

Business Associate shall:

  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI
  • Ensure any agent or subcontractor agrees to the same restrictions and conditions
  • Implement Security Rule requirements under 45 CFR Part 164, Subpart C
  • Encrypt PHI in accordance with HIPAA guidance

2.3 Reporting Obligations

Business Associate shall report to Covered Entity:

  • Any use or disclosure of PHI not permitted by this Agreement within 10 business days
  • Any Security Incident within 72 hours of discovery
  • Any Breach of Unsecured PHI without unreasonable delay and within 60 days

2.4 Access to PHI

Upon request, Business Associate shall:

  • Provide access to PHI in accordance with 45 CFR 164.524
  • Make PHI available for amendment per 45 CFR 164.526
  • Document disclosures and make information available per 45 CFR 164.528

2.5 Availability for Audit

Business Associate shall make its practices, books, and records available to the Secretary of Health and Human Services for determining compliance.

2.6 Minimum Necessary

Business Associate shall limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose.

2.7 Data Ownership

All PHI shall remain the property of Covered Entity. Business Associate acquires no ownership rights or interests in PHI.

3. OBLIGATIONS OF COVERED ENTITY

Covered Entity shall:

  • Notify Business Associate of any limitations in its Notice of Privacy Practices
  • Notify Business Associate of any changes in permitted uses or disclosures
  • Notify Business Associate of any restrictions on use or disclosure
  • Not request Business Associate to use or disclose PHI in violation of HIPAA

4. SUBCONTRACTORS

4.1 Requirements

Business Associate may disclose PHI to subcontractors only if:

  • The subcontractor agrees in writing to the same restrictions as Business Associate
  • The subcontractor implements appropriate safeguards
  • Business Associate ensures subcontractor compliance

4.2 Current Subcontractors

Business Associate currently uses the following subcontractors that may have access to PHI:

  • Cloud Infrastructure Providers (AWS, Azure, GCP)
  • [Other subcontractors to be listed]

5. BREACH NOTIFICATION

5.1 Discovery and Notification

Upon discovery of a Breach, Business Associate shall:

  • Notify Covered Entity without unreasonable delay, but no later than 60 days
  • Provide all available information about the Breach
  • Cooperate in Covered Entity's Breach analysis and notification process

5.2 Breach Information

Notification shall include:

  • Nature of the Breach and PHI involved
  • Identification of affected individuals
  • Date of Breach and discovery
  • Steps individuals should take
  • Business Associate's investigation and mitigation efforts

5.3 Mitigation

Business Associate shall mitigate any harmful effects of a Breach to the extent practicable.

6. TERM AND TERMINATION

6.1 Term

This Agreement shall commence on the Effective Date and continue until terminated.

6.2 Termination

This Agreement may be terminated:

  • When all PHI has been destroyed or returned
  • By Covered Entity immediately if Business Associate breaches a material term
  • By either party with 30 days written notice

6.3 Effect of Termination

Upon termination, Business Associate shall:

  • Return or destroy all PHI within 60 days
  • Retain no copies of PHI
  • If return or destruction is not feasible, extend protections and limit further uses

6.4 Survival

Obligations of Business Associate under Section 6.3 shall survive termination.

7. INDEMNIFICATION

Business Associate agrees to indemnify and hold harmless Covered Entity from any claim, loss, or damage, including reasonable attorneys' fees, arising from Business Associate's breach of this Agreement or violation of HIPAA.

8. MISCELLANEOUS

8.1 Amendment

This Agreement may not be amended except by written agreement of both parties. The parties agree to amend this Agreement as necessary to comply with changes in HIPAA regulations.

8.2 Interpretation

Any ambiguity shall be resolved in favor of a meaning that permits compliance with HIPAA.

8.3 Governing Law

This Agreement shall be governed by the laws of Alberta, Canada, to the extent not preempted by HIPAA.

8.4 No Third-Party Beneficiaries

Nothing in this Agreement confers any rights on any third parties.

8.5 Counterparts

This Agreement may be executed in counterparts, each of which shall be deemed an original.

9. BUSINESS ASSOCIATE CONTACT

Privacy Officer:
Leadev Software Inc.
16548 21 AVE SW
Edmonton, AB T6W 5K3
Canada
Email: legal@leadevs.com
Phone: [To be provided]

10. EXECUTION

COVERED ENTITY:

Signature
Name (Print)
Title
Date

BUSINESS ASSOCIATE:

Signature
Name (Print)
Title
Date

EXHIBIT A: DESCRIPTION OF SERVICES

[To be completed with specific services provided under the Service Agreement that involve PHI]

EXHIBIT B: SPECIFIC SAFEGUARDS

Business Associate implements the following specific safeguards for PHI:

1. Technical Safeguards:

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Multi-factor authentication
  • Role-based access controls
  • Audit logging and monitoring

2. Physical Safeguards:

  • Data center security (facilities covered by SOC 2 attestation reports)
  • Restricted access to systems
  • Secure disposal procedures

3. Administrative Safeguards:

  • HIPAA training for all staff
  • Background checks
  • Confidentiality agreements
  • Incident response procedures
  • Regular risk assessments

This Business Associate Agreement is a template and should be reviewed by legal counsel before execution.