Business Associate Agreement

Last updated: April 17, 2026

REQUIRED BEFORE PHI ACCESS

This Business Associate Agreement ("BAA") must be executed in writing and signed by both parties before Wiebe Consulting is granted access to any systems, files, recordings, or communications containing Protected Health Information ("PHI"). This page presents the template terms. The executable version is provided via email upon request.

How to Execute a BAA

Email ben@wiebe-consulting.com with the subject "BAA Request" and include your clinic name, jurisdiction, and the scope of PHI you anticipate sharing. We'll return a countersigned BAA within 2 business days.

1. Parties

This Business Associate Agreement is entered into between Wiebe Consulting Inc., a corporation organized under the laws of Canada ("Business Associate"), and the client identified in the executed signature page ("Covered Entity"), pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the regulations promulgated thereunder, including 45 C.F.R. Parts 160 and 164 (the "HIPAA Rules").

This BAA supplements the parties' underlying engagement agreement (including any Master Service Agreement or Terms of Service). In the event of a conflict, this BAA governs with respect to the use and disclosure of PHI, and the engagement agreement governs all other matters (including fees, limitations of liability, dispute resolution, and governing law).

2. Definitions

Capitalized terms used but not otherwise defined in this BAA shall have the meanings assigned to them in the HIPAA Rules. For convenience:

  • "PHI" means Protected Health Information as defined in 45 C.F.R. § 160.103, limited to PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • "ePHI" means electronic PHI.
  • "Breach" has the meaning assigned in 45 C.F.R. § 164.402.
  • "Security Incident" has the meaning assigned in 45 C.F.R. § 164.304.
  • "Subcontractor" means a person to whom Business Associate delegates a function, activity, or service involving PHI, other than in the capacity of a member of the workforce of Business Associate.
  • "Required by Law" has the meaning assigned in 45 C.F.R. § 164.103.

3. Permitted Uses and Disclosures

Business Associate may use and disclose PHI only as follows:

  • To perform the revenue, retention, operations, and marketing consulting services described in the parties' underlying engagement (the "Services").
  • For the proper management and administration of Business Associate, and to carry out its legal responsibilities.
  • To provide Data Aggregation services relating to the health care operations of Covered Entity, if specifically authorized in writing.
  • As Required by Law.

Business Associate shall apply the "minimum necessary" standard (45 C.F.R. § 164.502(b)) to all uses and disclosures of PHI and shall request only the minimum PHI reasonably necessary to accomplish the intended purpose.

4. Prohibited Uses

Business Associate shall NOT:

  • Use or disclose PHI for marketing purposes (as defined in 45 C.F.R. § 164.501) without Covered Entity's written authorization and a valid HIPAA authorization from the individual.
  • Sell PHI under any circumstances (45 C.F.R. § 164.502(a)(5)(ii)).
  • De-identify PHI without the prior written consent of Covered Entity.
  • Use PHI to train any machine learning, artificial intelligence, or large-language models outside HIPAA-eligible enterprise services that (a) are specifically authorized in writing by Covered Entity, and (b) are covered by a BAA with Business Associate.
  • Disclose PHI to any third party (including subcontractors) without a written agreement containing restrictions substantially similar to those in this BAA.

5. Safeguards

Business Associate shall implement commercially reasonable administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) to protect the confidentiality, integrity, and availability of ePHI, including, as appropriate:

  • Administrative: workforce training, role-based access, documented policies and procedures, designated security officer, periodic risk assessment.
  • Physical: locked workspace, device-level encryption, secure destruction of media containing PHI.
  • Technical: encryption at rest and in transit (AES-256 / TLS 1.2+), unique user IDs, automatic logoff, multi-factor authentication for remote access, audit logging, anti-malware controls.

6. Subcontractors and AI Tools

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on Business Associate's behalf agrees in writing to the same restrictions and conditions that apply to Business Associate under this BAA, and has executed a BAA with Business Associate. Current PHI-capable Subcontractors include:

  • Google Workspace (Google LLC) — email, documents, calendar, under Google Cloud BAA.
  • Zoom Video Communications, Inc. — video meetings and recordings, under Zoom BAA.

Consumer AI Tools Prohibited for PHI

Consumer-grade generative AI tools including ChatGPT (OpenAI consumer tier), Claude.ai (Anthropic consumer tier), and similar services are NOT covered by a BAA and shall NOT be used to process, summarize, transcribe, or analyze PHI. Where AI is useful in delivering the Services, Business Associate will either (a) de-identify data in accordance with 45 C.F.R. § 164.514 before any AI processing, or (b) use only HIPAA-eligible enterprise AI tiers that have executed a BAA with Business Associate and are identified in writing to Covered Entity as PHI-capable tools.

7. Reporting

Business Associate shall report to Covered Entity:

  • Any use or disclosure of PHI not permitted by this BAA.
  • Any Security Incident of which Business Associate becomes aware. The parties acknowledge that unsuccessful Security Incidents (e.g., pings, port scans, unsuccessful log-on attempts) occur routinely and no individual notification is required. The parties agree that this Section constitutes ongoing notice of such routine, unsuccessful Security Incidents, and no additional reporting is required for them.
  • Any Breach of Unsecured PHI, as required by 45 C.F.R. § 164.410, without unreasonable delay and in no case later than sixty (60) calendar days after discovery.

8. Breach Notification Contents

A Breach notification from Business Associate shall include, to the extent known: the identification of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed; the nature of the Breach; the types of PHI involved; the date of discovery; and the steps Business Associate is taking to investigate, mitigate harm, and prevent further Breaches. Business Associate shall cooperate with Covered Entity in meeting Covered Entity's obligations under 45 C.F.R. § 164.414.

9. Access to PHI

To the extent (if at all) Business Associate maintains a Designated Record Set on behalf of Covered Entity (which the parties acknowledge is not the typical case for these Services), Business Associate shall, within fifteen (15) business days of a written request, provide access to PHI in that Designated Record Set to Covered Entity (or, at Covered Entity's direction, to the individual) to enable Covered Entity to meet its obligations under 45 C.F.R. § 164.524.

10. Amendment of PHI

To the extent (if at all) Business Associate maintains a Designated Record Set on behalf of Covered Entity (which the parties acknowledge is not the typical case for these Services), Business Associate shall make PHI in that Designated Record Set available for amendment and shall incorporate any amendments as directed by Covered Entity, in accordance with 45 C.F.R. § 164.526.

11. Accounting of Disclosures

To the extent (if at all) Business Associate maintains a Designated Record Set on behalf of Covered Entity (which the parties acknowledge is not the typical case for these Services), Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall provide this information to Covered Entity within thirty (30) days of a written request.

12. Availability to the Secretary

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

13. Obligations of Covered Entity

Covered Entity shall:

  • Notify Business Associate of any limitation(s) in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.
  • Notify Business Associate of any changes in, or revocation of, an individual's authorization to use or disclose PHI.
  • Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522.
  • Not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity directly.

14. Term and Termination

This BAA shall be effective on the date of last signature and shall continue until terminated. Either party may terminate for cause upon thirty (30) days' written notice if the other party has breached a material term of this BAA and has not cured within the notice period. Covered Entity may terminate immediately if Business Associate has committed a material breach that is not curable.

15. Return or Destruction of PHI

Upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity, and shall retain no copies. If return or destruction is infeasible, Business Associate shall extend the protections of this BAA to that PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible. Business Associate shall provide written certification of destruction upon request.

16. Indemnification and Liability

Business Associate shall indemnify and hold harmless Covered Entity from and against any claims, damages, losses, and expenses (including reasonable attorneys' fees) arising from Business Associate's material, uncured breach of this BAA or gross negligence in handling PHI, subject to the aggregate liability cap and other limitations set forth in the parties' underlying engagement agreement. Nothing in this BAA is intended to increase either party's liability beyond what is provided in that agreement. The parties agree that direct damages from a Breach shall not be deemed consequential damages excluded under the Terms of Service.

17. Miscellaneous

  • Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
  • Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time to maintain compliance with the HIPAA Rules.
  • Survival. The respective rights and obligations of Business Associate under Sections 3, 4, 7, 15, and 16 shall survive termination.
  • No Third-Party Beneficiaries. There are no intended third-party beneficiaries of this BAA.
  • Interpretation. Any ambiguity shall be resolved in favor of a meaning that permits compliance with the HIPAA Rules.

18. Contact

Privacy and security matters, including requests to execute a BAA, shall be directed to:

Wiebe Consulting Inc.
Attn: Ben Wiebe, Privacy & Security Officer
Email: ben@wiebe-consulting.com

For matters relating to Clinic OS Pro (our SaaS product), see the separate BAA at clinicospro.com/legal/baa.