WorkSwarm
Trust Center - Confidential
Legal · Version 1.0 · Updated 2026-05-08 · 8 pages
HIPAA Business Associate Agreement
Standard BAA template for covered entities and business associates using WorkSwarm with electronic Protected Health Information (ePHI).
About This Document
This Business Associate Agreement (BAA) template governs WorkSwarm's handling of electronic Protected Health Information (ePHI) when used by HIPAA Covered Entities or their Business Associates.
This BAA is an addendum to the Master Service Agreement. It applies when Customer's use of the Platform involves ePHI. Execution requires countersignature.
WorkSwarm's HIPAA-compliant deployment is available on the Enterprise tier with dedicated infrastructure.
1. Definitions
Capitalized terms not defined herein have the meanings set forth in HIPAA (45 CFR Parts 160 and 164).
"Business Associate" means WorkSwarm, Inc.
"Covered Entity" means the Customer.
"Protected Health Information" (PHI) means individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
"Electronic Protected Health Information" (ePHI) means PHI maintained in or transmitted by electronic media.
"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI.
"Breach" has the meaning set forth in 45 CFR § 164.402.
2. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only:
- As necessary to perform services under the MSA, as specified in the applicable Order Form.
- As required by applicable law, with prior notice to Covered Entity where permitted.
- For the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the recipient.
- To report violations of law to appropriate authorities consistent with 45 CFR § 164.502(j)(1).
- Business Associate shall not use or disclose PHI for any purpose not expressly permitted by this BAA or the MSA.
- Business Associate shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity.
3. Safeguards
Business Associate shall:
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, as detailed in the HIPAA Security Rule Control Map.
- Ensure that any agent or sub-contractor to whom Business Associate provides ePHI agrees in writing to the same restrictions and conditions that apply to Business Associate under this BAA.
- Implement access controls ensuring only authorized workforce members access ePHI, consistent with the minimum necessary standard.
- Encrypt all ePHI at rest (AES-256-GCM) and in transit (TLS 1.3). Encryption keys are managed per FIPS 140-2 Level 3 standards.
- Maintain immutable audit logs of all ePHI access, modification, and disclosure for a minimum of 6 years.
- Conduct annual risk assessments and penetration tests, and quarterly vulnerability scans.
4. Breach Notification
Business Associate shall notify Covered Entity of any Breach of Unsecured PHI:
- Timeline: Without unreasonable delay and no later than 30 days after discovery of the Breach.
- Content: Identification of each individual affected, description of the Breach, types of information involved, steps Business Associate is taking, and mitigation measures for individuals.
- Investigation: Business Associate shall promptly investigate any Security Incident or Breach, mitigate harmful effects, and document outcomes.
- Cooperation: Business Associate shall cooperate with Covered Entity's Breach notification obligations under 45 CFR §§ 164.404-408.
- Risk assessment: Business Associate shall perform a four-factor risk assessment per HHS guidance to determine whether the incident constitutes a Breach requiring notification.
- Documentation: All Breach assessments and notifications are documented and retained for 6 years.
5. Individual Rights
Business Associate shall support Covered Entity in fulfilling individual rights:
| Right | BAA Obligation | SLA |
|---|---|---|
| Access (§ 164.524) | Make ePHI available to Covered Entity within 10 business days | Automated: 48 hours. Complex: 10 business days. |
| Amendment (§ 164.526) | Make amendments to ePHI as directed by Covered Entity | 5 business days |
| Accounting of disclosures (§ 164.528) | Maintain and provide accounting of disclosures for 6 years | 10 business days |
| Restriction requests (§ 164.522) | Implement restrictions as directed by Covered Entity | 5 business days |
| Confidential communications (§ 164.522) | Support alternative communication methods as directed | 5 business days |
6. Sub-contractors
Business Associate shall ensure that any sub-contractor that creates, receives, maintains, or transmits ePHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.
Current sub-contractors with potential ePHI access: AWS (infrastructure), as specified in the Sub-processor Register.
LLM providers (Anthropic, Google) do NOT receive ePHI. All prompts are stripped of PHI identifiers before transmission to LLM providers. This is enforced at the application layer with automated PII detection.
7. Term and Termination
- Term: This BAA is effective for the duration of the MSA and terminates when the MSA terminates.
- Termination for cause: Either party may terminate this BAA if the other party materially breaches and fails to cure within 30 days.
- Effect of termination: Business Associate shall return or destroy all PHI. If return or destruction is not feasible, protections of this BAA extend to retained PHI. Business Associate shall limit further uses and disclosures to the purposes that make return or destruction infeasible.
- Certification: Business Associate shall certify in writing that all PHI has been returned or destroyed, or specify the reasons return or destruction is not feasible.
8. Miscellaneous
- Regulatory references: References to HIPAA sections include any amendments. If the HIPAA regulations are amended in a way that changes the obligations of Business Associate, this BAA shall be amended accordingly.
- No third-party beneficiaries: Nothing in this BAA creates any right in any individual who is not a party.
- Interpretation: Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.
- Insurance: Business Associate maintains cyber liability insurance covering HIPAA breach response costs with minimum coverage of $5 million per occurrence.
- Governing law: This BAA is governed by applicable federal law (HIPAA) and the laws of the state specified in the MSA for non-federal matters.
9. Contact
For HIPAA BAA execution or ePHI handling inquiries:
HIPAA Compliance: hipaa@workswarm.ai
Legal Team: legal@workswarm.ai
Trust Center: trust@workswarm.ai
Disclaimer: This document is provided for informational purposes and represents WorkSwarm's current security posture and planned controls. Legal templates are provided as starting points and should be reviewed by your legal counsel before execution. Certification timelines are targets and subject to change based on auditor availability and assessment outcomes.
© 2026 WorkSwarm, Inc. · Confidential · workswarm.ai/trust