HIPAA Compliance

Business Associate Agreement

Version 1.0 — Effective February 28, 2026

1. Definitions

This Business Associate Agreement (“BAA”) is entered into between the entity subscribing to CaseMgmt services (“Covered Entity”) and CaseMgmt (“Business Associate”). This BAA supplements and is made part of the CaseMgmt Terms of Service.

  • “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended.
  • “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act.
  • “PHI” means Protected Health Information as defined under HIPAA.
  • “ePHI” means Electronic Protected Health Information.
  • “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI.
  • “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA which compromises the security or privacy of the PHI.

2. Obligations of Business Associate

Business Associate agrees to:

  • Not use or disclose PHI other than as permitted or required by this BAA or as required by law
  • Use appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, consistent with the requirements of the HIPAA Security Rule
  • Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Security Incident or Breach
  • In accordance with 45 CFR 164.502(e)(1)(ii), require any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate to agree to the same restrictions and conditions that apply to Business Associate under this BAA
  • Make available PHI in accordance with 45 CFR 164.524, to the extent Business Associate has PHI in a Designated Record Set
  • Make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 CFR 164.526
  • Make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528
  • Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's compliance with HIPAA
  • At termination of this BAA, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If return or destruction is not feasible, extend the protections of this BAA to the PHI retained

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI:

  • As necessary to perform services under the Terms of Service, including but not limited to: case management, referral tracking, billing, document management, call transcription, and AI-generated clinical summaries
  • For the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances that the information will be held confidentially
  • To provide data aggregation services relating to the health care operations of Covered Entity, using de-identified data in accordance with 45 CFR 164.514(a)-(c)
  • As required by law

4. Obligations of Covered Entity

Covered Entity agrees to:

  • Notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI
  • Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's permitted uses and disclosures
  • Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522
  • Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity
  • Obtain necessary consents and authorizations from individuals as required by applicable law prior to furnishing PHI to Business Associate

5. Security Safeguards

Business Associate shall implement and maintain the following safeguards to protect ePHI:

Administrative Safeguards

  • Designated security officer responsible for HIPAA compliance
  • Workforce access management and authorization procedures
  • Security awareness and training programs
  • Security incident response and reporting procedures
  • Contingency planning including data backup and disaster recovery

Physical Safeguards

  • Facility access controls through AWS data center security
  • Workstation use and security policies
  • Device and media controls for hardware containing ePHI

Technical Safeguards

  • Unique user identification and authentication (role-based access control)
  • Automatic session timeout and single-session enforcement
  • 256-bit AES encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • Comprehensive audit controls and activity logging
  • Data integrity verification mechanisms

6. Breach Notification

Business Associate shall report to Covered Entity any Breach of unsecured PHI without unreasonable delay and in no case later than 72 hours after discovery of the Breach. Such notification shall include:

  • The nature of the Breach, including the types of PHI involved
  • The identity of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
  • A description of what Business Associate is doing to investigate the Breach, mitigate harm, and prevent future occurrences
  • Contact information for individuals to ask questions or obtain additional information

7. Subcontractors

Business Associate may engage the following categories of subcontractors to assist in providing services, each bound by agreements containing obligations substantially similar to those in this BAA:

  • Amazon Web Services (AWS) — Cloud infrastructure and hosting (BAA in place)
  • Stripe — Payment processing
  • Deepgram — Speech-to-text transcription services
  • Anthropic (Claude AI) — AI-powered clinical summary generation
  • Amazon Chime SDK — HIPAA-eligible video/audio communication

Business Associate shall maintain an up-to-date list of subcontractors and shall notify Covered Entity of any material changes to its subcontractor list.

8. Term and Termination

This BAA shall be effective upon Covered Entity's acceptance and shall remain in effect for the duration of the Terms of Service between the parties. Upon termination of the Terms of Service:

  • Business Associate shall return or destroy all PHI within 90 days of termination
  • If return or destruction is not feasible, Business Associate shall extend protections of this BAA to retained PHI and limit further uses and disclosures to purposes that make return or destruction infeasible
  • The obligations of Business Associate under this Section shall survive the termination of this BAA

Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure the breach within 30 days of receiving written notice.

9. Miscellaneous

  • Governing Law: This BAA shall be governed by the laws of the State of Texas and applicable federal law, including HIPAA and the HITECH Act
  • Amendment: This BAA may be amended only by written agreement of both parties. Notwithstanding the foregoing, Business Associate may update this BAA as necessary to comply with changes in HIPAA regulations with 30 days' notice to Covered Entity
  • Survival: The obligations of Business Associate regarding the protection of PHI shall survive termination of this BAA
  • Interpretation: Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA and the HITECH Act
  • No Third-Party Beneficiaries: Nothing in this BAA shall confer upon any person other than the parties any rights, remedies, obligations, or liabilities

10. Contact Information

For questions about this Business Associate Agreement, HIPAA compliance, or to report a security concern, please contact:

CaseMgmt — Privacy & Compliance

Email: privacy@casemgmt.io

Website: casemgmt.io/security

Important: This BAA template is provided as a starting framework. While it covers the key requirements of HIPAA and the HITECH Act, we recommend having your legal counsel review this agreement to ensure it meets your organization's specific compliance requirements.