Business Associate Agreement
Last updated: June 25, 2026 · Effective date: June 25, 2026
This Business Associate Agreement (“BAA” or “Agreement”) supplements and is incorporated into the Terms of Service between NextChair (“Business Associate”) and the practice, clinic, or other organization that accepts it (“Covered Entity”). It is entered into to comply with the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, “HIPAA”), as amended. Covered Entity accepts this BAA by clicking to accept, by executing it, or by submitting Protected Health Information to the Service. You must accept this BAA before submitting any Protected Health Information to the Service.
In the event of a conflict between this BAA and the Terms of Service with respect to Protected Health Information, this BAA controls. Capitalized terms used but not defined here have the meanings given in HIPAA.
1. Definitions
“Protected Health Information” or “PHI” means individually identifiable health information, as defined at 45 C.F.R. § 160.103, that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity under the Terms of Service. “Electronic PHI” or “ePHI” means PHI transmitted by or maintained in electronic media. The terms “Breach,” “Covered Entity,” “Business Associate,” “Data Aggregation,” “Designated Record Set,” “Disclosure,” “Health Care Operations,” “Individual,” “Minimum Necessary,” “Required By Law,” “Secretary,” “Security Incident,” “Subcontractor,” “Unsecured PHI,” and “Use” have the meanings given them in 45 C.F.R. Parts 160 and 164.
2. Permitted uses and disclosures by Business Associate
Business Associate may Use or Disclose PHI only as follows:
- to perform the functions, activities, and services described in the Terms of Service for, or on behalf of, Covered Entity, provided that such Use or Disclosure would not violate the HIPAA Privacy Rule if done by Covered Entity (except as permitted under paragraphs below);
- as Required By Law;
- for the proper management and administration of Business Associate, or to carry out its legal responsibilities, provided that Disclosures are permitted only if Required By Law, or if Business Associate obtains reasonable written assurances from the recipient that the PHI will be held confidentially and Used or further Disclosed only as Required By Law or for the purpose for which it was Disclosed, and the recipient notifies Business Associate of any breach of confidentiality;
- to provide Data Aggregation services relating to the Health Care Operations of Covered Entity, to the extent permitted by 45 C.F.R. § 164.504(e)(2)(i)(B); and
- to de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c), and to Use de-identified information, which is not PHI and is not subject to this BAA.
Business Associate will not Use or Disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as set forth above. Business Associate will make reasonable efforts to Use, Disclose, and request only the Minimum Necessary PHI to accomplish the intended purpose. Business Associate will not Use or Disclose PHI for marketing, will not sell PHI, and will not Use PHI to train advertising or general-purpose AI models, except as expressly permitted by Covered Entity in writing and in compliance with HIPAA.
3. Obligations of Business Associate
Business Associate agrees that it will:
- Safeguards. Use appropriate administrative, physical, and technical safeguards, and comply with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) with respect to ePHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA. These safeguards include encryption of PHI in transit and at rest, role-based access controls, tenant isolation, audit logging, and workforce confidentiality obligations.
- Mitigation. Mitigate, to the extent practicable, any harmful effect known to Business Associate of a Use or Disclosure of PHI in violation of this BAA.
- Reporting. Report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA of which it becomes aware, any Security Incident, and any Breach of Unsecured PHI, in accordance with Section 4.
- Subcontractors. In accordance with 45 C.F.R. §§ 164.308(b)(2) and 164.502(e)(1)(ii), ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions, conditions, and safeguards at least as restrictive as those that apply to Business Associate under this BAA.
- Access. Make available PHI in a Designated Record Set to Covered Entity, or as directed by Covered Entity to an Individual, as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524, within fifteen (15) business days of a written request.
- Amendment. Make any amendment to PHI in a Designated Record Set as directed by or agreed to by Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity's obligations, within fifteen (15) business days of a written request.
- Accounting of disclosures. Maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528, within thirty (30) business days of a written request.
- Covered Entity obligations. To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of those obligations.
- HHS access. Make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.
- Records. Document Disclosures of PHI and information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures.
4. Reporting of breaches and security incidents
Business Associate will report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) calendar days after discovery, and will provide the information reasonably available to enable Covered Entity to meet its notification obligations under 45 C.F.R. §§ 164.400–414, including, to the extent known: a description of what occurred; the types of PHI involved; the Individuals affected; the steps Individuals should take; and the steps Business Associate is taking to investigate, mitigate, and prevent recurrence. The parties acknowledge that this Section constitutes notice of the ongoing occurrence of unsuccessful Security Incidents (such as pings, port scans, and failed log-in attempts) that result in no unauthorized access to, or Use or Disclosure of, PHI, for which no additional individual notice is required.
5. Obligations of Covered Entity
Covered Entity will: (a) notify Business Associate of any limitation in its Notice of Privacy Practices, of any changes to or revocation of an Individual's permission to Use or Disclose PHI, and of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, in each case to the extent it may affect Business Associate's Use or Disclosure of PHI; (b) obtain any consent, authorization, or permission required under applicable law before submitting PHI to the Service; and (c) not request Business Associate to Use or Disclose PHI in any manner that would not be permitted under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as permitted under Section 2 for Business Associate's management and administration, Data Aggregation, or de-identification. Covered Entity is responsible for implementing appropriate privacy and security safeguards in its own systems and for the configuration choices it makes within the Service.
6. Term and termination
Term. This BAA is effective as of the date Covered Entity accepts it and remains in effect until all PHI provided by, or created or received by Business Associate on behalf of, Covered Entity is destroyed or returned, or, if return or destruction is infeasible, until the protections of this BAA are extended to such PHI in accordance with this Section.
Termination for cause. If Covered Entity determines that Business Associate has materially breached this BAA, Covered Entity may provide written notice and an opportunity to cure within thirty (30) days; if Business Associate does not cure, Covered Entity may terminate this BAA and the Terms of Service. Likewise, Business Associate may terminate if it determines Covered Entity has materially breached a material term. Either party may terminate immediately if cure is not possible.
Effect of termination. Upon termination, Business Associate will, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains, and will retain no copies. If return or destruction is infeasible, Business Associate will extend the protections of this BAA to such PHI, limit further Uses and Disclosures to those purposes that make return or destruction infeasible, and cease all other Uses and Disclosures, for as long as Business Associate maintains the PHI. Covered Entity may export its data through the Service prior to termination as described in the Terms of Service.
7. Miscellaneous
Regulatory references. A reference to a section of HIPAA means the section as in effect or as amended.
Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with HIPAA and other applicable law; Business Associate may update this BAA with notice to account owners, and continued use of the Service after the effective date constitutes acceptance.
Survival. Business Associate's obligations with respect to PHI survive termination for as long as Business Associate retains PHI.
No third-party beneficiaries. Nothing in this BAA confers any rights on any person other than the parties, their respective successors, and permitted assigns.
Interpretation. Any ambiguity in this BAA will be resolved to permit the parties to comply with HIPAA.
8. Ontario practices (PHIPA)
Where Covered Entity is a health information custodian subject to Ontario's Personal Health Information Protection Act, 2004 (“PHIPA”), NextChair acts as the custodian's agent and service provider (and, where applicable, a health information network provider under O. Reg. 329/04). In that capacity, NextChair will: collect, use, and disclose personal health information only as permitted by the custodian and as necessary to provide the Service; not use or disclose it other than as permitted by PHIPA and authorized by the custodian; take steps that are reasonable in the circumstances to ensure personal health information is protected against theft, loss, and unauthorized use or disclosure, and that records are protected against unauthorized copying, modification, or disposal; notify the custodian at the first reasonable opportunity of any unauthorized use, disclosure, theft, or loss; and, where acting as a health information network provider, make available a plain-language description of its services, including the safeguards in place. The HIPAA terms above and the PHIPA terms in this Section are intended to operate together; where Covered Entity is subject to only one regime, the terms for the other regime do not apply to it.
9. Contact
For questions about this BAA, or to provide a notice required under it: legal@nextchair.co · Security and breach notices: security@nextchair.co