Business Associate Agreement (BAA) Policy

Last updated: March 2025

This policy outlines HiBoop's standard terms for processing Protected Health Information (US) and Personal Health Information (Canada), both referred to below as "PHI", on behalf of Covered Entities in the United States and Health Information Custodians in Canada.

HiBoop Inc. ("Business Associate" or "Processor") acknowledges its obligations to protect the privacy and security of health data entrusted to it by healthcare providers ("Covered Entity" or "Custodian"). This policy applies to all services provided by HiBoop involving PHI.

01 Definitions

  • Protected Health Information (PHI): Individually identifiable health information as defined by HIPAA (US) and, for personal health information, by PHIPA and equivalent provincial health information acts and PIPEDA (Canada), including demographic data, medical history, test results, and insurance information.
  • Covered Entity / Custodian: The healthcare provider, clinic, or organization using HiBoop to provide care.
  • Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
  • Breach: The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.

02 Permitted Uses & Disclosures of PHI

HiBoop may use or disclose PHI only as necessary to perform services described in the Master Service Agreement, and only for the following purposes:

  • Treatment, Payment & Operations (TPO): Processing, storing, and transmitting assessment data to support clinical treatment, care coordination, and practice operations on behalf of the Covered Entity.
  • Management & Administration: Using PHI for HiBoop’s own proper management and administration or to carry out its legal responsibilities. PHI may be disclosed to a third party for these purposes only if the disclosure is required by law, or if the third party gives reasonable written assurances that the information will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the third party will notify HiBoop of any breach of that confidentiality.
  • Data Aggregation: Providing data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B). Aggregated datasets are de-identified per 45 CFR § 164.514 and are never linked back to individual patients.
  • Required by Law: Disclosing PHI as required by applicable federal or state/provincial law, including to the U.S. Department of Health and Human Services (HHS) for compliance investigations.

03 Obligations of Business Associate

HiBoop shall implement appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. This includes encryption at rest and in transit, access controls, and audit logs.

Subcontractors

HiBoop shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of HiBoop agree to the same restrictions and conditions that apply to HiBoop with respect to such information.

04 Obligations of the Covered Entity

  • Provide Notice of Privacy Practices: Covered Entity shall notify HiBoop of any limitation in its Notice of Privacy Practices to the extent such limitation may affect HiBoop’s use or disclosure of PHI.
  • Notify of Permission Changes: Covered Entity shall notify HiBoop of any changes in, or revocation of, permission by an individual to use or disclose PHI.
  • Security Incident Notification: Covered Entity shall promptly notify HiBoop of any security incidents involving PHI that originate from the Covered Entity’s systems or personnel.

05 Reporting & Breach Notification

HiBoop commits to reporting any Security Incident or Breach involving PHI to the Covered Entity within 24 hours of discovery. This is well inside the regulatory limits, which require a business associate to notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery (HIPAA Breach Notification Rule, 45 CFR § 164.410) and "as soon as feasible" (PIPEDA). The report will include the information HiBoop has at the time, with follow-up as further details become available.

06 Authorized Sub-processors

HiBoop uses the following sub-processors that may process PHI in the course of service delivery.

Sub-processor             Purpose                        Data Location                                  Compliance
Google Firebase / Cloud   Hosting, database, functions   us-central1 (Iowa) / northamerica-northeast1 (Montreal)   HIPAA BAA in place

07 Jurisdictional Specifics

United States (HIPAA)

This agreement serves as a formal HIPAA Business Associate Agreement. HiBoop adheres to the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule. Data Residency: us-central1 (Iowa)

Canada (PIPEDA / PHIPA)

HiBoop acts as an agent and electronic service provider of the Health Information Custodian under PHIPA (Ontario), and as an "information manager" or the equivalent role under other provincial health information acts (for example Alberta's Health Information Act). Data Residency: northamerica-northeast1 (Montreal)

08 Term & Termination

  • Term: This Agreement shall be effective as of the date of the Master Service Agreement and shall terminate when all PHI provided by Covered Entity to HiBoop is destroyed or returned.
  • Effect of Termination: Upon termination, HiBoop shall return or destroy all PHI received from Covered Entity.