ClientCare
TermsPrivacyBAA

Business Associate Agreement

Last Updated: February 15, 2026

This Business Associate Agreement ("BAA") is entered into between the healthcare organization creating an account on ClientCare.pro ("Covered Entity") and Client Care LLC, a Delaware limited liability company ("Business Associate"), effective as of the date of electronic acceptance ("Effective Date").

This BAA supplements and is incorporated into the Terms of Service between the parties. In the event of a conflict between this BAA and the Terms of Service regarding the handling of Protected Health Information, this BAA shall control.

1. Definitions

Capitalized terms used but not otherwise defined in this BAA shall have the meanings assigned to them in the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, "HIPAA"), including:

  • "Protected Health Information" ("PHI") has the meaning set forth in 45 CFR 160.103.
  • "Electronic Protected Health Information" ("ePHI") has the meaning set forth in 45 CFR 160.103.
  • "Breach" has the meaning set forth in 45 CFR 164.402.
  • "Security Incident" has the meaning set forth in 45 CFR 164.304.
  • "Required by Law" has the meaning set forth in 45 CFR 164.103.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the Terms of Service, or as Required by Law. Specifically, Business Associate may use and disclose PHI solely for the following purposes:

  • Performing eligibility verification with Medicare and Medicaid programs;
  • Screening staff against OIG/LEIE and SAM.gov exclusion databases;
  • Generating compliance reports and risk assessments;
  • Displaying data on the Covered Entity's dashboard;
  • Providing customer support related to the Service;
  • As otherwise authorized by the Covered Entity in writing.

2.2 Safeguards

Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in accordance with 45 CFR Part 164, Subpart C. These safeguards include but are not limited to:

  • Encryption of ePHI at rest (AES-256) and in transit (TLS 1.3);
  • Multi-factor authentication for all user access;
  • Row-level security for database tenant isolation;
  • Immutable audit logging of all access to ePHI;
  • Regular risk assessments and vulnerability scanning;
  • Workforce training on HIPAA privacy and security requirements.

2.3 Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Breach of Unsecured PHI or Security Incident, without unreasonable delay and in no event later than sixty (60) calendar days after discovery of such Breach or Security Incident.

2.4 Subcontractors

Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to substantially similar restrictions and conditions as those that apply to Business Associate under this BAA, including implementing reasonable and appropriate safeguards to protect ePHI. Current subcontractors that may process PHI include:

  • Google Cloud Platform (infrastructure and hosting);
  • Stedi, Inc. (eligibility verification transactions);
  • Firebase/Google (authentication services).

2.5 Access to PHI

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within fifteen (15) business days of a request from Covered Entity, make available PHI to Covered Entity as necessary to allow Covered Entity to fulfill its obligations to provide individuals with access to their PHI under 45 CFR 164.524.

2.6 Amendment of PHI

Business Associate shall, within fifteen (15) business days of a request from Covered Entity, make any amendments to PHI as directed by Covered Entity pursuant to 45 CFR 164.526.

2.7 Accounting of Disclosures

Business Associate shall maintain a record of disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR 164.528. Business Associate shall provide such information to Covered Entity within fifteen (15) business days of request.

2.8 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.

2.9 Minimum Necessary

Business Associate shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR 164.502(b) and 164.514(d).

3. Obligations of Covered Entity

Covered Entity shall:

  • Provide Business Associate with only the minimum PHI necessary for Business Associate to perform its obligations under the Terms of Service;
  • Notify Business Associate of any limitations in Covered Entity's notice of privacy practices that may affect Business Associate's use or disclosure of PHI;
  • Notify Business Associate of any restrictions on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 CFR 164.522;
  • Not request Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.

4. Term and Termination

4.1 Term

This BAA shall be effective as of the Effective Date and shall remain in effect for the duration of the Terms of Service, unless earlier terminated as provided herein.

4.2 Termination for Cause

Either party may terminate this BAA if it determines that the other party has violated a material term of this BAA, provided that the terminating party gives written notice of the violation and affords the other party thirty (30) days to cure the violation. If the violation is not cured within the cure period, the terminating party may terminate both this BAA and the Terms of Service.

4.3 Effect of Termination

Upon termination of this BAA, Business Associate shall, at Covered Entity's election, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within thirty (30) days. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate retains the PHI.

5. General Provisions

Regulatory References. Any reference in this BAA to a section of HIPAA shall mean the section as in effect or as amended from time to time, and for which compliance is required.

Amendment. This BAA may not be modified except by a written amendment signed by both parties or, with respect to changes required by HIPAA, upon thirty (30) days' written notice by Business Associate.

Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA.

No Third-Party Beneficiaries. Nothing in this BAA shall confer upon any person or entity other than the parties and their permitted successors and assigns any rights, remedies, obligations, or liabilities.

6. Electronic Acceptance

By providing your name and checking the acceptance box during the ClientCare.pro onboarding process, you represent that you are authorized to execute this BAA on behalf of the Covered Entity. Electronic acceptance constitutes a valid and binding signature under the Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. § 7001 et seq.) and the Uniform Electronic Transactions Act (UETA).

A record of your acceptance, including the name provided, email address, timestamp, and IP address, will be maintained by Business Associate for compliance purposes.

7. Contact Information

Client Care LLC
HIPAA Privacy and Security Officer
Email: hipaa@clientcare.pro
Website: https://clientcare.pro