Ultimo aggiornamento: 27 ottobre 2025
This BUSINESS ASSOCIATE AGREEMENT (the "BAA") is made and entered into as of by and between the business or person agreeing to this BAA as a user of the Vera Health services ("Client") and Veracity-Health Inc., a Delaware corporation with an address at 2261 Market Street, Suite 22644, San Francisco, California 94114 USA ("Vera Health"). In this BAA, Client and Vera Health are each a "Party" and, collectively, are the "Parties."
(a) Client is either a "covered entity" or "business associate" of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, "HIPAA") and, as such, is required to comply with HIPAA's provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);
(b) The Parties have entered into or will enter into an Agreement (defined below) under which Vera Health provides or will provide certain specified services to Client ("Services");
(c) In providing Services, Vera Health may have access to Protected Health Information from the Client ("PHI");
(d) By providing the services pursuant to the Agreement and receiving PHI, Vera Health may become a "business associate" of the Client as such term is defined under HIPAA;
(e) Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the "Privacy Rule"); and
(f) Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Vera Health pursuant to the terms of this Agreement, HIPAA and other applicable laws.
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Client to Vera Health under the Agreement in reliance on this BAA, the Parties agree as follows:
1.1 For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in HIPAA, the Privacy Rule, pertinent law, or the Agreement.
(a) "Affiliate" means a subsidiary or affiliate of Client that is, or has been, considered a covered entity, as defined by HIPAA.
(b) "Agreement" means one or more agreements under which Vera Health provides or will provide Services to Client. If no other agreement exists, the Agreement will be the Vera Health Terms of Services (https://www.verahealth.ai/terms).
(c) "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
(d) "Breach Notification Rule" means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
(e) "Data Aggregation" means, with respect to PHI created or received by Vera Health in its capacity as the "business associate" under HIPAA of Client, the combining of such PHI by Vera Health with the PHI received by Vera Health in its capacity as a business associate of one or more other "covered entity" under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of "data aggregation" in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
(f) "Designated Record Set" has the meaning given to such term under the Privacy Rule.
(g) "De-Identify" means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
(h) "Effective Date" means the date on which the Parties agree to this BAA, either by signing the BAA or affirming agreement to its terms through any legally sufficient manner.
(i) "Electronic PHI" means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
(j) "Health Care Operations" has the meaning given to that term in 45 CFR §164.501.
(k) "HHS" means the U.S. Department of Health and Human Services.
(l) "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
(m) "Individual" has the same meaning given to that term i in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
(n) "Protected Health Information" or "PHI" has the meaning given to the term "protected health information" in 45 CFR §§164.501 and 160.103, limited to the information created or received by Vera Health from or on behalf of Client pursuant to the Agreement.
(o) "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
(p) "Security Rule" means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
(q) "Unsecured Protected Health Information" or "Unsecured PHI" means any "protected health information" as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).
(r) "Unsuccessful Security Incident" means activities such as pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denials of service, and any combination of the foregoing, so long as no such incident results in unauthorized access, use, disclosure, modification, or destruction of PHI.
2.1 Except as otherwise provided in this BAA, Vera Health may use or disclose PHI as reasonably necessary to provide the Services, and to undertake other activities of Vera Health permitted or required of Vera Health by this BAA, the Agreement, or as required by law.
2.2 Except as otherwise limited by this BAA or federal or state law, Client authorizes Vera Health to use the PHI in its possession for the proper management and administration of Vera Health's business and to carry out its legal responsibilities. Vera Health may disclose PHI for its proper management and administration, provided that (i) the disclosures are permitted or required by law; or (ii) Vera Health obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Vera Health immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
2.3 Vera Health will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Vera Health will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act's implementing regulations adopted by HHS, for each use or disclosure of PHI.
2.4 All de-identified information created by Vera Health in compliance with the Agreement will belong exclusively to Vera Health, provided that Client will not hereby be prevented from itself creating and using its own de-identified information.
2.5 Upon request, Vera Health will make available to Client any of Client's PHI that Vera Health or any of its agents or subcontractors have in their possession.
2.6 Vera Health may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
2.7 Subject to the other requirements and limitations of this BAA, the business records of Vera Health and all other records, electronic or otherwise, created or maintained by Vera Health in performance of the Agreement will be and remain the property of Vera Health, even though they may reflect PHI.
3.1 Vera Health will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA. Vera Health agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Client. Vera Health agrees to take reasonable steps so that the actions or omissions of its employees or agents do not cause Vera Health to breach the terms of this BAA. Such steps include, without limitation, providing adequate training to its employees on compliance consistent with this BAA.
4.1 Vera Health will report to Client in writing any: (i) use or disclosure of PHI not permitted by this BAA of which it becomes aware, or (ii) Security Incident affecting Electronic PHI of Client of which it becomes aware. Vera Health agrees to report any such event within five business days of becoming aware of the event.
4.2 This Section 4.2 constitutes notice by Vera Health to Client of the ongoing existence, occurrence, or attempts of Unsuccessful Security Incidents, for which no additional notice to Client is required.
4.3 Vera Health will notify Client in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. Vera Health will reimburse Client for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Client as a result of a Breach committed by Vera Health.
5.1 Vera Health will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Vera Health of any use or disclosure of PHI by Vera Health or its agents or subcontractors in violation of the requirements of this BAA.
6.1 Vera Health will require that any of its agents or subcontractors that have access to, or to which Vera Health provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI consistent with this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Vera Health or, through Vera Health, on behalf of Client.
7.1 Upon request, Vera Health will provide Client with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards-based third-party audit report. Covered entity agrees not to re-disclose Vera Health's audit report.
8.1 Upon request, Vera Health agrees to furnish Client with copies of the PHI maintained by Vera Health in a Designated Record Set in the time and manner designated by Client to enable Client to respond to an Individual's request for access to PHI under 45 CFR §164.524.
8.2 In the event any Individual or personal representative requests access to the Individual's PHI directly from Vera Health, Vera Health within ten business days, will forward that request to Client. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual's right to obtain access to PHI shall be the sole responsibility of Client.
8.3 Upon request and instruction from Client, Vera Health will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Vera Health as directed by Client in accordance with procedures established by 45 CFR §164.526. Any request by Client to amend such information will be completed by Vera Health within 15 business days of Client's request.
8.4 In the event that any Individual requests that Vera Health amend such Individual's PHI or record in a Designated Record Set, Vera Health within ten business days will forward this request to Client. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual's right to request an amendment of PHI will be the sole responsibility of Client.
9.1 Vera Health will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Vera Health also will make available information related to such disclosures as would be required for Client to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528.
9.2 Vera Health will furnish to Client information collected in accordance with this Section 9, within ten business days after written request by Client, to permit Client to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Client elects to provide an Individual with a list of its business associates, Vera Health will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
9.3 In the event an Individual delivers the initial request for an accounting directly to Vera Health, Vera Health will within ten business days forward such request to Client.
10.1 Vera Health will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Client's and Vera Health's compliance with HIPAA, and this BAA.
11.1 With regard to the use or disclosure of Protected Health Information by Vera Health, Client agrees to:
(a) Notify Vera Health of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Vera Health's use or disclosure of PHI.
(b) Notify Vera Health of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Vera Health's use or disclosure of PHI.
(c) Notify Vera Health of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Vera Health's use or disclosure of PHI.
(d) Except for data aggregation or management and administrative activities of Vera Health, Client shall not request Vera Health to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Client.
Vera Health's data stewardship does not confer data ownership rights on Vera Health with respect to any data shared with it under the Agreement, including any and all forms thereof.
13.1 This BAA will become effective on the Effective Date, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA.
13.2 Client may terminate immediately this BAA, the Agreement, and any other related agreements if Client makes a determination that Vera Health has breached a material term of this BAA and Vera Health has failed to cure that material breach, to Client's reasonable satisfaction, within 30 days after written notice from Client. Client may report the problem to the Secretary of HHS if termination is not feasible.
13.3 If Vera Health determines that Client has breached a material term of this BAA, then Vera Health will provide Client with written notice of the existence of the breach and shall provide Client with 30 days to cure the breach. Client's failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Vera Health. Vera Health may report the breach to HHS.
13.4 Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Vera Health will be returned to Client or destroyed by Vera Health. Vera Health will not retain any copies of such information. This provision will apply to PHI in the possession of Vera Health's agents and subcontractors. If return or destruction of the PHI is not feasible, in Vera Health's reasonable judgment, Vera Health will furnish Client with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Vera Health will extend the protections of this BAA to such information for as long as Vera Health retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 13.4 will survive any termination of this BAA.
14.1 This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern.
14.2 Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
14.3 A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
14.4 The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30-days' prior written notice to the other Party.
All notices, requests and demands or other communications to be given under this BAA to a Party will be made as provided in the Agreement.
This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.