HIPAA Business Associate Agreement (BAA)
Version 1.3 • Effective Date: June 23, 2025 • Last Updated: July 28, 2025
Acceptance of Agreement by Electronic Means
By checking the box labeled “I agree to the Business Associate Agreement,” you:
- acknowledge that you have read and understood this Agreement;
- represent and warrant that you have the authority to bind your organization; and
- agree to these terms on behalf of your organization.
Your action constitutes a legally binding agreement between your organization (“Covered Entity”) and Expected Health, Inc. (“Business Associate”).
Parties
- Business Associate: Expected Health, Inc., a Texas corporation, 5900 Balcones Dr STE 100, Austin, TX 78731
- Covered Entity: The healthcare provider organization identified during account creation on the Expected Health Platform, on whose behalf the individual accepts this Agreement.
This BAA governs all Protected Health Information (“PHI”) exchanged through the Expected Health Referral Management Platform (“Platform”).
1. Definitions
Terms not defined here have the meanings set forth in HIPAA and the HITECH Act.
| Term | Definition |
|---|---|
| Business Associate | Expected Health, Inc. |
| Covered Entity | The provider organization whose representative accepts this Agreement. |
| PHI | Health information that identifies an individual, as defined in 45 C.F.R. § 160.103. |
| Services | Referral transmission, status tracking, secure messaging, results delivery, records retrieval, analytics dashboards, and related patient-coordination features provided via the Platform. |
| Uploaded Content | Has the meaning given in the Terms of Service. |
2. Scope & Applicability
This Agreement applies to all PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity while providing the Services.
The accepting individual affirms authority to bind the organization; this BAA covers all current and future users from the same organization.
3. Permitted Uses & Disclosures
Business Associate may:
- (a) use PHI to perform the Services;
- (b) share PHI with clinics, labs, payers, or other providers as necessary to complete referrals, obtain prior authorizations, or return results;
- (c) contact patients on Covered Entity’s behalf for scheduling, intake, or follow-up;
- (d) send transactional, care-related SMS/text messages to patients at Covered Entity’s direction;
- (e) create de-identified data in accordance with 45 C.F.R. § 164.514(b) for internal analytics, quality-improvement, academic or scientific research, product development, and commercial or partnership purposes; such de-identified data is not PHI and may be used or disclosed by Business Associate without further restriction;
- (f) disclose PHI to authorized legal representatives when Covered Entity has supplied a valid HIPAA authorization, subpoena, or court order;
- (g) use or disclose PHI as required by law, or for Business Associate’s proper management and administration, provided any such disclosure satisfies the conditions of 45 C.F.R. § 164.504(e)(4); and
- (h) maintain Uploaded Content (including PHI) in a secure, encrypted repository to support continuity of care, fulfillment of authorized future requests, account-level history and dashboards, audit and compliance, and other functions described in the Terms of Service. Retention is subject to the safeguards and Minimum Necessary requirements of this Agreement and applicable law.
4. Obligations of Business Associate
Business Associate shall:
- Safeguards. Implement administrative, physical, and technical safeguards, including encryption in transit and at rest and access controls.
- Minimum Necessary. Limit uses and disclosures to the minimum PHI necessary.
- Breach Notification. Report to Covered Entity any Breach or Security Incident without unreasonable delay and in no case later than 60 calendar days after discovery, supplying the information required by 45 C.F.R. § 164.410.
- Access & Amendment. Provide Covered Entity with access to PHI in a Designated Record Set to enable individual rights of access or amendment.
- Accounting of Disclosures. Maintain disclosure logs and provide an accounting as required by 45 C.F.R. § 164.528.
- Downstream BAAs. Ensure every subcontractor that handles PHI executes a HIPAA-compliant BAA and agrees to the same obligations; Business Associate remains responsible for their performance.
- HHS Access. Make books, records, and internal practices relating to PHI available to the Secretary of Health and Human Services for compliance review.
5. Obligations of Covered Entity
Covered Entity shall:
- not request Business Associate to use or disclose PHI in a manner inconsistent with HIPAA;
- configure and use the Platform in accordance with Business Associate’s HIPAA Implementation Guide and ensure that only Minimum Necessary PHI is transmitted;
- obtain and document all patient consents or authorizations required for lawful use of the Services; and
- with respect to SMS/text communications, represent and warrant that it has obtained and documented any consent required under applicable law (including the TCPA) before directing Business Associate to send such messages, maintain such records, and promptly relay and honor opt-out requests.
6. Termination
- (a) Automatic. This BAA terminates when the underlying Services agreement terminates.
- (b) Breach. Either party may terminate with 15 days’ notice if the other party materially breaches this BAA and fails to cure.
- (c) Return/Destruction. Within 60 days after termination, Business Associate will return or securely destroy PHI in accordance with the parties’ instructions and the requirements of this Agreement. Where return or destruction is infeasible – including, without limitation, where PHI is retained as part of the Platform’s records repository, audit logs, backups, or de-identified datasets – Business Associate will extend the protections of this Agreement to the retained PHI and limit further use or disclosure to those purposes that make return or destruction infeasible.
- (d) Survival. Obligations under Sections 3–6 survive termination for as long as Business Associate retains PHI.
7. Miscellaneous
- Governing Law. This Agreement is governed by HIPAA and, to the extent not pre-empted, the laws of the State of Texas.
- Successors & Assigns. This Agreement is binding on the parties and their successors and assigns.
- Severability. If any provision is unenforceable, the remainder remains in effect.
- Counterparts. This Agreement may be executed electronically and in counterparts.
8. Acceptance & Future Users
This Agreement becomes effective upon electronic acceptance during account creation. It binds the accepting organization and all subsequent users from that organization who access the Platform.
9. Document Control
Version 1.3 — Last Updated July 28, 2025. Expected Health may update this BAA prospectively; material changes will be provided to Covered Entity for review and will not apply retroactively without consent where required by law.
End of Business Associate Agreement
