Standard BAA Template
This Business Associate Agreement ("Agreement") is entered into by and between the subscribing law firm ("Covered Entity" or "CE") and LexiFlow Technologies Inc ("Business Associate" or "BA"). Execution of a BAA is a prerequisite for processing Protected Health Information (PHI) through the LexiFlow Platform.
To request a fully executed BAA, contact privacy@lexiflow.co.
Article 1: Definitions
Capitalized terms not defined herein shall have the meaning given in HIPAA and HITECH Act regulations (45 CFR § 160.103).
- "Breach" shall have the meaning given in 45 CFR § 164.402.
- "De-Identification Standard" means the standard set forth in 45 CFR § 164.514(a)-(b).
- "Electronic Protected Health Information" (ePHI) means PHI transmitted by or maintained in electronic media.
- "HIPAA Rules" means HIPAA Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160, 162, and 164.
- "PHI" means Protected Health Information as defined in 45 CFR § 160.103.
- "Platform Services" means AI-powered lead intake, qualification, medical merit review, chronology generation, and related services.
- "Subcontractor" means any person or entity to whom BA delegates any function involving PHI, including cloud infrastructure, AI/LLM providers, and data storage services.
Article 2: Permitted Uses and Disclosures
BA may use and disclose PHI only for:
- Providing Platform Services to CE as described in the Terms of Service
- Data management, administration, and de-identification
- Compliance with legal obligations
- As otherwise permitted by the HIPAA Privacy Rule for Business Associates
Article 3: Prohibited Uses
BA shall not:
- Use PHI in a manner that violates HIPAA or HITECH
- Sell PHI or use it for marketing purposes
- Use PHI for AI model training without prior de-identification
- Disclose PHI to third parties except as authorized or required by law
Article 4: Safeguards
BA shall implement administrative, physical, and technical safeguards to prevent unauthorized access, use, or disclosure of PHI, including:
- Encryption at Rest: AES-256
- Encryption in Transit: TLS 1.2+
- Access Controls: Role-based access, unique user IDs, automatic timeout
- Audit Controls: Immutable logging of all PHI access events
- Network Security: VPC isolation, WAF, DDoS protection
Article 5: Subcontractors
BA shall require all Subcontractors that receive PHI to agree to the same restrictions and conditions as in this Agreement. Current Subcontractors with an executed BAA: AWS, OpenAI, Anthropic, Twilio, Stripe, MongoDB.
Article 6: Breach Notification
BA shall notify CE within 48 hours of discovery of any Breach of unsecured PHI. Notification shall include: nature of the Breach, PHI involved, identity of affected individuals (if known), mitigation steps, and corrective action plan.
Article 7: Access and Amendment
BA shall make PHI available to CE for access and amendment as required by 45 CFR § 164.524 and § 164.526. BA shall respond to CE requests within 30 days.
Article 8: Accounting of Disclosures
BA shall document disclosures of PHI and provide an accounting to CE within 30 days of request, as required by 45 CFR § 164.528.
Article 9: Data Retention and Destruction
Upon termination of this Agreement, BA shall return or destroy all PHI in its possession within 30 days, except where retention is required by law. BA shall confirm destruction in writing. Audit logs shall be retained for 6 years minimum per HIPAA requirements.
Article 10: Termination
CE may terminate this Agreement immediately upon notice of BA's material breach. BA may terminate upon CE's material breach. Within 30 days of termination, all PHI shall be returned or destroyed.
Article 11: Regulatory Compliance
BA shall comply with all applicable HIPAA Rules and HITECH Act requirements. BA shall make its internal practices, books, and records relating to PHI available to the Secretary of HHS for investigation purposes.
Article 12: Miscellaneous
This Agreement shall be governed by the laws of the State of Florida. If any provision is held invalid, the remainder shall continue in full force and effect. This Agreement may be executed in counterparts.
Request a Signed BAA
To request a fully executed Business Associate Agreement specific to your firm, please contact:
| Email | privacy@lexiflow.co |
| Subject | BAA Request — [Your Firm Name] |
| Include | Firm name, primary contact, estimated monthly volume |
This template is provided for informational purposes. Each BAA is individually executed between LexiFlow and the subscribing law firm.