Business Associate Agreement
This Business Associate Agreement is between Mark Guirgis, doing business as ExperClinic ("Business Associate" or "ExperClinic") and the customer identified on the ExperClinic Service ("Covered Entity" or "you"). It supplements the Terms of Service and Data Processing Addendum (together, the "Agreement") and is effective as of the date both parties execute it.
1. Definitions
Capitalized terms used but not defined here have the meaning given them in the HIPAA Rules. For convenience:
- "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, as amended.
- "PHI" means Protected Health Information as defined in 45 CFR 160.103, limited to information created or received by Business Associate on behalf of Covered Entity.
- "Breach" and "Unsecured PHI" have the meanings given in 45 CFR 164.402.
- "Designated Record Set" has the meaning at 45 CFR 164.501.
- "Individual" has the meaning at 45 CFR 160.103 and includes a person who qualifies as a personal representative under 45 CFR 164.502(g).
- "Security Incident" has the meaning at 45 CFR 164.304.
- "Subcontractor" means a third party to whom Business Associate delegates any function involving the use or disclosure of PHI.
2. Permitted uses and disclosures of PHI
2.1 Service-related uses
Business Associate may use or disclose PHI only as necessary to perform the Service for Covered Entity, as set out in the Agreement, and as required by law. Permitted activities include:
- Transmitting SMS review requests, appointment reminders, and two-way patient conversations on behalf of Covered Entity.
- Receiving and storing patient feedback and message content.
- Processing scheduling, reactivation, and analytics data.
- Sending operational email notifications to Covered Entity's staff about the Service.
2.2 Management and administration
Business Associate may use PHI for its own proper management and administration, and to carry out its legal responsibilities, only if the disclosure is required by law, or if Business Associate obtains reasonable assurances from the receiving party that the PHI will be kept confidential and only used or disclosed as required by law or as permitted by the receiving party.
2.3 Aggregation
Business Associate may de-identify PHI in accordance with 45 CFR 164.514(b), and may aggregate de-identified data across Covered Entities for purposes of improving the Service, provided that the resulting data no longer identifies any Individual.
2.4 Prohibited uses
Business Associate will not use or disclose PHI other than as permitted by this BAA, the Agreement, or as required by law. Business Associate will not sell PHI, and will not use or disclose PHI for marketing purposes other than as permitted by 45 CFR 164.506.
3. Obligations of Business Associate
Business Associate will:
- (a) Safeguards. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI it creates, receives, maintains, or transmits, as required by the HIPAA Security Rule (45 CFR 164.308, 164.310, 164.312, 164.316).
- (b) Report. Report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware, including Breaches of Unsecured PHI and any Security Incident.
- (c) Breach notification. Notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery. The notification will include, to the extent possible, the identification of each Individual affected, a description of what happened, the types of PHI involved, any steps Individuals should take, and what Business Associate is doing in response.
- (d) Subcontractors. Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate under this BAA. A current list of Subcontractors appears in the Data Processing Addendum, Annex III.
- (e) Access. Within 30 days of a written request, make PHI in a Designated Record Set available to Covered Entity (or, at Covered Entity's direction, to an Individual) to the extent necessary to satisfy Covered Entity's obligations under 45 CFR 164.524.
- (f) Amendment. Make amendments to PHI in a Designated Record Set as directed or agreed to by Covered Entity under 45 CFR 164.526, within 30 days of a written request.
- (g) Accounting of disclosures. Maintain and make available to Covered Entity the information required to provide an accounting of disclosures to an Individual under 45 CFR 164.528, within 30 days of a written request.
- (h) Compliance with Covered Entity obligations. To the extent Business Associate carries out any obligation of Covered Entity under the Privacy Rule, comply with the requirements of the Privacy Rule that would apply to Covered Entity in performing that obligation.
- (i) Government access. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
4. Obligations of Covered Entity
Covered Entity will:
- (a) Notice. Provide Business Associate with notice of any limitation in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.
- (b) Individual permissions. Notify Business Associate of any changes in, or revocation of, an Individual's permission to use or disclose PHI, to the extent such changes affect Business Associate's permitted uses and disclosures.
- (c) Restrictions. Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522.
- (d) Permissible requests. Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
5. Term and termination
5.1 Term
This BAA is effective on the date countersigned by both parties and continues until the Agreement ends or until terminated as described below.
5.2 Termination for cause
Covered Entity may terminate this BAA and the Agreement if Business Associate has materially breached this BAA and has failed to cure the breach within 30 days after written notice. Business Associate has the reciprocal right to terminate if Covered Entity materially breaches this BAA and fails to cure the breach within the same period after written notice.
5.3 Effect of termination
On termination, Business Associate will, if feasible, return or destroy all PHI received from or created on behalf of Covered Entity within 90 days. If return or destruction is not feasible, Business Associate will continue to protect the PHI under this BAA and limit further uses and disclosures to the purposes that make return or destruction infeasible. Business Associate will document in writing any reasons for infeasibility.
6. Subcontractors and sub-processors
ExperClinic engages the Sub-processors listed in Annex III of the DPA to provide the Service. Each Sub-processor has executed a written agreement requiring protections equivalent to those in this BAA. If ExperClinic changes its Sub-processor list in a way material to the handling of PHI, it will give Covered Entity at least 30 days' notice and an opportunity to object.
7. Compliance and audits
Given the size of ExperClinic's operation, audit obligations are satisfied by providing, on request, up-to-date information about its security practices, Sub-processor list, and incident response procedures. Covered Entity may request additional audit information once per calendar year, at its own expense, subject to reasonable confidentiality protections.
8. Indemnification
Each party will indemnify and hold the other harmless from any third-party claim, loss, penalty, or expense (including reasonable legal fees) arising out of its own breach of this BAA. Nothing in this Section 8 alters either party's liability to Individuals under HIPAA or applicable state law, which remains direct.
9. Miscellaneous
- Regulatory changes. The parties will amend this BAA as reasonably necessary to comply with changes to the HIPAA Rules or the Health Information Technology for Economic and Clinical Health ("HITECH") Act.
- Interpretation. Any ambiguity in this BAA will be resolved in favor of a meaning that permits Business Associate and Covered Entity to comply with the HIPAA Rules.
- No third-party beneficiaries. Nothing in this BAA is intended, nor will be construed, to confer any rights on any third party other than the parties hereto.
- Order of precedence. In the event of any conflict between this BAA and the Agreement, this BAA prevails with respect to the handling of PHI.
- Governing law. This BAA is governed by the laws of the Province of Ontario, Canada, and applicable US federal law, including the HIPAA Rules.
- Amendments. Any amendment must be in writing and signed by both parties.
10. Signatures
This BAA is executed by PDF exchange. ExperClinic will countersign and return a copy within five business days of receiving a signed BAA from Covered Entity. The effective date is the date on which both parties have signed.
For ExperClinic:
Mark Guirgis, doing business as ExperClinic
Signature: _________________________
Date: _________________________
For Covered Entity:
Entity name: _________________________
Authorized signatory: _________________________
Title: _________________________
Signature: _________________________
Date: _________________________