Business Associate Agreement
Last updated: February 2026
1. Overview
This Business Associate Agreement ("BAA") is entered into between the customer ("Covered Entity") and Rymeda, Inc. ("Business Associate") pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 42 USC §1320d et seq., the HIPAA Privacy Rule at 45 CFR Part 164 Subpart E, the HIPAA Security Rule at 45 CFR Part 164 Subpart C, the HIPAA Breach Notification Rule at 45 CFR Part 164 Subpart D, and the Health Information Technology for Economic and Clinical Health Act ("HITECH"), 42 USC §17921 et seq.
This BAA supplements the Terms of Service, Privacy Policy, and Data Processing Agreement, and governs the use and disclosure of Protected Health Information ("PHI") by Business Associate on behalf of Covered Entity.
2. Definitions
Capitalized terms not defined herein shall have the meanings assigned under 45 CFR §160.103 and §164.501.
- Protected Health Information (PHI) — individually identifiable health information as defined in 45 CFR §160.103, including electronic PHI ("ePHI").
- Covered Entity — the customer that is a health plan, healthcare clearinghouse, or healthcare provider who transmits health information electronically in connection with a covered transaction, as defined in 45 CFR §160.103.
- Business Associate — Rymeda, Inc., which performs functions or activities on behalf of, or provides services to, Covered Entity involving the use or disclosure of PHI, as defined in 45 CFR §160.103.
- Security Incident — the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations, as defined in 45 CFR §164.304.
- Breach — the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
3. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this BAA or as required by law (45 CFR §164.504(e)(2)(i)).
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in accordance with 45 CFR §164.308, §164.310, and §164.312.
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any Security Incident or Breach, as specified in Section 7 below.
- Ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions as set forth in this BAA, as required by 45 CFR §164.502(e)(1)(ii). See the current Subprocessor List.
- Make PHI available to Covered Entity or the individual as required to satisfy Covered Entity's obligations under 45 CFR §164.524 (access) and §164.526 (amendment).
- Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance (45 CFR §164.504(e)(2)(ii)(H)).
- Maintain PHI for a minimum of six (6) years from the date of creation or the date when it was last in effect, whichever is later, in compliance with 45 CFR §164.530(j).
4. Permitted Uses and Disclosures
Business Associate may use or disclose PHI solely to perform functions, activities, or services for or on behalf of Covered Entity as specified in the Terms of Service, provided such use or disclosure does not violate the HIPAA Privacy Rule.
- Business Associate may use PHI for the proper management and administration of Business Associate or to carry out legal responsibilities, provided disclosures are required by law or Business Associate obtains reasonable assurances from the recipient (45 CFR §164.504(e)(4)).
- Business Associate may de-identify PHI in accordance with 45 CFR §164.514(a)-(c) for analytics and platform improvement purposes.
- Business Associate shall not use or disclose PHI for marketing purposes or sell PHI without written authorization from the individual, as required under 42 USC §17936.
5. Obligations of Covered Entity
Covered Entity agrees to:
- Provide Business Associate with any limitations in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent such limitation may affect Business Associate's use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI.
- Notify Business Associate of any restriction on the use or disclosure of PHI agreed to in accordance with 45 CFR §164.522.
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity.
6. Security Standards
Business Associate implements security measures consistent with 45 CFR Part 164, Subpart C, including:
- AES-256 encryption for ePHI at rest and TLS 1.3 for ePHI in transit.
- Role-based and attribute-based access controls enforcing the principle of least privilege.
- Immutable, append-only audit trails for all PHI access and modifications.
- Automated PHI detection and redaction pipeline before data reaches processing layers.
- Complete tenant data isolation with separate compute, storage, and network boundaries.
- Regular risk assessments, vulnerability scanning, and penetration testing.
For full details on our security posture, see our Security page.
7. Breach Notification
Business Associate shall report any Breach of unsecured PHI to Covered Entity without unreasonable delay, and in no event later than sixty (60) calendar days after discovery of the Breach, in accordance with 45 CFR §164.410.
The notification shall include: (a) the nature of the Breach, including the types of PHI involved; (b) the individuals whose PHI was or is believed to have been affected; (c) the date of the Breach and the date of discovery; (d) a description of the investigation and the actions taken; and (e) mitigation steps taken or proposed.
California-Specific Requirements: For California residents, Business Associate shall additionally comply with Cal. Civ. Code §1798.82 (SB 446) breach notification requirements and shall report to the California Attorney General when a breach affects more than 500 California residents. Business Associate shall also comply with the Confidentiality of Medical Information Act ("CMIA"), Cal. Civ. Code §56 et seq., including notification provisions under Cal. Civ. Code §56.36.
8. Subcontractors
Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA, as required by 45 CFR §164.502(e)(1)(ii) and 42 USC §17934(b).
A current list of subprocessors is maintained at the Subprocessor List page. Business Associate will provide Covered Entity with thirty (30) days' advance written notice before engaging a new subprocessor that will have access to PHI, as further described in the Data Processing Agreement.
9. Term and Termination
This BAA is effective upon execution and remains in effect for the duration of the Terms of Service or until terminated as follows:
- Either party may terminate this BAA if the other party materially breaches a term and fails to cure within thirty (30) days of written notice.
- Covered Entity may terminate this BAA immediately if Business Associate has breached a material term and cure is not possible.
- Upon termination, Business Associate shall return or destroy all PHI in its possession, if feasible. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the retained PHI and limit further use or disclosure to the purposes that make return or destruction infeasible.
- PHI shall be retained for a minimum of six (6) years from the date of creation or the date when it was last in effect, in accordance with 45 CFR §164.530(j), regardless of termination.
10. Governing Law
This BAA shall be governed by federal HIPAA regulations and, to the extent not preempted, the laws of the State of California. California-specific provisions, including the CMIA (Cal. Civ. Code §56 et seq.) and breach notification laws (Cal. Civ. Code §1798.82), shall apply where they provide greater protection than HIPAA.
11. Contact
For questions regarding this BAA or to report a security incident:
- Privacy Office: privacy@rymeda.com
- Compliance Office: compliance@rymeda.com
- Security Team: security@rymeda.com