Business Associate Agreement
Last Updated: June 15, 2026
This Business Associate Agreement (“BAA”) is entered into by and between Lance Health Inc. (“Business Associate”) and the entity on whose behalf the individual accepting this BAA accepts this BAA (“Customer”), which is acting as either a covered entity or a business associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The parties are entering into this BAA to assist Customer in complying with HIPAA, and to set forth Business Associate’s obligations under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), and 45 CFR Parts 160 and 164, Subpart C (the “Security Rule”), Subpart D (the “Data Breach Notification Rule”), and Subpart E (the “Privacy Rule”) (collectively, the “HIPAA Regulations”) and applicable State law.
This BAA applies to any Protected Health Information Business Associate receives from Customer, or creates, receives or maintains on behalf of Customer, under its agreements with Customer, including any terms of service posted to its website, order form, master services agreement, or other written agreement between the parties governing the Services (collectively, the “Services Agreement”).
AGREEMENT
Definitions. Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth under the HIPAA Regulations, as amended from time to time.
“Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of the HIPAA Regulations, provided that it is limited to such protected health information that is received by Business Associate from, or created, received, maintained, or transmitted by Business Associate on behalf of Customer.
“Security Incident” shall have the meaning given to the term “security incident” at 45 CFR § 164.304, as applied to the electronic Protected Health Information created, received, maintained, or transmitted by Business Associate from or on behalf of Customer.
“Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, use, or disclosure of Protected Health Information.
Permitted Uses and Disclosures. Business Associate may use and disclose Customer’s Protected Health Information to provide Customer with the services under the Services Agreement. Except as expressly provided below, this BAA does not authorize Business Associate to make any use or disclosure of Protected Health Information that Customer would not be permitted to make under Subpart E of 45 CFR Part 164.
Obligations of Business Associate. Business Associate will:
Not use or further disclose Customer’s Protected Health Information except as permitted by the Services Agreement or this BAA, or as required by law;
Use appropriate safeguards, and comply, where applicable, with the Security Rule with respect to electronic Protected Health Information, to prevent use or disclosure of Customer’s Protected Health Information other than as provided for by the Services Agreement or this BAA. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of Customer;
Report to Customer any use or disclosure of Customer’s Protected Health Information not provided for by the Services Agreement or this BAA of which it becomes aware, including breaches of unsecured Protected Health Information as required by the Data Breach Notification Rule (45 CFR § 164.410), and any Security Incident of which Business Associate becomes aware without unreasonable delay, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given;
Ensure that any of Business Associate’s subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree in writing to substantially similar, and no less restrictive, restrictions and conditions as those that apply to Business Associate with respect to such information, including compliance with the HIPAA Security Rule with respect to electronic Protected Health Information;
To the extent that Business Associate maintains Protected Health Information in a Designated Record Set, make any Protected Health Information in a Designated Record Set available to Customer to enable Customer to meet its obligation to provide access to the information in accordance with 45 CFR § 164.524;
To the extent that Business Associate maintains Protected Health Information in a Designated Record Set, make any Protected Health Information in a Designated Record Set available for amendment and incorporate any amendments to Protected Health Information as directed by Customer pursuant to 45 CFR § 164.526;
Make available to Customer the information concerning disclosures that Business Associate makes of Customer’s Protected Health Information required to enable Customer to provide an accounting of disclosures in accordance with 45 CFR § 164.528;
To the extent that Business Associate carries out Customer’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations; and
Make Business Associate’s internal practices, books, and records relating to Business Associate’s use and disclosure of Protected Health Information received from Customer, or created or received by Business Associate on behalf of Customer, available to the Secretary of the United States Department of Health and Human Services for purposes of determining Customer’s compliance with the HIPAA Regulations, subject to attorney-client and other applicable legal privileges.
Proper Management and Administration of Business Associate. Business Associate may use Customer’s Protected Health Information for the proper management and administration of Business Associate or to carry out Business Associate’s own legal responsibilities. Business Associate may disclose Protected Health Information for these purposes if Business Associate is required to do so by law, or if Business Associate obtains reasonable assurances from the recipient of the information that (1) it will be held confidentially, and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (2) the recipient will notify Business Associate of any instances of which the recipient is aware in which the confidentiality of the information is breached.
Data Aggregation. Business Associate may use Customer’s Protected Health Information for data aggregation, as permitted by the Privacy Rule.
De-identification. Business Associate may de-identify Customer’s Protected Health Information, in compliance with the requirements of 45 CFR § 164.514. Business Associate may use and disclose de-identified information for its business purposes, provided that Business Associate will not attempt to re-identify such information, use such information to identify Customer or any Individual, or disclose such information in a manner that identifies Customer or any Individual.
No Training of Artificial Intelligence Models. Notwithstanding anything to the contrary in this BAA, Business Associate shall not, and shall not permit any subcontractor to, use Customer’s Protected Health Information to train, fine-tune, retrain, or otherwise develop any artificial intelligence model, foundation model, large language model, or other machine learning model. With respect to information that Business Associate has properly de-identified in accordance with the De-identification section above, Business Associate may use such de-identified information for internal service evaluation, quality assurance, benchmarking, security monitoring, fraud detection, and aggregate analytics that support the services Business Associate provides to its customers; provided, however, that Business Associate shall not use such de-identified information to train, fine-tune, retrain, or otherwise develop any foundation model, large language model, or other general-purpose artificial intelligence model that is intended for, or made available for, use beyond the services Business Associate provides to its customers.
Customer Obligations. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Customer agrees:
Customer shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by Customer (except to the extent permitted by HIPAA for a business associate).
Customer is responsible for maintaining a notice of privacy practices, as required by HIPAA, to the extent applicable to Customer.
Customer represents and warrants that it has obtained any necessary authorizations, consents, and other permissions that may be required under any applicable law to provide Protected Health Information to Business Associate and for Business Associate to provide the services.
Customer shall notify Business Associate in writing of any limitations in an applicable notice of privacy practices, to the extent that such limitations may affect Business Associate’s use or disclosure of Protected Health Information.
Customer shall notify Business Associate in writing of any changes in, or revocation of, authorization by an Individual to use or disclose Protected Health Information, to the extent that such changes or revocation may affect Business Associate’s use or disclosure of Protected Health Information.
Customer shall notify Business Associate in writing of any restriction to the use or disclosure of Protected Health Information that Customer has agreed to or is required to abide by in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
Term and Termination. This BAA shall continue in effect until the earlier of (1) expiration of the Services Agreement or (2) termination by either party pursuant to this section of this BAA. Termination of this BAA terminates the Services Agreement to the extent the Services require Protected Health Information.
Business Associate may immediately terminate the Services Agreement and/or this BAA if Customer is in material breach or default of any obligation in this BAA. Business Associate may, but does not have the duty to, provide Customer with an opportunity to cure any material breach of this BAA or end the violation within thirty (30) days. Business Associate may immediately suspend the services or terminate this BAA if Business Associate determines in good faith that continued performance would create a material legal, security, or compliance risk, or if Customer has misused the services or Protected Health Information.
Customer may terminate this BAA if Business Associate has violated a material term of this BAA and has not cured such violation within thirty (30) days after written notice, unless cure is not feasible.
Upon expiration or termination of this BAA, Business Associate shall return or destroy all Protected Health Information in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Services Agreement. If it is not feasible to return or destroy any portions of the Protected Health Information upon termination of this BAA, as determined by the Business Associate, then Business Associate shall extend the protections of this BAA, without limitation, to such Protected Health Information and limit any further use or disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible for the duration of the retention of the Protected Health Information.
No Third-Party Relationships. This BAA is between the parties hereto. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than Business Associate and Customer and any respective successors and assigns.
Governing Law and Dispute Resolution. This BAA shall be governed by, and construed in accordance with, the laws of the State of New York, exclusive of conflict of law rules. Except for actions seeking injunctive or other equitable relief, actions to enforce this BAA, or other claims expressly carved out from arbitration under the Services Agreement, any dispute, claim, or controversy arising out of or relating to this BAA shall be resolved through final and binding arbitration administered by JAMS in New York, New York in accordance with the dispute resolution provisions of the Services Agreement. Any court action permitted under this section may be brought only in the state or federal courts located in New York, New York, and each party irrevocably submits to the exclusive jurisdiction of such courts for these purposes.
Notices. All notices hereunder shall be in writing, and either delivered by hand, or sent by mail, or delivered in such other manner as the parties may agree upon, to the address set forth in the Services Agreement. Each party reserves the right to change its address for receiving notice during the term of this BAA upon written notice to the other party.
Relationship to Services Agreement. Subject to Business Associate’s obligation to comply with this BAA with respect to Protected Health Information, any limitations and exclusions of liability in the Services Agreement apply to claims arising out of or relating to this BAA. Nothing in the Services Agreement limits any equitable remedy that cannot be waived under applicable law.