Legal
Version 1.2 — Effective April 5, 2026
Last Updated: April 5, 2026
WHEREAS, [Covered Entity Name], a [state] [entity type] ("Covered Entity"), provides [describe services, e.g., home health services] and is a "covered entity" under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq. and its implementing regulations (collectively, "HIPAA");
WHEREAS, Ordo Compliance, Inc., a Delaware corporation ("Business Associate"), provides compliance management, Medicare compliance tracking, and credential verification services that involve the creation, receipt, maintenance, transmission, and use of protected health information ("PHI");
WHEREAS, Covered Entity and Business Associate previously entered into a Master Service Agreement dated [date] (the "Service Agreement") for the provision of such services;
WHEREAS, Covered Entity wishes to engage Business Associate to provide the services described in the Service Agreement, and such engagement necessarily involves Business Associate's access to, use of, and disclosure of PHI;
WHEREAS, Covered Entity and Business Associate recognize that Business Associate, in performing its obligations under the Service Agreement, is acting as a "business associate" under HIPAA and subject to the requirements of the Privacy Rule (45 CFR Part 164, Subpart E) and the Security Rule (45 CFR Part 164, Subpart C), as amended by the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. § 17921 et seq.) (the "HITECH Act");
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Covered Entity and Business Associate agree as follows:
2.1 Breach means the unauthorized acquisition, access, use, or disclosure of Unsecured Protected Health Information that compromises the security or privacy of such information. A Breach does not include: (a) an unintentional acquisition, access, or use of Unsecured PHI by an employee or agent of Business Associate if made in the course of authorized duties; (b) an inadvertent internal disclosure to another authorized employee or agent of Business Associate; (c) unauthorized acquisition, access, or use if Business Associate has a reasonable belief that the person could not reasonably have obtained the information; or (d) a disclosure where Business Associate has implemented technical safeguards that render the Unsecured PHI unusable, unreadable, or indecipherable to unauthorized persons. Breach is as defined in 45 CFR § 164.402.
2.2 Business Associate means Ordo Compliance, Inc., or any successor entity providing services on behalf of Covered Entity.
2.3 Covered Entity means the organization identified as such in the Service Agreement, which is a covered entity under HIPAA.
2.4 Designated Record Set means the group of records maintained by Business Associate that contains PHI and includes: (a) medical records and billing records maintained by or for Business Associate that are used, in whole or in part, by or for the Covered Entity to make decisions about individuals; or (b) other records maintained by Business Associate that are used to make decisions about individuals.
2.5 Electronic Protected Health Information (ePHI) means PHI that is stored electronically or in electronic format, or transmitted over an electronic medium, and includes PHI contained in Business Associate's cloud infrastructure, databases, and systems.
2.6 Individual means the natural person who is the subject of PHI.
2.7 Minimum Necessary means the PHI and access thereto that is reasonably necessary to accomplish the intended purpose of any permitted use, disclosure, access, or request. With respect to Security Rule requirements, Minimum Necessary has the meaning given in 45 CFR § 164.308(d).
2.8 Notice of Privacy Practices means the notice issued by Covered Entity that describes how PHI may be used and disclosed by Covered Entity.
2.9 Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 164, Subpart E.
2.10 Protected Health Information (PHI) means any information in a medical record or health plan that can be used to identify an individual, as defined in 45 CFR § 160.103, including but not limited to: staff credentials, compliance records, uploaded documents, operational data, home health aide training records, Medicare data, biographical information, health status information, and payment information. PHI includes both electronic and non-electronic formats.
2.11 Required By Law means a mandate contained in law that compels an entity to make a use or disclosure of PHI and is enforceable in a court of law.
2.12 Secretary means the Secretary of the U.S. Department of Health and Human Services or, with respect to a component of the Department of Veterans Affairs, the Secretary of Veterans Affairs.
2.13 Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.
2.14 Security Rule means the Standards for the Administrative, Physical, and Technical Safeguards of Electronic Protected Health Information at 45 CFR Part 164, Subpart C.
2.15 Subcontractor means any entity that: (a) receives, creates, maintains, uses, or transmits PHI on behalf of Business Associate, or (b) provides data hosting, storage, processing, or other services to Business Associate in connection with the Service Agreement. Subcontractors include, but are not limited to, cloud service providers, data storage providers, disaster recovery providers, and audit/compliance service providers.
2.16 Unsecured Protected Health Information means PHI that is not secured by a technology standard or method that meets or exceeds the standards set forth in 45 CFR § 164.402(b), as follows: (a) encryption of ePHI in accordance with NIST standards (e.g., AES-256 encryption or equivalent); (b) destruction of data such that the PHI cannot be recovered; and (c) with respect to paper records, destruction methods that prevent reconstruction of the information.
2.17 Use means, with respect to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, the sharing, employment, application, utilization, examination, or analysis of such information within an entity.
2.18 Use or Disclosure means, with respect to information received by Business Associate, the release, transfer, provision of access to, divulging, transmission, or any other form of out-of-entity disclosure, except that the term does not include a release of information effected by an individual.
2.19 HIPAA Effective Date means the effective date of any HIPAA Privacy or Security Rule or amendment thereto that is legally binding.
2.20 Terms not defined herein shall have the meanings assigned to them in the Privacy Rule, Security Rule, or HITECH Act, as applicable. In the event of any conflict between the definitions in this Agreement and those in the HIPAA Rules or HITECH Act, the definitions in HIPAA or HITECH shall control.
Business Associate may use or disclose PHI only: (a) to perform services, functions, or activities on behalf of Covered Entity as described in the Service Agreement, including compliance management, staff credentialing, Medicare compliance monitoring, and related administrative functions; (b) for the proper management and administration of Business Associate, provided the use or disclosure does not violate the HIPAA Privacy Rule; or (c) to carry out legal responsibilities as required by law.
Business Associate shall restrict uses and disclosures of PHI for management and administration purposes to:
Any use or disclosure under this Section 3.2 must be limited to the Minimum Necessary and must not violate the Privacy Rule.
Business Associate shall disclose PHI on behalf of Covered Entity only: (a) as required by law; (b) as authorized by a valid authorization from the Individual; or (c) as otherwise permitted by the Service Agreement or this Agreement. When Business Associate discloses PHI to another entity on behalf of Covered Entity, Business Associate shall ensure that the receiving entity agrees in writing to comply with applicable HIPAA restrictions on use and disclosure, unless such restrictions are prohibited by law.
Business Associate shall apply the Minimum Necessary standard to all requests for, uses of, and disclosures of PHI. Business Associate shall:
Business Associate may aggregate PHI with other information (whether de-identified or from other sources) and use or disclose the aggregated data for the purposes of service improvement, benchmarking, and analytics, provided:
Business Associate may de-identify PHI in accordance with 45 CFR § 164.514. De-identified information is no longer subject to this Agreement. Business Associate shall:
Notwithstanding anything to the contrary, Business Associate shall NOT use or disclose PHI for marketing purposes, to sell PHI, or for any purpose other than those explicitly permitted in this Agreement or the Service Agreement, without prior written authorization from Covered Entity.
Business Associate shall not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if Covered Entity used or disclosed the PHI in the same manner.
Business Associate shall implement and maintain administrative, physical, and technical safeguards appropriate to the nature of PHI and the risks associated with its use and disclosure, consistent with the Security Rule at 45 CFR Part 164, Subpart C.
Business Associate shall implement the following administrative safeguards:
Business Associate shall implement the following physical safeguards:
Business Associate shall implement the following technical safeguards, consistent with current industry standards, NIST guidelines, and accepted best practices for the protection of ePHI:
The specific security technologies, configurations, and standards referenced in this section reflect current industry best practices as of the Effective Date. Business Associate reserves the right to update specific technologies and implementations as industry standards evolve, provided that the updated measures maintain or exceed the level of protection described herein.
(a) Identification of Subcontractors: Business Associate shall maintain a current list of all Subcontractors that receive, access, create, maintain, or use ePHI on its behalf. Business Associate shall provide Covered Entity with a list of Subcontractors upon request and shall provide thirty (30) days' written notice prior to adding or replacing any Subcontractor that has access to ePHI.
(b) Subcontractor Agreements: Business Associate shall enter into a written agreement with each Subcontractor that:
(c) Primary Subcontractor: Business Associate has retained Amazon Web Services, Inc. (AWS) as a primary subcontractor for cloud infrastructure, data hosting, and storage services. AWS has executed a Business Associate Agreement with Business Associate that requires AWS to comply with this Agreement and HIPAA. Business Associate remains fully liable to Covered Entity for all Subcontractor performance.
(d) Subcontractor Liability: Business Associate shall be directly liable to Covered Entity for any breaches or non-compliance by Subcontractors, and shall ensure that all Subcontractor obligations are enforced through the subcontracting agreements and ongoing monitoring.
(e) Data Residency: Business Associate shall store all ePHI exclusively within data centers located in the United States. Business Associate shall not transfer, store, or process ePHI outside the United States without prior written consent from Covered Entity.
Business Associate shall promptly notify Covered Entity of:
(a) Availability of Records: Business Associate shall, at the request of Covered Entity, make available to Covered Entity all PHI in the Designated Record Set that is maintained by or on behalf of Business Associate, in a format reasonably usable by Covered Entity.
(b) Timeline: Business Associate shall provide access to requested PHI within fifteen (15) business days of Covered Entity's request.
(c) Format: Business Associate shall provide PHI in the form and format requested by Covered Entity, if such format is readily producible by Business Associate's systems. If not readily producible, Business Associate shall provide PHI in a mutually agreeable format.
(d) Assistance with Individual Access Rights: Business Associate shall cooperate with Covered Entity in responding to Individual requests for access to their own PHI under 45 CFR § 164.524, including providing ePHI in a timely manner to enable Covered Entity to meet the 30-day statutory deadline.
(a) Incorporation of Amendments: Business Associate shall incorporate amendments to PHI as requested by Covered Entity, as required by 45 CFR § 164.526.
(b) Timeline: Business Associate shall incorporate amendments within fifteen (15) business days of Covered Entity's request.
(c) Notification: Business Associate shall notify Covered Entity of any amendments it receives directly from Individuals, and shall assist Covered Entity in tracking and coordinating amendments.
(d) Coordination with Subcontractors: Business Associate shall ensure that all Subcontractors are notified of amendments and incorporate them in their systems.
(a) Record Maintenance: Business Associate shall maintain and make available records of all disclosures of PHI made on behalf of Covered Entity, as required by 45 CFR § 164.528. Records shall include:
(b) Preservation of Records: Business Associate shall preserve accounting records for at least six (6) years.
(c) Provision of Accounting: Upon Covered Entity's request, Business Associate shall provide Covered Entity with a complete accounting of disclosures within thirty (30) calendar days of the request. The accounting shall be in a format mutually agreed upon by the parties or in a format specified by Covered Entity.
(d) Scope Limitations: Accounting shall be limited to disclosures made in the twelve (12) months prior to the request, except as otherwise required by law. Accounting shall exclude disclosures made for treatment, payment, health care operations, and other purposes as permitted by the Privacy Rule without accounting requirements.
Business Associate shall, at the request of Secretary:
Business Associate shall take all reasonable steps to mitigate any harmful effects of any use or disclosure of PHI that is in violation of this Agreement or HIPAA. Such steps shall include:
(a) Upon Termination or Request: Upon termination of the Service Agreement or upon Covered Entity's request, Business Associate shall, at Covered Entity's election, either return or destroy all PHI (including ePHI and any copies or extracts thereof) maintained by Business Associate or its Subcontractors, except as provided in Section 4.9(b) below.
(b) Retention for Legal Purposes: Notwithstanding Section 4.9(a), Business Associate may retain the minimum amount of PHI necessary to comply with legal obligations (such as tax law, records retention laws, or litigation holds). Retained PHI shall remain subject to all safeguards and restrictions in this Agreement, and shall be destroyed as soon as legally permissible, but no later than the date when the legal obligation expires or is satisfied.
(c) Certification: Within thirty (30) days of returning or destroying PHI, Business Associate shall provide Covered Entity with written certification that all PHI has been returned or destroyed in accordance with this Section, including the methods used, dates of destruction, and confirmation that the PHI is unrecoverable.
(d) Subcontractor Destruction: Business Associate shall ensure that all Subcontractors return or destroy PHI in accordance with this Section and shall provide Covered Entity with evidence of such return or destruction.
In addition to the requirements set forth in Section 3.4, Business Associate shall:
Covered Entity shall:
Covered Entity shall:
Covered Entity acknowledges that it is responsible for compliance with HIPAA with respect to its own operations and the services it provides to Individuals. Business Associate's obligations under this Agreement do not diminish Covered Entity's obligations under HIPAA. Covered Entity shall:
(a) Effective Date: This Agreement shall be effective upon electronic acceptance by both parties and shall continue coterminous with the Service Agreement between Covered Entity and Business Associate.
(b) Continued Application: All obligations regarding the handling, protection, return, or destruction of PHI shall continue following termination of the Service Agreement, regardless of the termination date of the Service Agreement itself.
(a) Covered Entity Termination Rights: Covered Entity may terminate this Agreement and the Service Agreement if Business Associate materially breaches any provision of this Agreement. Covered Entity shall provide Business Associate with written notice specifying the breach and providing a period of thirty (30) calendar days for Business Associate to cure the breach, unless:
(b) Business Associate Termination Rights: Business Associate may terminate this Agreement upon thirty (30) days' written notice if Covered Entity materially breaches its obligations under Section 5 of this Agreement and fails to cure such breach within thirty (30) calendar days of notice.
(c) Immediate Termination for Non-Curable Breaches: Notwithstanding subsection (a), Covered Entity may immediately terminate this Agreement without a cure period if Business Associate has:
(a) Return or Destruction of PHI: Upon expiration or termination of this Agreement for any reason, Business Associate shall, at Covered Entity's election: (i) return to Covered Entity all PHI (including ePHI and copies) in the possession or control of Business Associate or its Subcontractors within thirty (30) calendar days; or (ii) destroy all PHI (including ePHI and copies) in the possession or control of Business Associate or its Subcontractors within thirty (30) calendar days.
(b) Destruction Standards: Destruction of PHI shall be accomplished in such a manner that the information cannot be recovered, in accordance with NIST standards or equivalent methods. Business Associate shall use methods such as:
(c) Infeasibility of Return/Destruction: If return or destruction is infeasible (as determined by Business Associate and confirmed by Covered Entity), Business Associate shall:
(d) Certification: Within thirty (30) days of returning or destroying PHI, Business Associate shall provide Covered Entity with written certification that all PHI has been returned or destroyed in accordance with this Section, including the methods used, dates of destruction, and confirmation that the PHI is unrecoverable.
(e) Survival of Obligations: The obligations of Business Associate with respect to confidentiality, security, and protection of PHI shall survive termination of this Agreement indefinitely with respect to any PHI retained by Business Associate or its Subcontractors.
(a) Breach: A Breach is an event that meets the definition in Section 2.1 of this Agreement — the unauthorized acquisition, access, use, or disclosure of Unsecured PHI that compromises the security or privacy of the information, except where Business Associate has implemented technical safeguards that render the information unusable, unreadable, or indecipherable.
(b) Security Incident: A Security Incident is any attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI, or interference with system operations in an information system (as defined in 45 CFR § 164.304). Not all Security Incidents constitute Breaches. A Security Incident that does not result in acquisition, access, use, or disclosure of Unsecured PHI is not a Breach (e.g., an unsuccessful brute-force attack, a failed malware attempt detected by antivirus software, or an anomalous login attempt immediately detected and blocked).
(c) Distinction: Business Associate shall distinguish between Breaches and Security Incidents in all communications. Breaches require notification to Covered Entity, Individuals, and potentially HHS and media outlets. Security Incidents require logging and may require reporting in aggregate, but do not trigger individual breach notifications unless they constitute a Breach.
(a) Breach Notification Timeline: Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and no later than thirty (30) calendar days after discovery of the Breach.
(b) Discovery Definition: For purposes of this Agreement, "discovery" means the first day a Business Associate employee, agent, or system becomes aware of a Breach or the day that a reasonable security assessment would have revealed a Breach. Business Associate shall implement procedures to detect and identify Breaches in a timely manner.
(c) Security Incidents: Security Incidents that do not constitute Breaches shall be logged and reported to Covered Entity in aggregate on a reasonable schedule, but no less frequently than quarterly.
Business Associate's notification to Covered Entity shall include, to the extent available:
(a) Timing: Covered Entity shall notify affected Individuals of the Breach without unreasonable delay and, to the extent practicable, no later than sixty (60) calendar days after discovery, in accordance with 45 CFR § 164.404.
(b) Content: Covered Entity shall include in Individual notifications the information described in Section 7.3 above, as well as information regarding credit monitoring services and identity theft protection, if Business Associate is providing such services.
(c) Substitute Notice: If Covered Entity has insufficient contact information for an Individual, Covered Entity and Business Associate shall consider reasonable substitute notice methods (e.g., email, phone, social media) or make reasonable efforts to obtain updated contact information.
(d) Business Associate's Cooperation: Business Associate shall cooperate with Covered Entity in preparing and delivering Individual notifications, including providing draft language, verifying affected Individual information, and assisting with distribution.
(a) Large Breaches: If a Breach affects more than five hundred (500) Individuals, Covered Entity, with Business Associate's cooperation, shall notify prominent media outlets serving the Individuals' geographical area without unreasonable delay and no later than sixty (60) calendar days after discovery of the Breach, in accordance with 45 CFR § 164.406.
(b) HHS Notification: Covered Entity, with Business Associate's cooperation, shall notify Secretary of the Breach in accordance with 45 CFR § 164.408:
(c) HHS Notification Content: HHS notification shall include: (i) the date of the Breach; (ii) a description of the Breach and the types of PHI involved; (iii) the number of Individuals affected; (iv) a brief description of Business Associate's response; (v) contact information for additional information; and (vi) Covered Entity's determination of whether Covered Entity notified Individuals pursuant to 45 CFR § 164.404 or § 164.407.
(d) Business Associate's Obligation: Business Associate shall provide Covered Entity with all information necessary to make HHS and media notifications, including the information specified in Section 7.3 above.
(a) Investigation: Upon discovery of a Breach, Business Associate shall immediately:
(b) Root Cause Analysis: Business Associate shall conduct a thorough root cause analysis to identify the underlying technical, administrative, or operational failures that led to the Breach, and shall share findings with Covered Entity.
(c) Corrective Measures: Business Associate shall implement promptly all reasonable corrective measures to prevent similar Breaches, including:
(d) Harm Mitigation Services: Business Associate shall offer, at its expense, appropriate credit monitoring or identity theft protection services to affected Individuals for a period of not less than twelve (12) months from the Breach discovery date, unless Covered Entity assumes this obligation.
(e) Business Associate's Cooperation: Business Associate shall fully cooperate with Covered Entity, affected Individuals, law enforcement, regulators, and third parties in:
(f) Privileged Communications: Business Associate's investigation, corrective measures, and communications with legal counsel regarding the Breach shall be conducted in a manner designed to preserve attorney-client privilege and work product protection where applicable, and in coordination with Covered Entity's legal counsel where appropriate.
(a) Logging: Business Associate shall log and maintain records of all Security Incidents, including those that do not rise to the level of a Breach. Incident logs shall include the date, time, nature, and description of the Security Incident, the potential impact, and the response taken.
(b) Retention: Business Associate shall retain Security Incident logs for a minimum of six (6) years and shall make such logs available to Covered Entity and Secretary upon request.
(c) Aggregate Reporting: Business Associate shall report to Covered Entity, on a quarterly basis or upon request, a summary of Security Incidents that have been detected and the remediation steps taken, even if such Security Incidents do not constitute Breaches.
(d) Trending and Analysis: Business Associate shall analyze Security Incident data for trends, patterns, and repeat issues, and shall share analytical findings with Covered Entity to inform improvements to safeguards and response procedures.
(a) Business Associate Responsibility: Business Associate shall bear all costs associated with:
(b) Shared or Covered Entity Responsibility: Costs not caused by Business Associate's non-compliance (e.g., Breaches caused by Covered Entity's negligence, loss of devices provided by Covered Entity, etc.) may be negotiated between the parties.
(c) Limitation: Notwithstanding the foregoing, the parties acknowledge that actual costs associated with Breach notification and mitigation are often substantial and may exceed normal business insurance coverage. The parties agree to negotiate in good faith regarding any costs that exceed expectations.
(a) Amendments: The parties acknowledge that HIPAA and related regulations may be amended or that new HIPAA rules may be issued. If the Secretary issues amendments to the Privacy Rule, Security Rule, Breach Notification Rule, or related rules that affect Business Associate's obligations under this Agreement, the parties agree to negotiate in good faith to amend this Agreement to comply with such new requirements within a reasonable time following the effective date of such new rules.
(b) Anticipated Changes: The parties acknowledge that HHS has indicated a possible review of the HIPAA Security Rule in 2025-2026 to modernize security standards and address emerging threats (such as ransomware, cloud security, and artificial intelligence risks). Both parties agree to monitor regulatory developments and to engage in timely amendments if such changes become effective.
(c) Enhanced Security Standards: The parties agree that the security standards described in Section 4.1 of this Agreement reflect current industry best practices as of the Effective Date. If regulatory requirements or industry standards substantially change, the parties agree to reassess and update these requirements accordingly.
(d) Compliance Deadline: If new HIPAA requirements are issued, Business Associate shall comply with such requirements by the date specified in the regulatory requirement, or by mutual agreement of the parties, whichever is sooner.
(a) California SB 446: Business Associate acknowledges that California Senate Bill 446 (SB 446, effective January 1, 2026) requires consumer notification of security breaches within thirty (30) days, which is faster than the federal HITECH Act timeline of sixty (60) days. If Covered Entity serves California residents, Business Associate shall comply with the 30-day California timeline in addition to federal requirements.
(b) Other State Laws: Business Associate shall comply with all applicable state breach notification laws, which may impose varying timelines and notification requirements. Covered Entity shall inform Business Associate of all states in which it operates, so that Business Associate can apply the most stringent applicable timeline.
(a) HIPAA Supremacy: This Agreement is governed by the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), the Security Rule (45 CFR Part 164, Subpart C), the Breach Notification Rule (45 CFR Part 164, Subpart D), and the HITECH Act (42 U.S.C. § 17921 et seq.). To the extent any provision of this Agreement conflicts with HIPAA or HITECH, the requirements of HIPAA and HITECH shall control.
(b) State Law: Except as preempted by HIPAA and HITECH, this Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its choice of law provisions.
(c) Construction: Any ambiguity in this Agreement shall be interpreted in a manner that furthers HIPAA compliance and the protection of Individual privacy and security. Headings and captions are for convenience only and do not affect interpretation.
(d) Severability: If any provision of this Agreement is held to be invalid or unenforceable under HIPAA or applicable law, such provision shall be severed, and the remaining provisions shall remain in full force and effect. The parties shall negotiate in good faith to replace any severed provision with a valid and enforceable provision that achieves the original intent of the severed provision.
This Agreement is entered into solely for the benefit of Covered Entity and Business Associate. No third party, including any Individual whose PHI is subject to this Agreement, shall have any right or cause of action under this Agreement, except as expressly provided by HIPAA or HITECH Act.
This Agreement, together with the Service Agreement, constitutes the entire agreement between the parties with respect to the use, disclosure, and safeguarding of PHI. No oral statements, representations, or agreements outside of this written Agreement shall be binding upon the parties. This Agreement supplements the Service Agreement and does not modify, amend, or supersede the Service Agreement except as expressly provided herein.
This Agreement may be amended, modified, or supplemented only by a written instrument signed by authorized representatives of both Covered Entity and Business Associate. No course of dealing, course of performance, or trade practice shall be deemed to amend this Agreement.
(a) Delivery Methods: All notices, requests, and demands required under this Agreement shall be in writing and shall be delivered by:
(b) Addresses: Notices shall be sent to the addresses specified below, unless the receiving party has provided updated contact information:
For Covered Entity: [Name, Address, Email, Phone]
For Business Associate:
Ordo Compliance, Inc.
[Address]
Attention: Legal Department / Chief Compliance Officer
Email: legal@ordocompliance.com
Phone: [Phone]
(c) Effective Date of Notice: Notices shall be effective upon receipt.
(d) Breach Notification Exception: Notwithstanding the above, Business Associate may provide Breach notifications to Covered Entity via telephone or email if necessary to meet the notification timeline in Section 7.2.
This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Execution and delivery by facsimile, email (PDF), or other electronic means shall have the same force and effect as delivery of manually executed originals. Electronic signatures shall be valid and binding for all purposes.
(a) No Assignment by Business Associate: Business Associate shall not assign, transfer, delegate, or subcontract its rights or obligations under this Agreement without the prior written consent of Covered Entity. Any attempted assignment without consent shall be void.
(b) Permitted Assignments: Notwithstanding subsection (a), Business Associate may assign this Agreement to a successor entity in the event of a merger, acquisition, or sale of substantially all assets, provided that (i) the successor entity assumes all of Business Associate's obligations under this Agreement; (ii) Business Associate notifies Covered Entity of the assignment at least thirty (30) days in advance; and (iii) Covered Entity has the right to terminate this Agreement if it does not consent to the successor entity.
(c) Covered Entity Flexibility: Covered Entity may assign this Agreement to a successor covered entity (e.g., in the event of a merger or acquisition of Covered Entity) without Business Associate's prior consent, provided Covered Entity notifies Business Associate of the assignment.
No waiver of any provision of this Agreement shall be effective unless in writing and signed by the waiving party. Failure of either party to enforce any right or provision shall not constitute a waiver of such right or provision. A waiver by either party of a breach of this Agreement shall not constitute a waiver of any other breach.
The obligations of Business Associate with respect to the safeguarding, return, and destruction of PHI, as well as breach notification and compliance with HIPAA, shall survive the termination of this Agreement for any reason and shall continue indefinitely with respect to any PHI retained by Business Associate or its Subcontractors.
Business Associate is an independent contractor and is not an employee, agent, or partner of Covered Entity. Business Associate shall not represent itself as an agent of Covered Entity except as necessary to perform the services described in the Service Agreement. Business Associate shall not incur any obligation on behalf of Covered Entity without express written authorization.
Both parties shall comply with all applicable federal, state, and local laws and regulations in performing their respective obligations under this Agreement, including HIPAA, HITECH, state breach notification laws, state privacy laws, and state-specific regulations applicable to health care providers.
By executing this Agreement, each party represents and warrants that: (a) it is duly authorized to enter into this Agreement; (b) the person executing this Agreement on its behalf has authority to bind the party; and (c) this Agreement constitutes a valid and binding obligation of the party, enforceable according to its terms.
FOR COVERED ENTITY:
By: ___________________________________
Name: _________________________________
Title: __________________________________
Organization: ___________________________
Date: ___________________________________
FOR BUSINESS ASSOCIATE:
By: ___________________________________
Name: _________________________________
Title: __________________________________
Organization: Ordo Compliance, Inc.
Date: ___________________________________
As of the Effective Date of this Agreement, the primary subcontractors that will have access to ePHI are:
| Subcontractor Name | Service Provided | Data Handled | BAA Signed |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud Infrastructure, Data Hosting, Storage, Backup | All ePHI | Yes |
| [Other Subcontractor Name] | [Service Description] | [Data Handled] | Yes/No |
Note: Business Associate shall provide an updated Subcontractor List to Covered Entity upon request and shall provide thirty (30) days' written notice prior to adding any new Subcontractor with access to ePHI.
Ordo Compliance, Inc.
privacy@ordocompliance.com
Existing customers sign this agreement electronically during onboarding at /baa/.