Accreditation Now Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into between Customer (“Covered Entity”) and Accreditation Now (“Business Associate”).
1. PURPOSE
This BAA governs the use and disclosure of Protected Health Information (“PHI”) by Business Associate when providing services to Covered Entity through the Accreditation Now platform.
2. DEFINITIONS
Terms used in this BAA shall have the same meaning as defined under HIPAA, including but not limited to “PHI”, “Breach”, and “Security Incident”.
3. PERMITTED USES AND DISCLOSURES
Business Associate may use and disclose PHI solely as necessary to provide the services offered through the platform and as otherwise permitted by law.
Business Associate shall limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, in accordance with HIPAA.
Business Associate shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity.
4. SAFEGUARDS
Business Associate will implement reasonable and appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of PHI in accordance with the HIPAA Security Rule.
- Encryption of data at rest and in transit where appropriate
- Access controls to limit PHI exposure
- System activity logging and monitoring
- Measures to protect against reasonably anticipated threats or hazards
5. REPORTING
Business Associate will report to Covered Entity any known unauthorized use or disclosure of PHI or any Breach of Unsecured PHI without unreasonable delay after discovery.
6. SUBCONTRACTORS
Business Associate may use third-party service providers (including cloud hosting providers such as Microsoft Azure) to support the services.
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI, including entering into Business Associate Agreements where applicable.
7. ACCESS, AMENDMENT, AND ACCOUNTING
To the extent required by HIPAA, Business Associate will make PHI available to Covered Entity as necessary to satisfy Covered Entity’s obligations regarding access, amendment, and accounting of disclosures.
8. CUSTOMER RESPONSIBILITIES
Covered Entity agrees to:
- Use the platform in compliance with HIPAA and applicable laws
- Limit PHI access to authorized users
- Avoid storing PHI in areas not designated for such use
- Configure and manage user access appropriately
9. TERMINATION
Upon termination of services, Business Associate will, to the extent feasible, delete or return PHI in accordance with its standard data retention policies, unless retention is required by law.
If Business Associate determines that it is not feasible to return or destroy PHI, it will extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
10. COMPLIANCE WITH HIPAA
The parties agree to comply with all applicable provisions of HIPAA. Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA.
11. NO DATA OWNERSHIP
Business Associate does not claim ownership of PHI. All PHI remains the property of Covered Entity.
12. AMENDMENT
This BAA may be updated from time to time. Continued use of PHI-enabled features constitutes acceptance of the current version.
13. ENTIRE AGREEMENT
This BAA is incorporated into the platform Terms of Service and governs PHI-related obligations between the parties.
Version: 1.0
Last Updated: April 22, 2026
