Business Associate Agreement
Last Updated: January 2026
This Business Associate Agreement (“BAA”) is required for customers processing Protected Health Information (PHI). Contact sales@thinkhive.ai to execute this agreement.
1. Purpose
This BAA establishes the terms under which ThinkHive (“Business Associate”) may receive, create, maintain, or transmit Protected Health Information (“PHI”) on behalf of Customer (“Covered Entity”) in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
2. Definitions
Terms used in this BAA have the meanings set forth in HIPAA and its implementing regulations:
| Term | Definition |
|---|---|
| PHI | Protected Health Information as defined in 45 CFR § 160.103 |
| ePHI | Electronic Protected Health Information |
| Covered Entity | Entity subject to HIPAA (healthcare provider, health plan, clearinghouse) |
| Business Associate | Entity that handles PHI on behalf of a Covered Entity |
| Security Incident | Attempted or successful unauthorized access to ePHI |
| Breach | Unauthorized acquisition, access, use, or disclosure of PHI |
3. Permitted Uses and Disclosures
3.1 Permitted Uses
Business Associate may use or disclose PHI only:
- As necessary to perform services under the Terms of Service
- As required by law
- For proper management and administration
- To report violations of law
3.2 Prohibited Uses
Business Associate shall NOT:
- Use or disclose PHI except as permitted by this BAA
- Use PHI for marketing purposes
- Sell PHI
- Use PHI in ways that violate the minimum necessary standard
4. Safeguards
4.1 Administrative Safeguards
Business Associate will:
- Designate a Security Officer
- Conduct workforce training
- Implement access management procedures
- Maintain security policies and procedures
- Perform regular risk assessments
4.2 Physical Safeguards
Business Associate will:
- Ensure data centers have appropriate physical security
- Control access to facilities containing ePHI
- Maintain workstation and device security
4.3 Technical Safeguards
Business Associate will:
- Implement access controls (unique user IDs, automatic logoff)
- Use encryption for ePHI in transit and at rest
- Implement audit controls and logging
- Maintain data integrity controls
- Ensure secure transmission of ePHI
5. Specific Security Measures
ThinkHive implements the following for HIPAA compliance:
| Measure | Implementation |
|---|---|
| Encryption | AES-256 at rest, TLS 1.3 in transit |
| Access Control | Role-based access, MFA required |
| Audit Logging | Comprehensive PHI access logging |
| Data Isolation | Tenant-level data segregation |
| Backup | Encrypted backups with retention |
| Incident Response | Documented procedures |
6. Breach Notification
6.1 Notification Requirements
Business Associate will notify Covered Entity of any Breach:
- Without unreasonable delay
- Within 10 business days of discovery
- Including all information required by 45 CFR § 164.410
6.2 Notification Contents
Breach notifications will include:
- Description of the breach
- Types of PHI involved
- Identification of affected individuals (if known)
- Steps taken to mitigate harm
- Investigation status
6.3 Security Incidents
Business Associate will report Security Incidents that do not rise to the level of a Breach within 30 days via quarterly security reports.
7. Subcontractors
7.1 Requirements
Business Associate will ensure that any subcontractors handling PHI:
- Agree to the same restrictions in this BAA
- Implement appropriate safeguards
- Report breaches and security incidents
7.2 HIPAA-Compliant Subcontractors
| Subcontractor | Service | BAA Status |
|---|---|---|
| Google Cloud | Infrastructure | ✓ BAA in place |
| Neon | Database | ✓ BAA in place |
Note: AI analysis features (OpenAI, Anthropic) are disabled for accounts with a BAA in place unless explicitly enabled with appropriate safeguards.
8. Individual Rights
Business Associate will assist Covered Entity in responding to individual requests for:
8.1 Access
- Provide PHI within 10 business days of request
- In the format requested, if readily producible
8.2 Amendment
- Process amendment requests within 10 business days
- Incorporate approved amendments
8.3 Accounting of Disclosures
- Maintain records of disclosures
- Provide accounting within 30 days of request
8.4 Restrictions
- Honor restrictions agreed to by Covered Entity
9. Audit Rights
9.1 Internal Practices
Covered Entity may:
- Request documentation of policies and procedures
- Request results of recent audits or assessments
- Request evidence of training programs
9.2 Government Audits
Business Associate will:
- Make practices available to HHS for compliance review
- Cooperate with government audits
- Provide requested documentation
10. Term and Termination
10.1 Term
This BAA takes effect upon execution and continues until:
- Termination of the underlying service agreement
- Termination for breach
10.2 Termination for Breach
If Business Associate breaches this BAA:
- Covered Entity may provide an opportunity to cure (30 days)
- If not cured, Covered Entity may terminate
- If cure not feasible, immediate termination permitted
10.3 Effect of Termination
Upon termination:
- Business Associate will return or destroy all PHI
- If return or destruction is not feasible, protections continue indefinitely
- Business Associate will certify destruction upon request
11. Amendments
This BAA will be amended as necessary to comply with:
- Changes to HIPAA regulations
- HHS guidance
- Changes in applicable law
12. Miscellaneous
12.1 No Third-Party Beneficiaries
This BAA does not create rights in third parties.
12.2 Regulatory References
References to HIPAA include all amendments and implementing regulations.
12.3 Interpretation
Any ambiguity shall be resolved in favor of HIPAA compliance.
13. Execution
To Execute This BAA: Contact sales@thinkhive.ai with:
- Your organization name
- Covered Entity status
- Primary contact for HIPAA matters
- Planned use case for PHI
Contact
For BAA-related matters:
- Sales: sales@thinkhive.ai
- Security: security@thinkhive.ai
- HIPAA Compliance: hipaa@thinkhive.ai