Business Associate Agreement
Effective Date: March 31, 2026 | Last Updated: March 31, 2026
This Business Associate Agreement ("BAA" or "Agreement") is entered into by and between Modern Village LLC, a California limited liability company ("Business Associate"), and you, a covered entity or business associate under the Health Insurance Portability and Accountability Act of 1996 ("Covered Entity"). This BAA applies to healthcare providers who use the Modern Village platform to deliver services to patients and families.
1. Introduction
This Agreement supplements and is made a part of the service agreement(s) ("Principal Agreements") between Business Associate and Covered Entity, under which Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity.
The parties agree to comply with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations, including but not limited to 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules").
2. Definitions
Capitalized terms used but not defined in this Agreement shall have the same meaning as in the HIPAA Rules. For purposes of this Agreement:
- "Protected Health Information" (PHI) has the same meaning as defined in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
- "Electronic Protected Health Information" (ePHI) has the same meaning as defined in 45 CFR § 160.103.
- "Breach" has the same meaning as defined in 45 CFR § 164.402.
- "Security Incident" has the same meaning as defined in 45 CFR § 164.304.
- "Required By Law" has the same meaning as defined in 45 CFR § 164.103.
3. Obligations of Business Associate
Business Associate agrees to:
3.1 Permitted Uses and Disclosures
- Not use or further disclose PHI other than as permitted or required by this Agreement, the Principal Agreements, or as Required By Law
- Use PHI only to provide the services described in the Principal Agreements, including facilitating telehealth sessions, processing bookings, sending appointment communications, and operating the AI coaching platform
3.2 Safeguards
- Use appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI
- Comply with the HIPAA Security Rule (Subpart C of 45 CFR Part 164) with respect to ePHI
- Implement and maintain encryption of ePHI in transit (TLS) and at rest (AES-256)
- Maintain access controls ensuring only authorized personnel can access PHI
- Maintain audit logs recording access to ePHI
- Implement automatic session termination after periods of inactivity
3.3 Subcontractors
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate under this Agreement
- Current subcontractors who may process PHI include: Supabase (database hosting), Cloudflare (API infrastructure), Resend (email delivery), Anthropic (AI processing), and Doxy.me (telehealth video)
3.4 Reporting
- Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured PHI as required by 45 CFR § 164.410
- Report any Security Incident of which Business Associate becomes aware
- Provide such reports without unreasonable delay and in no case later than 60 days after discovery of the Breach
3.5 Access and Amendment
- Make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations to provide individuals with access to their PHI under 45 CFR § 164.524
- Make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity under 45 CFR § 164.526
3.6 Accounting of Disclosures
- Make available the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528
- Maintain records of disclosures for a period of 6 years from the date of the disclosure
3.7 Government Access
- Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules
4. Permitted Uses and Disclosures by Business Associate
Business Associate may use and disclose PHI as follows:
- To provide services to Covered Entity as specified in the Principal Agreements
- For the proper management and administration of Business Associate, provided that such disclosures are Required By Law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially
- To de-identify PHI in accordance with 45 CFR § 164.514(a)-(c), provided that de-identified information is used only for aggregate analytics and quality improvement purposes
- To report violations of law to appropriate federal and state authorities, consistent with 45 CFR § 164.502(j)(1)
5. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any limitations in Covered Entity's Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI
- Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI
- Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity
6. Term and Termination
6.1 Term
This Agreement is effective as of the date Covered Entity begins using the Platform and shall remain in effect for the duration of the Principal Agreements, unless earlier terminated as provided herein.
6.2 Termination for Cause
Either party may terminate this Agreement if the other party materially breaches any provision of this Agreement and fails to cure such breach within 30 days of receiving written notice of the breach.
6.3 Effect of Termination
- Upon termination, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form
- If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI
- Business Associate shall retain no copies of the PHI except as necessary for legal compliance
7. Breach Notification
In the event of a Breach of Unsecured PHI, Business Associate shall:
- Notify Covered Entity without unreasonable delay and in no case later than 60 days after discovery of the Breach
- Include in such notification: the nature of the Breach, the types of PHI involved, the identity of each individual affected (if known), the steps Business Associate has taken to mitigate harm, and the steps Business Associate recommends Covered Entity take
- Cooperate with Covered Entity in investigating the Breach and fulfilling Covered Entity's notification obligations under 45 CFR §§ 164.404-408
8. Indemnification
Business Associate shall indemnify, defend, and hold harmless Covered Entity from any claims, damages, losses, or expenses (including reasonable attorneys' fees) arising from Business Associate's breach of this Agreement or the HIPAA Rules, except to the extent caused by Covered Entity's own negligence or willful misconduct.
9. Miscellaneous
9.1 Amendment
The parties agree to amend this Agreement as necessary to comply with changes in the HIPAA Rules or other applicable law.
9.2 Survival
The obligations of Business Associate under Sections 3, 6.3, 7, and 8 shall survive the termination of this Agreement.
9.3 Interpretation
Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
9.4 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of California and applicable federal law, including the HIPAA Rules.
10. Contact
To execute this BAA or for questions about our HIPAA compliance practices, please contact:
Modern Village LLC
Privacy Officer: Jorrel Patterson
Email: hello@modernvillage.app
Website: modernvillage.app
To initiate the BAA process, Providers should email hello@modernvillage.app with the subject line "BAA Request" and include your organization name, NPI number, and contact information.