HIPAA Business Associate Agreement
Last updated: April 9, 2026 · Version: 1.0-20260409
1. Scope and Purpose
CloudFran Technologies, Inc. acts as a Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"), when handling Protected Health Information ("PHI") on behalf of Covered Entities who subscribe to Meditropia. The BAA governs the permitted uses and disclosures of PHI, safeguards for PHI, breach notification, and other obligations under the HIPAA Privacy, Security, and Breach Notification Rules.
2. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as necessary to perform the services described in the subscription agreement (scheduling, patient communications, billing, intake, and analytics) or as required by law. Business Associate will not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by the Covered Entity.
3. Safeguards
Business Associate implements administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI (ePHI). These include: encryption of PHI at rest and in transit (AES-256, TLS 1.3), role-based access controls, audit logging of PHI access, workforce training on HIPAA, background checks for personnel with PHI access, and documented incident response procedures.
4. Subcontractors
Business Associate will enter into written BAAs with any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate, ensuring that the subcontractor agrees to the same restrictions and conditions that apply to Business Associate. Current subprocessors for PHI handling include Microsoft Azure (cloud hosting with BAA), Twilio (HIPAA-eligible configuration), and SendGrid (HIPAA-eligible configuration).
5. Breach Notification
Business Associate will notify the Covered Entity of any Breach of Unsecured PHI without unreasonable delay, and in no case later than 60 calendar days after discovery of the Breach, as required by 45 CFR § 164.410. The notification will include the identity of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach.
6. Individual Rights
Business Associate will make PHI available to the Covered Entity as necessary to satisfy the Covered Entity's obligations to provide access to PHI, amend PHI, and provide an accounting of disclosures under HIPAA. Business Associate will respond to Covered Entity requests within 30 days where feasible.
7. Termination and Return of PHI
Upon termination of the subscription agreement, Business Associate will return or destroy all PHI received from the Covered Entity, or created or received by Business Associate on behalf of the Covered Entity, including PHI in the possession of subcontractors. If return or destruction is not feasible, Business Associate will extend the protections of the BAA to the PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
8. Minimum Necessary
Business Associate will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, consistent with 45 CFR § 164.502(b) and the Covered Entity's own minimum-necessary policies.
9. Execution
A separate HIPAA Business Associate Agreement is provided for execution during Meditropia subscription onboarding. It must be signed by an authorized representative of the Covered Entity before any PHI is transmitted through the Platform. The executed BAA supersedes this reference summary in any case of conflict.