A fully executed BAA is required for all Vasl Health healthcare and school-based organizational deployments. Execution takes place before platform access is granted. Request BAA execution below — our legal team responds within one business day.
Request BAA Execution →This Business Associate Agreement ("BAA" or "Agreement") is entered into between Vasl Health, Inc., a Delaware Public Benefit Corporation ("Business Associate" or "BA"), and the organization executing this Agreement ("Covered Entity" or "CE"), effective as of the date of full execution.
Covered Entity is a Covered Entity as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and the regulations promulgated thereunder at 45 C.F.R. Parts 160 and 164 (the "HIPAA Rules"), including the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Business Associate performs certain services for Covered Entity that involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI"). This Agreement sets forth the terms and conditions under which Business Associate will handle PHI in connection with services provided to Covered Entity.
Terms used but not defined in this Agreement shall have the meanings given in the HIPAA Rules. Key defined terms include:
Has the meaning given at 45 C.F.R. § 164.402 — the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of PHI.
Vasl Health, Inc., acting in its capacity as a Business Associate as defined at 45 C.F.R. § 160.103.
Individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, as defined at 45 C.F.R. § 160.103.
The emotional health platform services provided by Vasl Health, Inc. to Covered Entity as described in the executed Service Agreement, including the Vasl Language Analysis Platform (VLAP), member care coordination, coaching services, and related organizational reporting.
Business Associate may use and disclose PHI as necessary to perform the Services described in the executed Service Agreement between the parties, and as required by law.
Except as otherwise limited by this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate. Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the recipient that the information will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed.
Business Associate may create de-identified data from PHI in accordance with 45 C.F.R. § 164.514(b) and may use such de-identified data for platform improvement, research, and aggregate reporting purposes without restriction under this Agreement.
Business Associate's Vasl Language Analysis Platform (VLAP) processes member language in-memory. Verbatim member language is not retained as PHI after processing — only a dimensional signal profile is generated and retained. This in-memory processing architecture constitutes a technical safeguard under the HIPAA Security Rule and is not configurable by Covered Entity or its administrators.
Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law. Business Associate shall use appropriate safeguards and, as applicable, comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
Business Associate shall, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
Business Associate shall notify Covered Entity without unreasonable delay and in no case later than 60 days following discovery of a Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410. Notification shall include, to the extent possible, the identification of individuals whose PHI may have been involved, and any other available information required by 45 C.F.R. § 164.404(c).
Business Associate shall, to the extent Business Associate maintains a designated record set, make available PHI in accordance with 45 C.F.R. § 164.524 (access), 164.526 (amendment), and 164.528 (accounting of disclosures). Business Associate shall provide requested information in a timely manner to allow Covered Entity to meet its obligations under the HIPAA Rules.
Business Associate shall make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
Upon termination of this Agreement, Business Associate shall, if feasible, return or destroy all PHI received from or on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
Covered Entity shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices to the extent such limitation may affect Business Associate's use or disclosure of PHI.
Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by individuals to use or disclose their PHI, to the extent such changes affect Business Associate's permitted uses and disclosures.
Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by, to the extent such restriction affects Business Associate's use or disclosure of PHI.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
This Agreement shall be effective as of the date of full execution and shall continue until terminated as set forth herein or until the termination of the underlying Service Agreement between the parties.
Covered Entity may immediately terminate this Agreement and the underlying Service Agreement if Covered Entity determines that Business Associate has violated a material term of this Agreement and Business Associate has not cured the breach within 30 days of receiving written notice. Business Associate may terminate this Agreement if it determines that Covered Entity has violated a material term of this Agreement and such breach is not cured within 30 days of written notice.
The obligations of Business Associate under Section 3.6 (Return or Destruction of PHI) shall survive termination of this Agreement. The parties' obligations with respect to PHI created or received prior to termination shall continue as necessary to comply with the HIPAA Rules.
A reference in this Agreement to a section in the HIPAA Rules means the section in effect or as amended.
The parties agree to take such action as is reasonably necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules. Amendments must be in writing and executed by authorized representatives of both parties.
This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and the HITECH Act. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with those requirements. The parties agree that if there is a conflict between this Agreement and the Service Agreement as to PHI, the terms of this Agreement shall govern.
This Agreement shall be governed by the laws of the State of Maryland, except to the extent preempted by federal law. Any disputes arising under this Agreement shall be resolved in accordance with the dispute resolution provisions of the underlying Service Agreement.
This Agreement, together with the Service Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, representations, or understandings between the parties relating to PHI.
For BAA execution, amendments, or compliance inquiries: legal@vaslhealth.com. For HIPAA-specific questions: hipaa@vaslhealth.com.
This BAA is executed electronically via DocuSign or by return of a signed PDF to legal@vaslhealth.com. Vasl Health countersigns and returns a fully executed copy. Digital signatures are legally binding under the Electronic Signatures in Global and National Commerce Act (E-SIGN Act).
IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the date of last signature below.
Vasl Health, Inc.
A Delaware Public Benefit Corporation
Organization Name: ___________________________
Address: ___________________________