Effective Date: January 1, 2026
This Business Associate Agreement (“BAA”) is entered into by and between Same Time Next Week LLC (“Business Associate” or “Therhappy”) and the Healthcare Provider (“Covered Entity”), collectively referred to as the “Parties.” This BAA supplements and is incorporated into the Terms of Service and Privacy Policy for the Therhappy platform (the “Services”).
1. Purpose
This BAA ensures compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act, and regulations at 45 CFR Parts 160 and 164 (“HIPAA Rules”). It governs the use, disclosure, and protection of Protected Health Information (“PHI”) by Business Associate on behalf of Covered Entity.
2. Definitions
- PHI: Individually identifiable health information transmitted or maintained in any form, relating to the past, present, or future physical or mental health of an individual.
- Electronic PHI (ePHI): PHI in electronic form.
- Security Incident: Attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI.
- Required by Law: Uses or disclosures mandated by law or regulation.
3. Obligations and Responsibilities of Business Associate
Business Associate agrees to:
- Use or disclose PHI only as permitted by this BAA, HIPAA Rules, and Covered Entity instructions.
- Implement administrative, physical, and technical safeguards to protect PHI,
including but not limited to:
- Access controls and role-based permissions
- Encryption in transit (TLS) and at rest (AES-256 or equivalent)
- Multi-factor authentication (MFA) for all accounts accessing PHI
- Audit logs and monitoring of access to PHI
- Regular security assessments and penetration testing
- High availability, redundancy, and disaster recovery procedures
- Mitigate, to the extent practicable, any harmful effects known to Business Associate of unauthorized PHI use or disclosure.
- Report Security Incidents and breaches of PHI promptly to Covered Entity in accordance with HIPAA breach notification rules.
- Ensure that any subcontractors or agents accessing PHI agree in writing to the same restrictions and safeguards imposed on Business Associate.
- Provide access, amendment, and accounting of disclosures to PHI as required by HIPAA and within a reasonable timeframe.
4. Permitted Uses and Disclosures
Business Associate may:
- Use PHI solely to provide the Services to Covered Entity as authorized in the Terms of Service.
- Disclose PHI to third-party service providers or subcontractors strictly for provision of Services, subject to written agreements ensuring HIPAA compliance.
- Use de-identified or aggregated PHI for analytics, research, or service improvement in accordance with HIPAA de-identification standards.
- Use or disclose PHI as Required by Law or as specifically permitted in this BAA.
5. Prohibited Uses and Disclosures
Business Associate may not:
- Use PHI for marketing, fundraising, or any purpose unrelated to the Services without explicit authorization.
- Sell PHI to third parties.
- Disclose PHI in a manner that violates HIPAA or other applicable laws.
6. Security and Safeguards
Business Associate will implement reasonable and appropriate safeguards to protect PHI, including administrative, technical, and physical measures consistent with HIPAA. This includes:
- Maintaining access controls, audit logging, and monitoring
- Encrypting data in transit and at rest
- Multi-factor authentication for all accounts accessing PHI
- High availability, redundancy, and disaster recovery procedures
- Regular security assessments and penetration testing
7. Breach Notification
Business Associate will report any confirmed or suspected breach of PHI promptly to Covered Entity, including:
- Nature of the breach
- PHI involved
- Steps taken to mitigate harm
- Recommendations for affected individuals
Notifications will be made in accordance with HIPAA rules and applicable state law.
8. Subcontractors and Agents
Business Associate will ensure that any subcontractors, agents, or third parties handling PHI agree in writing to the same restrictions, safeguards, and obligations as Business Associate under this BAA.
9. Term and Termination
This BAA is effective as of the Effective Date and continues until terminated by either party upon written notice.
Upon termination, Business Associate will, at Covered Entity’s discretion:
- Return all PHI to Covered Entity
- Or securely destroy all PHI, including backups, if return is not feasible
10. Amendment
This BAA may be amended to comply with changes in HIPAA, HITECH, or other applicable laws. Any amendment will be in writing and signed by both Parties.
11. Indemnification and Liability
Business Associate shall indemnify and hold harmless Covered Entity from any claims, liabilities, or penalties resulting from Business Associate’s unauthorized use or disclosure of PHI or failure to comply with HIPAA and this BAA.
12. Governing Law and Venue
This BAA is governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict of laws principles. Any legal action shall be brought exclusively in the state or federal courts located in Florida.
13. Miscellaneous
- This BAA supersedes any prior HIPAA-related agreements between the Parties.
- If any provision is found invalid, the remaining provisions remain in effect.
- Headings are for convenience only and do not affect interpretation.
14. Contact Information
Same Time Next Week LLC
Operating Therhappy
Email: legal@therhappy.com