Business Associate Agreement
Effective Date: July 2, 2026
This Business Associate Agreement ("BAA") is entered into between the customer identified in the applicable order form or account registration ("Covered Entity") and Quaspar Inc. ("Business Associate" or "Quaspar"), and is incorporated into the agreement between the parties governing Quaspar's services (the "Agreement"). This BAA applies to the extent Quaspar creates, receives, maintains, or transmits Protected Health Information on behalf of Covered Entity in connection with the Services.
1. Definitions
Capitalized terms used but not defined in this BAA have the meanings given in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations at 45 C.F.R. Parts 160 and 164, as amended, including by the HITECH Act (collectively, "HIPAA"). "PHI" means Protected Health Information, and for purposes of this BAA is limited to PHI that Quaspar creates, receives, maintains, or transmits on behalf of Covered Entity. "Electronic PHI" or "ePHI" means PHI transmitted or maintained in electronic media.
2. Permitted Uses and Disclosures
2.1 Quaspar may use and disclose PHI only: (a) to perform the Services and its obligations under the Agreement; (b) as permitted or required by this BAA; or (c) as Required by Law.
2.2 Quaspar may use PHI for its proper management and administration and to carry out its legal responsibilities, and may disclose PHI for such purposes if the disclosure is Required by Law or Quaspar obtains reasonable assurances from the recipient that the PHI will be held confidentially, used only as required by law or for the purpose disclosed, and that the recipient will notify Quaspar of any breach of confidentiality.
2.3 Quaspar may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c). De-identified data is not PHI and is not subject to this BAA.
2.4 Quaspar may use PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.5 Quaspar will not use or disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as permitted above. Quaspar will not sell PHI or use or disclose PHI for marketing purposes.
2.6 Minimum Necessary. Quaspar will request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose.
3. Safeguards
Quaspar will: (a) use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided by this BAA; and (b) with respect to ePHI, comply with the applicable requirements of the Security Rule (45 C.F.R. Part 164, Subpart C), including implementing safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.
4. Reporting
4.1 Quaspar will report to Covered Entity: (a) any use or disclosure of PHI not permitted by this BAA of which it becomes aware; (b) any Security Incident of which it becomes aware, provided that this section constitutes notice of, and no further reporting is required for, Unsuccessful Security Incidents (such as pings, port scans, and denial-of-service attempts that do not result in unauthorized access to ePHI); and (c) any Breach of Unsecured PHI as required by 45 C.F.R. § 164.410.
4.2 Quaspar will report a Breach of Unsecured PHI without unreasonable delay and in no case later than ten (10) business days after discovery. The report will include, to the extent known: the identity of each Individual whose Unsecured PHI was or is reasonably believed to have been involved, a description of what happened, the types of PHI involved, and steps taken to mitigate and prevent recurrence, with supplemental information provided as it becomes available.
5. Subcontractors
Quaspar will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Quaspar agrees in writing to restrictions and conditions at least as restrictive as those that apply to Quaspar under this BAA, including compliance with the Security Rule for ePHI, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2).
6. Individual Rights
6.1 Access. Quaspar will, within fifteen (15) business days of a written request from Covered Entity, make available PHI in a Designated Record Set (to the extent Quaspar maintains one) to enable Covered Entity to meet its obligations under 45 C.F.R. § 164.524.
6.2 Amendment. Quaspar will, within fifteen (15) business days of a written request from Covered Entity, make amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 C.F.R. § 164.526.
6.3 Accounting. Quaspar will document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures under 45 C.F.R. § 164.528, and will provide such information to Covered Entity within fifteen (15) business days of a written request.
6.4 If an Individual contacts Quaspar directly regarding access, amendment, or accounting, Quaspar will forward the request to Covered Entity within five (5) business days.
7. Government Access
Quaspar will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.
8. Covered Entity Obligations
Covered Entity will: (a) not request Quaspar to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity; (b) notify Quaspar of any limitations in its notice of privacy practices, any changes in or revocation of an Individual's authorization, and any restriction on use or disclosure agreed to under 45 C.F.R. § 164.522, in each case to the extent such changes affect Quaspar's use or disclosure of PHI; and (c) obtain any consents or authorizations required for Quaspar to provide the Services.
9. Term and Termination
9.1 This BAA takes effect on the Effective Date and remains in effect until the Agreement terminates or this BAA is terminated as provided below.
9.2 Either party may terminate this BAA and the Agreement if the other party materially breaches this BAA and fails to cure within thirty (30) days of written notice, or immediately if cure is not possible.
9.3 Return or Destruction. Upon termination, Quaspar will return or destroy all PHI, if feasible, and retain no copies. If return or destruction is infeasible, Quaspar will extend the protections of this BAA to the retained PHI, limit further uses and disclosures to the purposes that make return or destruction infeasible, and destroy the PHI when it becomes feasible.
10. Miscellaneous
10.1 Regulatory references. References to HIPAA provisions mean those provisions as amended from time to time.
10.2 Amendment. The parties will amend this BAA as necessary to comply with changes in HIPAA. If the parties cannot agree on a required amendment, either party may terminate the affected Services.
10.3 Interpretation. Any ambiguity will be resolved to permit compliance with HIPAA. In the event of a conflict between this BAA and the Agreement regarding PHI, this BAA controls.
10.4 No third-party beneficiaries. Nothing in this BAA confers rights on any third party.
10.5 Survival. Obligations under Section 9.3 survive termination.
Covered Entity
Signature: ______________________ Name: ______________________ Title: ______________________ Date: ______________________
Quaspar Inc.
Signature: ______________________ Name: ______________________ Title: Chief Executive Officer Date: ______________________