BAA
Last updated: May 27, 2026
Business Associate Addendum
THIS BUSINESS ASSOCIATE ADDENDUM (“BAA”), BY AND BETWEEN OFFCALL, INC., A DELAWARE CORPORATION (“OFFCALL” AND “BUSINESS ASSOCIATE”) AND THE INDIVIDUAL WHO ACCEPTS AND AGREES TO THIS BAA (“COVERED ENTITY”, “YOU” AND “YOUR”), IS EFFECTIVE AS OF YOUR ACCEPTANCE TO THIS BAA (“EFFECTIVE DATE”).
WHEREAS, Prime and Subcontractor are Business Associates under HIPAA;
WHEREAS, the parties desire to comply with their obligations under HIPAA to ensure the integrity and confidentiality of Protected Health Information;
NOW THEREFORE, for and in consideration of the recitals above and the mutual covenants and conditions herein contained, [Prime] and Subcontractor enter into this Addendum to provide a full statement of their respective responsibilities.
1. Definitions. All capitalized terms not defined herein shall have the meaning ascribed to them by HIPAA.
(a) Business Associate shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.
(b) Covered Entity shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
(c) Breach shall mean the unlawful or unauthorized access to, viewing, acquisition, use or disclosure of PHI.
(d) HIPAA Rules shall mean the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-005) and the rules, guidance and regulations promulgated thereunder, as amended from time to time, including 45 Code of Federal Regulations, Parts 160 and 164.
(e) Patient shall have the same meaning as the term “individual” under HIPAA and shall include a person who qualifies as a personal representative.
(f) Protected Health Information or PHI shall have the meaning given to such term under HIPAA and shall include any information, whether oral or recorded in any form or medium, limited to the information created or received by Subcontractor from or on behalf of Prime (i) that relates to the past, present or future physical or mental health condition of the patient, the provision of health care to patient, or the past, present or future payment for the provision of health care to patient; and (ii) that identifies the patient or with respect to which there is a reasonable basis to believe the information can be used to identify the Patient.
(g) Secretary shall mean the Secretary of the U.S. Department of Health and Human Services or her/his designee.
(h) Security Incident shall mean any accidental, malicious or natural act that: (i) Results in a Breach of any PHI or credit card information; or (ii) Adversely impacts the functionality of the [Prime]’s network; or (iii) Permits unauthorized access to the [Prime]’s network; or (iv) Involves the loss or loss of control of a [Prime]’s owned or managed information technology resource; or (v) Involves the use of [Prime]’s technology resources for illegal purposes or to launch attacks against other individuals or organizations; or (vi) Impacts the integrity of the [Prime]’s files or databases including, but not limited to: (1) interface failures; (2) inadequate testing or change control procedures; or (3) other failures which result in the deletion or unauthorized changes to an electronic database.
(i) State shall mean the state in which the [Prime] is located.
(j) Subpart E shall mean 45 Code of Federal Regulations, Part 164, Subpart E, which consists of Sections 164.500 et seq., as amended from time to time.
2. Permitted Uses and Disclosures by Subcontractor
(a) Subcontractor shall not use or disclose PHI in a manner that would violate HIPAA if done by [Prime]. To the extent Subcontractor is to carry out one or more of [Prime]’s obligations under Subpart E of 45 CFR Part 164, Subcontractor shall comply with the requirements of Subpart E that apply to [Prime] in the performance of such obligations.
(b) Minimum Necessary. Subcontractor shall use only the minimum amount of PHI necessary to perform the specified functions, activities or services, in accordance with the minimum necessary standard. In the event of inadvertent access by Subcontractor to more than the minimum necessary amount of [Prime]’s PHI, Subcontractor will: (i) treat all such PHI in accordance with the [Master Agreement, this Agreement, and this Addendum]; (ii) promptly notify [Prime], in accordance with paragraph 3(d) below, of such access; (iii) erase, delete, and/or return such PHI as quickly as possible; and (iv) take all necessary actions to prevent further unauthorized access to PHI beyond the minimum necessary amount.
(d) Compliance with State Laws. Subcontractor may use, disclose and access PHI only as permitted by State law, unless such State law is contrary to HIPAA and is preempted by HIPAA in accordance with 45 Code of Federal Regulations Sections 160.201 et seq.
3. Obligations of Subcontractor
(a) Use. Subcontractor shall not use or disclose PHI other than as permitted or required by [the Master Agreement, the Agreement, this Addendum,] or as required by law.
(b) Safeguards. Subcontractor shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by [the Master Agreement, the Agreement, and this Addendum]. Subcontractor shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, security, integrity and availability of PHI that it receives, maintains, transmits or creates on behalf of [Prime] and that comply with the requirements of HIPAA.
(c) Mitigation. Subcontractor shall promptly mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Subcontractor in violation of [the Master Agreement, the Agreement, and this Addendum].
(d) Notify [Prime]. Subcontractor shall promptly notify [Prime] of any Security Incident or Breach via telephone call and/or email in the most expedient time possible, and not to exceed seventy-two (72) hours in the event of a Breach, following Subcontractor’s initial awareness of such Security Incident or Breach. Notwithstanding any notice provisions in the Master Agreement or the Agreement, such notice shall be made to the [Prime] HIPAA Compliance Officer by means of phone call to +1 510 764-8903 and by email to compliance@offcall.com. Subcontractor shall cooperate in good faith with [Prime] in the investigation of any Breach or Security Incident.
(e) Breach Notification. Following notification to [Prime] of a Breach, Subcontractor shall promptly cooperate with [Prime] in determining which entity shall provide any required Breach notification. If the parties agree that Subcontractor shall provide any required Breach notification, Subcontractor shall provide such notification timely and provide [Prime] with documentation of Subcontractor’s actions, including documentation of the names and addresses of those to whom the notifications were provided.
(f) Amendments. Subcontractor shall promptly make amendment(s) to PHI requested by [Prime] and shall do so in the time and manner requested by [Prime] to enable compliance with HIPAA and State Law, as applicable. If Patient requests an amendment to his or her PHI, directly from Subcontractor, the Subcontractor shall promptly notify [Prime]’s HIPAA Compliance Officer of such request and await the HIPAA Compliance Officer’s denial or approval of the request.
(g) Internal Records. Subcontractor shall promptly make its internal practices, books, records, including its policies and procedures, relating to the use, disclosure, or security of PHI that the Subcontractor received from, maintained or created for or on behalf of [Prime], available to [Prime], or the Secretary, in a time and manner designated by [Prime] or the Secretary, to enable these parties to determine compliance with HIPAA.
(h) Accountings. Subcontractor shall document all disclosures of PHI and information related to such disclosures as required under HIPAA in order that it may provide an accounting of such disclosures as [Prime] directs. Subcontractor shall: (i) Provide an accounting as required under HIPAA to those Patients who direct their requests to Subcontractor; or (ii) Provide the accounting information required under HIPAA to [Prime], if so requested by [Prime], in the time and manner specified by [Prime].
(i) Preservation. Subcontractor shall cooperate with [Prime] and its staff to preserve and protect the confidentiality of PHI accessed or used pursuant to the Agreement and shall not disclose or testify about such information during or after the termination of the Agreement, except as required by law.
(j) HIPAA Compliance. Subcontractor shall comply with 45 Code of Federal Regulations Part 164, Subpart C with respect to electronic PHI. The written policies and procedures and documentation required to be maintained by Subcontractor shall be made available to [Prime], upon [Prime]’s request.
(k) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Subcontractor shall ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of Subcontractor agree to the same restrictions, conditions, and requirements that apply to the Subcontractor with respect to such information.
4. Effect of Breach of Obligations. If Subcontractor breaches any of its obligations, [Prime] shall have the option to do the following:
(a) Cure. Provide the Subcontractor with an opportunity to cure the breach, to the extent curable, and end the violation within a reasonable time specified by [Prime]. If Subcontractor does not cure the breach or end the violation as and within the time specified by [Prime], or if the breach is not curable, [Prime] may terminate its obligations to Subcontractor, including, but not limited to, its future payment obligations and obligations to provide information, materials, equipment or resources to Subcontractor; or
(b) Termination. Immediately terminate the Agreement, if [Prime] reasonably determines that Subcontractor (1) has acted with gross negligence in performing its obligations; (2) is in violation of the law; (3) willfully has violated or is violating the privacy and security provisions of this Addendum or HIPAA; or (4) is unable to provide, if requested, written assurances to [Prime] of its ability to protect the confidentiality and security of the PHI. Such termination of the Agreement shall be without prejudice to other legal remedies available to [Prime].
5. Effect of Termination
(a) Disposition of PHI. Upon termination of the [Master Agreement and/or the Agreement] and subject to Section 5(b) below, Subcontractor shall promptly return to [Prime] a copy of all PHI, and shall take all reasonable steps to promptly destroy all other PHI held by Subcontractor by: (i) shredding; (ii) securely erasing, or (iii) otherwise modifying the information in those records to make it unreadable or indecipherable through any means. At [Prime]’s request, the Subcontractor shall certify in writing that it has complied with the requirements of this Section.
(b) Infeasible; Survival. If the return or destruction of PHI presents the Subcontractor with business difficulty, the obligations of the Subcontractor under this Addendum shall survive the termination of this Agreement. Subcontractor shall limit the further use or disclosure of all PHI to the purposes that make its return or destruction infeasible.
6. Credit Monitoring. In the event that either party is required by law to notify individuals whose PHI was inappropriately accessed, used, or disclosed by Subcontractor and the PHI contains: (i) the individual’s first initial or first name, last name, and social security number; (ii) the individual’s first initial or first name, last name, and driver’s license or state identification card; (iii) the individual’s first initial or first name, last name, account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; and/or (iv) the individual’s first initial or first name, last name, and PHI, then Subcontractor and [Prime] shall work together to structure a credit monitoring offering commensurate to the risk posed by the breach and Subcontractor shall, in any event, pay the costs of credit monitoring for one (1) year for such individuals and the costs and fees related to timely notification in accordance with law.
7. Amendment. The parties agree to promptly modify or amend this Addendum to permit parties to comply with any new laws, rules or regulations that might modify the terms and conditions herein.
8. General. The Agreement, including this Addendum and attachments hereto, are intended to be construed in harmony with each other, but in the event that any provision in this Addendum conflicts with the provisions of the [Master Agreement or Agreement], or their other attachments, the provisions in this Addendum shall be deemed to control and such conflicting provision or part thereof shall be deemed removed and replaced with the governing provision herein to the extent necessary to reconcile the conflict, except that the indemnity and insurance provisions of this Addendum (if any) and [the Master Agreement and Agreement] are to be read as separate, concurrent obligations such that Subcontractor shall comply with each obligation and one shall not replace the other.
9. Audits. Upon reasonable notice to Subcontractor, [Prime] shall have the right to inspect and audit Subcontractor’s privacy and security controls relating to Subcontractor’s compliance with the terms of the Master Agreement, the Agreement, this Addendum, and HIPAA. Subcontractor may impose reasonable restrictions upon [Prime]’s access to Subcontractor’s premises information systems, including but not limited to limiting access only to those information systems which contain [Prime]’s PHI and limiting access to ensure Subcontractor’s compliance with existing confidentiality obligations to its other customers. Such audits shall occur no more often than once per year or after any Breach or Security Incident and only upon a good faith belief by [Prime] that Subcontractor is not in compliance with its obligations under the Master Agreement, the Agreement, this Addendum, or HIPAA relating to [Prime]’s PHI. All audits shall be conducted with the least interruption to Subcontractor’s normal business operations as feasible. [Prime], as the case may be, shall be responsible for all costs incurred in order to perform the audit.
10. Indemnity. Subcontractor shall promptly and fully defend, indemnify and hold harmless [Prime], their affiliates and their respective officers, directors, agents and employees (Indemnified Parties) against any claim, demand, liability, loss, fine, penalty, assessment, cost, judgment, award or attorney’s fees (including the reasonable costs of in-house counsel), related to (i) the breach of this Addendum by Subcontractor, (ii) the negligent acts or omissions of Subcontractor or any employee or agent of Subcontractor, (iii) any related Breach, Security Incident or any cost of notification or remediation relating to notifications required by law, (iv) any wrongful termination or any other claim or action against or [Prime] with respect to the actual or constructive termination by Subcontractor of any agent, Subcontractor or personnel employed or contracted by Subcontractor, whether or not providing services under the Agreement and (v) any action to enforce this Section (collectively, Claims). The Claims covered by this Section shall include Claims made or recovered against the Indemnified Parties and Claims issued in favor of a third party. This Section shall survive the expiration or termination of this Addendum.