The Famaash BAA is HIPAA-compliant and ready for execution. Its structure is outlined below. A redlined version is available on request, signed within 48 hours of NDA.
Every Famaash BAA contains the provisions required by 45 CFR 164.504(e), without exception.
These include permitted uses, safeguard obligations, breach notification, subcontractor flow-down, individual-rights support, accounting of disclosures, and the effect of termination on PHI. The HIPAA-required provisions are non-negotiable by statute.
Famaash uses or discloses PHI only as permitted under this agreement and applicable law.
Three categories of safeguards apply, mirroring the HIPAA Security Rule.
Every subcontractor that creates, receives, maintains, or transmits PHI on behalf of Famaash signs a BAA with Famaash before onboarding.
The current subprocessor list is reviewed annually and shared on request, under NDA.
The notification SLA is 60 days from discovery of a reportable breach, with substantive notice provided well within that window in practice.
Notification includes the nature of the breach, the PHI involved, the steps taken to mitigate harm, and the corrective action put in place.
The BAA runs concurrently with the underlying engagement.
Either party may terminate for material breach following a 30-day cure period. Either party may terminate immediately if cure is not feasible.
On termination, Famaash returns or destroys all PHI in its possession, including PHI held by subcontractors.
Where return or destruction is infeasible, protections are extended for as long as Famaash retains the PHI, with use limited to the purposes that make return or destruction infeasible.
Email trust@famaash.com for the redlined BAA or any HIPAA question.