Business Associate Agreement (HIPAA)
Template BAA for US medical Customers activating the HIPAA tier.
Draft template — not legal advice
This document is a starting-point template generated for the MoldLean launch. Before publishing or relying on it commercially, have it reviewed by a qualified attorney in your jurisdiction. Dates and versions below are placeholders.
BAAs are not executed by default
MoldLean does not execute a BAA automatically on signup. The HIPAA tier must be explicitly enabled for your organization and a signed BAA must be on file before any PHI is uploaded. Uploading PHI without an active BAA is a material breach of our Terms of Service.
This Business Associate Agreement (“BAA”) supplements the MoldLean Terms of Service and any order form between the Covered Entity (or upstream Business Associate) identified in the signature block (“Covered Entity”) and Armenta & Marquez Dental Technologies (“Business Associate” or “MoldLean”). It is intended to comply with the Health Insurance Portability and Accountability Act of 1996, as amended by HITECH, and its regulations at 45 CFR Parts 160 and 164 (the “HIPAA Rules”). In case of conflict with the Terms of Service or any order form, this BAA prevails with respect to PHI.
1. Definitions
Capitalized terms have the meanings in the HIPAA Rules: Breach (45 CFR §164.402); Designated Record Set (45 CFR §164.501); ePHI (45 CFR §160.103); Individual; PHI; Required by Law (45 CFR §164.103); Secretary; Security Incident (45 CFR §164.304); Subcontractor; Unsecured PHI (45 CFR §164.402).
2. Permitted uses and disclosures
2.1 Performance of the Service
Business Associate may use and disclose PHI only as necessary to perform the services in the Terms and any order form (the “Service”).
2.2 Specific permitted uses
- For the proper management and administration of Business Associate (45 CFR §164.504(e)(4)).
- Disclosure to a third party for those purposes only if Required by Law or with reasonable assurances of confidentiality and breach notification.
- De-identification per 45 CFR §164.514(a)-(c); de-identified data is no longer PHI.
2.3 Prohibited uses and disclosures
Business Associate shall not:
- Use or disclose PHI other than as permitted or Required by Law.
- Use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity.
- Sell PHI (45 CFR §164.502(a)(5)(ii)) or use or disclose PHI for marketing (45 CFR §164.508(a)(3)) without the Individual's authorization.
- Use identifiable PHI to train or fine-tune machine-learning models; only data de-identified under section 2.2 may be used for that purpose.
3. Safeguards
3.1 General
Business Associate shall use appropriate administrative, physical and technical safeguards and comply with Subpart C of 45 CFR Part 164 (Security Rule) with respect to ePHI.
3.2 Administrative
Designated Security Officer; workforce training at hire and annually; risk analysis; sanction policy; activity review; contingency plan.
3.3 Physical
HIPAA-tier workloads run in subcontractor facilities (AWS) with HITRUST or SOC 2 Type II attestations and an executed BAA; workstation security policies; device controls.
3.4 Technical
Unique user IDs; automatic session logoff; mandatory 2FA for staff with ePHI access; TLS 1.3 in transit; AES-256-GCM at rest; audit controls (immutable log retained at least 6 years); integrity controls; organization-scoped encryption keys for the HIPAA tier.
3.5 Tenant isolation
HIPAA-tier workloads run on infrastructure logically separated from the default tier with separate object storage buckets, processing workers and audit log streams.
4. Reporting
4.1 Unauthorized use or disclosure
Business Associate shall report any use or disclosure not provided for by this BAA, including Breaches of Unsecured PHI per 45 CFR §164.410 and any Security Incident.
4.2 Timing
Notice without unreasonable delay and in no case later than 60 calendar days after discovery, where a Breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to Business Associate (45 CFR §164.410(a)(2)). MoldLean targets initial notice within 24 hours of confirmation and a full incident report within 30 days.
4.3 Content
To the extent known: what happened, types of Unsecured PHI involved, Individuals affected, mitigation steps, contact for questions.
4.4 Security Incidents
Unsuccessful Security Incidents (pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, and denial-of-service attacks that do not result in unauthorized access to, use of or disclosure of ePHI) are reported on an aggregated basis in periodic security reports rather than individually.
4.5 Mitigation
Business Associate will mitigate, to the extent practicable, any harmful effect known to it of a violation of this BAA.
5. Subcontractors
Business Associate shall enter a written agreement with any Subcontractor that creates, receives, maintains or transmits PHI, imposing obligations no less protective than this BAA, per 45 CFR §164.504(e), §164.502(e)(1)(ii) and §164.308(b)(2). Current Subcontractors that may handle PHI:
| Subcontractor | Role | BAA status |
|---|---|---|
| Amazon Web Services, Inc. | Compute and storage for the HIPAA tier | Executed |
| Cloudflare, Inc. | DNS and edge — no PHI in payload; enterprise BAA where required | Subject to confirmation |
| Paddle.com Market Ltd | Payment processing — no clinical PHI | N/A — no PHI |
| Resend, Inc. | Transactional email — transactional metadata only | Subject to BAA addendum |
| Functional Software, Inc. (Sentry) | Error tracking — PHI scrubbed | BAA on Business plan |
Business Associate shall give Covered Entity at least 30 days' written notice before engaging any new Subcontractor that will create, receive, maintain or transmit PHI.
6. Access to PHI (45 CFR §164.524)
If Business Associate maintains PHI in a Designated Record Set, it shall make such PHI available to Covered Entity (or directly to the Individual if so directed) within 15 business days of written request. Covered Entity Admins also have direct access via the application and via the self-service export API.
7. Amendment of PHI (45 CFR §164.526)
Business Associate shall make any amendments as directed by Covered Entity.
8. Accounting of disclosures (45 CFR §164.528)
Business Associate shall maintain and make available the information required for an accounting of disclosures. Audit logs are retained at least 6 years from the date of creation.
9. Internal records availability
Business Associate shall make its internal practices, books and records available to the Secretary for compliance determinations.
10. Term and termination
10.1 Term
Effective on the date of last signature; continues until terminated or the underlying Service agreement terminates.
10.2 Termination for cause
Covered Entity may terminate this BAA and the underlying Service agreement if Business Associate materially breaches this BAA and fails to cure within 30 calendar days of written notice, or immediately upon written notice if cure is not possible.
10.3 Effect of termination
Business Associate shall return or destroy all PHI it still maintains. If infeasible for any portion, the protections of this BAA extend to that PHI indefinitely. Live object storage is purged within 72 hours; primary database records within 30 days; audit logs are retained for the HIPAA-mandated 6-year period under continued confidentiality and security controls; backups purge on next rotation cycle. Written certificate of destruction available on request.
10.4 Survival
The obligations under section 10.3 survive termination.
11. Miscellaneous
- References to HIPAA Rules sections mean the section as in effect or amended.
- The parties agree to amend this BAA as necessary for compliance with the HIPAA Rules and any other applicable law.
- Ambiguity shall be resolved to permit compliance with the HIPAA Rules.
- No third-party beneficiaries.
- Notices: to Business Associate at legal@moldlean.com and to the postal address on file; to Covered Entity at the privacy contact listed in the signature block.
12. Signature block
The signature block is provided in the markdown source at legal/baa-template.md and on the executed PDF version we send to Customers who activate the HIPAA tier. Contact legal@moldlean.com to begin the HIPAA tier onboarding process.