# HIPAA Business Associate Agreement Template

> **Customization required.** This template is provided for policy operations and counsel review. Replace every `NEXQ-reviewed value`, verify every factual statement, and confirm applicability before publication. The template is not legal advice and does not create an attorney-client relationship.

**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Owner:** NEXQ privacy, security, and legal operations  
**Applies to:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services

This BAA template is for situations where NEXQ creates, receives, maintains, or transmits PHI for a HIPAA covered entity or another business associate.

## 1. Parties
Covered Entity / Customer: Applicable covered entity or customer identified in the signed agreement  
Business Associate: NEXQ  
Effective date: September 18, 2024

## 2. Permitted uses and disclosures
Business Associate may use or disclose PHI only to perform services for Covered Entity, as required by law, for management/administration and legal responsibilities where permitted, for de-identified data if allowed, and as otherwise authorized in writing.

## 3. Safeguards
Business Associate will use appropriate administrative, physical, and technical safeguards to protect ePHI and prevent unauthorized uses or disclosures of PHI.

## 4. Reporting
Business Associate will report to Covered Entity any use or disclosure not provided for by this BAA, security incident, or breach of unsecured PHI as required by HIPAA and the agreement.

## 5. Subcontractors
Business Associate will ensure subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions that apply to Business Associate.

## 6. Access, amendment, and accounting
Business Associate will assist Covered Entity with individual rights to access, amendment, and accounting of disclosures as required by HIPAA.

## 7. Books and records
Business Associate will make internal practices, books, and records relating to PHI available to the Secretary of HHS as required by HIPAA.

## 8. Return or destruction
Upon termination, Business Associate will return or destroy PHI if feasible. If infeasible, protections continue and further uses/disclosures are limited to purposes that make return or destruction infeasible.

## 9. Termination
Covered Entity may terminate for material breach if Business Associate fails to cure within the agreed period, subject to the agreement.

## 10. Minimum necessary
Business Associate will request, use, and disclose only the minimum necessary PHI for the permitted purpose, except as otherwise permitted by HIPAA.

## 11. No sale or marketing
Business Associate will not sell PHI or use/disclose PHI for marketing without required authorization and agreement terms.

## 12. Regulatory updates
The parties will amend this BAA as needed to comply with changes in HIPAA or related regulations.
