Oct 20, 2025

Business Associate Agreement (“BAA”)

This Business Associate Agreement (“BAA”) is a public template. If you are a Covered Entity or Business Associate under HIPAA and intend to use Pivot with PHI, this BAA governs our handling of PHI on your behalf. It supplements and forms part of your master agreement with Pivot (e.g., the Master Services Agreement, Order Form, or Terms of Service, the “Agreement”). If you need a countersigned copy, contact [email protected].

Parties

This BAA is entered into by and between the customer (the “Covered Entity”) and Pivot Technologies Holdings Inc., a Delaware corporation with its principal office at 2219 Main St Unit #371, Santa Monica, CA 90405, United States (the “Business Associate” or “Pivot”). Capitalized terms not defined here have the meanings in HIPAA or the Agreement.

1. Definitions

  • “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by HITECH and its implementing regulations at 45 C.F.R. Parts 160 and 164.
  • “PHI” means Protected Health Information as defined at 45 C.F.R. §160.103 and §164.501, limited to the PHI Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
  • “Security Incident” has the meaning at 45 C.F.R. §164.304.
  • “Breach” has the meaning at 45 C.F.R. §164.402.
  • “Designated Record Set” has the meaning at 45 C.F.R. §164.501.
  • “Subcontractor” means any third party to whom Business Associate delegates a function, activity, or service involving PHI.

2. Permitted Uses and Disclosures by Business Associate

2.1 Business Associate may use and disclose PHI solely: (a) to perform the Services described in the Agreement for or on behalf of Covered Entity; (b) for proper management and administration of Business Associate; and (c) to carry out legal responsibilities of Business Associate, provided disclosures are required by law or made subject to a duty of confidentiality.

2.2 Business Associate will limit PHI to the minimum necessary to accomplish the intended purpose.

2.3 Business Associate will not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except as permitted in this BAA.

3. Safeguards

Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI as required by the HIPAA Security Rule, including the measures in Annex B (Security Measures).

4. Subcontractors

Business Associate will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to substantially the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI, including execution of a BAA where required.

5. Reporting

5.1 Security Incidents: Business Associate will report to Covered Entity any Security Incident of which it becomes aware that results in unauthorized access, use, disclosure, modification, or destruction of PHI without unreasonable delay.

5.2 Breaches: Business Associate will notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and no later than 10 business days after discovery. The notice will include, to the extent known at the time: (a) identification of affected individuals; (b) a description of what happened; (c) the types of PHI involved; (d) steps individuals should take to protect themselves; (e) what Business Associate is doing to investigate, mitigate, and prevent recurrence; and (f) a contact point.

6. Mitigation and Cooperation

Business Associate will mitigate, to the extent practicable, any harmful effect known to it of a use or disclosure of PHI by Business Associate or its Subcontractors in violation of this BAA and will cooperate with Covered Entity in any required notifications or remediation.

7. Access, Amendment, and Accounting

7.1 Access: To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will make PHI available to Covered Entity so that Covered Entity can respond to an individual’s request for access under 45 C.F.R. §164.524.

7.2 Amendment: Business Associate will make PHI in a Designated Record Set available for amendment and incorporate any amendments as directed by Covered Entity under 45 C.F.R. §164.526.

7.3 Accounting: Business Associate will document disclosures of PHI as necessary for Covered Entity to respond to an individual’s request for an accounting under 45 C.F.R. §164.528 and provide such information upon request by Covered Entity.

8. Availability to HHS

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA.

9. Return or Destruction of PHI

Upon termination or expiration of the Agreement, Business Associate will, at Covered Entity’s choice, return or destroy all PHI that Business Associate still maintains in any form and retain no copies. If return or destruction is infeasible (e.g., due to backup media or legal holds), Business Associate will extend the protections of this BAA and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.

10. Records, Retention, and Audit

Business Associate will maintain documentation required by HIPAA and this BAA for at least six (6) years and will provide reasonable information necessary to demonstrate compliance to Covered Entity upon request, subject to confidentiality and security requirements.

11. Term and Termination

11.1 Term: This BAA becomes effective on the Effective Date and remains in effect until the Agreement terminates or expires.

11.2 Termination for Cause: Covered Entity may terminate this BAA if it determines that Business Associate has materially breached this BAA and Business Associate has not cured the breach within 30 days after receiving written notice.

11.3 Effect of Termination: Section 9 applies to PHI upon termination.

12. De‑identification

Business Associate may de‑identify PHI in accordance with 45 C.F.R. §164.514(a)–(b). De‑identified data is not PHI, and Business Associate may use such de‑identified data for lawful purposes, including analytics and service improvement, provided that Business Associate will not attempt to re‑identify the data and will use industry‑standard safeguards to prevent re‑identification.

13. Miscellaneous

13.1 Precedence: In the event of a conflict between this BAA and the Agreement, this BAA controls with respect to PHI.

13.2 No Third‑Party Beneficiaries: Nothing in this BAA creates any third‑party beneficiary rights.

13.3 Amendment: The parties will amend this BAA to comply with changes to HIPAA and applicable law.

13.4 Governing Law: This BAA is governed by the law specified in the Agreement, except as preempted by HIPAA.

Annex A — Description of Services and PHI

Services: Pivot collaboration platform (spaces/rooms/posts/files, messaging, video, analytics, admin, audit logs).

Types of PHI: As determined by Covered Entity; may include demographic information, treatment or billing information, and other identifiers if uploaded.

Data Subjects: Patients and individuals whose PHI is entered by or on behalf of Covered Entity.

Permitted Users: Authorized workforce members of Covered Entity and their agents.

Annex B — Security Measures (HIPAA Security Rule Mapping)

Administrative Safeguards: Risk analysis and management; workforce training; access authorization and supervision; security incident procedures; contingency planning (data backup, disaster recovery, emergency mode); periodic evaluations.

Physical Safeguards: Facility access controls (inherited from cloud provider), workstation use and security, device and media controls including media sanitization.

Technical Safeguards: Unique user identification; multi‑factor authentication for admin access; role‑based access; automatic logoff; encryption (TLS 1.2+ in transit; AES‑256 at rest); integrity controls; audit controls and centralized logging; transmission security; API scoping and rate limiting.

Annex C — Subcontractors Handling PHI

Business Associate may use the Subcontractors listed at /legal/subprocessors for HIPAA‑eligible services. Business Associate will maintain BAAs (or equivalent) with HIPAA‑relevant Subcontractors and will update the list as required. Covered Entity may subscribe to updates.

Annex D — Prohibited Data Channels and Customer Responsibilities

  • Do not send PHI via non‑HIPAA‑eligible channels (e.g., standard email support, public forums).
  • Configure retention, access controls, SSO/MFA, and audit logs.
  • Restrict user access based on minimum necessary.
  • Train workforce members and maintain internal policies required by HIPAA.