This Business Associate Agreement ("BAA") is entered into by and between Shinzox Group Limited (trading as Clarvera), a company incorporated in England and Wales ("Business Associate"), and the Customer identified in the Clarvera account or Order Form ("Covered Entity"). This BAA governs Business Associate's handling of Protected Health Information (PHI) disclosed to or created by Business Associate on behalf of Covered Entity in connection with the Clarvera Service, in compliance with HIPAA, HITECH, and their implementing regulations at 45 CFR Parts 160 and 164.
Parties
Business Associate: Shinzox Group Limited (trading as Clarvera) — provider of the Clarvera cloud-hosted credentialing and provider data management platform.
Covered Entity: The organisation identified as "Customer" in the Clarvera account registration or Order Form, acting as a Covered Entity or Business Associate under HIPAA.
1. Definitions
Capitalised terms not otherwise defined in this BAA have the meanings given to them under HIPAA. In addition:
"Breach" has the meaning given in 45 CFR § 164.402.
"ePHI" means PHI that is transmitted by or maintained in electronic media as defined in 45 CFR § 160.103.
"PHI" has the meaning given in 45 CFR § 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
"Required By Law" has the meaning given in 45 CFR § 164.103.
"Security Incident" has the meaning given in 45 CFR § 164.304.
"Service" means the Clarvera cloud platform and associated services provided to Covered Entity under the Terms of Service.
"Subcontractor" means a person or entity that performs functions or activities on behalf of Business Associate that involve the creation, receipt, maintenance, or transmission of PHI.
"Unsecured PHI" has the meaning given in 45 CFR § 164.402.
2. Obligations of Business Associate
Business Associate agrees to:
(a) Not use or disclose PHI other than as permitted or required by this BAA or Required By Law;
(b) Use appropriate safeguards, and comply with 45 CFR Part 164 Subpart C with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA;
(c) Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, any Security Incident, and any Breach of Unsecured PHI in accordance with Section 7;
(d) Ensure that Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate under this BAA;
(e) Make available PHI in a Designated Record Set to Covered Entity to fulfil its obligations under 45 CFR § 164.524;
(f) Make any amendments to PHI in a Designated Record Set as directed by Covered Entity in accordance with 45 CFR § 164.526;
(g) Maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528;
(h) To the extent Business Associate carries out Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations;
(i) Make its internal practices, books, and records available to the Secretary of HHS when required for purposes of determining compliance with HIPAA;
(j) Implement and maintain a written information security programme that satisfies the requirements of the HIPAA Security Rule (45 CFR §§ 164.302–164.318).
3. Permitted Uses and Disclosures
3.1 General
Business Associate may only use or disclose PHI: (a) as necessary to perform the Service for Covered Entity; (b) as Required By Law; or (c) as otherwise permitted under this BAA.
3.2 Management and Administration
Business Associate may use PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities, provided that: (a) such use is Required By Law; or (b) Business Associate obtains reasonable assurances from the recipient that PHI will be held confidential and the recipient will notify Business Associate of any Breach.
3.3 De-identified Data
Business Associate may use PHI to create de-identified health information in accordance with 45 CFR § 164.514(b) and may use and disclose such de-identified information for any lawful purpose.
3.4 Data Aggregation
Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B), strictly for Covered Entity's healthcare operations.
3.5 Prohibitions
Business Associate shall not: (a) use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity; (b) use PHI for marketing without a valid HIPAA-compliant authorisation; (c) sell PHI without a valid HIPAA-compliant authorisation; or (d) disclose PHI to any subcontractor that has not agreed in writing to restrictions at least as protective as this BAA.
4. Required Disclosures
Business Associate shall disclose PHI: (a) to Covered Entity upon request; and (b) to the Secretary of HHS when required to determine compliance with HIPAA. Business Associate shall make reasonable efforts to disclose only the minimum PHI necessary.
5. Subcontractors
Business Associate shall ensure that all Subcontractors that handle PHI agree, by written contract, to the same restrictions and conditions that apply under this BAA. Business Associate shall, upon request, provide Covered Entity with a list of Subcontractors that handle PHI. Business Associate remains responsible for Subcontractor acts and omissions to the same extent as if Business Associate performed those functions directly.
6. Safeguards
Business Associate shall:
(a) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI in accordance with 45 CFR §§ 164.308, 164.310, and 164.312;
(b) Maintain all PHI encrypted at rest with AES-256 encryption using a per-Covered-Entity AWS KMS key, not shared across tenants;
(c) Enforce TLS 1.3 for all PHI in transit, rejecting TLS 1.0 and 1.1 at the load balancer;
(d) Enforce multi-factor authentication (MFA) for all access to systems containing ePHI, with no opt-out permitted;
(e) Enforce role-based access controls ensuring only personnel with a business need can access PHI;
(f) Maintain PHI audit logs on an append-only (WORM) basis with no UPDATE or DELETE privileges for any application database role, retained for a minimum of six (6) years;
(g) Conduct a HIPAA Security Rule Risk Analysis at least annually and implement a Risk Management Plan addressing identified risks;
(h) Require that all workforce members with access to PHI receive HIPAA training appropriate to their role before handling PHI, and at least annually thereafter;
(i) Implement a written breach notification and incident response procedure consistent with 45 CFR § 164.410;
(j) Require break-glass authorisation, tied to an open support ticket, for any Clarvera staff access to Covered Entity's PHI — with every such access logged and reported to the Covered Entity's designated administrator.
7. Reporting — Security Incidents and Breaches
7.1 Security Incidents
Business Associate shall report to Covered Entity any successful Security Incident involving PHI of Covered Entity of which Business Associate becomes aware, as promptly as practicable and without unreasonable delay. Business Associate acknowledges, per 45 CFR § 164.314(a)(2)(i)(C), that it addresses attempted but unsuccessful Security Incidents (e.g., pings, port scans, denial of service attempts) through its ongoing security programme and that such incidents do not require individual incident-level notification.
7.2 Breach Notification
Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than sixty (60) days after discovery, in accordance with 45 CFR § 164.410. The notification shall include, to the extent known, the information required by 45 CFR § 164.410(c). Business Associate shall cooperate fully with Covered Entity in fulfilling Covered Entity's breach notification obligations.
7.3 Mitigation
Business Associate shall take prompt and reasonable steps to mitigate the effects of any known Security Incident or Breach and shall document all mitigation efforts.
8. Rights of Covered Entity
8.1 Access
Business Associate shall, within fifteen (15) business days of a written request, make available PHI in a Designated Record Set to enable Covered Entity to fulfil its obligations under 45 CFR § 164.524.
8.2 Amendment
Business Associate shall, within fifteen (15) business days of a written request, make available PHI for amendment and incorporate any amendments as directed by Covered Entity in accordance with 45 CFR § 164.526.
8.3 Accounting
Business Associate shall maintain and make available to Covered Entity, within fifteen (15) business days of a written request, the information necessary for Covered Entity to provide an accounting of disclosures of PHI as required by 45 CFR § 164.528, for the period required (currently six (6) years from the date of disclosure).
8.4 Audit Rights
Upon reasonable advance notice (not less than thirty (30) days), and no more than once per calendar year absent a Breach or reasonable cause, Covered Entity may audit Business Associate's HIPAA compliance. Business Associate may satisfy audit obligations by providing relevant third-party audit reports (e.g., SOC 2 Type II) in lieu of an on-site inspection.
9. Minimum Necessary
Business Associate shall make reasonable efforts to use, disclose, and request only the minimum PHI necessary to accomplish the purpose for which the use, disclosure, or request is made, consistent with 45 CFR § 164.514(d). This does not apply to disclosures to or requests by a healthcare provider for treatment, disclosures to the individual, or disclosures Required By Law.
10. De-identification
If Covered Entity requests de-identification services, Business Associate shall de-identify PHI in accordance with 45 CFR § 164.514(a)–(b) (Expert Determination or Safe Harbor method) and shall document the method used and make such documentation available to Covered Entity upon request.
11. Obligations of Covered Entity
Covered Entity agrees to:
(a) Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to, to the extent such restrictions may affect Business Associate's use or disclosure of PHI;
(b) Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity;
(c) Obtain any individual authorisations or other permissions required for Business Associate to perform its obligations under this BAA;
(d) Promptly notify Business Associate of any known or suspected Security Incident that may affect Business Associate's systems or PHI;
(e) Not disclose PHI to Business Associate subject to restrictions beyond those in this BAA without prior written notice and Business Associate's agreement.
12. Term
This BAA is effective as of the date Covered Entity accepts the Clarvera Terms of Service and remains in effect throughout the Subscription Term and any renewals, unless terminated earlier pursuant to Section 13.
13. Termination for Cause
Either party may terminate this BAA and the Terms of Service if the other party is in material breach of a material provision of this BAA and fails to cure within thirty (30) days of written notice. If Business Associate determines that cure is not feasible, Business Associate shall report the breach to the Secretary of HHS. Either party may terminate immediately upon written notice if the other party engages in a pattern of conduct constituting a material breach that cannot be cured.
14. Effect of Termination
Upon termination of this BAA, Business Associate shall, at Covered Entity's election: (a) return all PHI (including copies) to Covered Entity within thirty (30) days; or (b) destroy all PHI and certify in writing that all such PHI has been destroyed. If return or destruction is infeasible (e.g., due to legal retention requirements), Business Associate shall: (i) notify Covered Entity in writing, stating the specific reasons; (ii) extend the protections of this BAA to such PHI; and (iii) limit further use or disclosure to those purposes that make return or destruction infeasible. Business Associate may retain PHI in encrypted WORM audit logs as Required By Law (including HIPAA's 6-year documentation requirement at 45 CFR § 164.530(j)).
15. Survival
The obligations of Business Associate under Section 14 survive the termination or expiration of this BAA for the period required by law or regulation, and in any event for no less than six (6) years following the date of creation of the relevant PHI.
16. Regulatory References
A reference in this BAA to a section in HIPAA means the section as in effect or as amended from time to time. This BAA shall be interpreted consistent with HIPAA, HITECH, and any subsequent HHS regulations. If an amendment to HIPAA requires a corresponding amendment to this BAA, the parties shall promptly negotiate in good faith to update this BAA.
17. Interpretation
Any ambiguity in this BAA shall be resolved in favour of a meaning that permits Covered Entity to comply with HIPAA. The more stringent standard applies in any case of conflict between this BAA and applicable law. This BAA is governed by the laws of the State of New York, without regard to conflict of law principles.
18. Miscellaneous
Entire Agreement. This BAA, together with the Terms of Service, constitutes the entire agreement regarding PHI handling and supersedes all prior agreements on the same subject.
Order of Precedence. In the event of any conflict between this BAA and the Terms of Service regarding PHI, this BAA governs.
Severability. If any provision of this BAA is held invalid or unenforceable, the remaining provisions continue in full force and effect.
No Third-Party Beneficiaries. Nothing in this BAA creates any rights in third parties (including patients/individuals), except as required by HIPAA.
Amendment. Clarvera reserves the right to amend this BAA to comply with changes to HIPAA or other applicable law, with at least thirty (30) days' written notice of material amendments.
Electronic Execution. This BAA may be accepted electronically. Electronic execution has the same legal effect as a handwritten signature.
Contact. Questions regarding this BAA: legal@shinzox.com.