⚠️ IMPORTANT HIPAA NOTICE - ONLINE DEPLOYMENT
By using OWNIT's cloud-based software services (hosted on Reputed Tier III Data Center, Gravelines, France) that store, process, or transmit Protected Health Information, you hereby acknowledge and agree that this Business Associate Agreement (BAA) is automatically incorporated into your agreement with OWNIT. This BAA satisfies the HIPAA requirement for a written contract between Covered Entities and Business Associates as mandated by 45 CFR § 164.502(e) and 45 CFR § 164.504(e).
Online / Cloud Deployment Specifications
Data Storage Location: Reputed Tier III Data Center, Gravelines, France (EU Region)
Data Routing: All traffic passes through Cloudflare CDN (DDoS protection, WAF) - no PHI stored at Cloudflare
OWN IT Role: Business Associate (Data Processor) - Processes and stores PHI on behalf of Covered Entity
Encryption: AES-256 at rest, TLS 1.3 in transit
Certifications: HDS (French healthcare hosting), ISO 27001, SOC 2 Type II
SECTION 1
1. Parties to This Agreement
Covered Entity (CE): The healthcare provider, clinic, hospital, optical shop, dental practice, or any HIPAA-covered entity that uses OWNIT's cloud services and creates, receives, maintains, or transmits Protected Health Information (PHI).
Business Associate (BA): OWNIT, acting as a Business Associate that performs functions on behalf of the Covered Entity involving the use or disclosure of PHI, including data processing, data storage on Reputed Tier III Data Center, Gravelines, and software application services.
Effective Date: The date on which the Covered Entity first accesses, uses, or subscribes to any OWNIT cloud-based service that involves PHI.
SECTION 2
2. Permitted Uses and Disclosures of PHI (Online Deployment)
Business Associate MAY use or disclose PHI:
- To perform services for Covered Entity: As necessary to provide cloud software services including data storage on Reputed Tier III Data Center, Gravelines, application hosting, technical support, maintenance, and related functions
- For Management and Administration: As required for BA's internal management and administrative purposes, including legal compliance, auditing, and dispute resolution
- To De-identify Information: To create de-identified health information in accordance with 45 CFR § 164.514(a)-(c)
- As Required by Law: To comply with legal obligations, provided BA notifies Covered Entity prior to such disclosure unless prohibited by law
- For Data Aggregation: To combine PHI from multiple Covered Entities for permissible health care operations (in aggregated, anonymized form)
Business Associate SHALL NOT use or disclose PHI:
- In any manner not permitted by this BAA or required by law
- For any purpose that would violate HIPAA if done by Covered Entity
- To sell PHI or use PHI for marketing purposes without Covered Entity's explicit authorization
- To use PHI for underwriting, eligibility determinations, or rate setting (unless permitted by HIPAA)
SECTION 3
3. Business Associate Obligations - Online Deployment (OWNIT)
3.1 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect PHI, including:
- Encryption: AES-256 encryption for PHI at rest on Reputed Tier III Data Center, Gravelines servers; TLS 1.3 encryption for PHI in transit
- Access Controls: Role-based access, unique user IDs, automatic logoff, multi-factor authentication
- Audit Controls: Comprehensive logging of all access to and modifications of PHI
- Physical Security: Reputed Tier III Data Center in Gravelines with 24/7 monitoring, biometric access, CCTV surveillance
- Transmission Security: All PHI transmitted through Cloudflare with DDoS protection and WAF
3.2 Reporting Requirements
Business Associate shall report to Covered Entity within 24 hours of discovery:
- Any Security Incident involving PHI (including successful and unsuccessful attempts)
- Any Breach of Unsecured PHI (as defined by HIPAA Breach Notification Rule)
- Any unauthorized use or disclosure of PHI
- Any violation of this BAA by BA or its subcontractors
3.3 Subcontractors
Current subcontractors for online deployment:
- Reputed Tier III Data Center, SAS (Gravelines, France): Primary data hosting - HDS certified, ISO 27001
- Cloudflare, Inc.: CDN, DDoS protection, WAF (no PHI storage)
3.4 Data Backup & Disaster Recovery
- Daily encrypted backups of all PHI stored on Reputed Tier III Data Center, Gravelines infrastructure
- 30-day backup retention period
- Geographically redundant backups within EU (no PHI transferred outside EU)
- Regular disaster recovery testing (quarterly)
- 99.9% uptime SLA for production systems
SECTION 4
4. Reputed Tier III Data Center (Gravelines) Infrastructure (Online Deployment)
- Location: Gravelines, France (EU Region)
- HDS Certification: French healthcare data hosting (Hébergement de Données de Santé)
- ISO 27001: Information Security Management certified
- ISO 27017: Cloud security certified
- ISO 27018: Cloud privacy certified
- Physical Security: 24/7 on-site guards, biometric access, CCTV
- Data Residency: All PHI stored exclusively within EU
- Resilience: N+1 power redundancy, multiple fiber routes
- Certification Documentation: Available upon request
SECTION 5
5. Breach Notification Procedures (Online Deployment)
In the event of a Breach of Unsecured PHI stored on Reputed Tier III Data Center, Gravelines infrastructure, Business Associate shall:
- Notify Covered Entity IMMEDIATELY (within 24 hours of discovery)
- Provide Breach Details: Description, categories of data, number of affected individuals, steps taken to mitigate
- Cooperate Fully with Covered Entity's investigation and breach response
- Remediate the security vulnerability that caused the Breach
- Document the Breach and all response actions for a minimum of 6 years
SECTION 6
6. Data Deletion & Return (Online Deployment)
Upon termination of services or Covered Entity's written request, Business Associate shall:
- Return all PHI to Covered Entity in structured electronic format (CSV, JSON, XML) OR securely delete all PHI from Reputed Tier III Data Center, Gravelines infrastructure
- Data deletion shall be completed within 30 days of termination
- Provide written certification of data deletion within 14 days after completion
⚠️ IMPORTANT HIPAA NOTICE - OFFLINE / ON-PREMISE DEPLOYMENT
For offline/on-premise deployment, the software is installed on the Clinic's own servers or local infrastructure. OWNIT does NOT store, process, or have any access to Protected Health Information (PHI). The Covered Entity (Clinic) is the sole Data Controller and Data Processor. This BAA serves as an acknowledgment that no PHI is shared with OWN IT.
Offline / On-Premise Deployment Specifications
Data Storage Location: Clinic's own servers, local workstations, or clinic-managed cloud infrastructure
Data Access by OWN IT: NONE - OWN IT has no ability to access, view, retrieve, or process any clinic data
OWN IT Role: Software Licensor Only - Provides the application code and updates
Data Transmission: No clinic data is ever transmitted to OWN IT infrastructure (including the Reputed Tier III Data Center in Gravelines)
Clinic Responsibility: Full responsibility for all PHI security, backups, access controls, and HIPAA compliance
SECTION 1
1. Parties & Scope of This Agreement (Offline Deployment)
Covered Entity (CE): The healthcare provider, clinic, hospital, optical shop, or any HIPAA-covered entity that installs and uses OWNIT's offline/on-premise software on its own infrastructure.
Business Associate (BA): OWNIT, acting solely as a software licensor. BA does NOT create, receive, maintain, or transmit any PHI because all data remains on Covered Entity's infrastructure.
Key Distinction: In offline deployment, no PHI is ever shared with OWN IT. Therefore, the standard HIPAA BAA requirements for data handling do NOT apply. This agreement serves as acknowledgment that the Covered Entity is solely responsible for all PHI.
SECTION 2
2. Data Responsibility & Ownership (Offline Deployment)
Covered Entity (Clinic) Solely Responsible For:
- All PHI Storage: All patient data, medical records, prescriptions, and Protected Health Information resides exclusively on Clinic's infrastructure
- Data Security: Implementing and maintaining appropriate administrative, physical, and technical safeguards for PHI
- Access Controls: Managing user access to the software and PHI
- Backup & Disaster Recovery: Performing regular backups and maintaining disaster recovery procedures
- Breach Detection & Notification: Detecting, investigating, and notifying affected individuals and HHS of any Breach
- Patient Rights: Responding to patient access, amendment, and accounting requests
- HIPAA Compliance: Full compliance with all HIPAA Privacy, Security, and Breach Notification Rules
OWNIT (Offline) Provides:
- Software License: The right to use the application software on Clinic's infrastructure
- Software Updates: Periodic updates, patches, and new versions of the software
- Technical Support: Assistance with software installation, configuration, and troubleshooting (without accessing PHI)
- Documentation: User manuals, installation guides, and technical documentation
SECTION 3
3. Confirmation of No PHI Access (Offline Deployment)
OWNIT certifies and acknowledges that in offline/on-premise deployment:
- No Data Transmission: The software does not transmit any PHI to OWN IT servers (including the Reputed Tier III Data Center in Gravelines or any other OWN IT infrastructure)
- No Remote Access: OWN IT personnel do not have remote access to Clinic's servers or PHI
- No Data Storage: OWN IT does not store, backup, or retain any Clinic PHI
- Support Without PHI: Technical support is provided based on anonymized error logs or screen sharing (with Clinic's explicit permission and without viewing PHI)
- No Subprocessors: OWN IT does not engage any subprocessors that handle Clinic PHI in offline deployment
✅ KEY TAKEAWAY: In offline deployment, OWNIT is NOT a Business Associate under HIPAA because no PHI is ever shared with or processed by OWN IT. This agreement serves as documentation of this fact for Covered Entity's compliance records.
SECTION 4
4. Software Security Features Provided (Offline Deployment)
While OWN IT does not handle PHI, the software includes security features to assist Clinic with HIPAA compliance:
- Role-Based Access Control: Ability to define user roles and permissions within the software
- Audit Logging: Built-in audit trails of user activity within the application
- Encryption Support: Software supports database encryption (Clinic responsible for implementation)
- Secure Authentication: Password policies, lockout controls, and session management
- Automatic Logoff: Configurable idle session timeout
Note: Clinic is responsible for configuring and maintaining these security features according to its HIPAA Security Rule requirements.
COMMON SECTION
Term and Termination
Term: This BAA shall take effect on the Effective Date and shall remain in effect for as long as Covered Entity uses any OWNIT service (online or offline).
Termination for Cause: Either party may terminate this BAA immediately upon written notice if the other party materially breaches this BAA and fails to cure within 30 days.
Effect of Termination (Online): Business Associate shall return or delete all PHI from Reputed Tier III Data Center, Gravelines infrastructure.
Effect of Termination (Offline): No PHI is held by Business Associate, so no action required regarding data.