
Business Associate Agreement (BAA)

Effective Date: [To be filled when executed]

Between: [Covered Entity Name] ("Covered Entity")

And: JE Vectors LLC, d/b/a Nquiry ("Business Associate")


RECITALS

WHEREAS, Covered Entity is a "Covered Entity" as defined by the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the regulations promulgated thereunder (collectively, "HIPAA");

WHEREAS, Business Associate provides investigation management services that may involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI");

WHEREAS, the parties wish to enter into this Business Associate Agreement ("BAA") to comply with the requirements of HIPAA;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:


1. Definitions

1.1 Terms used in this BAA shall have the same meaning as those terms defined in HIPAA, including but not limited to:

  • "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.

  • "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium.

  • "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

  • "Subcontractor" means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.


2. Permitted Uses and Disclosures

2.1 Business Associate may use or disclose PHI only:

a) As necessary to perform services under the underlying Services Agreement;

b) As Required by Law;

c) For the proper management and administration of Business Associate, provided that:

  • The disclosure is Required by Law; or
  • Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient will notify Business Associate of any Breach;

d) To provide Data Aggregation services relating to the health care operations of Covered Entity;

e) To de-identify PHI in accordance with 45 CFR 164.514(a)-(c).

2.2 Business Associate shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except as specifically permitted in Section 2.1.


3. Safeguards

3.1 Administrative Safeguards. Business Associate shall implement administrative safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, including:

  • Designated security official
  • Workforce security policies and procedures
  • Security awareness and training program
  • Security incident procedures
  • Contingency plan
  • Evaluation procedures

3.2 Physical Safeguards. Business Associate shall implement physical safeguards, including:

  • Facility access controls
  • Workstation use and security policies
  • Device and media controls

3.3 Technical Safeguards. Business Associate shall implement technical safeguards, including:

  • Access controls (unique user identification, emergency access, automatic logoff, encryption)
  • Audit controls
  • Integrity controls
  • Transmission security (encryption, integrity controls)

3.4 Documentation. Business Associate shall maintain documentation of safeguards as required by HIPAA.


4. Breach Notification

4.1 Discovery and Investigation. Business Associate shall investigate any suspected Breach of unsecured PHI and determine:

  • The nature and extent of the PHI involved
  • The unauthorized person who used the PHI or to whom it was disclosed
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

4.2 Notification Timeline. Business Associate shall notify Covered Entity of any Breach of unsecured PHI without unreasonable delay, and in no event later than thirty (30) calendar days after discovery of the Breach.

4.3 Notification Content. The notification shall include, to the extent known:

a) Identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;

b) Description of what happened, including the date of the Breach and the date of discovery;

c) Description of the types of unsecured PHI involved;

d) Any steps individuals should take to protect themselves;

e) Description of what Business Associate is doing to investigate, mitigate harm, and prevent future Breaches.

4.4 Security Incidents. Business Associate shall report Security Incidents to Covered Entity within five (5) business days of discovery.


5. Subcontractors

5.1 Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.

5.2 Current Subcontractors with access to PHI:

  Subcontractor           Service                HIPAA Status
  ----------------------  ---------------------  --------------
  Amazon Web Services     Cloud infrastructure   BAA in place
  Anthropic               AI processing          BAA available

6. Individual Rights

6.1 Access. Business Associate shall make PHI available to Covered Entity within ten (10) business days of a request, to enable Covered Entity to fulfill its obligations under 45 CFR 164.524.

6.2 Amendment. Business Associate shall make PHI available for amendment and incorporate amendments as directed by Covered Entity within ten (10) business days.

6.3 Accounting of Disclosures. Business Associate shall document disclosures of PHI and information related to such disclosures as necessary for Covered Entity to respond to requests for accounting, and shall provide such information within ten (10) business days of a request.


7. HHS Access

Business Associate shall make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.


8. Term and Termination

8.1 Term. This BAA shall be effective as of the Effective Date and shall remain in effect until terminated.

8.2 Termination for Cause. Either party may terminate this BAA if the other party materially breaches this BAA and fails to cure the breach within thirty (30) days of written notice.

8.3 Effect of Termination. Upon termination:

a) Business Associate shall return or destroy all PHI received from Covered Entity, or created or received on behalf of Covered Entity, if feasible;

b) If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible;

c) Business Associate shall retain no copies of PHI except as necessary for continued protection.

8.4 Survival. The obligations of Business Associate under Sections 3, 4, and 8.3 shall survive termination of this BAA.


9. General Provisions

9.1 Amendment. This BAA may not be amended except by written agreement signed by both parties. The parties agree to negotiate in good faith any amendments necessary to comply with changes in HIPAA.

9.2 No Third-Party Beneficiaries. Nothing in this BAA shall confer any rights upon any person other than the parties and their respective successors and assigns.

9.3 Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA.

9.4 Governing Law. This BAA shall be governed by the laws of the State of [State], without regard to conflict of laws principles, except to the extent preempted by HIPAA.

9.5 Entire Agreement. This BAA, together with the Services Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof.


10. Notices

All notices under this BAA shall be in writing and sent to:

Covered Entity:
  [Name]
  [Address]
  [Email]

Business Associate:
  Nquir, Inc.
  Attn: Privacy Officer
  [Address]
  privacy@nquiry.ai


Signature Block

COVERED ENTITY:

Signature: ____________________
Name: ____________________
Title: ____________________
Date: ____________________

BUSINESS ASSOCIATE (Nquir, Inc.):

Signature: ____________________
Name: Joe Etherage
Title: Founder & CEO
Date: ____________________


Exhibit A: Nquir Security Measures

Nquir implements the following HIPAA-compliant safeguards:

Administrative Safeguards

  • Designated Security Officer
  • Workforce security training
  • Access authorization procedures
  • Security incident response plan
  • Contingency and disaster recovery plans
  • Regular security assessments

Physical Safeguards

  • AWS data centers with SOC 2, ISO 27001, FedRAMP certifications
  • Physical access controls at all facilities
  • Environmental controls (power, cooling, fire suppression)

Technical Safeguards

  • Encryption at Rest: AES-256 for all stored data
  • Encryption in Transit: TLS 1.3 for all communications
  • Access Controls: Role-based access, MFA required
  • Audit Logging: Comprehensive logging of all access and changes
  • Automatic Logoff: Session timeout after inactivity
  • PHI Detection: AWS Bedrock Guardrails for PHI/PII detection

Audit Controls

  • CloudWatch logging and monitoring
  • Security event alerting
  • Log retention (minimum 6 years)
  • Regular access reviews

END OF BUSINESS ASSOCIATE AGREEMENT