Business Associate Agreement

HIPAA Business Associate Agreement for US Healthcare Providers

Last Updated: January 9, 2026 | Effective Date: January 9, 2026

Electronic Signature & Acceptance

This Business Associate Agreement ("BAA") becomes legally binding when you:

  1. Check the "I agree to the Business Associate Agreement" checkbox during account setup
  2. Type your name in the signature field
  3. Click the "Sign Agreement" button

Your electronic signature has the same legal effect as a handwritten signature. A copy of your signed BAA is available in Settings → Legal Documents. For a countersigned PDF copy, email ben@wiebe-consulting.com.

Who Needs This Agreement

This BAA is required for US healthcare providers ("Covered Entities" under HIPAA) before they can connect their EMR, import patient data, or use messaging features in Clinic OS Pro. No BAA = No PHI access.

This Business Associate Agreement ("BAA") is entered into by and between:

  • Covered Entity: The healthcare practice or clinic accepting this agreement ("You" or "Covered Entity")
  • Business Associate: Wiebe Consulting Inc., operating Clinic OS Pro ("We," "Us," or "Business Associate")

This BAA supplements and is incorporated into the Terms of Service (the "Agreement").

1. Definitions

Terms used in this BAA have the meanings set forth in the HIPAA Rules (45 CFR Parts 160 and 164). The following definitions apply:

  • "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended
  • "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164
  • "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form
  • "Electronic Protected Health Information" or "ePHI" means PHI transmitted or maintained in electronic form
  • "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI
  • "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations

2. Scope of PHI

2.1 PHI We Process

Through Clinic OS Pro, we may access and process the following limited PHI:

  • Patient names
  • Patient email addresses
  • Patient phone numbers
  • Appointment dates and times
  • Visit counts and visit history
  • Plan of care status (planned vs. completed visits)
  • No-show and cancellation flags
  • Treatment program type (e.g., "Sports Rehab," "Post-Op")

2.2 PHI We Do NOT Process

We explicitly DO NOT access, store, or process:

  • Medical diagnoses or ICD/CPT codes
  • Clinical notes, SOAP notes, or treatment documentation
  • Imaging studies, lab results, or test results
  • Prescription or medication information
  • Insurance policy numbers or detailed billing codes
  • Social Security Numbers
  • Genetic information
  • Mental health or substance abuse treatment records

3. Permitted Uses and Disclosures

3.1 Service Provision

Business Associate may use and disclose PHI only as necessary to perform services under the Agreement, including:

  • Storing and displaying patient contact information
  • Generating task lists for patient outreach
  • Sending communications on your behalf (email and SMS)
  • Calculating revenue metrics and generating reports
  • Providing customer support related to patient data

3.2 Management and Administration

Business Associate may use PHI for its proper management and administration, provided that disclosures are required by law or Business Associate obtains reasonable assurances regarding confidentiality from any third party.

3.3 Aggregated and De-Identified Data

Business Associate may de-identify PHI in accordance with 45 CFR 164.514(b) and use de-identified data for any lawful purpose. Business Associate may create and use aggregated data that does not identify any individual.

3.4 Prohibited Uses

Business Associate shall NOT:

  • Use or disclose PHI for marketing purposes (except as permitted by HIPAA)
  • Sell PHI
  • Use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity

4. Safeguards

4.1 Administrative Safeguards

  • Designated security and privacy officer
  • Workforce training on HIPAA requirements
  • Access management and role-based permissions
  • Policies and procedures for handling PHI
  • Regular risk assessments

4.2 Physical Safeguards

  • Data hosted in secure, access-controlled data centers (Vercel, AWS)
  • No PHI stored on local devices or removable media

4.3 Technical Safeguards

  • Encryption in Transit: TLS 1.2 or higher (HTTPS only)
  • Encryption at Rest: AES-256 encryption for database storage
  • Access Controls: Unique user IDs, automatic session timeouts
  • Audit Logging: Comprehensive logs of data access and modifications
  • Multi-Factor Authentication: Available for all user accounts

5. Subcontractors

Business Associate may engage subcontractors to assist in performing services. Business Associate shall:

  • Enter into written agreements with subcontractors that provide the same protections as this BAA
  • Ensure subcontractors agree to the same restrictions and conditions regarding PHI
  • Maintain a list of subcontractors that access PHI (see Subprocessors)

5.1 Current Subcontractors with BAAs

  • Vercel: Application hosting and infrastructure
  • Neon: PostgreSQL database hosting
  • Twilio: SMS messaging services
  • Resend: Email delivery services

6. Breach Notification

24-Hour Notification

We will notify you within 24 hours of discovering a Breach of unsecured PHI.

6.1 Breach Notification Process

Upon discovering a Breach, Business Associate shall:

  1. Notify Covered Entity within 24 hours of discovery
  2. Provide written notice including:
    • Description of the Breach
    • Date of the Breach and date of discovery
    • Types of PHI involved
    • Individuals affected (if known)
    • Steps taken to investigate and mitigate
    • Contact information for follow-up
  3. Cooperate with Covered Entity's investigation
  4. Assist with required notifications to affected individuals and regulators

6.2 Security Incidents

Business Associate shall report Security Incidents (including unsuccessful attempts) within 72 hours of discovery. Routine unsuccessful security incidents (e.g., automated port scans, failed login attempts) may be reported in aggregate.

7. Covered Entity Obligations

Covered Entity agrees to:

  • Only provide the minimum necessary PHI required for Business Associate to perform services
  • Obtain any required patient authorizations before sharing PHI
  • Notify Business Associate of any restrictions on use or disclosure of PHI
  • Notify Business Associate of any changes to patient authorization status
  • Not request Business Associate to use or disclose PHI in violation of HIPAA

8. Individual Rights

Business Associate shall:

  • Access: Make PHI available to Covered Entity within 10 business days to fulfill patient access requests
  • Amendment: Make amendments to PHI as directed by Covered Entity
  • Accounting: Maintain records and provide information for accounting of disclosures
  • Restrictions: Honor restrictions on use and disclosure as communicated by Covered Entity

9. Term and Termination

9.1 Term

This BAA is effective upon your acceptance and remains in effect for the duration of the Agreement.

9.2 Termination for Cause

Either party may terminate this BAA if the other party materially breaches the BAA and fails to cure the breach within 30 days of written notice.

9.3 Effect of Termination

Upon termination:

  • Business Associate shall return or destroy all PHI in its possession
  • If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the remaining PHI and limit further uses and disclosures
  • Business Associate shall certify destruction in writing upon request

9.4 Survival

The obligations of Business Associate regarding confidentiality and safeguarding of PHI shall survive termination of this BAA.

10. Miscellaneous

10.1 Amendment

The parties agree to amend this BAA as necessary to comply with changes in HIPAA or its implementing regulations.

10.2 Interpretation

This BAA shall be interpreted in a manner consistent with HIPAA. In the event of a conflict between this BAA and the Agreement, this BAA shall govern with respect to PHI.

10.3 No Third-Party Beneficiaries

This BAA does not create any third-party beneficiary rights in any individual, including patients.

10.4 Regulatory Changes

If new HIPAA regulations are issued that require modification of this BAA, the parties shall negotiate in good faith to amend this BAA accordingly.

Contact Information

For questions about this BAA or to report a potential Breach:

Wiebe Consulting Inc.
HIPAA Privacy Officer
Email: ben@wiebe-consulting.com

Document Version: 2.0
Last Reviewed: January 9, 2026
Next Review Date: January 2027