Home About Pricing Contact Sign In

Business Associate Agreement

Last updated: March 27, 2026

This document is provided for reference and transparency. Care Assistant Pro recommends that all customer agencies have this agreement reviewed by qualified legal counsel before relying on it for HIPAA compliance purposes.

This Business Associate Agreement ("Agreement") is entered into by and between the customer agency ("Covered Entity") and Care Assistant Pro LLC ("Business Associate"), and supplements the Terms of Service governing the Covered Entity's use of the Care Assistant Pro platform.

1. Definitions

Terms used but not defined in this Agreement have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164). The following terms are used throughout this Agreement:

  • Protected Health Information (PHI) means individually identifiable health information transmitted or maintained in any form or medium, as defined by 45 CFR 160.103.
  • Electronic Protected Health Information (ePHI) means PHI that is transmitted or maintained in electronic media.
  • HIPAA Rules means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
  • Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined by 45 CFR 164.304.
  • Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined by 45 CFR 164.402.

2. Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as follows:

  • As necessary to perform services on behalf of Covered Entity as described in the Terms of Service, including but not limited to shift scheduling, care plan management, billing, invoicing, and payroll reporting.
  • As required by law.
  • For the proper management and administration of Business Associate, provided that any disclosures are required by law or Business Associate obtains reasonable assurances from the recipient that the information will be held confidentially.

Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the HIPAA Rules if done by Covered Entity, except as expressly permitted by this Agreement.

3. Safeguards

Business Associate shall:

  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with 45 CFR Part 164, Subpart C.
  • Ensure that all ePHI is encrypted in transit using HTTPS/TLS and stored using industry-standard encryption methods.
  • Use access controls to limit access to PHI to authorized personnel and authorized users of Covered Entity's agency within the platform.
  • Maintain audit controls that record and examine activity in information systems that contain or use ePHI.
  • Ensure that any agent or subcontractor to whom Business Associate provides PHI agrees to the same restrictions and conditions that apply to Business Associate under this Agreement, including implementing reasonable and appropriate safeguards.

4. Breach Notification

Business Associate shall report to Covered Entity any Breach of unsecured PHI without unreasonable delay and in no case later than 30 calendar days after discovery of the Breach. A Breach is considered discovered as of the first day on which it is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.

The notification shall include, to the extent possible:

  • A description of the nature of the Breach, including the types of PHI involved.
  • Identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach.
  • A description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against further Breaches.
  • Contact information for individuals at Business Associate to whom Covered Entity can direct questions.

Business Associate shall also report to Covered Entity any Security Incident of which it becomes aware. Reports of unsuccessful Security Incidents (such as unsuccessful login attempts or port scans) may be provided in summary or aggregate form on a periodic basis.

5. Access and Amendment

To the extent that Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate shall make such PHI available to Covered Entity as necessary for Covered Entity to satisfy its obligations under 45 CFR 164.524 (individual access) and 45 CFR 164.526 (amendment of PHI). Business Associate shall respond to such requests within 15 business days.

6. Accounting of Disclosures

Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528. Business Associate shall maintain records of disclosures of PHI for a minimum of six years from the date of disclosure.

7. Return or Destruction of PHI

Upon termination of this Agreement or the underlying Terms of Service, Business Associate shall:

  • Return or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate maintains in any form.
  • Retain no copies of the PHI except as required by law or as necessary for Business Associate's proper management and administration, in which case the protections of this Agreement shall continue to apply to such PHI.
  • If return or destruction is not feasible, extend the protections of this Agreement to the remaining PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

Business Associate shall complete the return or destruction of PHI within 30 calendar days of termination, unless Covered Entity requests an extension.

8. HIPAA Security Rule Compliance

Business Associate shall comply with the applicable requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C) with respect to ePHI. Without limiting the foregoing, Business Associate shall:

  • Conduct periodic risk assessments to evaluate potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Implement procedures to regularly review records of information system activity, such as audit logs and access reports.
  • Ensure that workforce members who access ePHI receive appropriate security awareness training.

9. Subcontractors

Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI. A current list of subcontractors who may have access to PHI is maintained in the Care Assistant Pro Privacy Policy.

10. Term and Termination

This Agreement takes effect when Covered Entity accepts it during agency setup and remains in effect for the duration of the Terms of Service, unless terminated earlier as follows:

  • Termination for cause: Either party may terminate this Agreement if it determines that the other party has violated a material term of this Agreement.
  • Automatic termination: This Agreement automatically terminates when the Terms of Service between the parties ends.
  • Effect of termination: The obligations of Business Associate under Section 7 (Return or Destruction of PHI) and Section 6 (Accounting of Disclosures) shall survive termination of this Agreement.

11. Miscellaneous

  • Amendment: This Agreement may be amended by Business Associate as necessary to comply with changes in HIPAA Rules or applicable law. Material changes will be communicated to Covered Entity with at least 30 days' notice.
  • Interpretation: Any ambiguity in this Agreement shall be resolved to permit compliance with the HIPAA Rules.
  • No third-party beneficiaries: Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns any rights, remedies, or claims.
  • Governing law: This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to conflict of law principles.

12. Contact Information

For questions regarding this Business Associate Agreement, please contact: