Skip to main content
Orvica is currently invite-only. Join the waitlist to request access.
Legal · HIPAA

Business Associate Agreement (template)

Version 1.0 · Effective 2026-05-18

This is a template Business Associate Agreement (BAA) Orvica executes with HIPAA-covered entities that use Helix to handle Protected Health Information (PHI). To request a countersigned copy, email legal@orvica.co with your covered-entity legal name.

1. Scope

This Agreement supplements the underlying services agreement between Orvica LLC (“Business Associate”) and the covered entity executing this BAA (“Covered Entity”). It governs Business Associate's creation, receipt, maintenance, or transmission of PHI on behalf of Covered Entity.

2. Permitted uses and disclosures

Business Associate may use and disclose PHI only as permitted by this Agreement, the underlying services agreement, or as required by law. Specifically, Business Associate may use and disclose PHI to:

  • Provide the services Covered Entity has requested.
  • Perform internal management and administration of Business Associate.
  • Carry out legal responsibilities of Business Associate.
  • De-identify PHI in accordance with 45 CFR §164.514(a)-(c).

3. Safeguards

Business Associate shall use appropriate administrative, technical, and physical safeguards to prevent use or disclosure of PHI other than as permitted by this Agreement, and to comply with the HIPAA Security Rule (45 CFR §§164.302-318) with respect to electronic PHI.

4. Reporting unauthorized use or disclosure

Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, including any breach of unsecured PHI as required by 45 CFR §164.410, without unreasonable delay and in no case later than 30 days after discovery.

5. Subcontractors

Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to substantially similar restrictions and safeguards. A current list of subprocessors is maintained at /subprocessors.

6. Access, amendment, and accounting

Business Associate shall provide PHI in a designated record set as required by 45 CFR §164.524, incorporate amendments per §164.526, and provide an accounting of disclosures per §164.528, in each case within timeframes that allow Covered Entity to meet its own obligations.

7. Audits

Business Associate shall make its internal practices, books, and records relating to PHI available to the Secretary of HHS for compliance review.

8. Return or destruction on termination

Upon termination of this Agreement, Business Associate shall return or destroy all PHI if feasible. If return or destruction is not feasible, Business Associate shall continue the protections of this Agreement for such PHI and limit further uses and disclosures.

9. Minimum necessary

Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose, consistent with 45 CFR §164.502(b) and Covered Entity's policies.

10. Indemnification

Each party shall be responsible for its own acts and omissions related to PHI. Mutual indemnification scope and caps are addressed in the underlying services agreement.

11. Term

This Agreement is effective on the date the underlying services agreement begins and continues until terminated by either party. Sections 5, 6, and 8 survive termination.

12. Execution

To execute this BAA, email legal@orvica.co with your Covered Entity legal name, signing-authority contact, and intended Helix workspace(s). Orvica returns a countersigned PDF within 5 business days.