BUSINESS ASSOCIATE AGREEMENT (BAA)

Last updated: 3 January 2026

(This Business Associate Agreement (“BAA”) is applicable only when the Customer is a Covered Entity under HIPAA.)
  1. PURPOSE & SCOPE
  This BAA is intended to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the HITECH Act, and implementing regulations at 45 CFR Parts 160 and 164. Business Associate provides QUASR+, a software-as-a-service incident reporting and patient safety platform, which may involve the creation, receipt, maintenance, or transmission of Protected Health Information (“PHI”) in support of Covered Entity’s:
    • Patient safety activities
    • Quality improvement
    • Risk management
    • Clinical governance and compliance
  2. DEFINITIONS
  Capitalized terms not otherwise defined have the meanings assigned in HIPAA.
    • “PHI” has the meaning set forth in 45 CFR Part 160.103
    • “Breach” has the meaning set forth in 45 CFR Part 164.402
    • “Security Incident” means attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI
  3. PERMITTED USES AND DISCLOSURES
    1. Permitted Uses
    Business Associate may use PHI solely to:
      • Provide, operate, support, and secure the QUASR+ platform
      • Perform services described in the applicable master agreement
      • Carry out data analytics related to patient safety and quality improvement on behalf of Covered Entity
      • Comply with legal and regulatory requirements
    2. Permitted Disclosures
    Business Associate may disclose PHI:
      • As necessary to perform its obligations under the Agreement
      • To subcontractors in compliance with Section 7
      • As required by law
    3. Minimum Necessary
    Business Associate shall:
      • Access, use, and disclose only the minimum necessary PHI to perform its obligations
      • Configure systems to support role-based access controls where feasible
    4. Prohibited Uses
    Business Associate shall not:
      • Use PHI for marketing, profiling, or advertising
      • Sell PHI
      • Use PHI for its own independent clinical decision-making
  4. SAFEGUARDS & WORKFORCE COMPLIANCE
    1. Safeguards
    Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect:
      • Confidentiality
      • Integrity
      • Availability
    of electronic PHI, in compliance with 45 CFR Part 164, Subpart C (Security Rule).
    2. Workforce Training
    Business Associate shall ensure that:
      • Its workforce members with access to PHI receive HIPAA privacy and security training
      • Access to PHI is limited to authorized personnel
  5. BREACH & SECURITY INCIDENT NOTIFICATION
    1. Breach Notification
    Business Associate shall notify Covered Entity of any Breach of unsecured PHI:
      • Without unreasonable delay, and
      • No later than 15 calendar days after discovery
    (Shorter timelines may be agreed in the Order Form if required by Covered Entity policy.)
    2. Content of Notification
    Notification shall include, to the extent known:
      • Description of the Breach
      • Categories of PHI involved
      • Mitigation steps taken
      • Information reasonably requested by Covered Entity
    3. Security Incidents
    Business Associate shall:
      • Identify and respond to Security Incidents
      • Report material Security Incidents to Covered Entity
  6. INDIVIDUAL RIGHTS SUPPORT
  Business Associate shall assist Covered Entity, as reasonably requested, in fulfilling its obligations regarding:
    • Access to PHI (45 CFR §164.524)
    • Amendment of PHI (45 CFR §164.526)
    • Accounting of disclosures (45 CFR §164.528)
  7. SUBCONTRACTORS
  Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI:
    • Enters into a written agreement imposing HIPAA-compliant obligations
    • Implements safeguards no less protective than those required under this BAA
  8. AUDIT & COOPERATION
    1. Regulatory Access
    Business Associate shall make its internal practices, books, and records relating to PHI available to the U.S. Department of Health and Human Services (HHS) as required by HIPAA.
    2. Covered Entity Cooperation
    Upon reasonable request, Business Associate shall cooperate with Covered Entity in:
      • HIPAA compliance reviews
      • Incident investigations related to the Service
    This does not grant Covered Entity unrestricted audit rights beyond HIPAA requirements.
  9. TERM & TERMINATION
    1. Term
    This BAA remains in effect until terminated in accordance with this Section.
    2. Termination for Cause
    Covered Entity may terminate this BAA upon written notice if:
      • Business Associate materially breaches this BAA, and
      • Fails to cure such breach within 30 days
    3. Effect of Termination
    Upon termination:
      • Business Associate shall return or destroy PHI where feasible
      • If infeasible, Business Associate shall continue to protect PHI and limit further uses and disclosures
  10. PATIENT SAFETY & NO MEDICAL ADVICE
  Business Associate acknowledges that:
    • QUASR+ supports patient safety reporting and analysis only
    • The Service does not provide medical advice, diagnosis, or treatment
    • Clinical decision-making remains the sole responsibility of Covered Entity and its clinicians
  11. LIMITATION OF LIABILITY
  Liability under this BAA shall be governed by the limitation of liability provisions in the applicable master agreement, except to the extent such limitations are prohibited by HIPAA or applicable law.
  12. AMENDMENT
  The parties agree to amend this BAA as necessary to comply with:
    • Changes in HIPAA or HITECH
    • Guidance issued by HHS
  13. INTERPRETATION & PRECEDENCE
  This BAA shall be interpreted to permit compliance with HIPAA. In the event of conflict, the following order of precedence applies:
    1. This BAA
    2. Country-Specific Terms (Schedule C)
    3. Master Terms of Service
  14. GOVERNING LAW
  This BAA shall be governed by U.S. federal law, and to the extent not pre-empted, the governing law specified in the underlying agreement.