March 20, 2026
This Business Associate Agreement ("BAA") is entered into by and between Vilulia LLC ("Business Associate") and the entity or individual executing this BAA through the Vilulia account setup process ("Covered Entity"). This BAA is intended to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended ("HIPAA"), including the HITECH Act.
Capitalized terms not otherwise defined in this BAA have the meanings set forth in HIPAA, including 45 C.F.R. Parts 160 and 164. "Protected Health Information" or "PHI" has the meaning set forth in 45 C.F.R. § 160.103. "Breach" has the meaning set forth in 45 C.F.R. § 164.402.
This BAA applies to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the Services. In the event of a conflict between this BAA and any other agreement between the parties concerning the handling of PHI, this BAA controls for PHI.
Business Associate may use and disclose PHI only as follows:
Business Associate will not use or disclose PHI other than as permitted by this BAA or as required by law. Business Associate will not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity. Business Associate will not use PHI to train AI models or for any purpose other than providing the Services to Covered Entity.
Business Associate will implement and maintain appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of electronic PHI, consistent with 45 C.F.R. Part 164, Subpart C (the Security Rule), including access controls, audit controls, and workforce security. Business Associate will review and update safeguards as reasonably necessary in light of known threats or vulnerabilities.
Business Associate will report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no event later than 72 hours after discovery, unless a shorter period is required by the parties' Order Form. Such notice will include, to the extent known, the information required for Covered Entity to comply with 45 C.F.R. § 164.404, including the nature of the breach, the PHI involved, the likely cause, and the steps Business Associate is taking to mitigate harm.
"Security Incident" as used in HIPAA may include unsuccessful attempts; Business Associate may provide periodic summaries of routine, unsuccessful security events as appropriate.
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions that are at least as stringent as those in this BAA, including appropriate safeguards.
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will assist Covered Entity, as applicable, to: (a) provide individuals access to PHI pursuant to 45 C.F.R. § 164.524; (b) amend PHI pursuant to 45 C.F.R. § 164.526; and (c) provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528. Covered Entity is responsible for determining whether requests apply and for communicating necessary instructions. Business Associate will respond to reasonable access and amendment requests within thirty (30) days of receipt.
Business Associate will request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose, consistent with HIPAA requirements, except as otherwise permitted by law.
This BAA is effective as of the date Covered Entity completes account setup acceptance and remains in effect until terminated. Covered Entity may terminate this BAA for material breach by Business Associate if Business Associate fails to cure the breach within thirty (30) days after written notice. Business Associate may terminate this BAA if Covered Entity materially breaches its obligations related to the Services and fails to cure after notice.
If termination is not feasible and Business Associate determines that cure is not possible, Business Associate will report the problem to the U.S. Department of Health and Human Services as required by HIPAA.
Upon termination of this BAA, Business Associate will, at Covered Entity's written request, return or destroy PHI that Business Associate still maintains in any form, except to the extent return or destruction is infeasible. If infeasible, Business Associate will extend the protections of this BAA to such PHI and limit further uses and disclosures. Business Associate will confirm completion of return or destruction in writing within a reasonable time following the request.
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS as required by HIPAA.
Nothing in this BAA creates any rights for any third party, including individuals, other than the parties to this BAA.
This BAA is governed by the laws of the Commonwealth of Virginia, to the extent not preempted by HIPAA.
The parties intend for this BAA to comply with HIPAA. Any ambiguity will be resolved to permit Covered Entity and Business Associate to comply with HIPAA. If any provision of this BAA conflicts with HIPAA as amended, HIPAA controls.
This BAA is executed electronically as part of the Vilulia account setup process. By completing the HIPAA plan setup and indicating acceptance, the Covered Entity agrees to be bound by the terms of this BAA. Electronic acceptance has the same legal force as a handwritten signature. The acceptance timestamp and account identifier are recorded and constitute the Covered Entity's binding agreement to these terms. A copy of this BAA, together with the acceptance record, is accessible at any time from your account settings under Legal & Compliance.