January 10, 2026
This Business Associate Agreement (“BAA”) is entered into by and between Vilulia LLC (“Business Associate”) and the entity executing this BAA (“Covered Entity”). This BAA is intended to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (“HIPAA”), including the HITECH Act.
Capitalized terms not otherwise defined in this BAA have the meanings set forth in HIPAA, including 45 C.F.R. Parts 160 and 164. “Protected Health Information” or “PHI” has the meaning set forth in 45 C.F.R. § 160.103. “Breach” has the meaning set forth in 45 C.F.R. § 164.402.
This BAA applies to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the Services. In the event of a conflict between this BAA and any other agreement between the parties concerning the handling of PHI, this BAA controls for PHI.
Business Associate may use and disclose PHI only as follows:
Business Associate will not use or disclose PHI other than as permitted by this BAA or as required by law. Business Associate will not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity.
Business Associate will implement and maintain appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of electronic PHI, consistent with 45 C.F.R. Part 164, Subpart C (the Security Rule), including access controls, audit controls, and workforce security.
Business Associate will report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no event later than 72 hours after discovery, unless a shorter period is required by the parties’ Order Form. Such notice will include, to the extent known, the information required for Covered Entity to comply with 45 C.F.R. § 164.404.
“Security Incident” as used in HIPAA may include unsuccessful attempts; Business Associate may provide periodic summaries of routine, unsuccessful security events as appropriate.
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions that are at least as stringent as those in this BAA, including appropriate safeguards.
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will assist Covered Entity, as applicable, to: (a) provide individuals access to PHI pursuant to 45 C.F.R. § 164.524; (b) amend PHI pursuant to 45 C.F.R. § 164.526; and (c) provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528. Covered Entity is responsible for determining whether requests apply and for communicating necessary instructions.
Business Associate will request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose, consistent with HIPAA requirements, except as otherwise permitted by law.
This BAA is effective as of the Effective Date and remains in effect until terminated. Covered Entity may terminate this BAA for material breach by Business Associate if Business Associate fails to cure the breach within a reasonable period after notice. Business Associate may terminate this BAA if Covered Entity materially breaches its obligations related to the Services and fails to cure after notice.
If termination is not feasible and Business Associate determines that cure is not possible, Business Associate will report the problem to the U.S. Department of Health and Human Services as required by HIPAA.
Upon termination of this BAA, Business Associate will, at Covered Entity’s request, return or destroy PHI that Business Associate still maintains in any form, except to the extent return or destruction is infeasible. If infeasible, Business Associate will extend the protections of this BAA to such PHI and limit further uses and disclosures.
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS as required by HIPAA.
Nothing in this BAA creates any rights for any third party, including individuals, other than the parties to this BAA.
This BAA is governed by the laws of the Commonwealth of Virginia, to the extent not preempted by HIPAA.
The parties intend for this BAA to comply with HIPAA. Any ambiguity will be resolved to permit Covered Entity and Business Associate to comply with HIPAA.