Business Associate Agreement
Effective Date: December 12, 2025
Last Updated: December 12, 2025
This Business Associate Agreement ("Agreement") is entered into by and between the healthcare provider or practice ("Covered Entity") and Sessionably ("Business Associate") to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.
1. Definitions
For purposes of this Agreement, the following definitions apply:
- "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR 160.103.
- "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted or maintained in electronic media.
- "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
- "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.
- "Required by Law" means a mandate contained in law that compels an entity to make a use or disclosure of PHI.
2. Obligations of Business Associate
Business Associate agrees to:
- Safeguards: Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI
- Reporting: Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Security Incident or Breach, within 24 hours of discovery
- Subcontractors: Ensure that any subcontractors or agents who receive PHI agree to the same restrictions and conditions that apply to Business Associate
- Access: Make PHI available to Covered Entity or individuals as required by HIPAA
- Amendment: Make PHI available for amendment and incorporate amendments as directed by Covered Entity
- Accounting: Make information available to provide an accounting of disclosures as required by HIPAA
- Compliance: Make internal practices, books, and records relating to PHI available to the Secretary of HHS for determining compliance
- Minimum Necessary: Use, disclose, or request only the minimum necessary PHI to accomplish the intended purpose
- Return/Destruction: Upon termination, return or destroy all PHI received from or created on behalf of Covered Entity, if feasible
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as follows:
- Services: To perform functions, activities, or services for Covered Entity as specified in the Terms of Service
- Own Management: For the proper management and administration of Business Associate, or to carry out legal responsibilities
- Data Aggregation: To provide data aggregation services relating to the healthcare operations of Covered Entity
- De-identification: To de-identify PHI in accordance with HIPAA requirements
- Required by Law: As required by law, including to the Secretary of HHS for compliance investigations
Business Associate shall NOT:
- Use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity
- Use or disclose PHI for marketing purposes without authorization
- Sell PHI without authorization
- Use or disclose genetic information for underwriting purposes
4. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI
- Notify Business Associate of any changes in, or revocation of, authorization by an individual to use or disclose PHI
- Notify Business Associate of any restrictions on uses or disclosures of PHI that Covered Entity has agreed to
- Not request Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity
- Obtain any necessary consents or authorizations prior to providing PHI to Business Associate
5. Term and Termination
5.1 Term
This Agreement shall be effective as of the date Covered Entity first accesses the Sessionably platform and shall remain in effect until all PHI is destroyed or returned to Covered Entity, or if return or destruction is not feasible, until protections are extended as required.
5.2 Termination for Cause
Either party may terminate this Agreement if it determines that the other party has violated a material term of this Agreement. The non-breaching party shall:
- Provide written notice of the violation
- Allow 30 days for the breaching party to cure the violation
- If the violation is not cured, terminate this Agreement immediately
5.3 Effect of Termination
Upon termination, Business Associate shall:
- Return or destroy all PHI received from or created on behalf of Covered Entity
- If return or destruction is not feasible, extend the protections of this Agreement to retained PHI
- Limit further uses and disclosures to those purposes that make return or destruction infeasible
6. General Provisions
6.1 Amendment
This Agreement may be amended only in writing signed by both parties. The parties agree to amend this Agreement as necessary to comply with changes in HIPAA requirements.
6.2 Survival
The obligations of Business Associate under this Agreement shall survive termination to the extent necessary to fulfill the return or destruction requirements and to protect PHI that cannot feasibly be returned or destroyed.
6.3 Interpretation
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.
6.4 No Third-Party Beneficiaries
Nothing in this Agreement shall confer upon any person other than the parties any rights, remedies, obligations, or liabilities.
6.5 Governing Law
This Agreement shall be governed by the laws of the State of Colorado, without regard to its conflict of law provisions.
Agreement Acknowledgment
By creating an account and using the Sessionably platform, Covered Entity acknowledges that it has read and understood, and agrees to be bound by, this Business Associate Agreement.
Contact Information
For questions regarding this Agreement or to report a potential breach, contact:
Sessionably Privacy Office
Email: privacy@sessionably.com
Phone: 720-808-2150
Address: 75 Manhattan Dr. Ste. 206, Boulder, CO 80303
This Business Associate Agreement is effective as of December 12, 2025.