Wocha Docs

Business Associate Agreement

Standard HIPAA Business Associate Agreement for Wocha Cloud enterprise customers.

This Business Associate Agreement ("BAA") forms part of the agreement between Elementary Digital Ltd ("Business Associate", "Wocha", "we") and the entity agreeing to Wocha's terms of service ("Covered Entity", "you", "Customer").

This template is provided for review purposes. Enterprise customers may accept this BAA programmatically via the Customer API or through the Wocha Console.


1. Definitions

TermMeaning
HIPAAThe Health Insurance Portability and Accountability Act of 1996, as amended
HITECHThe Health Information Technology for Economic and Clinical Health Act of 2009
PHIProtected Health Information as defined in 45 CFR 160.103
ePHIElectronic Protected Health Information
Security RuleThe HIPAA Security Standards at 45 CFR Part 164, Subparts A and C
Privacy RuleThe HIPAA Privacy Standards at 45 CFR Part 164, Subpart E
BreachThe acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI
Covered ServicesWocha Cloud authentication, authorisation, and related platform services as described in the main service agreement

Capitalised terms not defined here have the meaning given in HIPAA, HITECH, or the main service agreement.


2. Obligations of Business Associate

Business Associate agrees to:

2.1 Not use or disclose PHI other than as permitted or required by this BAA or as required by law.

2.2 Use appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA, in compliance with the Security Rule.

2.3 Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410.

2.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), require that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.

2.5 Make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524, in accordance with the functionality of the Covered Services.

2.6 Make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set as directed by Covered Entity, in accordance with 45 CFR 164.526.

2.7 Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528.

2.8 To the extent Business Associate is to carry out Covered Entity's obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.

2.9 Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.


3. Permitted uses and disclosures

3.1 Business Associate may use or disclose PHI solely to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the main service agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

3.2 Business Associate may use or disclose PHI as required by law.

3.3 Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed.


4. Breach notification

4.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than 30 days after discovery.

4.2 Such report shall include, to the extent known: identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach; a description of what happened; the types of PHI involved; steps individuals should take to protect themselves; what Business Associate is doing to investigate, mitigate harm, and prevent future Breaches.

4.3 Business Associate shall cooperate with Covered Entity in the investigation of any Breach and shall provide updates as additional information becomes available.


5. Technical safeguards

Business Associate implements the following technical safeguards for PHI processed through the Covered Services:

SafeguardImplementation
Access controlMulti-factor authentication, role-based API scopes, schema-per-tenant isolation
Audit controlsComprehensive audit event logging with 6-year WORM retention
Integrity controlsEncrypted session cookies (AES-256-GCM), DPoP token binding, HMAC-signed webhooks
Transmission securityTLS 1.2+ on all endpoints; internal service-to-service encryption
PHI containmentPHI field registry, automatic token claim filtering, field-level access logging
Automatic logoffConfigurable session idle and absolute timeouts enforced at consent
Emergency accessBreak-glass override with mandatory audit trail

6. Term and termination

6.1 This BAA shall be effective upon acceptance and shall remain in effect for the duration of the main service agreement, unless earlier terminated as provided herein.

6.2 Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure the breach within 30 days of receiving written notice.

6.3 Upon termination, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.


7. Miscellaneous

7.1 The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of HIPAA, HITECH, and any regulations promulgated thereunder.

7.2 The respective rights and obligations of Business Associate under Section 6.3 shall survive the termination of this BAA.

7.3 Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA and HITECH.


Accepting this BAA

Enterprise customers can accept this BAA through:

  • Console: Navigate to Settings > Compliance > HIPAA and click "Accept BAA"
  • API: POST /api/v1/customer/compliance/baa/accept with signer details

Upon acceptance, a cryptographic hash of the BAA document, the signer's identity, timestamp, and IP address are recorded in an immutable audit trail.

Contact compliance@wocha.ai for questions about this agreement.

On this page