Business Associate Agreement
Version
1.0
Effective date
April 30, 2026
This Business Associate Agreement ("BAA") is entered into between CS Big Bend, Inc. d/b/a Sapling Health, together with its affiliated professional entity Sapling Medical Group, PA where applicable (collectively, "Business Associate" or "Sapling"), and the healthcare practice or other Covered Entity that has executed an Underlying Agreement with Sapling (the "Covered Entity" or "Practice"). Business Associate and Covered Entity are each a "Party" and together the "Parties."
How this BAA is entered into
This BAA is incorporated by reference into each services agreement, pilot agreement, management services organization service agreement, or other written agreement between Sapling and a Covered Entity that references this BAA or links to the URL at which it is posted (each, an "Underlying Agreement"). By executing an Underlying Agreement that references or links to this BAA, the Covered Entity agrees to be bound by the terms of this BAA as in effect on the effective date of that Underlying Agreement.
The Parties intend this BAA to satisfy the written agreement requirement of 45 C.F.R. § 164.504(e) and to govern all use and disclosure of Protected Health Information between the Parties in connection with the services provided under the Underlying Agreement. No separate signature is required to make this BAA effective; execution of the Underlying Agreement constitutes the Parties' agreement to this BAA.
Order of precedence. In the event of any conflict between this BAA and an Underlying Agreement with respect to the use or disclosure of Protected Health Information, the terms of this BAA control.
Versioning
Sapling may update this BAA from time to time as required to comply with changes in law or to reflect changes in Sapling's services. Sapling will identify the version and effective date at the top of this BAA. The version of this BAA in effect on the effective date of an Underlying Agreement governs that Underlying Agreement, except that Sapling may update this BAA prospectively (a) as required by changes in HIPAA, HITECH, or other applicable law, in which case the updated version applies on the date the legal change becomes effective, or (b) on thirty (30) days' prior written notice to the Covered Entity for any other change. The Covered Entity's continued use of the services after the effective date of an updated version constitutes acceptance of that version.
Sapling will maintain an archive of prior versions of this BAA and will provide a copy of any prior version to a Covered Entity on request.
Recitals
WHEREAS, Covered Entity is a "Covered Entity" as defined under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, "HIPAA");
WHEREAS, Business Associate provides services to Covered Entity that involve the creation, receipt, maintenance, or transmission of Protected Health Information on behalf of Covered Entity, making Business Associate a "Business Associate" of Covered Entity under HIPAA; and
WHEREAS, the Parties wish to comply with the Privacy Rule, Security Rule, and Breach Notification Rule under HIPAA, the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and applicable state privacy laws;
NOW, THEREFORE, the Parties agree as follows.
01 Definitions
Capitalized terms used but not defined in this BAA have the meanings given to them in HIPAA. For ease of reference:
"Breach" has the meaning set forth at 45 C.F.R. § 164.402.
"Designated Record Set" has the meaning set forth at 45 C.F.R. § 164.501.
"Electronic Protected Health Information" or "ePHI" has the meaning set forth at 45 C.F.R. § 160.103.
"Individual" has the meaning set forth at 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative.
"Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.
"Protected Health Information" or "PHI" has the meaning set forth at 45 C.F.R. § 160.103, limited to information Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the Services.
"Security Rule" means the Security Standards at 45 C.F.R. Parts 160 and 164, Subparts A and C.
"Services" means the services Business Associate provides to Covered Entity under the Underlying Agreement, which may include AI-powered clinical documentation, AI receptionist (inbound and outbound voice), prior authorization and referral handling, medical coding, claims submission and revenue cycle management, credentialing, and related administrative and management services.
"Subcontractor" has the meaning set forth at 45 C.F.R. § 160.103.
"Unsecured PHI" has the meaning set forth at 45 C.F.R. § 164.402.
02 Permitted uses and disclosures of PHI
2.1 Performance of the Services
Business Associate may use and disclose PHI only as necessary to perform the Services for, or on behalf of, Covered Entity, and only in a manner consistent with the minimum necessary standard and with this BAA.
2.2 Management and administration of Business Associate
Business Associate may use PHI for its own proper management and administration and to carry out its legal responsibilities. Business Associate may disclose PHI for these purposes only if (a) the disclosure is required by law, or (b) Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used only as required by law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any breach of confidentiality.
2.3 Data aggregation services
Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.4 De-identification
Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c). De-identified information is not PHI and may be used by Business Associate for any lawful purpose, subject to the restrictions in Section 2.6.
2.5 Required by law
Business Associate may use or disclose PHI as required by law.
2.6 Prohibited uses
(a) No model training. Business Associate will not use PHI, and will not permit any Subcontractor to use PHI, to train, fine-tune, or improve any artificial intelligence or machine learning model, whether Business Associate's own or that of any third party. Business Associate will also not use de-identified information derived from PHI to train, fine-tune, or improve any third-party artificial intelligence or machine learning model.
(b) No sale of PHI. Business Associate will not sell PHI in violation of 45 C.F.R. § 164.502(a)(5)(ii).
(c) No marketing. Business Associate will not use or disclose PHI for marketing purposes in violation of 45 C.F.R. § 164.508(a)(3), except as authorized in writing by Covered Entity.
(d) No other uses. Business Associate will not use or disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as expressly permitted by this BAA.
03 Obligations of Business Associate
3.1 Safeguards
Business Associate will implement and maintain appropriate administrative, physical, and technical safeguards as required by the Security Rule to protect the confidentiality, integrity, and availability of ePHI it creates, receives, maintains, or transmits on behalf of Covered Entity. These safeguards include, at a minimum, encryption of ePHI in transit and at rest, role-based access controls, audit logging of access to ePHI, secure software development practices, workforce HIPAA training, and incident response procedures.
3.2 Mitigation
Business Associate will mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this BAA.
3.3 Reporting
Business Associate will report to Covered Entity:
- any use or disclosure of PHI not permitted by this BAA;
- any Security Incident of which it becomes aware (provided that the Parties agree this BAA constitutes notice of unsuccessful Security Incidents such as routinely blocked port scans and unsuccessful login attempts, for which no further notice is required); and
- any Breach of Unsecured PHI.
Business Associate will provide notice of a Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) calendar days after discovery. The notice will include, to the extent then known, the information required under 45 C.F.R. § 164.410, including the identification of each affected Individual, a description of what happened, the types of PHI involved, and the steps Business Associate is taking in response.
3.4 Subcontractors
Business Associate will, in accordance with 45 C.F.R. § 164.502(e)(1)(ii), enter into a written agreement with each Subcontractor that creates, receives, maintains, or transmits PHI on its behalf, requiring the Subcontractor to comply with restrictions and conditions at least as protective as those imposed on Business Associate by this BAA. A current list of Subcontractors that handle PHI is available to Covered Entity on request.
3.5 Access
Within fifteen (15) business days of a written request from Covered Entity, Business Associate will make available PHI in a Designated Record Set as needed for Covered Entity to respond to an Individual's request for access under 45 C.F.R. § 164.524. Business Associate is not obligated to respond directly to Individuals.
3.6 Amendment
Within thirty (30) days of a written request from Covered Entity, Business Associate will make any amendment to PHI in a Designated Record Set that Covered Entity directs in accordance with 45 C.F.R. § 164.526.
3.7 Accounting of disclosures
Business Associate will document disclosures of PHI and information related to such disclosures as needed for Covered Entity to respond to a request for an accounting of disclosures under 45 C.F.R. § 164.528, and will provide such information to Covered Entity within thirty (30) days of a written request.
3.8 Access by HHS
Business Associate will make its internal practices, books, and records relating to its use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services as required by 45 C.F.R. § 164.504(e)(2)(ii)(I).
3.9 Compliance with Covered Entity's obligations
To the extent Business Associate carries out one or more of Covered Entity's obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of those obligations.
3.10 Minimum necessary
Business Associate will limit its requests for, uses, and disclosures of PHI to the minimum necessary to accomplish the intended purpose, consistent with 45 C.F.R. § 164.502(b).
04 Obligations of Covered Entity
4.1 Notice of Privacy Practices
Covered Entity will notify Business Associate of any provisions in its Notice of Privacy Practices, or any limitation in its use or disclosure of PHI, that may affect Business Associate's use or disclosure of PHI under this BAA.
4.2 Permissions and consents
Covered Entity is responsible for obtaining any patient consents, authorizations, or notices required under federal or state law in connection with the Services, including any consent required for ambient clinical documentation, recording or use of voice communications, or outbound patient outreach.
4.3 Restrictions
Covered Entity will notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed under 45 C.F.R. § 164.522 that may affect Business Associate's use or disclosure of PHI.
4.4 Permitted requests
Covered Entity will not request that Business Associate use or disclose PHI in any manner that would not be permitted under HIPAA if done by Covered Entity, except as expressly permitted by Section 2.
05 Term and termination
5.1 Term
This BAA takes effect with respect to a Covered Entity on the effective date of its Underlying Agreement and continues until the Underlying Agreement terminates and the obligations in Section 5.4 have been satisfied, whichever is later.
5.2 Termination for cause
Either Party may terminate this BAA, and the Underlying Agreement, if it determines that the other Party has materially breached this BAA and such breach has not been cured within thirty (30) days after written notice. If cure is not feasible, the non-breaching Party may terminate immediately.
5.3 Termination of Underlying Agreement
Termination or expiration of the Underlying Agreement automatically terminates this BAA, subject to Section 5.4.
5.4 Return or destruction of PHI
Within thirty (30) days after termination or expiration of this BAA, Business Associate will, at Covered Entity's written direction, return or securely destroy all PHI then in its possession or in the possession of its Subcontractors, and will retain no copies, except as set forth below. Business Associate will provide written certification of return or destruction on request.
5.5 Infeasibility of return or destruction
If Business Associate determines that return or destruction of PHI is infeasible (including because retention is required by law, by Covered Entity's instructions for ongoing claims-handling, or by the technical configuration of backup systems), Business Associate will (a) notify Covered Entity in writing of the basis for the determination, (b) extend the protections of this BAA to the retained PHI, and (c) limit further uses and disclosures of the retained PHI to the purposes that make return or destruction infeasible, for so long as Business Associate retains the PHI.
5.6 Survival
The obligations of Business Associate in Section 5.4 and Section 5.5 survive termination of this BAA.
06 Miscellaneous
6.1 Regulatory references
A reference in this BAA to a section of HIPAA means the section as in effect or as amended from time to time.
6.2 Amendment
This BAA may be amended in accordance with the versioning provisions above. The Parties will negotiate in good faith to amend this BAA as necessary to comply with any changes to HIPAA, HITECH, or other applicable law.
6.3 Interpretation
Any ambiguity in this BAA will be resolved in favor of a meaning that permits the Parties to comply with HIPAA.
6.4 No third-party beneficiaries
Nothing in this BAA confers any rights upon any person other than the Parties and their respective successors and permitted assigns.
6.5 Governing law
This BAA is governed by the laws of the State of Florida, without regard to its conflict of laws principles, except to the extent preempted by federal law.
6.6 Independent capacity
Nothing in this BAA is intended to create a partnership, joint venture, agency, or employment relationship between the Parties.
6.7 Notices
Notices required under this BAA will be sent to the addresses set forth in the Underlying Agreement, with a copy of any breach or compliance notice to hello@saplinghealth.com.