Business Associate Agreement
Last updated: April 24, 2026 · Effective: April 24, 2026
This Business Associate Agreement (“BAA”) takes effect when a healthcare provider (a “Covered Entity” or, if acting for another Covered Entity, a “Business Associate”) creates a LittleClouds account and accepts these terms as part of signup, or when the parties sign a counterpart of this BAA in writing. The latest version in effect between the parties governs. If you would like a countersigned copy with your legal name on the face page, email legal@littleclouds.app.
This BAA is between [LEGAL ENTITY NAME] (“Business Associate” or “LittleClouds”) and the entity identified in the associated LittleClouds account as the customer (“Covered Entity”). It is incorporated into and supplements the Terms of Service between the parties (the “Underlying Agreement”). Capitalized terms not defined here have the meanings in the HIPAA Rules.
1. Definitions
“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164, as amended.
“PHI” (Protected Health Information) means information as defined in 45 C.F.R. § 160.103, limited to the PHI that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity in connection with the Services.
“Electronic PHI” (ePHI), “Breach”, “Individual”, “Required by Law”, “Secretary”, “Subcontractor”, and other capitalized terms have the meanings in the HIPAA Rules.
2. Permitted uses & disclosures
Business Associate may use or disclose PHI only as necessary to perform the Services described in the Underlying Agreement, as permitted or required by this BAA, or as Required by Law. In addition, Business Associate may:
- Use PHI for the proper management and administration of Business Associate or to carry out Business Associate's legal responsibilities, provided the disclosure is Required by Law, or Business Associate obtains reasonable assurances from the recipient that the information will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient will notify Business Associate of any breach of confidentiality;
- Disclose PHI for the proper management and administration of Business Associate, subject to the conditions above;
- Provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B); and
- De-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c); de-identified information is not PHI and may be used and disclosed by Business Associate without restriction. Business Associate does not use PHI to train generalized machine-learning or artificial-intelligence models, and does not use PHI for marketing or sell PHI.
Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted by this Section 2.
3. Obligations of Business Associate
Business Associate will:
- Not use or further disclose PHI other than as permitted or required by this BAA or as Required by Law;
- Use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA;
- Mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this BAA;
- Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules;
- To the extent Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, comply with the requirements that apply to Covered Entity in performing that obligation;
- Limit uses, disclosures, and requests of PHI to the minimum necessary consistent with applicable HHS guidance.
4. Safeguards
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI as required by the Security Rule (45 C.F.R. Part 164, Subpart C). Current safeguards include, without limitation:
- Encryption of ePHI in transit using TLS, and encryption of data at rest through our infrastructure providers;
- Identity and access management with per-Practice isolation, enforced by row-level security in the database layer;
- Audit logging of access to records, and periodic review of administrative access;
- Least-privilege access controls for Business Associate personnel, with access to production systems limited to the minimum necessary and revoked promptly at offboarding;
- Vulnerability management, secure software development practices, and periodic dependency and configuration review;
- Written workforce confidentiality and security policies.
5. Subcontractors
Business Associate will, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate with respect to such information. Business Associate maintains a current list of Subcontractors that handle PHI in the subprocessor list of its Privacy Policy and will provide reasonable advance notice of material changes so Covered Entity may object.
6. Reporting & breach notification
Business Associate will:
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Security Incident of which it becomes aware. The parties agree that, to avoid unnecessary burden on Covered Entity, unsuccessful Security Incidents (for example, pings on a firewall, port scans, and other unsuccessful attempts at unauthorized access) are reported in the aggregate by this Section; successful Security Incidents and any incident resulting in unauthorized access to or acquisition of PHI will be reported individually;
- Following discovery, notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than sixty (60) calendar days after discovery. The notification will, to the extent then known, include: (i) identification of each Individual whose PHI was or is reasonably believed to have been breached; (ii) a description of what happened; (iii) the types of PHI involved; (iv) steps Individuals should take; and (v) a description of Business Associate's mitigation and investigation;
- Cooperate reasonably with Covered Entity's investigation and required notifications to Individuals, the Secretary, and the media, as applicable under 45 C.F.R. §§ 164.404–408.
7. Individual rights support
Business Associate will:
- Make PHI in a Designated Record Set available to Covered Entity (and, to the extent directed by Covered Entity, to the Individual) as necessary for Covered Entity to respond to access requests under 45 C.F.R. § 164.524;
- Make PHI in a Designated Record Set available for amendment, and incorporate amendments to PHI, as directed by Covered Entity, as necessary to satisfy 45 C.F.R. § 164.526;
- Document and make available to Covered Entity the information needed to provide an accounting of disclosures as required by 45 C.F.R. § 164.528.
Requests from Individuals directed to Business Associate will be forwarded to Covered Entity for handling. Business Associate will not respond to an Individual directly unless directed in writing by Covered Entity.
8. Obligations of Covered Entity
Covered Entity will:
- Provide its Notice of Privacy Practices to Individuals as required by 45 C.F.R. § 164.520, and notify Business Associate of any limitation in the Notice that may affect Business Associate's use or disclosure of PHI;
- Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's use or disclosure of PHI;
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, if such restriction affects Business Associate's use or disclosure of PHI;
- Not request Business Associate to use or disclose PHI in a manner that would not be permitted by the HIPAA Rules if done by Covered Entity, except as permitted for Data Aggregation or management and administration of Business Associate, or as Required by Law.
9. Term & termination
This BAA takes effect on the date Covered Entity first accepts it, and continues until the Underlying Agreement ends or this BAA is otherwise terminated.
Termination for material breach. Upon either party's knowledge of a material breach by the other, the non-breaching party may: (a) provide an opportunity to cure the breach, and terminate this BAA and the Underlying Agreement if the breaching party does not cure within thirty (30) days; or (b) immediately terminate if cure is not feasible. If neither termination nor cure is feasible, the non-breaching party will report the violation to the Secretary.
10. Return or destruction of PHI
On termination of this BAA, Business Associate will, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains, and will retain no copies. Covered Entity may export its data through the Services prior to termination.
If return or destruction is not feasible (for example, with respect to PHI residing in system backups), Business Associate will extend the protections of this BAA to that PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible for so long as Business Associate maintains the PHI.
11. Miscellaneous
- Regulatory changes. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary to comply with the requirements of the HIPAA Rules.
- Interpretation. Any ambiguity in this BAA will be resolved in favor of a meaning that permits compliance with the HIPAA Rules. In the event of a conflict between this BAA and the Underlying Agreement with respect to PHI, this BAA controls.
- No third-party beneficiaries. Nothing in this BAA is intended to confer any rights on any person other than the parties.
- Survival. Sections 6, 7, 10, and 11 survive termination of this BAA.
- Governing law. Governing law and dispute resolution follow the Underlying Agreement.
- Notices. Notices to Business Associate should be sent to legal@littleclouds.app and to [BUSINESS ADDRESS]. Notices to Covered Entity will be sent to the email address on the LittleClouds account.
By clicking “I agree,” creating an account, or otherwise using the Services to store or process PHI, the parties acknowledge and accept this BAA.