Sentinel Risk Group, LLC — Business Associate Agreement

Version: 1.0 · Effective on: the date of electronic execution by Customer (the "Effective Date") · Form of execution: electronic, via this page · Sentinel counterpart: pre-executed by Sentinel Risk Group, LLC.

Recitals

WHEREAS, Customer ("Covered Entity") is a healthcare practice, clinic, hospital system, or other healthcare delivery organization that may, in the course of its operations, create, receive, maintain, or transmit Protected Health Information as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and the regulations promulgated thereunder at 45 C.F.R. Parts 160 and 164 (collectively, the "HIPAA Rules");

WHEREAS, Sentinel Risk Group, LLC ("Business Associate" or "Sentinel") provides AI governance evaluation, certification, behavioral-health overlay, and related advisory Services to healthcare organizations (the "Services") pursuant to its published Master Terms of Service and applicable Schedules thereto (the "Master Terms," as in effect from time to time at sentinelriskgrp.com/terms/);

WHEREAS, the Services are expressly engineered to operate without flow of Protected Health Information to Sentinel (Master Terms § H.8);

WHEREAS, Sentinel's position is that, as so designed, the Services do not cause Sentinel to create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity, and accordingly that Sentinel is not, in fact, a Business Associate of Covered Entity within the meaning of 45 C.F.R. § 160.103;

WHEREAS, Covered Entity's privacy officer or compliance program may nevertheless require a signed Business Associate Agreement as a procurement, documentation, or compliance gating condition;

WHEREAS, the Parties enter into this Business Associate Agreement (this "Agreement") out of an abundance of caution and to satisfy such procurement and compliance documentation requirements of Covered Entity, without conceding that Sentinel is, in fact, a Business Associate of Covered Entity under HIPAA, and on the conditions and with the reservations expressly set forth herein;

NOW, THEREFORE, in consideration of the mutual covenants and conditions herein and for other good and valuable consideration, the Parties agree as follows:

1. Definitions

1.1 Capitalized terms used herein and not otherwise defined have the meanings set forth in the HIPAA Rules, including 45 C.F.R. §§ 160.103, 164.103, 164.304, 164.402, 164.501, and 164.504.

1.2 "PHI" means Protected Health Information as defined at 45 C.F.R. § 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity in performance of the Services. "ePHI," "Breach," "Designated Record Set," "Required by Law," "Security Incident," and "Subcontractor" carry the meanings set forth in the HIPAA Rules.

2. Scope; Conditional Application of Operative Obligations

2.1 Scope. The operative obligations of this Agreement attach only with respect to PHI, if any, that Business Associate actually creates, receives, maintains, or transmits in performance of the Services. Business Associate does not, in the ordinary course of the Services, create, receive, maintain, or transmit PHI from Covered Entity.

2.2 Covered Entity covenant. Covered Entity acknowledges that the Services are designed to operate without PHI flow and agrees to provide only de-identified, synthetic, or otherwise non-PHI information to Business Associate in connection with the Services.

2.3 No expansion. This Agreement does not expand the scope of the Services or alter the Master Terms.

3. Permitted Uses and Disclosures of PHI

3.1 Performance of Services. Business Associate may use and disclose PHI, if any, only as necessary to perform the Services.

3.2 Management and administration; legal responsibilities. Business Associate may use PHI for its proper management and administration and to carry out its legal responsibilities, and may disclose PHI for such purposes if Required by Law or under reasonable confidentiality assurances per 45 C.F.R. § 164.504(e)(4).

3.3 Data aggregation services. Business Associate may provide data aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

3.4 De-identification. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c).

3.5 No other use or disclosure. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the Services, or as Required by Law.

4. Safeguards

4.1 Business Associate shall use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to any ePHI it actually creates, receives, maintains, or transmits.

4.2 Consistent with Master Terms § H.8, any PHI that may inadvertently reach Business Associate's systems is (a) encrypted at rest (AES-256) and in transit (TLS 1.2+); (b) isolated in a quarantine repository with documented need-to-know access; (c) retained only for the minimum necessary review period and destroyed thereafter via industry-standard secure-deletion; (d) covered by the executed Amazon Web Services BAA with respect to the fallback quarantine bucket per 45 C.F.R. § 164.502(e)(1)(ii); and (e) accessible only to workforce who complete annual HIPAA training.

4.3 Minimum necessary. Business Associate shall limit its uses, disclosures, and requests of PHI to the minimum necessary, in accordance with 45 C.F.R. § 164.502(b).

5. Reporting and Notification

5.1 Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including Breaches of unsecured PHI and Security Incidents, within sixty (60) calendar days of discovery, in accordance with 45 C.F.R. § 164.410.

5.2 The report shall include, to the extent known: nature of the incident, categories of PHI involved, identity of affected individuals, mitigation steps, and contact procedures.

5.3 Unsuccessful Security Incidents (pings, port scans, probes) are deemed reported by this Section.

6. Subcontractors

6.1 Flow-down. Per 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate ensures any Subcontractor that actually creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to substantially the same restrictions, conditions, and obligations applicable to Business Associate.

6.2 Subcontractor list (informational). Most listed do not handle PHI in the ordinary course of the Services. The list is provided for transparency: Amazon Web Services, Inc.; Postmark (ActiveCampaign LLC); Make.com (Celonis SE); Anthropic, PBC; Stripe, Inc.; Cloudflare, Inc. Updated from time to time; current list available on written request.

7. Access; Amendment; Accounting

7.1 To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will, within thirty (30) days of written request, provide access (§ 164.524), make amendments as Covered Entity directs (§ 164.526), and provide accounting documentation (§ 164.528).

7.2 HHS access. Business Associate shall make internal practices, books, and records relating to use and disclosure of PHI received from Covered Entity available to the Secretary of HHS for compliance determination.

8. Term and Termination

8.1 Term. Effective on the Effective Date; continues until terminated or until the underlying Services conclude.

8.2 Termination for breach. Either Party may terminate on 30 days' notice of uncured material breach; if neither cure nor termination is feasible, the non-breaching Party may report per 45 C.F.R. § 164.504(e)(1)(iii).

8.3 Return or destruction. Business Associate shall, upon termination, return or destroy PHI; retain no copies; and, where infeasible, extend protections of this Agreement to retained PHI and limit further use to that purpose.

9. Indemnification

9.1 Indemnification obligations for PHI handling are governed by, and limited as set forth in, § 9 of the Master Terms and applicable Schedule. Business Associate's aggregate liability is limited per the Master Terms.

10. Reservation of Position

10.1 Reservation. Neither this Agreement nor its execution shall be construed as Business Associate's admission, acknowledgment, or concession that it is a Business Associate of Covered Entity under HIPAA in fact. The Parties acknowledge that the Services are designed to operate without PHI flow to Business Associate and that Business Associate maintains the position that, as so designed, it is not a Business Associate of Covered Entity within the meaning of 45 C.F.R. § 160.103.

10.2 Without prejudice. This Agreement is executed without prejudice to Business Associate's position. Operative obligations apply only to the extent (if any) that Business Associate is determined by a regulator or court of competent jurisdiction to be a Business Associate in fact.

10.3 No waiver. Nothing herein waives Business Associate's position in any administrative, regulatory, or judicial proceeding.

11. Miscellaneous

11.1 Regulatory amendment. Upon enactment or promulgation affecting business-associate obligations under HIPAA, the Parties shall negotiate in good faith to amend.

11.2 Interpretation. Any ambiguity shall be resolved to permit compliance with the HIPAA Rules.

11.3 Survival. Sections 5, 7, 8.3, 9, and 10 survive termination.

11.4 Governing law and venue. This Agreement is governed by Florida law (without regard to its conflict-of-laws principles) and the federal HIPAA Rules; venue and dispute resolution are as set forth in the Master Terms.

11.5 Counterparts; electronic signature. Electronic execution is valid and binding under the federal E-SIGN Act (15 U.S.C. § 7001) and the Florida Uniform Electronic Transaction Act (F.S. § 668.50).

11.6 Entire agreement; no modification. This Agreement, together with the Master Terms and applicable Schedule(s), constitutes the entire agreement between the Parties with respect to PHI handling. Modifications require electronic execution through this page or a subsequent writing signed by both Parties.

11.7 Notices. To Business Associate: Sentinel Risk Group, LLC, 1125 N. Chickasaw Trail, Orlando, FL 32825, USA, marked "Attn: BAA Notice." To Covered Entity: the email address provided at execution.

Execution

Business Associate: Sentinel Risk Group, LLC. By: Authorized Signatory (pre-executed at template level). Title: Authorized Signatory.

Covered Entity: as recorded by the form below.