← Home

Business Associate Agreement

Syncroly Inc.

Effective March 11, 2026

This Business Associate Agreement (“Agreement”) is entered into by and between the Covered Entity identified at account registration and Syncroly Inc. (“Business Associate”). This Agreement is effective as of the date on which Covered Entity electronically accepts this Agreement or begins using Business Associate’s Services, whichever occurs first (the “Effective Date”).

Table of Contents

Recitals

WHEREAS, Business Associate provides a HIPAA-compliant referral coordination platform (the “Services”) that enables Covered Entity to create, send, and manage healthcare referrals electronically;

WHEREAS, in the course of providing the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity;

WHEREAS, the Parties intend to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, the “HIPAA Rules”);

NOW, THEREFORE, in consideration of the mutual promises contained herein, the Parties agree as follows:

Article 1 — Definitions

1.1 Unless otherwise defined herein, all capitalized terms — including “Breach,” “Covered Entity,” “Business Associate,” “Designated Record Set,” “Electronic Protected Health Information” (“ePHI”), “Required by Law,” “Security Incident,” “Subcontractor,” and “Unsecured Protected Health Information” — shall have the meanings assigned to them under the HIPAA Rules, including 45 CFR § 160.103, § 164.304, § 164.402, and § 164.501.

1.2 “Individual” shall have the meaning given in 45 CFR § 160.103 and includes a person who qualifies as a personal representative under 45 CFR § 164.502(g).

1.3 “Protected Health Information” or “PHI” shall have the meaning given in 45 CFR § 160.103, limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.

1.4 “Services” shall mean the referral coordination platform and related services provided by Business Associate to Covered Entity, as described in the underlying service agreement between the Parties (the “Service Agreement”) and in Exhibit B.

Article 2 — Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate is permitted to use and disclose PHI as necessary to perform the Services under the Service Agreement, subject to the limitations of this Agreement.

2.2 Prohibited Uses and Disclosures

Business Associate shall not:

  • (a) Use or disclose PHI for marketing purposes without prior written authorization from the Individual, except as permitted under 45 CFR § 164.508(a)(3);
  • (b) Sell PHI, as defined under 45 CFR § 164.502(a)(5)(ii), without prior written authorization from the Individual;
  • (c) Use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted under Section 2.3.

2.3 Permitted Uses for Business Associate’s Own Operations

Unless otherwise limited by this Agreement, Business Associate may:

  • (a) Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities;
  • (b) Disclose PHI for the proper management and administration of Business Associate, provided that: (i) the disclosures are Required by Law; or (ii) Business Associate obtains reasonable assurances from the recipient that the information will be held confidentially, used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient will notify Business Associate of any breaches of confidentiality;
  • (c) Use PHI to provide data aggregation services relating to the healthcare operations of Covered Entity, as permitted by 45 CFR § 164.504(e)(2)(i)(B);
  • (d) De-identify PHI in accordance with 45 CFR § 164.514(a)-(c), provided such de-identification is performed in compliance with the HIPAA Rules.

2.4 Minimum Necessary Standard

Business Associate shall limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and § 164.514(d).

2.5 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). Specific platform security measures are described in Article 5.

2.6 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement, in accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2). Business Associate shall remain responsible for compliance by its Subcontractors. Current Subcontractors are listed in Exhibit A.

2.7 Access to PHI by Individuals

Business Associate shall make PHI maintained in a Designated Record Set available to Covered Entity, or at Covered Entity’s direction to an Individual, in accordance with 45 CFR § 164.524, within fifteen (15) business days of a written request. Where ePHI is maintained electronically, Business Associate shall provide it in the electronic form and format requested, if readily producible, or in a mutually agreed-upon alternative format.

2.8 Amendment of PHI

Business Associate shall make PHI maintained in a Designated Record Set available for amendment and shall incorporate amendments directed by Covered Entity, in accordance with 45 CFR § 164.526, within fifteen (15) business days of a written request.

2.9 Accounting of Disclosures

Business Associate shall document disclosures of PHI as required under 45 CFR § 164.528 and shall provide such documentation to Covered Entity within thirty (30) days of a written request. Documentation shall include: (i) the date of disclosure; (ii) the name and, if known, address of the recipient; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure.

2.10 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules, in accordance with 45 CFR § 164.504(e)(2)(ii)(H).

2.11 Mitigation

Business Associate agrees to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI in violation of this Agreement.

Article 3 — Breach Notification

3.1 Notification Obligation

Business Associate shall report to Covered Entity any Breach of Unsecured Protected Health Information, any Security Incident, and any use or disclosure of PHI not permitted under this Agreement, of which Business Associate becomes aware.

3.2 Timing of Notification

Business Associate shall provide notification to Covered Entity without unreasonable delay, and in no case later than fifteen (15) business days after discovery of a Breach. A Breach shall be treated as discovered as of the first day on which it is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.

3.3 Content of Notification

The Breach notification shall include, to the extent reasonably available:

  • (a) Identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
  • (b) A description of what happened, including the date of the Breach and the date of discovery;
  • (c) A description of the types of Unsecured PHI involved;
  • (d) Any steps the Individual should take to protect themselves from potential harm;
  • (e) A description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against further Breaches;
  • (f) Contact information for Business Associate’s designated privacy or security officer.

Business Associate shall supplement the notification promptly as additional information becomes available.

3.4 Security Incidents

Business Associate shall report Security Incidents to Covered Entity within five (5) business days of discovery. The Parties acknowledge that unsuccessful Security Incidents (such as pings, port scans, unsuccessful log-in attempts, or denial-of-service attacks that do not result in unauthorized access, use, or disclosure of PHI) occur routinely and that no additional notification is required for such unsuccessful incidents beyond this acknowledgment.

3.5 Cooperation

Business Associate shall cooperate with Covered Entity in the investigation of any Breach, including providing reasonable access to records and personnel, and shall cooperate in meeting Covered Entity’s obligations under 45 CFR §§ 164.404–164.408.

3.6 Preservation of Evidence

In the event of a Breach or Security Incident, Business Associate shall preserve relevant forensic evidence, audit logs, and access records for a minimum of six (6) years or such longer period as required by law.

Article 4 — Obligations of Covered Entity

4.1 Permissions

Covered Entity shall inform Business Associate of any limitations in its notice of privacy practices under 45 CFR § 164.520 that may affect Business Associate’s use or disclosure of PHI.

4.2 Restrictions

Covered Entity shall inform Business Associate of any changes in, or revocation of, an Individual’s permission to use or disclose PHI, to the extent such changes affect Business Associate’s obligations.

4.3 Impermissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as permitted under Section 2.3.

4.4 Authorizations and Consents

Covered Entity is responsible for obtaining any consents, authorizations, or other permissions required under the HIPAA Rules or applicable state law for the disclosure of PHI to Business Associate.

Article 5 — Security Standards

5.1 Security Rule Compliance

Business Associate shall comply with the applicable requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C), including the administrative, physical, and technical safeguard standards and implementation specifications.

5.2 Platform Security Measures

Business Associate represents that its platform incorporates the following security measures:

  • (a) Encryption: AES-256 encryption for data at rest (provided by infrastructure); TLS 1.2 or higher for data in transit; application-layer field-level encryption (AES-256-GCM) for designated high-risk data elements including free-text clinical notes and public form submission snapshots; structured PHI additionally protected by database-level encryption at rest, tenant isolation, consent gating, and role-based access controls.
  • (a-1) Data Residency: All Customer Data, including PHI, is stored and processed within the United States. Business Associate shall not transfer PHI outside the United States without prior written consent of Covered Entity.
  • (b) Access Controls: Role-based access control; tenant-scoped data isolation; token-based access for referral views with expiration enforcement.
  • (c) Authentication: Secure password hashing; session management with secure cookie handling.
  • (d) Audit Logging: Activity logging for sensitive operations including referral access, consent events, and data modifications.
  • (e) Data Isolation: Logical multi-tenant isolation enforced at the database query level, ensuring tenant-scoped data access.
  • (f) Infrastructure: Hosted on infrastructure providers that maintain their own HIPAA compliance programs and BAAs (listed in Exhibit A).

5.3 Risk Assessments

Business Associate shall conduct periodic risk assessments in accordance with 45 CFR § 164.308(a)(1)(ii)(A) and shall address identified risks in a timely manner.

5.4 Compliance Verification

Upon reasonable written request (no more than once per twelve (12)-month period, unless a Breach has occurred), Business Associate shall provide Covered Entity with a summary of its most recent security risk assessment, evidence of security controls relevant to the protection of PHI, and any available third-party compliance reports or certifications. Business Associate may satisfy this requirement through provision of a standardized security questionnaire or compliance report.

Article 6 — Term and Termination

6.1 Term

This Agreement shall become effective on the Effective Date and shall remain in effect for the duration of the Service Agreement. If the Service Agreement does not specify a termination date, this Agreement shall remain in effect until all PHI is destroyed or returned, or protections are extended in accordance with Section 6.5.

6.2 Termination for Cause

Either Party may terminate this Agreement if the other Party materially breaches any provision and fails to cure within thirty (30) days of written notice. If cure is not feasible, the non-breaching Party may terminate immediately upon written notice.

6.3 Termination by Covered Entity

Covered Entity may terminate this Agreement and the Service Agreement immediately upon written notice if Business Associate has engaged in a pattern of material violation of this Agreement or has failed to comply with applicable provisions of the HIPAA Rules.

6.4 Effect of Termination

Termination of this Agreement shall constitute grounds for termination of the Service Agreement. Termination of the Service Agreement shall trigger the obligations set forth in Section 6.5.

6.5 Return or Destruction of PHI

Upon termination, Business Associate shall:

  • (a) If feasible, return or destroy all PHI received from, or created on behalf of, Covered Entity within sixty (60) days of termination and provide written certification of destruction;
  • (b) If return or destruction is not feasible, extend the protections of this Agreement to such PHI and limit further uses and disclosures to the purposes that make return or destruction not feasible;
  • (c) Retain no copies of PHI except as necessary under subsection (b) or as Required by Law.

6.6 Survival

The obligations under this Article and under Articles 2, 3, and 5 shall survive termination with respect to any PHI that Business Associate retains.

Article 7 — Limitation of Liability

7.1 NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE FORM OF ACTION OR THEORY OF LIABILITY.

7.2 EXCEPT IN CASES OF WILLFUL MISCONDUCT OR GROSS NEGLIGENCE, BUSINESS ASSOCIATE’S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED THE FEES PAID BY COVERED ENTITY UNDER THE SERVICE AGREEMENT DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. IF NO FEES HAVE BEEN PAID UNDER THE SERVICE AGREEMENT DURING SUCH PERIOD (INCLUDING WHERE COVERED ENTITY IS USING A FREE TIER), BUSINESS ASSOCIATE’S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED ONE HUNDRED DOLLARS ($100).

7.3 THE LIMITATIONS IN THIS ARTICLE SHALL NOT APPLY TO EITHER PARTY’S OBLIGATIONS UNDER APPLICABLE LAW, INCLUDING THE HIPAA RULES, WHICH ARE ENFORCED BY THE U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES AND ARE NOT WAIVABLE BY CONTRACT.

Article 8 — Miscellaneous

8.1 Regulatory References

Any reference in this Agreement to a provision of the HIPAA Rules shall mean such provision as in effect or as amended.

8.2 Amendment

This Agreement may not be amended except by written instrument signed by both Parties, or by Business Associate posting an updated version with at least thirty (30) days’ notice to Covered Entity. The Parties agree to amend this Agreement in good faith as necessary to comply with changes in the HIPAA Rules or applicable law.

8.3 Interpretation

Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. In the event of conflict, the HIPAA Rules shall control.

8.4 No Third-Party Beneficiaries

Nothing in this Agreement shall confer rights or remedies upon any person other than the Parties and their respective successors and permitted assigns.

8.5 Waiver

Failure to enforce any provision shall not constitute a waiver of the right to enforce that or any other provision.

8.6 Severability

If any provision is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

8.7 Entire Agreement

This Agreement, together with the Service Agreement and any exhibits hereto, constitutes the entire agreement between the Parties with respect to its subject matter and supersedes all prior understandings.

8.8 Governing Law

This Agreement shall be governed by federal law, including the HIPAA Rules. To the extent state law applies, this Agreement shall be governed by the laws of the State of Delaware, without regard to conflict of laws principles.

8.9 Notices

All notices under this Agreement shall be in writing and deemed given when sent by confirmed email.

To Covered Entity: The email address provided at account registration or as subsequently updated in Covered Entity’s account settings.

To Business Associate:

Syncroly Inc.

Attn: Privacy Officer

privacy@syncroly.co

8.10 Dispute Resolution

The Parties shall make good faith efforts to resolve any dispute arising under this Agreement informally before pursuing formal remedies.

8.11 Electronic Acceptance

By electronically accepting this Agreement — whether by clicking “I agree,” checking an acceptance box, or by using the Services — Covered Entity agrees that this Agreement is legally binding and enforceable with the same force and effect as a handwritten signature, in accordance with the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) and applicable state law. Business Associate shall maintain a timestamped record of acceptance.

8.12 Assignment

Neither Party may assign or transfer this Agreement without the prior written consent of the other Party, except that Business Associate may assign this Agreement without consent in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets, provided the assignee agrees in writing to be bound by the terms of this Agreement.

Exhibit A — Subcontractors

The following Subcontractors may create, receive, maintain, or transmit PHI on behalf of Business Associate in connection with the Services. Business Associate maintains BAAs with each listed Subcontractor.

SubcontractorServicePHI Access
Vercel (Cleveland, Ohio)Application hostingePHI in transit and at rest
Neon / AWS (US)Database hosting (PostgreSQL)ePHI at rest
AWS S3 (us-east-1, Virginia)File storageReferral attachments
Postmark (US)Transactional emailRecipient email addresses, message content (no PHI in message bodies per policy)
Twilio (US)SMS notificationsPhone numbers, message content (no PHI in message bodies per policy)

Business Associate shall update this Exhibit upon adding or changing Subcontractors that may have access to PHI, and shall notify Covered Entity of any such changes within thirty (30) days.

Exhibit B — Description of Services

Business Associate provides the following Services to Covered Entity:

  1. Referral Coordination Platform — A web-based application enabling Covered Entity to create, send, track, and manage healthcare referrals electronically.
  2. Secure Patient Access Links — Token-based, time-limited links for patients to view referral information and provide HIPAA consent.
  3. Secure Provider Access Links — Token-based, time-limited links for receiving providers to view referral details after patient consent.
  4. Audit Trail and Activity Logging — Recording of all access, consent, and modification events related to referrals.
  5. Referral Status Tracking — Lifecycle management of referrals (Sent, Viewed, Booked, Stale).

Categories of PHI Involved

  • Patient demographics (name, date of birth, contact information)
  • Referral notes and clinical context
  • Category-specific clinical data (e.g., dental charting, mental health risk assessments)
  • Provider contact and practice information
  • Consent records and timestamps

For information about our terms of use, see our Terms of Service. For our data practices, see our Privacy Policy.

Business Associate Agreement | Syncroly