BAA Template

Business Associate Agreement — Template (Draft)

This BAA template is provided for procurement discussion only. Final terms require review by counsel for both parties before execution. Tessara’s metadata-only architecture may make a BAA technically inapplicable; see Architecture Disclosure below. BAA execution is offered nonetheless as defense-in-depth.


Architecture Disclosure

Tessara’s product is metadata-only. Tessara reads only the public /metadata endpoint (the FHIR CapabilityStatement) of target APIs, which describes the structural shape of the API — resources supported, operations available, search parameters declared, security posture announced — and contains no patient data. Tessara does not access, intercept, transmit, store, or process FHIR resource payloads, patient identifiers, clinical records, claims, eligibility, or any other category of Protected Health Information (PHI) as defined at 45 CFR §160.103. Under a strict reading of the HIPAA Privacy Rule, an entity that never creates, receives, maintains, or transmits PHI on behalf of a Covered Entity is arguably not a Business Associate. This BAA is offered as defense-in-depth so that, if at any point Tessara’s architecture is extended such that PHI custody could arise, the contractual obligations attach automatically and the parties have a pre-negotiated framework in place.


1. Definitions

Terms used in this Agreement have the meanings set forth in the HIPAA Privacy, Security, and Breach Notification Rules at 45 CFR Parts 160 and 164. In addition:

  • “Business Associate” means Tessara, Inc. (a Delaware corporation, in formation).
  • “Covered Entity” means [Counterparty Payer Legal Name].
  • “PHI” has the meaning given at 45 CFR §160.103 and refers to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity, if any.
  • “Effective Date” means [YYYY-MM-DD].
  • “Services” means the structural FHIR API conformance monitoring services described in the Master Service Agreement between the parties dated [YYYY-MM-DD].
  • “Security Incident” has the meaning given at 45 CFR §164.304.
  • “Breach” has the meaning given at 45 CFR §164.402.

2. Permitted Uses and Disclosures

Business Associate may use and disclose PHI only as necessary to perform the Services. The Services consist of the following metadata-only operations:

  • Issuing unauthenticated HTTP GET requests to Covered Entity’s public FHIR /metadata and CapabilityStatement endpoints.
  • Parsing the returned CapabilityStatement into structural drift categories per the canonical 6-category taxonomy.
  • Computing SHA-256 hashes of canonicalized structural metadata (RFC 8785 JCS canonicalization).
  • Generating Ed25519-signed conformance verdicts over the structural records.
  • Storing structural records, hashes, and signed verdicts in a local SQLite database on Covered Entity’s infrastructure or in Business Associate’s monitoring infrastructure as agreed under the Services.
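The canonicalization and hashing steps listed above, as an added example that is not Tessara's code: it applies RFC 8785 (JCS) rules to a CapabilityStatement, fingerprints the result with SHA-256, and reports search-parameter drift between two snapshots. The CapabilityStatements are constructed and minimal, the set of "volatile" fields excluded from the hash is this example's assumption, and the Ed25519 signing of the verdict is not shown.

```python
# Added example, not Tessara's code: JCS (RFC 8785) canonicalization, SHA-256
# fingerprint and a search-parameter drift check over a CapabilityStatement.
import hashlib
import json

# Fields that change per build or deployment without changing the API's
# shape; excluding them is this example's assumption, not a FHIR rule.
VOLATILE_FIELDS = {"id", "meta", "date", "text", "software", "implementation"}

def _reject_floats(value) -> None:
    # JCS prints numbers with ES6 Number.toString rules, which json.dumps does
    # not follow, so floats are refused rather than serialized wrongly.
    if isinstance(value, float):
        raise ValueError("float values require ES6 number formatting")
    if isinstance(value, dict):
        for v in value.values():
            _reject_floats(v)
    elif isinstance(value, list):
        for v in value:
            _reject_floats(v)

def jcs_canonicalize(value) -> bytes:
    """RFC 8785 form for float-free JSON: keys sorted, no whitespace, non-ASCII
    left unescaped. JCS orders keys by UTF-16 code units; Python sorts by code
    point, which agrees for every key outside the supplementary planes."""
    _reject_floats(value)
    return json.dumps(value, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def structural_hash(capability: dict) -> str:
    """SHA-256 over the canonical form of the non-volatile fields."""
    structural = {k: v for k, v in capability.items() if k not in VOLATILE_FIELDS}
    return hashlib.sha256(jcs_canonicalize(structural)).hexdigest()

def declared_search_params(capability: dict) -> set:
    """(resource type, search parameter name) pairs the server declares."""
    pairs = set()
    for rest in capability.get("rest", []):
        for res in rest.get("resource", []):
            for sp in res.get("searchParam", []):
                pairs.add((res["type"], sp["name"]))
    return pairs

def removed_search_params(old: dict, new: dict) -> set:
    """Search parameters declared in old that new no longer declares."""
    return declared_search_params(old) - declared_search_params(new)

# Constructed minimal CapabilityStatements, not captured from any server.
SNAPSHOT_1 = {
    "resourceType": "CapabilityStatement",
    "date": "2024-01-01",
    "fhirVersion": "4.0.1",
    "rest": [{"mode": "server",
              "security": {"service": [{"coding": [{"code": "SMART-on-FHIR"}]}]},
              "resource": [{"type": "Patient",
                            "interaction": [{"code": "read"}, {"code": "search-type"}],
                            "searchParam": [{"name": "_id", "type": "token"},
                                            {"name": "birthdate", "type": "date"}]}]}],
}
# Same API shape after a rebuild: new date, object keys in a different order.
SNAPSHOT_1_REBUILT = {
    "fhirVersion": "4.0.1",
    "rest": [{"resource": [{"searchParam": [{"type": "token", "name": "_id"},
                                            {"type": "date", "name": "birthdate"}],
                            "interaction": [{"code": "read"}, {"code": "search-type"}],
                            "type": "Patient"}],
              "security": {"service": [{"coding": [{"code": "SMART-on-FHIR"}]}]},
              "mode": "server"}],
    "date": "2024-02-15",
    "resourceType": "CapabilityStatement",
}
# Structural drift: the birthdate search parameter was dropped.
SNAPSHOT_2 = json.loads(json.dumps(SNAPSHOT_1))
SNAPSHOT_2["rest"][0]["resource"][0]["searchParam"].pop()
```

Because JCS leaves array order alone, a server that merely reorders its `searchParam` array will produce a different hash; the drift check compares declared sets so that it flags only a parameter that is actually gone.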

Business Associate does not use, disclose, or retain PHI in any operation. Business Associate shall not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.

3. Required Safeguards

Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect any PHI it may create, receive, maintain, or transmit on behalf of Covered Entity. Specific controls include:

  • Transport security: TLS 1.2 or higher for all outbound probes and dashboard API endpoints.
  • Encryption at rest: AES-256 encryption for any persistent state containing potentially sensitive records.
  • Access controls: API key and JWT-based authentication for the dashboard API; CORS origin restrictions enforced; wildcard origins rejected in production.
  • Audit logging: Append-only audit log of all probe operations and verdict generations, chained via SHA-256 hash so any modification is detectable (Structural Contract Model hash chain).
  • Workforce training: Annual HIPAA Privacy and Security Rule training for all workforce members with any access to systems that process counterparty data.
  • SSRF defense: Three-layer protection (URL validation, DNS resolution check, private-IP block list) on all outbound probes.
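The SSRF defense and the hash-chained audit log from the list above, as an added example that is not Tessara's code: a probe target passes URL validation, DNS resolution and a private-IP block list in that order, and every decision is appended to a log whose entries are chained with SHA-256 so that rewriting an earlier entry is detected. The DNS table, host names and addresses are constructed, the resolver is injectable so the example runs offline, and no HTTP request is actually sent.

```python
# Added example, not Tessara's code: three-layer SSRF guard feeding a
# SHA-256-chained audit log. Resolver is injectable so it runs offline.
import hashlib
import ipaddress
import json
import socket
from urllib.parse import urlsplit

GENESIS = "0" * 64  # link value for the first audit entry

class ProbeRejected(Exception):
    """A target failed one of the SSRF layers."""

def _blocked(ip) -> bool:
    # RFC 1918, loopback, link-local (incl. 169.254.169.254 metadata
    # services), CGNAT, reserved and IPv4-mapped IPv6 are all non-global.
    return (not ip.is_global) or ip.is_multicast

def validate_probe_target(url: str, resolver=socket.getaddrinfo) -> list:
    """Return the vetted addresses for url or raise ProbeRejected."""
    # Layer 1, URL validation: https only, no embedded credentials, and only
    # the /metadata path that the Services are permitted to read.
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ProbeRejected(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ProbeRejected("missing host or credentials embedded in URL")
    if parts.path.rstrip("/").split("/")[-1] != "metadata":
        raise ProbeRejected("only the /metadata endpoint may be probed")
    # Layer 2, DNS resolution: resolve every answer now; the HTTP client must
    # connect to one of these vetted addresses, not resolve again (rebinding).
    try:
        infos = resolver(parts.hostname, parts.port or 443,
                         proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ProbeRejected(f"DNS resolution failed: {exc}") from exc
    addresses = sorted({info[4][0] for info in infos})
    # Layer 3, private-IP block list: checked on every resolved address.
    for addr in addresses:
        if _blocked(ipaddress.ip_address(addr)):
            raise ProbeRejected(f"{parts.hostname} resolves to blocked {addr}")
    return addresses

def _entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    body = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()

def audit_append(entries: list, event: dict) -> str:
    """Append-only log: each hash covers the previous hash, so altering or
    dropping an earlier entry breaks every later link."""
    prev_hash = entries[-1]["hash"] if entries else GENESIS
    entries.append({"seq": len(entries), "prev": prev_hash, "event": event,
                    "hash": _entry_hash(prev_hash, len(entries), event)})
    return entries[-1]["hash"]

def audit_verify(entries: list) -> int:
    """-1 if the chain is intact, else the index of the first bad entry."""
    prev_hash = GENESIS
    for i, e in enumerate(entries):
        if (e["seq"], e["prev"]) != (i, prev_hash) or \
                e["hash"] != _entry_hash(prev_hash, i, e["event"]):
            return i
        prev_hash = e["hash"]
    return -1

def guarded_probe(url: str, log: list, resolver=socket.getaddrinfo) -> dict:
    """Apply the SSRF layers and record the decision. No HTTP request is
    sent here; a real probe would connect to the returned addresses."""
    try:
        event = {"url": url, "decision": "allowed",
                 "addresses": validate_probe_target(url, resolver)}
    except ProbeRejected as exc:
        event = {"url": url, "decision": "rejected", "reason": str(exc)}
    audit_append(log, event)
    return event

# Constructed DNS answers standing in for socket.getaddrinfo (no network);
# 52.10.20.x are constructed stand-ins for public addresses.
FAKE_DNS = {"fhir.payer.test": ["52.10.20.30"],
            "rebind.payer.test": ["52.10.20.31", "10.0.0.5"],
            "imds.payer.test": ["169.254.169.254"]}

def fake_resolver(host, port, **_):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "",
             (addr, port)) for addr in FAKE_DNS[host]]

def demo() -> tuple:
    log = []
    decisions = [guarded_probe(u, log, fake_resolver)["decision"] for u in (
        "https://fhir.payer.test/r4/metadata",
        "https://rebind.payer.test/metadata",
        "https://imds.payer.test/metadata",
        "http://fhir.payer.test/metadata",
        "https://fhir.payer.test/Patient/123")]
    intact = audit_verify(log)
    log[1]["event"]["decision"] = "allowed"  # rewrite history
    return decisions, intact, audit_verify(log)
```

Two points matter for a deployment: the block list is applied to every resolved address, so a host that returns one public and one private answer is rejected outright, and the addresses vetted in layer 2 must be the ones the client connects to, otherwise a second lookup at connect time could return a different answer than the one that was checked.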

4. Reporting Obligations

Business Associate shall report to Covered Entity:

  • Any Security Incident of which it becomes aware, within 5 business days of discovery.
  • Any Breach of unsecured PHI of which it becomes aware, per the timelines and content requirements at 45 CFR §164.410 (without unreasonable delay and in no case later than 60 calendar days following discovery).

Given the metadata-only architecture (see Architecture Disclosure above), Business Associate represents that the expected frequency of such reports is zero. Reports shall be transmitted to Covered Entity’s designated privacy contact via the channel specified in the Master Service Agreement.

5. Subcontractors

Business Associate shall not engage any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate without first obtaining written assurances, in the form of a downstream Business Associate Agreement, that the Subcontractor will comply with the same restrictions and conditions that apply to Business Associate under this Agreement.

Business Associate maintains a public sub-processor list at tessara.us/trust. Any addition or material change to the sub-processor list requires 30 days’ prior written notice to Covered Entity. Covered Entity may object to the addition of a sub-processor on reasonable grounds within the 30-day window; the parties shall negotiate in good faith to resolve any objection.

6. Access, Amendment, and Accounting

To the extent Business Associate maintains PHI in a Designated Record Set:

  • Access (45 CFR §164.524): Business Associate shall make such PHI available to Covered Entity within 15 business days of request.
  • Amendment (45 CFR §164.526): Business Associate shall make any amendment to PHI agreed to by Covered Entity within 15 business days of receipt of the amendment.
  • Accounting (45 CFR §164.528): Business Associate shall provide an accounting of disclosures of PHI made by Business Associate within 30 business days of request.

Given Business Associate’s metadata-only architecture, the expected output of access, amendment, and accounting requests is empty records, and Business Associate shall furnish a written attestation to that effect within the same timelines.

7. Termination

Upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity, including PHI held by Subcontractors. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

Given the metadata-only architecture, the expected scope of this provision is not applicable (no PHI is held). Business Associate shall furnish a written attestation to that effect upon termination.

8. Term

This Agreement shall be coterminous with the underlying Master Service Agreement between the parties and shall remain in effect until terminated in accordance with that agreement, except that Business Associate’s obligations with respect to any PHI that survives termination shall continue until such PHI is returned or destroyed.

9. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of [State], without regard to its conflict-of-law principles. Any dispute arising under this Agreement shall be resolved in the state or federal courts located in [Venue].

10. Miscellaneous

  • Regulatory References: Any reference in this Agreement to a section of the Code of Federal Regulations means the section as in effect or as amended.
  • Amendment: The parties agree to amend this Agreement as necessary to comply with the requirements of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act and their implementing regulations.
  • Survival: Sections 6, 7, and 10 survive termination of this Agreement.
  • Entire Agreement: This Agreement, together with the Master Service Agreement, constitutes the entire agreement between the parties with respect to the subject matter and supersedes all prior or contemporaneous agreements or understandings, whether oral or written.

11. Counterparts and Signatures

This Agreement may be executed in counterparts, each of which shall be deemed an original and which together shall constitute one and the same instrument. Electronic signatures shall have the same force and effect as original signatures.

Covered Entity: ____________________ Name: __________________________ Title: __________________________ Date: __________________________

Business Associate — Tessara, Inc.: ____________________ Name: __________________________ Title: __________________________ Date: __________________________


DRAFT — counsel review pending. This document is provided for procurement discussion. Final legal terms subject to attorney review and counterparty redlines. Tessara’s metadata-only architecture may render a BAA technically inapplicable; this template is offered as defense-in-depth at counterparty request.