Skip to content

Legal

Business Associate Agreement

Version: 1.1

Effective date: 2026-07-10

Last updated: 2026-07-10

This Business Associate Agreement ("BAA") is between the organization that owns or controls the Upstream workspace identified in the acceptance record ("Covered Entity") and ByteWorthy LLC, a Texas limited liability company offering the Upstream service ("Business Associate"). Covered Entity and Business Associate are each a "Party" and together the "Parties."

The BAA supplements the Terms of Service, order form, master services agreement, or other agreement under which Business Associate provides the Service (the "Services Agreement"). It is intended to satisfy the business-associate contract requirements of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations.

1. Effective Date and Electronic Signature

Business Associate adopts this BAA as the offeror. Covered Entity executes it when an authorized person affirmatively accepts it through the dedicated electronic control. The Effective Date for the Parties is the acceptance time in the server-generated record.

The acceptance record identifies the Customer account and accepting user and stores the signer's name and title, this BAA's version and SHA-256 hash, acceptance time, IP address, and user agent. The accepting person represents that they are authorized to bind Covered Entity. The Parties agree that the acceptance record constitutes their electronic signatures and evidence of the complete version accepted. A negotiated BAA signed by both Parties supersedes this clickwrap BAA to the extent it expressly says so.

2. Definitions

Capitalized terms not defined in this BAA have the meanings assigned by the HIPAA Rules. In particular:

  • Breach has the meaning in 45 C.F.R. Section 164.402.
  • Designated Record Set has the meaning in 45 C.F.R. Section 164.501.
  • Electronic Protected Health Information or ePHI has the meaning in 45 C.F.R. Section 160.103.
  • HIPAA Rules means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164, as amended.
  • Protected Health Information or PHI has the meaning in 45 C.F.R. Section 160.103, limited to PHI Business Associate creates, receives, maintains, or transmits for Covered Entity.
  • Required by Law, Secretary, Security Incident, Subcontractor, and Unsecured PHI have the meanings assigned by the HIPAA Rules.

3. Permitted and Required Uses and Disclosures

3.1 Service Delivery

Business Associate may use or disclose PHI only:

  1. to perform the services and follow the documented instructions in the Services Agreement;
  2. as permitted by this BAA;
  3. as Required by Law; or
  4. as otherwise authorized in writing by Covered Entity and permitted by the HIPAA Rules.

Business Associate will not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except for the specific management, administration, data aggregation, and de-identification permissions below.

3.2 Management and Legal Responsibilities

Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities. It may disclose PHI for those purposes only if the disclosure is Required by Law or it obtains reasonable written assurances that the recipient will keep the PHI confidential, use or further disclose it only for the stated purpose or as Required by Law, and notify Business Associate of any known breach of confidentiality.

3.3 Data Aggregation and De-identification

Business Associate may provide data aggregation services relating to Covered Entity's health care operations as permitted by the HIPAA Rules. Business Associate may de-identify PHI in accordance with 45 C.F.R. Section 164.514. Once information is de-identified under that standard, Business Associate may use it to operate, secure, evaluate, benchmark, and improve the Service. Business Associate will not attempt to re-identify it except to validate de-identification safeguards or as otherwise permitted by law and the Services Agreement.

3.4 Restrictions

Business Associate will not:

  1. sell PHI;
  2. use PHI for marketing except as expressly permitted by the HIPAA Rules and Covered Entity's documented instruction;
  3. use identifiable PHI to train a model shared across customers;
  4. route PHI through a provider lacking the written protections required by this BAA; or
  5. use or disclose more PHI than is reasonably necessary for the permitted purpose, to the extent the HIPAA minimum-necessary standard applies.

4. Business Associate Obligations

4.1 Safeguards and Security Rule

Business Associate will use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as permitted by this BAA. Business Associate will comply with the applicable requirements of Subpart C of 45 C.F.R. Part 164 for ePHI, including risk management, access control, audit controls, transmission security, and workforce safeguards.

4.2 Reporting Impermissible Uses, Security Incidents, and Breaches

Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BAA and any Security Incident that results in unauthorized access to, acquisition of, use of, disclosure of, modification of, or destruction of PHI. Business Associate will report a Breach of Unsecured PHI without unreasonable delay and no later than five business days after discovery.

To the extent known at the time, the report will identify the affected individuals, the nature of the event, the types of PHI involved, mitigation and remediation steps, and information reasonably needed for Covered Entity's investigation and notices. Business Associate will supplement the report as material information becomes available and cooperate with Covered Entity's legally required notices. Covered Entity remains responsible for notices to individuals, regulators, and the media unless the Parties agree otherwise in writing.

This BAA constitutes advance notice of routine unsuccessful Security Incidents that do not result in unauthorized access, use, disclosure, modification, destruction, or material loss of availability of PHI, including unsuccessful pings, port scans, blocked malware, and failed login attempts. Separate notice is not required unless an incident becomes reportable under this Section.

4.3 Mitigation

Business Associate will mitigate, to the extent practicable, harmful effects known to it from a use or disclosure of PHI in violation of this BAA.

4.4 Subcontractors

Before a Subcontractor creates, receives, maintains, or transmits PHI for Business Associate, Business Associate will enter a written agreement requiring the Subcontractor to comply with the same restrictions, conditions, and requirements that apply to Business Associate for that PHI, including applicable Security Rule obligations.

4.5 Access

At Covered Entity's written direction, Business Associate will make PHI in a Designated Record Set available to Covered Entity or, as directed by Covered Entity, to an Individual as necessary for Covered Entity to satisfy 45 C.F.R. Section 164.524. Business Associate will do so within fifteen business days after the request unless a shorter period is required by law.

4.6 Amendment

At Covered Entity's written direction, Business Associate will amend PHI in a Designated Record Set or take other measures necessary for Covered Entity to satisfy 45 C.F.R. Section 164.526. Business Associate will act within thirty business days after the request unless a shorter period is required by law.

4.7 Accounting of Disclosures

Business Associate will document disclosures and make information available to Covered Entity as necessary for Covered Entity to respond to a request under 45 C.F.R. Section 164.528. Business Associate will provide available information within thirty business days after the request unless a shorter period is required by law.

4.8 Government Access to Records

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received for, Covered Entity available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules.

4.9 Delegated Covered Entity Duties

To the extent Business Associate performs a Covered Entity obligation under Subpart E of 45 C.F.R. Part 164, Business Associate will comply with the requirements of Subpart E that apply to Covered Entity in performing that obligation.

5. Covered Entity Obligations

Covered Entity will:

  1. notify Business Associate of limitations in its notice of privacy practices that affect Business Associate's permitted use or disclosure of PHI;
  2. notify Business Associate of changes in or revocations of an Individual's permission that affect Business Associate's permitted use or disclosure of PHI;
  3. notify Business Associate of agreed or legally required restrictions that affect Business Associate's use or disclosure of PHI;
  4. not direct Business Associate to use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted by this BAA;
  5. configure access and integrations consistent with minimum necessary; and
  6. provide accurate notice contacts and instructions for privacy and security matters.

6. Term and Termination

6.1 Term

This BAA begins on the Effective Date and continues until the later of termination of the Services Agreement or completion of Business Associate's return, destruction, or protected retention of PHI under Section 6.3.

6.2 Termination for Cause

If Covered Entity knows of a material violation by Business Associate, Covered Entity may give Business Associate a reasonable opportunity to cure. Covered Entity may terminate the BAA and affected Services Agreement if Business Associate does not cure within thirty days, or immediately if cure is not possible. If termination is not feasible, Covered Entity may report the violation to the Secretary as required by the HIPAA Rules.

6.3 Return, Destruction, or Protected Retention

At termination, Business Associate will, if feasible, return or destroy all PHI received from Covered Entity or created, received, or maintained for Covered Entity, including PHI held by Subcontractors. If Covered Entity requests return, Business Associate will provide an available, reasonably usable export subject to the Services Agreement.

If return or destruction is infeasible, Business Associate will explain the condition in writing, retain only the PHI necessary for that condition, continue the safeguards and Security Rule protections in this BAA, and limit further uses and disclosures to the purpose making return or destruction infeasible. Business Associate will return or destroy retained PHI when the condition ends. Routine backups may be deleted through the documented backup lifecycle if they remain protected and are not restored except for disaster recovery or legal necessity.

Business Associate will not block Covered Entity's access to PHI needed to meet Covered Entity's HIPAA obligations solely because of a payment dispute.

7. Relationship to Other Terms

This BAA controls over the Services Agreement regarding PHI. The DPA governs non-PHI personal data processed for Covered Entity. The Limited Agency Authorization governs only Business Associate's authority to transmit specific Customer-approved transactions and does not expand the permitted uses or disclosures of PHI in this BAA.

Commercial limitations and dispute terms in the Services Agreement apply to this BAA unless they would prevent a Party from complying with the HIPAA Rules or this BAA expressly states otherwise.

8. General

Regulatory references include amendments and successor provisions. The Parties will amend this BAA as necessary to comply with applicable changes to the HIPAA Rules. Any ambiguity will be resolved to permit compliance with the HIPAA Rules.

The obligations in Section 6.3 survive termination. Neither this BAA nor its electronic execution creates rights for anyone other than the Parties and their permitted successors and assigns. Business Associate may assign this BAA with the Services Agreement to a successor that assumes its obligations in writing.

Notices to Business Associate must be sent to legal@upstream.cx; urgent security notices must also be sent to security@upstream.cx. Mail notices to:

ByteWorthy LLC

220 Town Park Avenue

Princeton, TX 75407-9846

United States

Notices to Covered Entity will be sent to the account owner, signer, or other notice contact in the Customer account or Services Agreement.


End of Business Associate Agreement version 1.1.

Canonical source: care/legal/baa.md | Version 1.1 | SHA-256 734f95e2d52474a2b68154039c2a8ff53bfa216af6bb003266597e0b20ffa322