Notehouse

Business Associate Agreement

Last Updated: December 10, 2025

This Business Associate Agreement ("Agreement") is entered into as of the date of electronic acceptance below ("Effective Date") by and between:

Covered Entity: Our Customer

Business Associate: Waterglass UK Limited ("Notehouse") 21 Ellis Street, London, SW1X 9AL, United Kingdom

1. Purpose

This Agreement governs the handling of Protected Health Information ("PHI") in connection with Business Associate's provision of the Notehouse platform (the "Service"), in accordance with HIPAA, the HITECH Act, and their implementing regulations (the "HIPAA Rules").

2. Definitions

The following terms have the meanings set forth below. Terms not defined herein have the meanings set forth in the HIPAA Rules at 45 CFR Parts 160 and 164.

"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.

"Covered Entity" means a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a covered transaction, as defined in 45 CFR § 160.103.

"Designated Record Set" means a group of records maintained by or for a Covered Entity that includes medical records, billing records, enrollment, payment, claims adjudication, and case management records, as defined in 45 CFR § 164.501.

"Electronic Protected Health Information" or "ePHI" means PHI that is transmitted or maintained in electronic media, as defined in 45 CFR § 160.103.

"HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended.

"Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.

"Required by Law" means a mandate contained in law that compels an entity to make a use or disclosure of PHI, as defined in 45 CFR § 164.103.

"Secretary" means the Secretary of the U.S. Department of Health and Human Services.

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.

"Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction, as specified in 45 CFR § 164.402.

3. Business Associate Obligations

Business Associate agrees to:

a) Use and disclose PHI only as permitted by this Agreement, as required to provide the Service, or as Required by Law.

b) Implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, in accordance with the HIPAA Security Rule.

c) Report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than sixty (60) days after discovery. Business Associate will provide Covered Entity with sufficient information to enable Covered Entity to fulfill its breach notification obligations.

d) Report to Covered Entity any Security Incident of which Business Associate becomes aware. The Parties acknowledge that unsuccessful security incidents (such as pings, port scans, unsuccessful log-on attempts, or denial of service attacks that do not result in unauthorized access) occur routinely and need not be reported individually.

e) Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to restrictions and conditions substantially similar to those that apply to Business Associate under this Agreement.

f) Make PHI available to Covered Entity to enable Covered Entity to fulfill its obligations to provide individuals with access to their PHI under 45 CFR § 164.524, to the extent such PHI is in Business Associate's possession and technically feasible to provide.

g) Make PHI available for amendment and incorporate amendments to PHI as directed by Covered Entity in accordance with 45 CFR § 164.526, to the extent technically feasible.

h) Make information available to Covered Entity as required to provide an accounting of disclosures in accordance with 45 CFR § 164.528, limited to disclosures made by Business Associate.

i) Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules.

j) To the extent Business Associate carries out any of Covered Entity's obligations under the HIPAA Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.

Access Limitations: Business Associate does not access PHI in the ordinary course of operations. PHI is encrypted at rest and in transit. Business Associate personnel do not access PHI except as necessary to provide the Service, for technical support or security maintenance, or as Required by Law.

4. Permitted Uses and Disclosures

a) Business Associate may use and disclose PHI solely as necessary to provide the Service to Covered Entity, as described in Notehouse's Terms of Service.

b) Business Associate may use and disclose PHI for its proper management and administration, provided that any disclosure is Required by Law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and that the recipient will notify Business Associate of any Breach.

c) Business Associate may use PHI to provide data aggregation services relating to the healthcare operations of Covered Entity, if applicable.

d) Business Associate may de-identify PHI in accordance with 45 CFR § 164.514(a)-(c). De-identified information is not subject to this Agreement.

5. Covered Entity Obligations

Covered Entity agrees to:

a) Obtain all necessary consents, authorizations, and permissions required under the HIPAA Rules before submitting PHI to the Service.

b) Maintain the confidentiality and security of its account credentials and implement appropriate access controls for its users.

c) Notify Business Associate promptly of any changes in, or revocation of, authorization by an individual to use or disclose PHI, to the extent such changes affect Business Associate's permitted uses and disclosures.

d) Notify Business Associate promptly of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent such restrictions affect Business Associate's permitted uses and disclosures.

e) Comply with all applicable provisions of the HIPAA Rules, including breach notification to affected individuals, the Secretary, and media outlets where required.

f) Export and retain all PHI required under applicable law before terminating its subscription. Covered Entity acknowledges that Business Associate is not a records retention service.

g) Not request Business Associate to use or disclose PHI in any manner that would violate the HIPAA Rules.

6. Term and Termination

a) Term. This Agreement is effective as of the Effective Date and continues until Covered Entity's subscription to the Service terminates or expires.

b) Termination for Cause. Either Party may terminate this Agreement if the other Party materially breaches this Agreement and fails to cure such breach within thirty (30) days of receiving written notice.

c) Effect of Termination. Upon termination, Business Associate will return or destroy all PHI received from Covered Entity or created on behalf of Covered Entity, except to the extent retention is required by law or necessary for Business Associate's proper management and administration. PHI is retained for ninety (90) days post-termination to allow Covered Entity to export data, after which it is deleted from active systems. If return or destruction is not feasible, Business Associate will continue to protect the PHI and limit further uses and disclosures.

d) Survival. The obligations of Business Associate under Section 3 shall survive termination to the extent Business Associate retains any PHI.

7. Limitation of Liability and Indemnification

The limitation of liability, disclaimer of warranties, and indemnification provisions set forth in Notehouse's Terms of Service are incorporated herein by reference and apply to this Agreement.

8. General

a) Governing Law. This Agreement is governed by U.S. federal law, including HIPAA and the HITECH Act. To the extent state law applies, the laws of the State of Delaware shall govern without regard to conflict of law principles.

b) Dispute Resolution. Disputes arising under this Agreement shall be resolved in accordance with Section 19 of Notehouse's Terms of Service, provided that claims related to HIPAA compliance or data breaches involving PHI may be brought in courts of competent jurisdiction in the United States.

c) Amendments. Business Associate may amend this Agreement upon thirty (30) days' notice to Covered Entity to comply with changes in the HIPAA Rules or other applicable law. Covered Entity's continued use of the Service following such notice constitutes acceptance of the amended Agreement.

d) Regulatory Changes. The Parties agree to negotiate in good faith to amend this Agreement as necessary to comply with changes in the HIPAA Rules.

e) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits both Parties to comply with the HIPAA Rules.

f) Entire Agreement. This Agreement supplements Notehouse's Terms of Service and Privacy Policy. In the event of conflict between this Agreement and the Terms of Service with respect to PHI, this Agreement controls. In all other respects, the Terms of Service control.

g) Severability. If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

h) No Third-Party Beneficiaries. Nothing in this Agreement confers any rights upon any person other than the Parties.

i) Independent Contractor. Business Associate is an independent contractor and not an agent of Covered Entity.

j) Notices. Notices to Business Associate shall be sent to info@getnotehouse.com. Notices to Covered Entity shall be sent to the email address associated with Covered Entity's account.

© 2026 Waterglass UK Ltd.