Business Associate Agreement
Effective: March 24, 2026
Noorros, LLC dba GuardWell Compliance offers a standard HIPAA Business Associate Agreement to all customers whose workflows involve Protected Health Information (PHI). This BAA defines the responsibilities of both parties under the HIPAA Privacy, Security, and Breach Notification Rules.
Click-to-Accept
Accept the BAA online from your dashboard — no printing or mailing required.
Recorded & Auditable
Your acceptance is timestamped with your identity and IP address for compliance records.
HIPAA Compliant
Covers all required elements under 45 CFR 164.504(e) including breach notification and termination.
Business Associate Agreement
Between Noorros, LLC dba GuardWell Compliance (“Business Associate”) and Your Practice (“Covered Entity”)
1. Definitions
For purposes of this Agreement, the following terms shall have the meanings set forth below: (a) "Business Associate" means Noorros, LLC dba GuardWell Compliance. (b) "Covered Entity" means the healthcare practice or organization that accepts this Agreement through the GuardWell platform. (c) "PHI" means Protected Health Information as defined by the HIPAA Privacy Rule (45 CFR 160.103). (d) "Electronic PHI" or "ePHI" means PHI that is transmitted or maintained in electronic media. (e) "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended from time to time, including amendments under the HIPAA Security Rule Update proposed in January 2025 (NPRM). (f) "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304. (g) "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR 164.402. (h) "Subcontractor" means a person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of the Business Associate. (i) "Designated Record Set" means a group of records maintained by or for a Covered Entity, as defined in 45 CFR 164.501.
2. Obligations of Business Associate
Business Associate agrees to: (a) Not use or disclose PHI other than as permitted or required by this Agreement or as required by law. (b) Use appropriate safeguards and comply with the HIPAA Security Rule (including the 2025 Security Rule Update requirements) to prevent use or disclosure of PHI other than as provided for by this Agreement. (c) Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR 164.410. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information, including the requirement to implement administrative, physical, and technical safeguards. (e) Make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524, within 15 days of a request. (f) Make available PHI for amendment and incorporate any amendments to PHI as necessary for Covered Entity to meet requirements under 45 CFR 164.526. (g) Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528. (h) To the extent Business Associate is carrying out Covered Entity's obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations. (i) Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules. 
(j) Maintain documentation of compliance activities, security measures, and incident responses as required under the HIPAA Rules, and retain such documentation for a minimum of six (6) years from the date of its creation or the date when it was last in effect, whichever is later.
3. Permitted Uses and Disclosures
(a) Business Associate may use or disclose PHI as necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the GuardWell Terms of Service, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity. (b) Business Associate may use or disclose PHI as required by law. (c) Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purposes for which it was disclosed. (d) Business Associate may de-identify PHI in accordance with 45 CFR 164.514(a)-(c). (e) Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific uses and disclosures set forth in subsections (a) through (d) above.
4. Data Security Safeguards
Business Associate shall implement the following safeguards to protect ePHI, consistent with the HIPAA Security Rule including the 2025 Security Rule Update: (a) Encryption of data in transit using TLS 1.2 or higher (HTTPS). (b) Encryption of data at rest using AES-256 or equivalent. (c) Role-based access controls limiting data access to authorized personnel only, with the principle of least privilege applied. (d) Audit logging of all access to ePHI, including user identification, timestamp, action taken, and data accessed. Audit logs are retained for a minimum of six (6) years. (e) Regular security risk assessments conducted at least annually, with documented risk analysis and risk management plans. (f) Vulnerability scanning conducted at least quarterly and penetration testing conducted at least annually. (g) Infrastructure hosted on Google Cloud Platform with SOC 2 Type II certified data centers located within the United States. (h) Automated backup and disaster recovery procedures, with recovery time and recovery point objectives documented and tested at least annually. (i) Multi-factor authentication required for all administrative access and supported for all user accounts. (j) Workforce training on HIPAA security requirements conducted upon hiring and at least annually thereafter. (k) Incident response plan documented and tested at least annually. (l) Automatic session timeout after a period of inactivity. (m) Technology asset inventory and network mapping maintained and reviewed at least annually.
5. Subcontractors
(a) Business Associate shall not engage a subcontractor to create, receive, maintain, or transmit ePHI on behalf of the Business Associate without first entering into a written agreement with such subcontractor that contains the same obligations and restrictions with respect to ePHI as those that apply to Business Associate under this Agreement. (b) Business Associate shall maintain a current list of all subcontractors that have access to ePHI and shall make such list available to Covered Entity upon request. The current subcontractors are:
- Google Cloud Platform (Cloud SQL, Cloud Run, Cloud Storage) — database hosting, application hosting, and file storage
- Firebase Authentication (Google Cloud) — user authentication
- Anthropic (Claude AI) — AI content generation (practice profile data only; no raw PHI is transmitted to Anthropic unless explicitly initiated by the user)
- Stripe — payment processing (no PHI is shared with Stripe)
- Resend — transactional email delivery (no PHI is included in email content)
(c) Business Associate shall notify Covered Entity at least 30 days in advance of any planned addition or replacement of a subcontractor that will have access to ePHI, and Covered Entity shall have the right to object to such change.
6. Breach Notification
(a) Business Associate shall report to Covered Entity any breach of unsecured PHI without unreasonable delay and in no case later than fifteen (15) calendar days after discovery of such breach. (b) Such notification shall include, to the extent possible: (i) The identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; (ii) A brief description of what happened, including the date of the breach and the date of discovery; (iii) A description of the types of unsecured PHI involved; (iv) Any steps individuals should take to protect themselves; (v) A description of what Business Associate is doing to investigate the breach, mitigate harm, and prevent future breaches. (c) Business Associate shall cooperate with Covered Entity in meeting Covered Entity's obligations under the Breach Notification Rule (45 CFR Part 164, Subpart D), including assisting with individual notifications, media notifications (where applicable), and notifications to the Secretary of HHS. (d) Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement. (e) Business Associate shall document all security incidents and breaches, including those that do not rise to the level of a reportable breach, and shall provide a summary of such incidents to Covered Entity upon request.
7. Audit Rights
(a) Covered Entity shall have the right, upon reasonable written notice of at least thirty (30) days, to audit Business Associate's compliance with the terms of this Agreement and the HIPAA Rules, including inspection of Business Associate's facilities, systems, and records related to PHI. (b) Business Associate shall cooperate fully with any such audit, including providing access to relevant personnel, documentation, and systems. (c) Audits shall be conducted during normal business hours and shall be limited in scope to the verification of Business Associate's compliance with this Agreement and applicable HIPAA Rules. (d) In lieu of an on-site audit, Business Associate may provide Covered Entity with: (i) a current SOC 2 Type II report or equivalent third-party security audit report; (ii) a summary of its most recent HIPAA security risk assessment; or (iii) other evidence of compliance reasonably acceptable to Covered Entity. (e) Each party shall bear its own costs in connection with any audit, unless the audit reveals a material breach of this Agreement by Business Associate, in which case Business Associate shall bear the reasonable costs of the audit.
8. Term and Termination
(a) This Agreement shall be effective as of the date accepted through the GuardWell platform and shall terminate when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned. (b) Either party may terminate this Agreement if it determines that the other party has violated a material term of this Agreement, provided that the terminating party gives the other party 30 days' written notice and an opportunity to cure. If the breach is not cured within the 30-day period, the terminating party may terminate this Agreement immediately. (c) Covered Entity may terminate this Agreement immediately if Business Associate has breached a material term of this Agreement and cure is not possible. (d) Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within thirty (30) days of termination. Business Associate shall certify in writing to Covered Entity that all PHI has been returned or destroyed. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction infeasible. (e) The obligations of Business Associate under Sections 4 (Data Security Safeguards), 5 (Subcontractors), 6 (Breach Notification), and 7 (Audit Rights) shall survive termination of this Agreement for as long as Business Associate retains any PHI.
9. Miscellaneous
(a) This Agreement shall be governed by the laws of the State of Delaware. (b) The parties agree to take such action as is necessary to amend this Agreement from time to time as necessary for compliance with the HIPAA Rules and any other applicable law. (c) Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. (d) This Agreement constitutes the complete agreement between the parties relating to the subject matter hereof and supersedes all prior agreements and understandings. (e) If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. (f) All notices required or permitted under this Agreement shall be in writing and shall be delivered by email to the addresses on file for each party, or by such other means as may be agreed upon by the parties. (g) Neither party may assign this Agreement without the prior written consent of the other party, except that Business Associate may assign this Agreement in connection with a merger, acquisition, or sale of substantially all of its assets, provided the assignee agrees in writing to be bound by the terms of this Agreement.
