Business Associate Agreement

Last updated: June 2026

1. Purpose & Scope

This Business Associate Agreement ("BAA") supplements the agreement between you ("Covered Entity") and SIA VisionBridge, a company registered in the Republic of Latvia (registration No. 40203641390), with its registered office at Avotu iela 54B, Rīga, LV-1009, Latvia, operating LegacyBridge ("LegacyBridge", "Business Associate"), and applies where LegacyBridge creates, receives, maintains, or transmits Protected Health Information ("PHI") on behalf of Covered Entity in connection with the Services. It is intended to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA"), including the Privacy, Security, and Breach Notification Rules. Where Covered Entity is itself a business associate, LegacyBridge acts as a subcontractor and these terms apply accordingly.

2. Definitions

Terms used but not otherwise defined have the meanings given in HIPAA. "Protected Health Information" (PHI) and "Electronic PHI" (ePHI) are limited to information LegacyBridge creates, receives, maintains, or transmits for or on behalf of Covered Entity. "Breach", "Covered Entity", "Business Associate", "Required by Law", "Security Incident", and "Unsecured PHI" have the meanings set out in 45 CFR Parts 160 and 164.

3. Permitted Uses & Disclosures

LegacyBridge may use and disclose PHI only as follows:

  • To perform the Services and functions on behalf of Covered Entity, as permitted by the agreement and this BAA
  • As Required by Law
  • For the proper management and administration of LegacyBridge, or to carry out its legal responsibilities, provided that disclosures are Required by Law or made with reasonable assurances of confidentiality and breach notification from the recipient
  • To provide data aggregation services relating to the health care operations of Covered Entity, where applicable

LegacyBridge will not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except as expressly permitted above. LegacyBridge does not sell PHI and does not use PHI for marketing or for training its own models.

4. Obligations of Business Associate

LegacyBridge will:

  • Not use or disclose PHI other than as permitted by this BAA or Required by Law
  • Use appropriate safeguards, and comply with the HIPAA Security Rule with respect to ePHI, to prevent unauthorized use or disclosure of PHI
  • Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose
  • Report to Covered Entity any use or disclosure not provided for by this BAA, any Security Incident, and any Breach of Unsecured PHI, as described below
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on its behalf agree in writing to the same restrictions and conditions that apply to LegacyBridge
  • Make PHI available, and incorporate amendments, as needed for Covered Entity to meet its access and amendment obligations under 45 CFR 164.524 and 164.526
  • Maintain and make available information required to provide an accounting of disclosures under 45 CFR 164.528
  • To the extent LegacyBridge carries out a Covered Entity obligation, comply with the requirements of the Privacy Rule applicable to that obligation
  • Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance

5. Security Rule Compliance

With respect to ePHI, LegacyBridge will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, as required by 45 CFR Part 164 Subpart C. These include access controls with unique user identification, encryption of ePHI in transit, encryption of credentials and sensitive data at rest, audit logging, tenant and per-organization isolation, and workforce confidentiality obligations.

6. Breach & Security Incident Reporting

LegacyBridge will report to Covered Entity any Breach of Unsecured PHI of which it becomes aware without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of the Breach (or any shorter period specified in the agreement), consistent with 45 CFR 164.410. The report will include, to the extent available, the identification of each individual affected and the information Covered Entity needs to meet its own notification obligations. LegacyBridge will also report any use or disclosure of PHI not permitted by this BAA and any successful Security Incident. Unsuccessful Security Incidents (such as routine probes, scans, and pings that do not result in unauthorized access to PHI) are reported on an aggregate basis upon request.

7. Obligations of Covered Entity

Covered Entity will:

  • Notify LegacyBridge of any limitation in its notice of privacy practices, and of any changes to, or revocation of, an individual's permission to use or disclose PHI, to the extent it affects LegacyBridge's use or disclosure
  • Not request LegacyBridge to use or disclose PHI in any manner that would not be permitted under HIPAA if done by Covered Entity
  • Implement appropriate safeguards and configure the Services so that PHI is only provided where intended

8. Term & Termination

This BAA is effective on the date Covered Entity accepts it and remains in effect until all PHI is returned or destroyed, or protections are extended as described below.

  • Covered Entity may terminate the agreement if LegacyBridge materially breaches this BAA and fails to cure within a reasonable period
  • On termination, LegacyBridge will, if feasible, return or destroy all PHI it maintains and retain no copies; transient and log data are deleted on their stated schedules
  • Where return or destruction is not feasible, LegacyBridge will extend the protections of this BAA to the retained PHI and limit further use and disclosure to the purposes that make return or destruction infeasible, for so long as it retains the PHI

9. Miscellaneous

  • Regulatory references are to the sections as in effect or amended from time to time
  • The parties agree to take such action as is necessary to amend this BAA to comply with changes in HIPAA
  • Any ambiguity is resolved to permit compliance with HIPAA
  • In case of conflict between this BAA and the rest of the agreement on the protection of PHI, this BAA controls
  • Nothing in this BAA creates rights in any third party

10. Contact

For questions about this BAA, or to arrange a counter-signed agreement, contact us at: [email protected]