This Business Associate Agreement ("BAA") supplements the Terms of Service between Customer ("Covered Entity") and Raised Beef AI, LLC ("Business Associate") and applies whenever Business Associate creates, receives, maintains, or transmits Protected Health Information ("PHI") on behalf of Covered Entity in connection with the Arbor service (the "Service"). It is intended to comply with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (the "HIPAA Rules"), including the Privacy, Security, and Breach Notification Rules at 45 CFR Parts 160 and 164.
This BAA must be countersigned by an authorized representative of each party before any PHI is transmitted to the Service. Acceptance via the in-app acceptance flow does not constitute execution; an executed PDF (delivered via /admin/legal/baa) is required.
1. Definitions
Capitalized terms used but not defined in this BAA have the meaning given in the HIPAA Rules. "PHI" has the meaning given in 45 CFR § 160.103, limited to the information Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity.
2. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as follows:
- to perform the functions, activities, or services for, or on behalf of, Covered Entity as described in the Terms of Service;
- for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that any disclosure is required by law or the recipient provides reasonable assurances of confidentiality;
- to provide data aggregation services as that term is defined at 45 CFR § 164.501, relating to the health care operations of Covered Entity;
- as Required by Law.
3. Obligations of Business Associate
Business Associate will:
- not use or disclose PHI other than as permitted by this BAA or Required by Law;
- implement appropriate administrative, physical, and technical safeguards (and comply with the HIPAA Security Rule with respect to electronic PHI) to prevent use or disclosure of PHI other than as permitted by this BAA;
- report to Covered Entity any use or disclosure of PHI not permitted by this BAA (including a Breach of Unsecured PHI) without unreasonable delay, and in any event no later than 30 calendar days after Discovery; for confirmed Breaches, deliver the notification required by 45 CFR § 164.410 within 60 days of Discovery;
- ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate, in compliance with 45 CFR § 164.502(e)(1)(ii);
- make PHI available to Covered Entity (or, at Covered Entity's direction, an individual) as necessary to satisfy Covered Entity's obligations under 45 CFR §§ 164.524 (access), 164.526 (amendment), and 164.528 (accounting of disclosures), within the time and manner required by the HIPAA Rules;
- make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules;
- to the extent Business Associate is to carry out an obligation of Covered Entity under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation.
4. Permitted Subcontractors
Covered Entity authorizes Business Associate to engage as subcontractors the subprocessors listed at /legal/subprocessors, each of which has executed a HIPAA-compliant business associate agreement with Business Associate or operates under a Business Associate Agreement made available by the subprocessor (e.g., the Supabase HIPAA add-on or the Vercel HIPAA add-on). Business Associate will not engage an additional subcontractor that will receive PHI without first executing a compliant BAA with that subcontractor and providing notice in accordance with Section 4 of the Data Processing Addendum ("DPA").
5. Term and Termination
This BAA is effective on the latest party signature date and remains in effect until the termination of the underlying Terms of Service. Either party may terminate this BAA if the other party has materially breached an obligation under this BAA and has failed to cure the breach within 30 days of written notice. Upon termination, Business Associate will, at Covered Entity's option, return or destroy all PHI it maintains in any form within 30 days and retain no copies, unless return or destruction is infeasible, in which case the protections of this BAA will continue to apply to the retained PHI for as long as it is retained.
6. Compliance with the HIPAA Security Rule
Business Associate will comply with the applicable provisions of the HIPAA Security Rule (45 CFR Part 164, Subpart C), including the implementation of administrative, physical, and technical safeguards described in Annex A of the Data Processing Addendum, which is incorporated into this BAA by reference.
7. Breach Notification
Business Associate will notify Covered Entity of any Breach of Unsecured PHI in accordance with 45 CFR § 164.410. The notification will include, to the extent known: (a) identification of each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed; (b) any other available information Covered Entity is required to include in notifications to individuals under 45 CFR § 164.404(c) at the time of the notification; (c) the steps Business Associate has taken to investigate, mitigate, and prevent recurrence.
8. Miscellaneous
Any ambiguity in this BAA will be resolved in favor of a meaning that permits compliance with the HIPAA Rules. The parties agree to amend this BAA from time to time as necessary to comply with changes to the HIPAA Rules. This BAA supersedes any prior agreement between the parties on the subject of business associate obligations.
To execute this BAA for your organization, sign in as a manager and request execution at /admin/legal/baa, or email legal@arbor.app with your organization name, signer name, signer title, and signer email. Business Associate will deliver a countersigned PDF for your records.