Disclaimer: Please consult a licensed attorney before relying on these documents. These materials are provided for informational purposes only and do not constitute legal advice.

Business Associate Agreement — Client

Last updated: March 9, 2026

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is entered into by and between:

  • Business Associate: Ali Management Group LLC, doing business as Compliance Pro, with its principal place of business at 2810 N Church St #501279, Wilmington, DE 19802 (“Business Associate”), info@compliancepro.live
  • Covered Entity: The home care agency subscribing to the Compliance Pro platform (“Covered Entity”), whose name, address, and authorized signature are collected during onboarding.

Effective Date: This Agreement is effective as of March 9, 2026, or the date the Covered Entity first accesses the Compliance Pro platform, whichever is later.

WHEREAS, Business Associate provides a cloud-based compliance management software platform known as Compliance Pro (compliancepro.live), and in the course of providing such services may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of the Covered Entity; and

WHEREAS, the parties wish to establish the terms and conditions pursuant to which the Business Associate will receive, use, and disclose PHI in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and all applicable regulations;

NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, the parties agree as follows:

1. Definitions

Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164). The following terms shall have the meanings set forth below:

  • “Business Associate” means Ali Management Group LLC, doing business as Compliance Pro, a company that performs certain functions or activities on behalf of, or provides certain services to, the Covered Entity that involve the use or disclosure of PHI.
  • “Covered Entity” means the home care agency or other HIPAA-covered entity that subscribes to the Compliance Pro platform and executes this Agreement.
  • “Protected Health Information” or “PHI” means any information, whether oral or recorded in any form or medium, that (i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (ii) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, as defined in 45 CFR 160.103.
  • “Electronic Protected Health Information” or “ePHI” means PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103.
  • “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended.
  • “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-5.
  • “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304.
  • “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR 164.402.
  • “Subcontractor” means a person or entity to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Business Associate’s workforce, as defined in 45 CFR 160.103.

2. Obligations of Business Associate

Business Associate (Ali Management Group LLC) agrees to:

  1. Restrictions on Use and Disclosure. Not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the requirements of the HIPAA Privacy Rule if done by the Covered Entity.
  2. Safeguards. Implement appropriate administrative, physical, and technical safeguards, and comply with the Security Rule with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by this Agreement. Such safeguards shall be reasonably designed to protect the confidentiality, integrity, and availability of ePHI.
  3. Security Incident and Breach Reporting. Report to Covered Entity any Security Incident or Breach of Unsecured PHI of which Business Associate becomes aware. Such report shall be made without unreasonable delay and in no case later than seventy-two (72) hours after discovery of the incident or breach.
  4. Subcontractor Agreements. Ensure that all Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement by entering into a written business associate agreement with each Subcontractor that complies with 45 CFR 164.504(e). Business Associate maintains a current business associate agreement with each Subcontractor that processes PHI, as listed in Section 7.
  5. Access to PHI. Make available PHI in a Designated Record Set to the Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the requirements of 45 CFR 164.524, within thirty (30) days of a request.
  6. Amendment of PHI. Make any amendment(s) to PHI in a Designated Record Set as directed by the Covered Entity or as agreed to by the Covered Entity pursuant to 45 CFR 164.526, within thirty (30) days of a request.
  7. Accounting of Disclosures. Make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528, within sixty (60) days of a request.
  8. Return or Destruction of PHI. Upon termination of this Agreement for any reason, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within thirty (30) days. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI for as long as it is maintained.
  9. Government Access. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
  10. AI Data Handling. Business Associate’s artificial intelligence features process only de-identified data. No PHI is transmitted to any AI provider, including Anthropic. Identifiers are removed before any data is processed by AI systems, in accordance with the de-identification standard at 45 CFR 164.514(a)-(b).

3. Permitted Uses and Disclosures

3.1 Service Performance

Business Associate may use or disclose PHI as necessary to perform compliance management software services for the Covered Entity, including but not limited to: form management, credential tracking, training management, e-signature processing, incident reporting, compliance auditing, and related functions provided through the Compliance Pro platform.

3.2 Management and Administration

Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities, provided that:

  • The disclosures are Required by Law; or
  • Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.

3.3 Aggregate and De-Identified Data

Business Associate may aggregate data for compliance reporting purposes, provided that all such aggregated data is de-identified in accordance with 45 CFR 164.514(a)-(c). De-identified information is not subject to the terms of this Agreement.
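Both the AI data handling commitment in Section 2 (item 10) and the aggregation clause above depend on identifiers being removed before data reaches an AI provider or an aggregate report. The following is an added illustration of what such a gate can look like under the Safe Harbor method (45 CFR 164.514(b)(2)); it is not Compliance Pro's code, and the record field names, the regular expressions, and the prepare_for_ai entry point are assumptions made for the example. The restricted three-digit ZIP list is the one published in HHS Safe Harbor guidance (based on the 2000 Census).

```python
"""Safe Harbor-style de-identification gate applied before a record leaves for an AI provider.

Hypothetical example: the field names and patterns are assumptions, not Compliance Pro's schema.
"""
import re
from typing import Any

# Record fields assumed to hold direct identifiers; these are dropped outright.
# Safe Harbor (45 CFR 164.514(b)(2)(i)) lists names, contact details, SSNs, MRNs, account
# and licence numbers, device and vehicle IDs, URLs, IP addresses, biometrics and photos.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric_id", "photo",
}

# Three-digit ZIP prefixes whose combined population is under 20,000 (HHS Safe Harbor
# guidance, 2000 Census). These must become 000 rather than a truncated prefix.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Constructed patterns for identifiers that commonly leak through free-text fields.
# Full dates are reduced to the year (Safe Harbor permits the year alone); the date
# patterns run first so the phone pattern never sees digit runs that belong to a date.
LEAK_PATTERNS = [
    (re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),              # ISO date -> year
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),          # US date -> year
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:1[-. ]?)?\d{3}[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
]


def scrub_free_text(text: str) -> str:
    """Apply every leak pattern in order and return the scrubbed text."""
    for pattern, replacement in LEAK_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for the restricted low-population prefixes."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age: int) -> str:
    """Safe Harbor requires ages over 89 to be collapsed into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def deidentify_record(record: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifiers, generalize quasi-identifiers, scrub remaining strings."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out[key] = generalize_zip(str(value))
        elif key == "age":
            out[key] = generalize_age(int(value))
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def contains_identifiers(record: dict[str, Any]) -> bool:
    """Independent post-check: True if any leak pattern still matches a string field."""
    return any(
        pattern.search(value)
        for value in record.values() if isinstance(value, str)
        for pattern, _ in LEAK_PATTERNS
    )


def prepare_for_ai(record: dict[str, Any]) -> dict[str, Any]:
    """Fail closed: refuse to hand over a record if anything identifying survived."""
    clean = deidentify_record(record)
    if contains_identifiers(clean):
        raise ValueError("identifiers remain after de-identification; refusing to send")
    return clean


# Constructed sample record (fictitious data) in the assumed schema.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "03601",
    "age": 92,
    "dob": "1932-01-15",
    "incident_note": "Client fell on 03/09/2026; daughter called from 302-555-0147.",
    "incident_type": "fall",
}

if __name__ == "__main__":
    print(prepare_for_ai(SAMPLE_RECORD))
```

Pattern matching catches formatted identifiers (dates, phone numbers, e-mail addresses, SSNs) but not a name or employer written into a narrative note, which is why Safe Harbor pipelines commonly exclude free-text fields altogether or route them through expert determination (45 CFR 164.514(b)(1)). The separate contains_identifiers check exists so that a field the scrubber did not anticipate causes the send to fail rather than leak.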

3.4 Prohibition on Sale of PHI

Business Associate shall never sell PHI as defined in 45 CFR 164.502(a)(5)(ii). No PHI shall be exchanged for direct or indirect remuneration.

3.5 Prohibition on Marketing Use

Business Associate shall never use PHI for marketing purposes as defined in 45 CFR 164.501. No PHI shall be used to make any communication about a product or service that encourages recipients to purchase or use the product or service.

3.6 Minimum Necessary

Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in compliance with 45 CFR 164.502(b) and 164.514(d).

4. Obligations of Covered Entity

Covered Entity (the home care agency) agrees to:

  1. Necessary PHI Only. Provide Business Associate only with the PHI that is necessary for Business Associate to perform its services under this Agreement, in accordance with the minimum necessary standard.
  2. Proper Authorizations. Obtain proper authorizations from clients, employees, and other individuals before entering their PHI into the Compliance Pro platform, to the extent required by the HIPAA Privacy Rule.
  3. Notice of Restrictions. Notify Business Associate of any limitation(s) in the Covered Entity’s notice of privacy practices, any changes in or revocation of the permission by an individual to use or disclose PHI, and any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
  4. Lawful Requests Only. Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity, except as specifically permitted for Business Associate management and administration under Section 3.2.

5. Term and Termination

5.1 Term

This Agreement shall be effective as of the Effective Date and shall remain in effect for the duration of the Covered Entity’s subscription to the Compliance Pro platform, unless terminated earlier in accordance with this Section.

5.2 Termination for Cause

Either party may terminate this Agreement with thirty (30) days’ written notice if the other party materially breaches any provision of this Agreement and fails to cure such breach within the thirty-day notice period. If cure is not possible, the non-breaching party may terminate immediately upon written notice.

5.3 Effect of Termination

Upon termination of this Agreement for any reason, Business Associate shall:

  • Return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within thirty (30) days of termination.
  • This provision shall apply to PHI that is in the possession of Subcontractors of Business Associate.
  • Retain no copies of the PHI, except as necessary for Business Associate’s proper management and administration or to carry out its legal responsibilities.
  • If return or destruction of PHI is infeasible, extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

5.4 Survival

The obligations of Business Associate under Sections 2 (Obligations of Business Associate), 6 (Breach Notification), and 8 (Security) shall survive the termination of this Agreement.

6. Breach Notification

6.1 Notification Timeline

Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than seventy-two (72) hours after discovery of such Breach.

6.2 Content of Notification

The notification shall include, to the extent known or reasonably determinable:

  • The nature and extent of the PHI involved in the Breach, including the types of identifiers and likelihood of re-identification;
  • The identity of the unauthorized person(s) who accessed or acquired the PHI, or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed, or if only the opportunity existed;
  • A description of what Business Associate has done or is doing to investigate the Breach, mitigate harm, and protect against further breaches; and
  • Any other information that the Covered Entity is required to include in notification to affected individuals under 45 CFR 164.404(c).

6.3 Cooperation

Business Associate shall cooperate with Covered Entity in investigating any Breach or Security Incident, including providing all information and assistance reasonably requested by Covered Entity to enable Covered Entity to fulfill its obligations under the Breach Notification Rule (45 CFR Part 164, Subpart D).

7. Subcontractors

Business Associate uses the following Subcontractors in connection with its provision of the Compliance Pro platform. Business Associate has entered into written business associate agreements with each Subcontractor that processes PHI, as required by 45 CFR 164.502(e)(1)(ii):

Subcontractor                Service Provided                                             BAA Status
Supabase Inc.                Database hosting and cloud storage                           BAA on file
Amazon Web Services (AWS)    Application hosting and infrastructure                       BAA on file
Paubox Inc.                  HIPAA-compliant email delivery                               BAA on file
SignWell                     Electronic signature processing                              BAA on file
Anthropic                    AI processing (de-identified data only; no PHI transmitted)  No PHI access

Business Associate shall notify Covered Entity of any changes to its Subcontractors that may affect the processing of PHI. Business Associate shall ensure that each Subcontractor complies with the same restrictions and conditions that apply to Business Associate under this Agreement.

8. Security

Business Associate has implemented and maintains the following security measures to protect ePHI in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C):

  1. Encryption at Rest. All ePHI stored within the Compliance Pro platform is encrypted at rest using AES-256 encryption.
  2. Encryption in Transit. All ePHI transmitted to or from the Compliance Pro platform is encrypted in transit using TLS 1.2 or higher.
  3. Role-Based Access Controls. Access to ePHI is restricted through role-based access controls (RBAC), ensuring that users may only access the minimum necessary ePHI required for their role and responsibilities.
  4. Audit Logging. All access to ePHI is logged through comprehensive audit logging, including the identity of the user, the date and time of access, and the nature of the access. Audit logs are retained for a minimum of six (6) years.
  5. Annual Security Assessments. Business Associate conducts annual security risk assessments in accordance with 45 CFR 164.308(a)(1)(ii)(A) to identify threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  6. Employee Training. All Business Associate workforce members who access ePHI receive training on HIPAA requirements and the Business Associate’s security policies upon hire and annually thereafter.
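As an added example that is not part of this Agreement or of Compliance Pro's implementation: one way to make an audit trail carrying the fields listed in item 4 (user identity, date and time, nature of access) tamper-evident over a multi-year retention period is to chain each entry to its predecessor with a hash, so that a later edit or deletion of any record is detectable when the log is verified. The AuditLog class, its field names and the SHA-256 chaining are assumptions made for this illustration.

```python
"""Hash-chained, append-only audit trail for ePHI access events.

Added example; the event fields follow Section 8 item 4 and the chaining scheme is an
assumption about how tamper evidence could be provided, not Compliance Pro's design.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # previous-hash value used by the first entry

EVENT_FIELDS = ("user", "action", "resource", "ts")


def _entry_hash(prev_hash: str, event: dict) -> str:
    """Hash the previous entry's hash together with a canonical JSON form of the event."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, user_id: str, action: str, resource: str,
               timestamp: Optional[str] = None) -> dict:
        """Append one access event and return the stored entry."""
        event = {
            "user": user_id,          # identity of the workforce member or service account
            "action": action,         # nature of the access, e.g. "read", "update", "export"
            "resource": resource,     # identifier of the ePHI record touched
            "ts": timestamp or datetime.now(timezone.utc).isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {**event, "prev": prev, "hash": _entry_hash(prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first inconsistent entry.

        An edited field changes that entry's recomputed hash; a deleted entry makes the
        next entry's stored 'prev' disagree with the hash of what now precedes it.
        """
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            event = {k: entry[k] for k in EVENT_FIELDS}
            if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, event):
                return i
            prev = entry["hash"]
        return -1


def build_sample_log() -> AuditLog:
    """Constructed sample: three fictitious access events with fixed timestamps."""
    log = AuditLog()
    log.record("nurse-17", "read", "client/4411", "2026-03-09T14:02:11+00:00")
    log.record("nurse-17", "update", "client/4411", "2026-03-09T14:05:40+00:00")
    log.record("admin-02", "export", "client/4411", "2026-03-09T15:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() == -1)
    log.entries[1]["user"] = "admin-02"   # simulate after-the-fact alteration
    print("first bad entry:", log.verify())
```

The chain only proves that the stored sequence has not changed since it was written; truncating the log after the last entry is not detectable from the entries alone, so the head hash should be periodically anchored somewhere the log writer cannot modify (a separate signed checkpoint, a write-once store, or an external timestamping service).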

9. Miscellaneous

9.1 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions, and the applicable provisions of HIPAA and the HITECH Act.

9.2 Entire Agreement

This Agreement, together with the Compliance Pro Terms of Service and any other agreements between the parties, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, both written and oral, between the parties with respect to the subject matter hereof.

9.3 Amendments

This Agreement may not be modified or amended except in writing signed by both parties. The parties agree to take such action as is necessary to amend this Agreement from time to time as necessary for compliance with the requirements of the HIPAA Rules and the HITECH Act.

9.4 Severability

If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions of this Agreement shall remain in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent.

9.5 Interpretation

Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. In the event of a conflict between the provisions of this Agreement and mandatory provisions of the HIPAA Rules, the HIPAA Rules shall control.

9.6 No Third-Party Beneficiaries

Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

9.7 Notices

All notices required or permitted under this Agreement shall be in writing and shall be sent to the addresses set forth in the signature blocks below, or to such other address as either party may designate in writing. Notice may be provided by email to the email addresses provided.

10. Signatures

IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the Effective Date.

BUSINESS ASSOCIATE

Ali Management Group LLC
d/b/a Compliance Pro
2810 N Church St #501279
Wilmington, DE 19802
info@compliancepro.live

Authorized Representative Signature

Printed Name and Title

Date

COVERED ENTITY

Agency Legal Name: ________________________________
Address: ________________________________
Email: ________________________________
NPI Number (optional): ________________________________

Authorized Representative Signature

Printed Name and Title

Date

Electronic Signature: During onboarding, this agreement is presented for electronic signature via SignWell, a HIPAA-compliant e-signature platform. Electronic signatures have the same legal effect as handwritten signatures under the ESIGN Act (15 U.S.C. § 7001) and UETA.