Effective Date
Aug 27, 2025
This Business Associate Agreement ("Agreement") is entered into by and between Barnabus Inc., a corporation incorporated in Ontario, Canada under provincial and federal law ("Business Associate" or "Barnabus"), and the applicable healthcare provider, organization, or licensed professional ("Covered Entity").
This Agreement is incorporated into and forms part of the Barnabus Terms of Use. It governs how Barnabus handles Protected Health Information ("PHI") and Electronic Protected Health Information ("ePHI") in accordance with:
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended;
The Health Information Technology for Economic and Clinical Health Act ("HITECH"); and
Applicable Canadian privacy laws, including but not limited to PIPEDA, PHIPA (Ontario), and other provincial acts.
Barnabus provides AI-powered services that may involve creating, receiving, maintaining, or transmitting PHI for clinical decision support, diagnostics, workflow automation, or research. This Agreement ensures compliance with HIPAA and Canadian laws and defines the mutual obligations for safeguarding PHI.
Terms such as "Protected Health Information (PHI)," "Electronic PHI (ePHI)," "Individual," "Subcontractor," "Use," and "Disclosure" have the meanings set forth in 45 C.F.R. §160.103 and applicable Canadian privacy law.
Barnabus agrees to:
Use or disclose PHI only as permitted by this Agreement or as Required by Law.
Implement appropriate administrative, technical, and physical safeguards to protect ePHI in accordance with 45 C.F.R. Part 164, Subpart C (the HIPAA Security Rule) and equivalent Canadian standards.
Report to Covered Entity any breach, unauthorized use, or security incident involving PHI within 10 business days of discovery.
Notify Covered Entity of any attempted but unsuccessful security incidents.
Ensure that subcontractors with PHI access enter into agreements with obligations no less stringent than this Agreement.
Make PHI available to Covered Entity to meet access or amendment obligations under HIPAA and applicable Canadian regulations.
Refer any individual requests for PHI access or changes directly to Covered Entity unless otherwise instructed in writing.
Cooperate with audits by the U.S. Secretary of Health and Human Services or Canadian regulators.
Barnabus may:
Use PHI to provide services under its Terms of Use.
Use PHI for its internal operations, legal compliance, or de-identification (in accordance with 45 C.F.R. §164.514 and Canadian anonymization standards).
Disclose PHI as Required by Law.
Use PHI for Data Aggregation related to healthcare operations.
Share PHI with authorized subcontractors under appropriate agreements.
Barnabus agrees to:
Comply with PIPEDA, PHIPA (Ontario), and other applicable provincial legislation where PHI is collected, used, or disclosed.
Address any conflicts between HIPAA and Canadian law by applying the most protective standard.
Covered Entity acknowledges that Barnabus may use secure cloud infrastructure located in the United States, Canada, or other approved jurisdictions. All cross-border transfers of PHI shall be encrypted and governed by appropriate contractual and technical safeguards.
Barnabus remains directly responsible for its subcontractors’ handling of PHI and shall require them to:
Enter written agreements with equivalent privacy and security obligations.
Notify Barnabus of any security incident or breach related to Covered Entity’s PHI.
Barnabus will notify Covered Entity of any confirmed breach or material incident involving PHI within 10 business days.
Where full impact assessment is delayed, Barnabus will provide an initial notice and issue updates as more details become available.
Except in cases of gross negligence or willful misconduct, Barnabus’s total liability under this Agreement is limited to the total amount paid by Covered Entity for services in the twelve (12) months preceding any claim.
Covered Entity may, no more than once annually and with reasonable advance notice, request evidence of Barnabus’s HIPAA and Canadian privacy compliance. Barnabus may provide:
Summaries of third-party security assessments (e.g., SOC 2, ISO 27001),
Documentation of internal safeguards,
Annual risk audit summaries,
all subject to a mutually agreed non-disclosure agreement or standard confidentiality protections.
Covered Entity shall:
Effective Date: Upon activation of Covered Entity’s Barnabus account.
Termination for Cause: Either party may terminate this Agreement with 30 days’ notice upon a material breach.
Post-Termination:
• Barnabus will retain only PHI needed for legal or operational purposes.
• Barnabus will return or securely destroy all remaining PHI where feasible.
• Barnabus will maintain the protections of this Agreement for, and restrict the use of, any retained PHI.
Governing Law: Laws of Ontario, Canada, unless overridden by applicable federal privacy laws or HIPAA.
Dispute Resolution: Any dispute shall be resolved via binding arbitration under the rules of JAMS, with hearings held in a mutually agreed location.
Amendments: May be modified to reflect legal changes or regulatory updates.
Severability: If a provision is found unenforceable, the remainder shall still apply.
No Third-Party Rights: This Agreement benefits only Barnabus and the Covered Entity.
By registering for and using Barnabus services, the Covered Entity agrees to the terms of this Business Associate Agreement.