Business Associate Agreement (BAA), Terms of Use, and Privacy Policy - Barnabus Inc.
Business Associate Agreement
1. Introduction
This Business Associate Agreement ("Agreement") is entered into by and between Barnabus
Inc., a corporation incorporated in Ontario, Canada under provincial and federal law
("Business Associate" or "Barnabus"), and the applicable healthcare provider, organization,
or licensed professional ("Covered Entity").
This Agreement is incorporated into and forms part of the Barnabus Terms of Use. It governs
how Barnabus handles Protected Health Information ("PHI") and Electronic Protected Health
Information ("ePHI") in accordance with:
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended,
The Health Information Technology for Economic and Clinical Health Act ("HITECH"),
Applicable Canadian privacy laws, including but not limited to PIPEDA, PHIPA (Ontario), and other provincial acts.
2. Purpose
Barnabus provides AI-powered services that may involve creating, receiving, maintaining, or transmitting PHI for clinical decision support, diagnostics, workflow automation, or research. This Agreement ensures compliance with HIPAA and Canadian laws and defines the mutual obligations for safeguarding PHI.
3. Definitions
Terms such as "Protected Health Information (PHI)," "Electronic PHI (ePHI)," "Individual," "Subcontractor," "Use," and "Disclosure" have the meanings set forth in 45 C.F.R. §160.103 and applicable Canadian privacy law.
4. Obligations of Barnabus (Business Associate)
Barnabus agrees to:
Use or disclose PHI only as permitted by this Agreement or as Required by Law.
Implement appropriate administrative, technical, and physical safeguards to protect ePHI in accordance with 45 C.F.R. §164 Subpart C and equivalent Canadian standards.
Report to Covered Entity any breach, unauthorized use, or security incident involving PHI within 10 business days of discovery.
Notify Covered Entity of any attempted but unsuccessful security incidents.
Ensure that subcontractors with PHI access enter into agreements with obligations no less stringent than this Agreement.
Make PHI available to Covered Entity to meet access or amendment obligations under HIPAA and applicable Canadian regulations.
Refer any individual requests for PHI access or changes directly to Covered Entity unless otherwise instructed in writing.
Cooperate with audits by the U.S. Secretary of Health and Human Services or Canadian regulators.
5. Permitted Uses and Disclosures
Barnabus may:
Use PHI to provide services under its Terms of Use.
Use PHI for its internal operations, legal compliance, or de-identification (in accordance with HIPAA §164.514 and Canadian anonymization standards).
Disclose PHI as Required by Law.
Use PHI for Data Aggregation related to healthcare operations.
Share PHI with authorized subcontractors under appropriate agreements.
6. Additional Canadian-Specific Commitments
Comply with PIPEDA, PHIPA (Ontario), and other applicable provincial legislation where PHI is collected, used, or disclosed.
Address any conflicts between HIPAA and Canadian law by applying the most protective standard.
7. Data Residency and Cross-Border Transfers
Covered Entity acknowledges that Barnabus may use secure cloud infrastructure located in the United States, Canada, or other approved jurisdictions. All cross-border transfers of PHI shall be encrypted and governed by appropriate contractual and technical safeguards.
8. Subcontractor Accountability
Barnabus remains directly responsible for its subcontractors’ handling of PHI and shall require them to:
Enter written agreements with equivalent privacy and security obligations.
Notify Barnabus of any security incident or breach related to Covered Entity’s PHI.
9. Breach Notification and Incident Handling
Barnabus will notify Covered Entity of any confirmed breach or material incident involving PHI within 10 business days.
Where full impact assessment is delayed, Barnabus will provide an initial notice and issue updates as more details become available.
10. Covered Entity Responsibilities
Covered Entity shall:
Ensure it has all necessary consents to share PHI with Barnabus.
Notify Barnabus of any patient restrictions, revocations, or privacy policies that may affect use of PHI.
Not request Barnabus to use or disclose PHI in violation of HIPAA or Canadian law.
11. Liability Limitation
Except in cases of gross negligence or willful misconduct, Barnabus’s total liability under this Agreement is limited to the total amount paid by Covered Entity for services in the twelve (12) months preceding any claim.
12. Right to Audit
Covered Entity may, no more than once annually and with reasonable advance notice, request evidence of Barnabus’s HIPAA and Canadian privacy compliance. Barnabus may provide:
Summaries of third-party security assessments (e.g., SOC 2, ISO 27001),
Documentation of internal safeguards,
Annual risk audit summaries,
All subject to a mutually agreed non-disclosure agreement or standard confidentiality protections.
13. Term & Termination
Effective Date: Upon activation of Covered Entity’s Barnabus account.
Termination for Cause: Either party may terminate this Agreement with 30 days’ notice upon a material breach.
Post-Termination: Barnabus will:
- Retain only PHI needed for legal or operational purposes.
- Return or securely destroy remaining PHI where feasible.
- Maintain protections and restrict use of retained PHI.
14. Miscellaneous
Governing Law: Laws of Ontario, Canada, unless overridden by applicable federal privacy laws or HIPAA.
Dispute Resolution: Any dispute shall be resolved via binding arbitration under the rules of JAMS, with hearings held in a mutually agreed location.
Amendments: May be modified to reflect legal changes or regulatory updates.
Severability: If a provision is found unenforceable, the remainder shall still apply.
No Third-Party Rights: This Agreement benefits only Barnabus and the Covered Entity.
15. Acceptance
By registering for and using Barnabus services, the Covered Entity agrees to the terms of this Business Associate Agreement.
Terms of Use
1. Account Registration
To access certain Services, you must register and create an account. You agree to provide accurate, current, and complete registration information, including your name, professional credentials, and contact details. You are responsible for maintaining the confidentiality of your login credentials and all activity under your account.
2. Use of the Services
The Services are intended only for licensed healthcare professionals in Canada, the United States, and other authorized jurisdictions. By using the Services, you represent that you:
Are legally authorized to practice in your jurisdiction;
Have provided accurate professional credentials;
Will use the Services in accordance with these Terms and applicable law.
The Services do not constitute medical advice. Information provided is for professional support and reference only. Decisions about diagnosis or treatment remain the sole responsibility of the healthcare provider. You are responsible for complying with all applicable laws, including HIPAA, PIPEDA, PHIPA (Ontario), and other relevant federal and provincial regulations.
If you are a Covered Entity under HIPAA and use Barnabus to transmit Protected Health Information (PHI), our Business Associate Agreement (BAA) applies and is incorporated herein by reference.
3. Professional Use Only
Barnabus is not intended for direct use by patients or consumers. If you are a non-professional accessing the Services, you acknowledge that content provided is not a substitute for professional medical advice, diagnosis, or treatment.
4. Privacy and Security
Our Privacy Policy outlines how we collect, store, and process personal and non-personal information. By using the Services, you agree to the terms of our Privacy Policy.
PHI submitted through the Services is protected under HIPAA, PIPEDA, and other applicable regulations. We apply strict security protocols, including encryption, access controls, and audit logging.
5. Acceptable Use
You agree not to:
Use the Services for unlawful, unethical, or unauthorized purposes;
Upload content that includes PHI without appropriate patient consent;
Violate privacy, copyright, trademark, or other legal rights;
Attempt to probe, scan, or test system security;
Use bots, crawlers, or scraping tools to access the Services;
Reverse-engineer or disassemble any part of the Services.
We reserve the right to suspend or terminate accounts found to be in violation of these Terms.
6. User-Generated Content
If you submit content (e.g., case notes, annotations, feedback), you retain ownership but grant Barnabus a royalty-free, worldwide license to use, display, and improve our Services. You are solely responsible for the legality and compliance of any information you submit.
Do not upload PHI or personally identifiable information without obtaining all legally required patient consents.
7. Data Collection and Use
Barnabus may collect de-identified usage data, interaction logs, and prompt inputs for the purpose of improving system performance, safety, and AI models. This data may be shared or licensed in anonymized form but will never include identifiable personal or patient data unless expressly permitted by law or consent.
8. Third-Party Content and Integrations
Barnabus may provide access to third-party tools, content, or APIs. We do not endorse, and are not responsible for, the accuracy, availability, or security of any third-party resources.
9. Service Availability and Modifications
We may modify, suspend, or discontinue parts of the Services at any time. We are not liable for loss of access, data, or interruptions caused by such changes.
10. Intellectual Property
All content, trademarks, designs, and software associated with Barnabus are owned by Barnabus Inc. or its licensors. You are granted a limited, non-transferable license to use the Services for personal and professional healthcare use. Any commercial use, distribution, or reproduction is strictly prohibited.
11. Limitation of Liability
To the maximum extent permitted by law, Barnabus and its officers, directors, employees, contractors, and partners are not liable for indirect, incidental, or consequential damages arising from use of the Services. Barnabus’s total liability for any claim will not exceed CAD $100.
12. Indemnity
You agree to indemnify and hold harmless Barnabus and its affiliates against claims arising from your use of the Services, your violation of these Terms, or any unauthorized disclosure of patient or third-party data.
13. Governing Law
These Terms are governed by the laws of the Province of Ontario and the federal laws of Canada. Any disputes shall be resolved under binding arbitration in Ontario.
14. Termination
We reserve the right to suspend or terminate your access at our discretion, particularly in cases of fraud, misuse, or breach of these Terms.
15. Feedback
Any suggestions or feedback submitted become the property of Barnabus Inc. and may be used to improve the Services without obligation or compensation.
16. Changes to These Terms
We may update these Terms at any time. Changes will be posted on our website. Continued use of the Services after changes means you accept the updated Terms.
17. Contact Us
For questions, legal notices, or support:
Email: support@barnabus.ai
Mailing Address: Barnabus Inc., [Insert Canadian office address here]
Privacy Policy
1. Scope and Applicability
This Privacy Policy applies to all users of Barnabus Services, including healthcare professionals, researchers, and invited collaborators. If you are a patient, please note that Barnabus is not intended for direct consumer use. Any patient information processed is done solely on behalf of authorized healthcare professionals using our Services.
2. Information We Collect
We collect the following types of information:
a. Account & Identity Information
Name, email address, contact details
Credentials and licensing information (e.g., medical license, professional role)
Organization/affiliation
b. Usage Data
Log files (IP address, access time, pages viewed)
Interaction with Services and tools
Search history and clinical workflow usage (de-identified)
c. Communication & Feedback
Emails and messages sent to us
Feedback, support requests, and surveys
d. Device & Technical Info
Browser type, operating system, device type
Cookies and similar technologies (see Section 8)
e. Personal Health Information (PHI)
Only if you, as a licensed healthcare professional, enter PHI into the system as part of care delivery or documentation. This information is handled in compliance with applicable health privacy laws (e.g., HIPAA, PIPEDA, PHIPA).
3. How We Use Your Information
We use your information to:
Provide, operate, and improve the Barnabus platform
Verify your identity and professional eligibility
Maintain security and compliance with legal obligations
Respond to inquiries, provide support, and deliver updates
Perform analytics on usage trends and performance (de-identified data)
Deliver optional product announcements or educational material (opt-in only)
4. Legal Basis for Processing
We process your information under the following legal bases:
Consent: You give consent by registering or using our Services.
Contractual necessity: To provide Services you’ve requested.
Legal compliance: To comply with regulatory or legal obligations.
Legitimate interests: For system security, platform integrity, and non-identifiable analytics.
5. Disclosure of Information
We do not sell your personal or health information. We may share information only in the following limited cases:
With vendors or service providers who help deliver the Services (e.g., secure hosting, customer support)
With government or legal authorities if required by law
With third parties in anonymized or de-identified form for research and development
With your explicit permission (e.g., referrals, collaborations)
All vendors are bound by confidentiality agreements and data protection obligations equivalent to ours.
6. Data Location and International Transfers
Our primary data centers are located in Canada and the United States. If you are located outside of Canada, your information may be transferred and stored in a jurisdiction that may not have equivalent privacy protections. However, we apply the same level of protection regardless of location.
7. Data Security
We implement administrative, technical, and physical safeguards to protect your information, including:
End-to-end encryption
Access controls and audit trails
Regular vulnerability testing and monitoring
Despite our efforts, no method of transmission over the internet is 100% secure. You are responsible for safeguarding your account credentials.
8. Cookies and Tracking Technologies
We use cookies to:
Maintain user sessions
Understand usage patterns
Improve user experience
You can manage your cookie preferences in your browser settings. Disabling cookies may affect the functionality of certain features.
9. Data Retention
We retain your information only as long as necessary for the purposes outlined in this Policy or as required by law. You may request deletion of your account or data, subject to applicable legal and operational constraints.
10. Your Rights (Canada, U.S. & Global)
Depending on your jurisdiction, you have the right to:
Access your personal information
Request corrections to inaccurate data
Withdraw consent (where processing is based on consent)
Request deletion, subject to legal retention policies
To exercise these rights, email privacy@barnabus.ai with your request. We will respond within 30 days as per legal requirements.
11. Children's Privacy
Our Services are not intended for children under 18. We do not knowingly collect or process personal data from minors.
12. Changes to This Privacy Policy
We may revise this Privacy Policy periodically. If we make material changes, we will notify you via email or prominent notice on the platform. Continued use of our Services means you accept the revised Policy.
13. Contact Us
For any questions about this Privacy Policy, contact:
Barnabus Inc.
Email: support@barnabus.ai
Mailing Address: Barnabus Inc., [Insert Canadian office address here]
14. Acceptance
By using Barnabus, you acknowledge and accept this Privacy Policy.