Standard customer BAA template — ready for your legal team.
This is the template we sign with every Team and Enterprise customer before any Protected Health Information flows into CareBridge. It's HHS-derived and adapted for our service. Your legal team can red-line; the executed version goes on file in your CareBridge org settings.
Quick summary — what the BAA establishes
1. Defined responsibilities
Your agency is the Covered Entity. CareBridge is the Business Associate. The BAA sets out HIPAA-mandated terms governing how we handle Protected Health Information (PHI) on your behalf.
2. Permitted uses of PHI
CareBridge will use PHI only to provide the contracted service: documentation, scheduling, knowledge retrieval, AI-assisted note drafting, and integration with the systems you authorize. We will not sell, market, or repurpose PHI under any circumstance.
3. Safeguards we implement
- Encryption in transit (TLS 1.2/1.3) and at rest (AES-256-GCM, using KMS envelope encryption) for every database column that holds PHI.
- Audit logs of every read and write of PHI, retained for 7 years minimum (HIPAA requires 6).
- Role-based access control with unique user identification and automatic 15-minute logoff.
- Documented Incident Response and Breach Notification procedures aligned with HHS guidance.
- Annual workforce HIPAA training for all CareBridge staff with system access.
- Background checks for all CareBridge personnel with PHI access, with documented termination procedures.
4. Subcontractor (downstream) BAAs
CareBridge does not subcontract PHI processing without an executed BAA with the downstream vendor. Our current downstream BAA stack is published on our Trust page: AWS, Anthropic, OpenAI, Google, Microsoft. Adding a new PHI-touching vendor requires updating this list and notifying you.
5. Breach notification
CareBridge notifies you of any breach of unsecured PHI without unreasonable delay and no later than 30 days after discovery. Notification includes a description of the incident, the PHI involved, and the steps taken in response. This is a stricter deadline than the federal 60-day requirement.
6. Termination
On termination of services, CareBridge will (at your election) return or destroy all PHI in our possession, including in backups and archives. Where return or destruction is technically infeasible, we will continue protecting the PHI under the BAA terms indefinitely.
7. Audit rights
You may, with 30 days' written notice, request an audit of CareBridge's HIPAA compliance program by an independent third-party auditor. We provide reasonable cooperation. Frequency: not more than once per 12 months absent reasonable cause.
8. Indemnification
CareBridge indemnifies your agency against direct damages caused by our breach of the BAA terms, capped at 12 months of fees paid. Indirect, consequential, and punitive damages are excluded except in cases of willful misconduct.
9. Governing law
The BAA is governed by the laws of New York State. Disputes are resolved through binding arbitration before any litigation is commenced, except that either party may seek emergency injunctive relief for a breach of confidentiality.
How signing works
- You receive the template — either by request to legal@cb.infinitebarrz.cloud or download from this page.
- Your legal team reviews — we welcome red-lines and respond within two business days.
- Both parties execute — typically electronic signature via DocuSign or similar.
- Executed copy filed — the signed BAA is uploaded to your CareBridge org settings and emailed to your designated compliance officer.
- PHI handling unlocks — your Team or Enterprise tier features that handle real PHI activate after the executed BAA is on file.
Lead time: typical signing turnaround is 5–10 business days from first request. We can fast-track for design partner agreements.