Business Associate Agreement
Last updated: June 21, 2026
This Business Associate Agreement (“BAA”) supplements and is part of the Terms of Service between Hat Rack Group, LLC (“GuideRelay,” the “Business Associate”) and the agency that accepts it (the “Customer” or “Covered Entity”). It governs Protected Health Information that GuideRelay creates, receives, maintains, or transmits on the Customer’s behalf through the GuideRelay service. It is effective when the Customer accepts it (for example, at sign-up). Capitalized terms not defined here have the meanings given in the HIPAA Rules.
1. Definitions
“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164. “PHI” means Protected Health Information, limited to information GuideRelay creates, receives, maintains, or transmits for the Customer through the Service. “Breach,” “Security Incident,” “Required by Law,” “Subcontractor,” “Designated Record Set,” “Secretary,” and “Unsecured PHI” have the meanings in the HIPAA Rules.
2. Permitted Uses and Disclosures
GuideRelay may use and disclose PHI only:
- to perform the Service for the Customer as described in the Terms of Service;
- as Required by Law;
- for GuideRelay’s proper management and administration or to carry out its legal responsibilities, provided that any disclosure is either Required by Law or made with reasonable written assurances from the recipient that the PHI will be kept confidential and that the recipient will notify GuideRelay of any breach of confidentiality;
- to provide data aggregation services relating to the Customer’s health care operations, and to de-identify PHI in accordance with 45 CFR 164.514(a)–(b) (de-identified information is no longer PHI).
GuideRelay will not use or disclose PHI other than as permitted or required by this BAA or as Required by Law, and will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by the Customer (except as expressly permitted above).
3. Safeguards
GuideRelay will use appropriate administrative, physical, and technical safeguards — and, with respect to electronic PHI, comply with the Security Rule — to prevent use or disclosure of PHI other than as provided by this BAA.
4. Minimum Necessary
GuideRelay will make reasonable efforts to use, disclose, and request only the minimum necessary PHI to accomplish the intended purpose, consistent with the HIPAA Rules.
5. Reporting
GuideRelay will report to the Customer any use or disclosure of PHI not permitted by this BAA, any Security Incident, and any Breach of Unsecured PHI of which it becomes aware, without unreasonable delay and no later than ten (10) business days after discovery. For a Breach, GuideRelay will provide the information reasonably available to it that the Customer needs to meet its own notification obligations. The parties acknowledge that unsuccessful Security Incidents (such as pings, port scans, and routine attempted access that result in no unauthorized access to PHI) occur routinely and require no individual report; this sentence constitutes notice of them.
6. Subcontractors
GuideRelay will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and conditions at least as protective as those that apply to GuideRelay under this BAA, as required by 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2).
7. Individual Rights
To help the Customer meet its obligations under the Privacy Rule, GuideRelay will:
- make PHI in a Designated Record Set available to the Customer (or, as the Customer directs, to the individual) to enable access under 45 CFR 164.524;
- make PHI available for amendment and incorporate amendments the Customer directs, under 45 CFR 164.526;
- maintain and make available the information needed to provide an accounting of disclosures under 45 CFR 164.528;
- forward to the Customer any related request an individual makes directly to GuideRelay.
8. Availability of Records to HHS
GuideRelay will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining the Customer’s compliance with the HIPAA Rules.
9. Obligations of the Customer (Covered Entity)
The Customer will: notify GuideRelay of any limitation in its Notice of Privacy Practices, any change in or revocation of an individual’s permission, and any restriction the Customer agrees to under 45 CFR 164.522, to the extent any of these may affect GuideRelay’s use or disclosure of PHI; and not request GuideRelay to use or disclose PHI in any manner that would not be permitted under the HIPAA Rules if done by the Customer, except as permitted in Section 2. The Customer is responsible for obtaining any consents or authorizations required for the PHI it places in the Service.
10. Term and Termination
This BAA is effective upon the Customer’s acceptance and continues while GuideRelay maintains PHI for the Customer. If either party materially breaches this BAA and does not cure within 30 days of written notice, the non-breaching party may terminate the Service. On termination, and if feasible, GuideRelay will return or destroy all PHI (and ensure its Subcontractors do the same). If return or destruction is infeasible, GuideRelay will extend the protections of this BAA to that PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible, for as long as it retains the PHI.
11. Interpretation and Amendment
Any ambiguity in this BAA will be resolved to permit compliance with the HIPAA Rules. References to sections of the HIPAA Rules mean those sections as in effect or as amended. The parties will take such action as is necessary to amend this BAA to comply with changes in applicable law.
12. Miscellaneous
This BAA supplements the Terms of Service; with respect to PHI, this BAA controls over any conflicting term. It creates no third-party beneficiary rights. The obligations of GuideRelay that by their nature should survive will survive termination. Customers that require a separately signed BAA may request one at privacy@hatrackgroup.com.
13. Contact
Questions about this BAA? Contact us at privacy@hatrackgroup.com. See also our Terms of Service and Privacy Policy.