Business Associate Agreement
Effective version: v1.2026-05
This Business Associate Agreement ("BAA") supplements the ClinXtra Terms of Service and governs the parties' obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and 45 CFR Parts 160 and 164.
1. Definitions
Capitalized terms not defined here have the meanings given in 45 CFR §160.103 and §164.501. "PHI" means Protected Health Information that ClinXtra creates, receives, maintains, or transmits on behalf of Customer.
2. Permitted Uses and Disclosures
ClinXtra will use and disclose PHI only as permitted by this BAA, the Terms of Service, or as required by law. ClinXtra will not sell PHI or use it for marketing without authorization.
3. Safeguards
ClinXtra implements administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including encryption at rest (AES-256) and in transit (TLS 1.2+), least-privilege access, audit logging, and routine vulnerability management.
4. Subcontractors
ClinXtra ensures any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to substantially the same restrictions and conditions.
5. Breach Notification
ClinXtra will report any Breach of Unsecured PHI to Customer without unreasonable delay and in no case later than sixty (60) days after discovery, per 45 CFR §164.410.
6. Individual Rights
ClinXtra will, within commercially reasonable timeframes, support Customer's obligations to provide individuals access to, amendment of, and accounting of disclosures of their PHI.
7. Return or Destruction
Upon termination, ClinXtra will return or destroy PHI within ninety (90) days, except where retention is required by law. Customer may also request export and deletion at any time via the in-app Compliance page.
8. Term and Termination
This BAA continues for the duration of the underlying Terms of Service and may be terminated by Customer for material breach as provided therein.
Questions? Email compliance@clinxtra.com.
