Business Associate Agreement

Last updated: 2026-06-11

1. Purpose and parties

This Business Associate Agreement (“BAA”) is entered into between OneTerp LLC (“Business Associate” or “OneTerp,” “we,” “us”) and the interpreting agency that accepts it (“Covered Entity” or “you”). It applies whenever you use the OneTerp platform to create, receive, maintain, or transmit Protected Health Information (“PHI”). This BAA supplements the Terms of Service and governs PHI; where there is a conflict regarding PHI, this BAA controls. It is required by, and is to be interpreted consistently with, the Health Insurance Portability and Accountability Act of 1996, the HITECH Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164 (together, “HIPAA”). It takes effect when you accept it (for example, by checking the acceptance box when you create your agency) and remains in effect while you use the platform to process PHI.

2. Definitions

Capitalized terms not defined here have the meanings given to them in HIPAA. “Protected Health Information” and “PHI” mean PHI, including electronic PHI, that OneTerp creates, receives, maintains, or transmits for or on your behalf through the platform. Where you are yourself a Business Associate of an upstream covered entity, you act as that entity’s Business Associate and OneTerp acts as your subcontractor; the obligations in this BAA apply to OneTerp in that role as well.

3. Permitted uses and disclosures by OneTerp

  • OneTerp will use and disclose PHI only as necessary to provide and support the platform and the services described in the Terms of Service, as permitted or required by this BAA, or as Required by Law.
  • OneTerp may use PHI for its own proper management and administration and to carry out its legal responsibilities, and may disclose PHI for those purposes only if the disclosure is Required by Law, or if OneTerp obtains reasonable assurances that the recipient will keep the PHI confidential and will notify OneTerp of any breach of confidentiality.
  • OneTerp may provide Data Aggregation services relating to your health care operations, and may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)-(c).
  • OneTerp will not use or disclose PHI in a manner that would violate HIPAA if done by you, except as otherwise expressly permitted above.

4. Obligations of OneTerp

  • No improper use or disclosure. Not use or disclose PHI other than as permitted by this BAA or as Required by Law, and apply the minimum necessary standard.
  • Safeguards. Use appropriate administrative, physical, and technical safeguards, and, with respect to electronic PHI, comply with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), to prevent use or disclosure of PHI other than as provided by this BAA.
  • Reporting. Report to you any use or disclosure of PHI not permitted by this BAA of which it becomes aware, any Security Incident, and any Breach of Unsecured PHI. OneTerp will make such report without unreasonable delay and, for a Breach, no later than thirty (30) calendar days after discovery, and will cooperate in good faith to provide information reasonably needed for you to meet your breach-notification obligations. Unsuccessful, routine security incidents (such as pings, scans, and blocked attempts) are reported by this sentence and require no further individual notice.
  • Subcontractors. Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and conditions at least as protective as those in this BAA, as required by 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2).
  • Individual rights. Make PHI available as needed for you to meet your obligations regarding individuals’ rights of access (§ 164.524) and amendment (§ 164.526), incorporate amendments you direct, and provide information needed for an accounting of disclosures (§ 164.528).
  • Government access. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining your compliance with HIPAA.
  • Mitigation. Take reasonable steps to mitigate any harmful effect, known to OneTerp, of a use or disclosure of PHI in violation of this BAA.
  • Carried-out obligations. To the extent OneTerp carries out one of your obligations under the HIPAA Privacy Rule, comply with the requirements of that Rule that apply to that obligation.

5. Your obligations

  • Do not enter into the platform any PHI you are not authorized to process, and only to the extent the platform is designed to receive it. The platform is designed to operate with minimal PHI, and certain features (such as SMS, subscription billing, and accounting sync) are kept free of PHI: do not attempt to route PHI through them.
  • Notify OneTerp of any limitation in your notice of privacy practices, of any change in or revocation of an individual’s permission, and of any restriction on the use or disclosure of PHI you have agreed to or are required to abide by, to the extent any of these affects OneTerp’s use or disclosure of PHI.
  • Not request OneTerp to use or disclose PHI in any manner that would not be permitted under HIPAA if done by you.
  • Maintain and apply appropriate user access controls, and promptly remove access for users who should no longer have it.

6. Subcontractors and infrastructure

OneTerp uses Google Cloud Platform and Google Workspace to host the platform, store data, and send email, under a Business Associate Agreement with Google that covers those services. Other providers used to operate the platform (for example, subscription billing and SMS) are kept out of PHI scope. OneTerp remains responsible for its subcontractors’ compliance as required by HIPAA.

7. Term and termination

  • This BAA is effective on your acceptance and continues until all PHI is returned or destroyed, or protections are extended as described below.
  • If OneTerp materially breaches this BAA, you may provide an opportunity to cure and may terminate the services if the breach is not cured within a reasonable time; either party may terminate as permitted by the Terms of Service.
  • Effect of termination. On termination, OneTerp will, if feasible, return or destroy all PHI it maintains on your behalf and retain no copies. Where return or destruction is not feasible (for example, for routine backups or as Required by Law), OneTerp will extend the protections of this BAA to that PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible, for as long as it retains the PHI.

8. Miscellaneous

  • Regulatory references are to the sections as in effect or amended. The parties agree to take action to amend this BAA as necessary to comply with HIPAA, and it will be interpreted to permit compliance with HIPAA.
  • No third-party beneficiaries. Nothing in this BAA confers any rights on any person other than the parties.
  • Survival. The obligations regarding PHI that by their nature should survive termination do survive.
  • Governing law. This BAA is governed by the laws of the Commonwealth of Kentucky and by HIPAA; where they conflict, HIPAA controls.

9. Acceptance

By accepting this BAA, you represent that you are authorized to bind your agency, and you and OneTerp agree to its terms. Questions? Email bryan@oneterpscheduling.com, or write to OneTerp LLC, P.O. Box 232, Berea, KY 40403.