Business Associate Agreement

Last updated: August 21, 2025

This Business Associate Agreement ("BAA") is entered into by Thatch (“Business Associate”) and the Employer for whom Thatch provides services under a Platform Agreement on behalf of such Employer’s group health plan (“Covered Entity”), effective on the Effective Date of the Platform Agreement between the Parties. References herein to the Platform Agreement include the Employer Agreement between the Parties and all other exhibits, schedules and other materials related to such Platform Agreement.

Covered Entity is a “Covered Entity” as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), as amended (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”).

Business Associate performs Services for or on behalf of Covered Entity, and in performing said Services, Business Associate creates, receives, maintains, or transmits individually identifiable health information.

The Parties intend to protect the privacy and provide for the security of the individually identifiable health information Disclosed by Covered Entity to Business Associate, or accessed, received, created, or transmitted by Business Associate, when providing Services. Such individually identifiable health information or Protected Health Information (“PHI”) will be protected in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5) (the “HITECH Act”) and its implementing regulations and guidance issued by the Secretary, and other applicable state and federal laws, all as amended from time to time.

Covered Entity is required under the HIPAA Regulations to enter into a Business Associate Agreement that meets certain requirements with respect to the Use and Disclosure of PHI, which are met by this BAA. Accordingly, to the extent required by HIPAA, Business Associate will comply with this BAA. The Parties agree as follows:

1. Definitions

Capitalized terms used in this BAA and not otherwise defined have the meanings ascribed to them in the HIPAA Regulations or otherwise in the Platform Agreement.

2. Obligations of Business Associate

A. Permitted Uses and Disclosures of Protected Health Information

Business Associate will not Use or Disclose PHI received, accessed, maintained, or created for or on behalf of Covered Entity except to perform the Services required by the Platform Agreement, or as permitted by this BAA or Required by Law. Business Associate will not Use or Disclose PHI in any manner that would constitute a violation of the HIPAA Regulations if so Used or Disclosed by Covered Entity. Without limiting the generality of the foregoing, Business Associate is permitted to (i) Use PHI for the proper management and administration of Business Associate; (ii) Use and Disclose PHI to carry out the legal responsibilities of Business Associate, provided that with respect to any such Disclosure either: (a) the Disclosure is Required by Law; or (b) Business Associate obtains an agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not Use and further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; (iii) Use PHI for Data Aggregation purposes in connection with the Health Care Operations of Covered Entity; and (iv) Use PHI for purposes of de-identification of the PHI.

B. Adequate Safeguards of PHI

Business Associate will comply with Subpart C of 45 C.F.R. Part 164 with respect to PHI, and will reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI (“e-PHI”) that it creates, receives, maintains, or transmits on behalf of Covered Entity.

C. Mitigation

Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this BAA.

D. Reporting Security Incidents and Non-Permitted Uses or Disclosures

Business Associate will notify Covered Entity of any Use or Disclosure by Business Associate or its Subcontractors that is not specifically permitted by this BAA and each Security Incident, including Breaches of Unsecured PHI, within 10 business days of becoming aware. Notwithstanding the foregoing, Business Associate and Covered Entity acknowledge the ongoing existence and occurrence of attempted but ineffective Security Incidents that are trivial in nature, such as pings and other broadcast service attacks, and Covered Entity acknowledges and agrees that no additional notification to Covered Entity of such ineffective Security Incidents is required, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. If Business Associate determines that a Breach of Unsecured PHI has occurred, Business Associate will provide a written report to Covered Entity without unreasonable delay but no later than 30 calendar days after discovery of the Breach. To the extent that information is available to Business Associate, Business Associate’s written report to Covered Entity will be in accordance with 45 C.F.R. §164.410(c).

E. Delegated Responsibilities

To the extent that Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate must comply with the requirements of Subpart E that apply to Covered Entities in the performance of such obligations.

F. Availability of Internal Practices, Books, and Records to Government

Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of Covered Entity’s PHI available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act.

G. Access to and Amendment of Protected Health Information

To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate will make the PHI it maintains (or which is maintained by its Subcontractors) in such Designated Record Set available to Covered Entity for inspection and copying to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524 within 15 business days of a request by Covered Entity. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate will amend the PHI it maintains (or which is maintained by its Subcontractors) in such Designated Record Set to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.526 within 15 business days of a request by Covered Entity.

H. Accounting

To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, within 30 days of receipt of a request from Covered Entity or an individual for an accounting of disclosures of PHI, Business Associate and its Subcontractors will make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.528.

I. Use of Subcontractors

Business Associate will require each of its Subcontractors that creates, receives, maintains, or transmits PHI on behalf of Business Associate, to execute a written agreement that includes substantially the same restrictions and conditions that apply to Business Associate under this BAA with respect to PHI.

J. Minimum Necessary

Business Associate (and its Subcontractors) will, to the extent practicable, limit its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.

3. Term and Termination

A. Term

This BAA is effective as of the Effective Date and will terminate on the date that all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the PHI, protections are extended to such information.

B. Termination for Cause

In addition to and notwithstanding the termination provisions set forth in the Platform Agreement, upon Covered Entity’s or Business Associate’s knowledge of a material breach or violation of this BAA by the other Party, the non-breaching Party will either: (a) notify the breaching Party of the breach in writing, and provide an opportunity for the breaching Party to cure the breach or end the violation within 30 days of such notification; provided that if the breaching Party fails to cure the breach or end the violation within such time period to the satisfaction of the non-breaching Party, the non-breaching Party may immediately terminate this BAA upon written notice to the breaching Party; or (b) upon 30 days’ written notice to the breaching Party, terminate this BAA and the Platform Agreement if the non-breaching Party determines that such breach cannot be cured.

C. Disposition of Protected Health Information Upon Termination

Upon termination or expiration of this BAA, Business Associate will either return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form, and will retain no copies of such PHI. If return or destruction is not feasible, Business Associate will continue to extend the protections of this BAA to the PHI for as long as Business Associate retains the PHI and will limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible.

4. Miscellaneous

A. Amendment to Comply with Law

To the extent applicable, amendments or modifications to HIPAA or the HITECH Act may require amendments to certain provisions of this BAA. Amendments will only be effective if executed in writing and signed by a duly authorized representative of each Party.

B. Relationship to Underlying Agreement Provisions

In the event that a provision of this BAA is contrary to a provision of the Platform Agreement, the provision of this BAA will control. Otherwise, this BAA will be construed under, and in accordance with, the terms of such Platform Agreement, and will be considered an amendment of and supplement to such Platform Agreement, subject to Section 4.3 below.

C. Notices

Any notices or communications hereunder will be in writing by certified mail, return receipt requested, or delivered by a nationally recognized courier service with delivery confirmation, such as FedEx, or by facsimile (with evidence of receipt) at the addresses provided in the Platform Agreement.

D. Relationship of Parties

Notwithstanding anything to the contrary in the Platform Agreement, Business Associate is an independent contractor and not an agent of Covered Entity under this BAA. Business Associate has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Business Associate obligations under this BAA.

E. Interpretation

This BAA will be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The Parties agree that any ambiguity in this BAA will be resolved in favor of a meaning that complies and is consistent with such laws.

F. No Third Party Beneficiaries

Nothing express or implied in this BAA is intended to confer, nor will anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

G. Choice of Law

This BAA will be governed by the laws of the State of California regardless of the choice of law rules of any jurisdiction. Any ambiguities in this BAA will be resolved in a manner that allows Covered Entity and Business Associate to comply with the Privacy Rule, and, if applicable, the Security Rule. The Parties hereby agree and consent that the exclusive venue and jurisdiction for any and all disputes arising under or related to this BAA will be in the federal or state courts in San Francisco County, California, and waive any contention that any such court is an improper venue for such disputes.
