Business Associate Agreement
Last updated: April 11, 2026
1. Purpose
This Business Associate Agreement ("BAA") establishes the terms under which Gift of Gab Tech Inc. ("Business Associate") may receive, maintain, or transmit Protected Health Information ("PHI") on behalf of a Covered Entity or its business associates ("Covered Entity") in connection with the EMMA platform.
This BAA is intended for clients operating in healthcare-adjacent industries, including but not limited to senior living communities, assisted living facilities, home health agencies, and real estate firms specializing in medical office or healthcare facility transactions, where contact records may incidentally contain health-related information.
2. Definitions
Terms used in this BAA that are defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, including the Privacy Rule and the Security Rule, shall have the same meaning as set forth therein. Key terms include:
- Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium.
- Electronic Protected Health Information (ePHI): PHI that is transmitted or maintained in electronic media.
- Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
3. Obligations of Business Associate
Gift of Gab Tech Inc. agrees to the following obligations with respect to any PHI received from or on behalf of the Covered Entity:
- Not use or disclose PHI other than as permitted or required by this BAA or as required by law.
- Use appropriate safeguards, including administrative, physical, and technical safeguards, to prevent the use or disclosure of PHI other than as provided for by this BAA.
- Report to the Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Breach of Unsecured PHI and any Security Incident.
- Ensure that any agents or subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this BAA.
- Make PHI available to the Covered Entity as necessary to satisfy the Covered Entity's obligations to provide individuals with access to their PHI under the HIPAA Privacy Rule.
- Make available its internal practices, books, and records relating to the use and disclosure of PHI for purposes of the Secretary of Health and Human Services determining the Covered Entity's compliance with HIPAA.
4. Safeguards for PHI
Business Associate implements the following safeguards to protect PHI:
4.1 Administrative Safeguards
- Designated security personnel responsible for developing and implementing security policies.
- Workforce training on PHI handling, privacy obligations, and security awareness.
- Access management procedures ensuring workforce members have access to PHI only as necessary for their job functions.
- Periodic risk assessments and policy reviews.
4.2 Physical Safeguards
- All data hosted on Microsoft Azure infrastructure with SOC 2 Type II certified physical data center security.
- No PHI is stored on employee workstations, portable devices, or removable media.
4.3 Technical Safeguards
- AES-256 encryption for ePHI at rest.
- TLS 1.3 encryption for ePHI in transit.
- Unique user identification, role-based access controls, and session management.
- Audit controls and logging of access to systems containing ePHI.
- Integrity controls to prevent unauthorized alteration of ePHI.
5. Breach Notification
In the event of a Breach of Unsecured PHI, Business Associate shall:
- Notify the Covered Entity without unreasonable delay and no later than 72 hours after discovery of the Breach.
- Provide the Covered Entity with the identification of each individual whose PHI has been, or is reasonably believed to have been, affected by the Breach.
- Provide any other information the Covered Entity is required to include in its notification to affected individuals and the Secretary of Health and Human Services, to the extent such information is available.
- Cooperate with the Covered Entity in investigating the Breach and mitigating harmful effects.
6. Term and Termination
This BAA is effective for the duration of the underlying Service agreement. Upon termination:
- Business Associate shall return or destroy all PHI received from, or created or received on behalf of, the Covered Entity that Business Associate still maintains. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
- The Covered Entity may terminate this BAA and the underlying Service agreement if Business Associate has materially breached this BAA and has not cured the breach within 30 days of receiving written notice.
7. Governing Law
This BAA shall be governed by and construed in accordance with the federal laws of Canada and the laws of the Province of Ontario and, where the Covered Entity is subject to United States jurisdiction, applicable United States federal law, including HIPAA and the HITECH Act.
8. Request a BAA
If your organization requires a Business Associate Agreement with Gift of Gab Tech Inc., please contact our compliance team to initiate the process:
- Gift of Gab Tech Inc.
- Compliance Team: compliance@giftofgab.tech