Business Associate Agreement (Template)
Effective April 25, 2026
This template establishes the contractual framework that satisfies HIPAA's Business Associate provisions (45 CFR §164.504(e)) when Supreme Medical Evaluation Group, LLC handles protected health information on a Covered Entity's behalf.
1. Definitions
Capitalized terms used but not otherwise defined in this Agreement have the meanings ascribed to them in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the implementing regulations at 45 CFR Parts 160 and 164 (the "HIPAA Rules").
- "Business Associate" means Supreme Medical Evaluation Group, LLC ("SMEG").
- "Covered Entity" means the skilled nursing facility, contract therapy company, or other HIPAA-regulated entity counterparty to this Agreement.
- "Protected Health Information" or "PHI" has the meaning set out at 45 CFR §160.103, limited to information SMEG creates, receives, maintains, or transmits on Covered Entity's behalf.
2. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as permitted or required by this Agreement, the underlying Services Agreement, or as Required by Law.
2.1 Service Performance
Business Associate may use PHI to perform the documentation-risk review, audit-readiness analysis, and reporting services described in the Services Agreement, including incidental processing necessary to deliver those services.
2.2 Management and Administration
Business Associate may use PHI for the proper management and administration of Business Associate or to carry out legal responsibilities, provided that any disclosure is Required by Law or Business Associate obtains reasonable assurances that the PHI will remain confidential.
2.3 Data Aggregation
Business Associate may de-identify PHI in accordance with 45 CFR §164.514(b) (Safe Harbor or Expert Determination) and use the resulting de-identified data for product improvement, benchmarking, and aggregate reporting. De-identified data is not PHI and is not subject to the HIPAA Rules once properly de-identified.
2.4 Prohibited Uses
Business Associate shall not sell PHI, use PHI for marketing, or use identifiable PHI to train third-party machine-learning models. SMEG uses synthetic, fake, de-identified, or publicly available regulatory materials for demos and development.
3. Safeguards
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI as required by 45 CFR §§164.308, 164.310, and 164.312. Specific controls include:
- Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control with least-privilege defaults; immutable access logs retained ≥ 6 years per 45 CFR §164.530(j).
- Multi-factor authentication for all administrative and clinical-reviewer accounts.
- HIPAA training and a documented security-incident response workflow before PHI access.
4. Reporting
4.1 Security Incidents
Business Associate will report to Covered Entity, without unreasonable delay and in any event within five (5) business days of discovery, any Security Incident of which it becomes aware. Routine, unsuccessful intrusion attempts (e.g., port scans, rejected log-in attempts) are deemed reported by this paragraph and require no individual notice.
4.2 Breach Notification
Business Associate will notify Covered Entity within sixty (60) days following discovery of a Breach of Unsecured PHI in accordance with 45 CFR §§164.410 and 164.404. Notification will include, to the extent then known, the identification of each Individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed.
5. Subcontractors
Business Associate will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to substantially the same restrictions and conditions as those imposed on Business Associate by this Agreement, in accordance with 45 CFR §164.502(e)(1)(ii).
6. Individual Rights
Within fifteen (15) business days of a written request, Business Associate will:
- Make PHI in a Designated Record Set available to Covered Entity for access by an Individual under 45 CFR §164.524.
- Make any amendment(s) to PHI in a Designated Record Set as directed by Covered Entity, pursuant to 45 CFR §164.526.
- Document and make available the disclosures of PHI necessary for Covered Entity to respond to an accounting request under 45 CFR §164.528.
7. Term and Termination
This Agreement is effective on the date executed by both parties and continues until the Services Agreement terminates, subject to the survival provisions below. Either party may terminate this Agreement for material breach not cured within thirty (30) days of written notice.
7.1 Return or Destruction of PHI
Upon termination, Business Associate will return or destroy all PHI received from, or created or received on behalf of, Covered Entity. Where return or destruction is infeasible, Business Associate will extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
8. Miscellaneous
Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time for compliance with the requirements of the HIPAA Rules and any other applicable law.
Interpretation. Any ambiguity in this Agreement will be resolved to permit the parties to comply with the HIPAA Rules.
No Third-Party Beneficiaries. Nothing in this Agreement is intended to confer, nor will anything herein confer, upon any person other than the parties any rights, remedies, obligations, or liabilities whatsoever.
Source & modeling note
- U.S. Department of Health & Human Services, Office for Civil Rights — Sample Business Associate Agreement Provisions. SMEG's template structure mirrors the HHS sample provisions for buyer-counsel familiarity. hhs.gov/hipaa
- 45 CFR §164.504(e) — Required Business Associate contract terms.
- HITECH Act §13401 — Application of HIPAA security and privacy provisions to Business Associates.