HIPAA Business Associate Agreement

Malama Business Associate Agreement

Last Updated: May 19, 2026

Effective Date: The date of electronic acceptance or the date Malama first creates, receives, maintains, or transmits protected health information on behalf of Covered Entity, whichever occurs first.

This Business Associate Agreement (“BAA”) is entered into by and between Malama Health, Inc. (“Business Associate” or “Malama”) and the healthcare practice, facility, organization, care team, payer, or other entity identified during registration or otherwise using Malama’s services (“Covered Entity” or “Customer”), to the extent Customer is a covered entity or business associate under HIPAA and Malama creates, receives, maintains, or transmits protected health information on behalf of Customer.

This BAA is incorporated into the Malama Provider Portal Terms of Service, Malama Provider Portal Engagement Agreement, or other applicable agreement between the parties governing Customer’s use of Malama’s services (the “Services Agreement”).

By clicking “I Agree,” “Agree and Sign,” or a similar button, or by accessing or using Malama services involving protected health information, the individual completing registration represents that they have authority to bind Customer and agrees to this BAA on behalf of Customer.

1. Definitions

Capitalized terms used but not defined in this BAA have the meanings given to them under HIPAA.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act, as amended from time to time.

“Protected Health Information” or “PHI” has the meaning given under HIPAA and is limited to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Customer.

“Services” means the services provided by Malama under the applicable Services Agreement.

2. Applicability

This BAA applies only to the extent Malama creates, receives, maintains, or transmits PHI on behalf of Customer in a capacity that makes Malama a business associate or subcontractor business associate under HIPAA.

If Customer is not a covered entity or business associate under HIPAA, this BAA does not make Customer a covered entity or business associate and does not independently impose HIPAA obligations where HIPAA does not apply.

If there is a conflict between this BAA and the Services Agreement with respect to PHI, this BAA controls.

3. Permitted Uses and Disclosures by Business Associate

Business Associate may use or disclose PHI only as permitted or required by this BAA, the Services Agreement, or applicable law.

Business Associate may use and disclose PHI to perform the Services.

Business Associate may use PHI for the proper management and administration of Business Associate and to carry out Business Associate’s legal responsibilities.

Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities if:

  • the disclosure is required by law; or

  • Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential, will be used or further disclosed only as required by law or for the purpose for which it was disclosed, and the recipient will notify Business Associate of any breach of confidentiality of which it becomes aware.

Business Associate may use PHI to provide data aggregation services relating to the healthcare operations of Customer, as permitted by HIPAA.

Business Associate may use PHI to de-identify information in accordance with HIPAA. Once information is de-identified in accordance with HIPAA, it is no longer PHI and may be used and disclosed by Business Associate for lawful purposes, including analytics, benchmarking, research, product improvement, publication, business, and other purposes, unless prohibited by the Services Agreement.

Business Associate may use and disclose PHI as required by law.

Business Associate may not use or disclose PHI in a manner that would violate HIPAA if done by Customer, except as permitted for Business Associate’s management and administration, legal responsibilities, or data aggregation.

4. Obligations of Business Associate

Business Associate shall:

  • not use or disclose PHI other than as permitted or required by this BAA or as required by law;

  • use appropriate safeguards and comply with the applicable requirements of the HIPAA Security Rule with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this BAA;

  • report to Customer any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including breaches of unsecured PHI, without unreasonable delay and in no event later than sixty (60) days after discovery;

  • report to Customer any Security Incident involving electronic PHI of which Business Associate becomes aware, provided that the parties acknowledge and agree that this BAA constitutes notice of routine unsuccessful Security Incidents, including pings, port scans, unsuccessful login attempts, denial-of-service attempts, malware probes, and similar events that do not result in unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations;

  • ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions, conditions, and requirements at least as protective as those that apply to Business Associate with respect to PHI;

  • make PHI in a Designated Record Set available to Customer as necessary for Customer to satisfy its obligations under 45 C.F.R. § 164.524;

  • make PHI in a Designated Record Set available for amendment and incorporate amendments as directed by Customer, as necessary for Customer to satisfy its obligations under 45 C.F.R. § 164.526;

  • maintain and make available information required to provide an accounting of disclosures as necessary for Customer to satisfy its obligations under 45 C.F.R. § 164.528;

  • to the extent Business Associate is to carry out one or more of Customer’s obligations under the HIPAA Privacy Rule, comply with the requirements of the Privacy Rule that apply to Customer in the performance of those obligations;

  • make its internal practices, books, and records relating to the use and disclosure of PHI received from, created by, or received by Business Associate on behalf of Customer available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer’s compliance with HIPAA.

5. Customer Obligations

Customer shall:

  • notify Business Associate of any limitation in Customer’s notice of privacy practices to the extent such limitation may affect Business Associate’s use or disclosure of PHI;

  • notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI to the extent such changes may affect Business Associate’s use or disclosure of PHI;

  • notify Business Associate of any restriction on the use or disclosure of PHI that Customer has agreed to or is required to abide by to the extent such restriction may affect Business Associate’s use or disclosure of PHI;

  • not request Business Associate to use or disclose PHI in a manner that would violate HIPAA if done by Customer, except to the extent permitted by HIPAA for Business Associate’s management and administration, legal responsibilities, or data aggregation;

  • obtain all rights, permissions, consents, authorizations, and notices required for Customer to disclose PHI to Business Associate and for Business Associate to perform the Services;

  • be responsible for determining whether HIPAA applies to Customer and whether this BAA is required.

6. Breach Notification

Business Associate shall notify Customer following discovery of a breach of unsecured PHI without unreasonable delay and in no event later than sixty (60) days after discovery.

To the extent available, the notice shall include:

  • a brief description of the breach;

  • the date of the breach and date of discovery, if known;

  • the types of PHI involved;

  • the steps Business Associate has taken or plans to take to investigate, mitigate harm, and protect against further breaches;

  • any other information reasonably required for Customer to satisfy its breach notification obligations under HIPAA.

Business Associate may supplement the notice as additional information becomes available.

7. Subcontractors

Business Associate may use subcontractors to perform the Services.

Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions, conditions, and requirements at least as protective as those that apply to Business Associate under this BAA.

Business Associate remains responsible for its subcontractors’ compliance with those written obligations.

8. Access, Amendment, and Accounting

Business Associate shall reasonably assist Customer in responding to individual requests for access, amendment, and accounting of disclosures as required by HIPAA.

If Business Associate receives a request directly from an individual relating to PHI maintained on behalf of Customer, Business Associate may direct the individual to Customer unless otherwise required by law or agreed in writing.

Customer is responsible for responding to individual requests unless otherwise agreed in writing.

9. De-Identification

Business Associate may de-identify PHI in accordance with HIPAA.

De-identified information is not PHI and may be used and disclosed by Business Associate for lawful purposes, including analytics, benchmarking, research, product improvement, publication, business, and other purposes, unless prohibited by the Services Agreement.

Business Associate shall not attempt to re-identify de-identified information except as permitted by HIPAA or applicable law.

10. Term and Termination

This BAA begins on the Effective Date and remains in effect until all PHI provided by Customer to Business Associate, or created, received, maintained, or transmitted by Business Associate on behalf of Customer, is returned, destroyed, or protected in accordance with this BAA.

Either party may terminate this BAA and the related Services Agreement if the other party materially breaches this BAA and fails to cure the breach within thirty (30) days after written notice, if cure is possible.

If cure is not possible, the non-breaching party may terminate this BAA and the related Services Agreement immediately.

11. Effect of Termination

Upon termination of this BAA, Business Associate shall, if feasible, return or destroy all PHI received from Customer, or created, received, maintained, or transmitted by Business Associate on behalf of Customer, that Business Associate still maintains in any form.

If return or destruction is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

This section applies to PHI maintained by subcontractors to the extent required by HIPAA.

12. Survival

Business Associate’s obligations with respect to PHI shall survive termination of this BAA for as long as Business Associate maintains PHI.

13. Electronic Acceptance

Customer agrees that electronic acceptance of this BAA has the same legal effect as a handwritten signature.

Business Associate may maintain records of electronic acceptance, including signer name, signer email, signer role/title, Customer name, timestamp, IP address, user agent, document version, and agreement snapshot.

14. Amendment

The parties agree to amend this BAA as necessary to comply with HIPAA or other applicable law.

Business Associate may update this BAA from time to time by posting an updated version or making it available through the Provider Portal or other Malama service.

For material changes, Business Associate may require Customer or its users to accept the updated BAA before continuing to use services involving PHI.

15. No Third-Party Beneficiaries

Nothing in this BAA is intended to confer any rights, remedies, obligations, or liabilities upon any person other than Business Associate, Customer, and their respective permitted successors and assigns.

16. Interpretation

Any ambiguity in this BAA shall be interpreted to permit the parties to comply with HIPAA.

17. Notices

Notices to Malama shall be sent to:

Malama Health, Inc.

2261 Market St. #4875

San Francisco, CA 94114

Email: hello@heymalama.com

Notices to Customer may be sent to the contact information provided during registration or otherwise maintained in Customer’s account.