Business Associate Agreement
Effective Date: May 8, 2026 · Last Updated: May 8, 2026 · Version 1.0
This page publishes the Veri-Tech preferred Business Associate Agreement ("BAA" or "Agreement") form. Customers who subscribe to the Veri-Tech HIPAA Compliance Pack accept this BAA at checkout; the executed Agreement uses Customer-specific information (legal name, address, signatory) in place of the bracketed placeholders below. To request a counter-signed PDF for your records, contact legal@veri-tech.net.
Parties and Effective Date
This Business Associate Agreement is entered into by and between VERI-TECH, INC., an Indiana corporation with its principal office at 285 Robb Hill Rd, Martinsville, IN 46151 ("Business Associate" or "Veri-Tech"), and the Customer identified at checkout or in the executed Order Form ("Covered Entity"), effective as of the date Customer accepts the Veri-Tech HIPAA Compliance Pack at checkout (the "Effective Date").
This Agreement supplements, and is incorporated by reference into, the Veri-Tech Terms of Service and any applicable Master Services Agreement or Order Form between the parties (the "Underlying Agreement"). In the event of a conflict between this Agreement and the Underlying Agreement with respect to the use or disclosure of Protected Health Information, this Agreement controls.
1. Definitions
The following capitalized terms have the meanings set forth in 45 CFR Parts 160 and 164 (the "HIPAA Rules"):
- Breach — as defined at 45 CFR §164.402.
- Business Associate — as defined at 45 CFR §160.103. For purposes of this Agreement, the Business Associate is Veri-Tech.
- Covered Entity — as defined at 45 CFR §160.103. For purposes of this Agreement, the Covered Entity is the Customer identified at checkout or in the executed Order Form.
- Designated Record Set — as defined at 45 CFR §164.501.
- Electronic Protected Health Information ("ePHI") — as defined at 45 CFR §160.103, limited to information that Veri-Tech creates, receives, maintains, or transmits on behalf of the Covered Entity.
- Individual — as defined at 45 CFR §160.103.
- Privacy Rule — Subpart E of 45 CFR Part 164.
- Protected Health Information ("PHI") — as defined at 45 CFR §160.103, limited to information Veri-Tech creates, receives, maintains, or transmits on behalf of the Covered Entity.
- Required by Law — as defined at 45 CFR §164.103.
- Secretary — the Secretary of the U.S. Department of Health and Human Services or designee.
- Security Rule — Subpart C of 45 CFR Part 164.
- Services — the cybersecurity assessment, compliance reporting, and remediation services Veri-Tech provides under the Underlying Agreement, including the Veri-Guard, Veri-Tune, Veri-Patch, Veri-Vault, and Veri-Docs products.
- Subcontractor — as defined at 45 CFR §160.103.
- Unsecured PHI — as defined at 45 CFR §164.402.
2. Scope and Limitations of Veri-Tech Access
The parties acknowledge that Veri-Tech's Services are designed to scan and report on the security configuration of Covered Entity's Microsoft 365 tenant and connected systems, and to optionally remediate misconfigurations. Veri-Tech's standard scanning and reporting Services do not access, read, copy, or store the content of Covered Entity's mailboxes, files, messages, calendar items, or other PHI-bearing records.
Notwithstanding the foregoing, the parties acknowledge that:
(a) Veri-Tech's authorized Microsoft Graph API permissions could permit access to PHI; (b) configuration metadata (e.g., distribution-list memberships, mailbox display names) may incidentally identify Individuals; and (c) Veri-Tech is therefore deemed a Business Associate under HIPAA whenever Covered Entity's tenant contains ePHI, even if Veri-Tech does not in fact access PHI content.
Veri-Tech's Position on PHI. The Veri-Tech platform is an administrative tool for IT, security, and compliance engineers. It does not request, require, or process PHI; it processes only Microsoft 365 tenant configuration metadata and account references for portal users, just-in-time write consenters, and customer-designated emergency-access account holders. Covered Entity acknowledges in Section 5(d) that it will not submit PHI to the Service.
This Agreement governs Veri-Tech's handling of any PHI that is created, received, maintained, or transmitted by Veri-Tech on behalf of Covered Entity, regardless of volume or whether access was incidental or intentional.
3. Obligations and Activities of Veri-Tech
Pursuant to 45 CFR §164.504(e)(2)(ii), Veri-Tech agrees to:
(a) Limited Use and Disclosure. Veri-Tech will not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.
(b) Safeguards. Veri-Tech will use appropriate administrative, physical, and technical safeguards, and comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement. Veri-Tech maintains a written information security program that includes at minimum:
- (i) encryption of ePHI at rest (AES-256 minimum) and in transit (TLS 1.2+);
- (ii) least-privilege access controls with role-based authorization;
- (iii) multi-factor authentication for all administrative access to systems that process PHI;
- (iv) audit logging of all access to systems that process PHI, retained for at least six (6) years;
- (v) annual workforce HIPAA training and confidentiality agreements;
- (vi) annual penetration testing of customer-facing systems, with the first such test completed no later than Q4 2026; and
- (vii) a documented incident response plan tested at least annually.
(c) Reporting of Improper Use, Disclosure, or Breach. Veri-Tech will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Veri-Tech becomes aware, including any Breach of Unsecured PHI as required by 45 CFR §164.410. Veri-Tech will provide such notice without unreasonable delay and in no event later than sixty (60) days following the date Veri-Tech discovers the Breach. Each such report will include, to the extent known at the time of reporting:
- the identification of each Individual whose Unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
- a description of the nature of the Breach, the types of PHI involved, and the steps Veri-Tech has taken to investigate, mitigate, and prevent recurrence.
Veri-Tech will cooperate with Covered Entity's reasonable requests for additional information needed for Covered Entity's own breach analysis under 45 CFR §164.404.
(d) Subcontractor Flow-Down. Veri-Tech will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Veri-Tech agrees in writing to substantially the same restrictions and conditions that apply to Veri-Tech under this Agreement. Veri-Tech currently uses the following Subprocessors:
| Subprocessor | Role | BAA in place? |
|---|---|---|
| Microsoft Corporation (Azure) | Cloud hosting, storage, and Application Insights monitoring | Yes — Microsoft Online Services DPA + BAA |
| Microsoft Corporation (Graph API) | API conduit for reading and applying customer-authorized changes against the Covered Entity's own M365 tenant | Yes — Microsoft Online Services DPA + BAA |
| Microsoft Corporation (Bookings) | Sales/onboarding/security call scheduling for prospects | Yes — Microsoft Online Services DPA + BAA |
| Vercel, Inc. | Web hosting for portal and marketing site | Not required — no PHI processed |
| Stripe, Inc. | Payment processing and subscription billing | Not required — no PHI processed |
| Resend, Inc. | Transactional email (job notifications, drift alerts, invitations); notification content does not include PHI | Not required — no PHI processed |
| Anthropic, PBC | AI features (support assistant, in-product Copilot, remediation plan generation); UI instructs users not to enter PHI | Not in place — see disclosure; Anthropic Enterprise BAA is on the post-launch hardening roadmap |
| GitHub, Inc. | Support ticket intake to a private Veri-Tech repository; tickets are administrative in nature and the form instructs users not to enter PHI | Not in place — see disclosure |
Veri-Tech will give Covered Entity at least thirty (30) days' notice before adding or replacing a Subprocessor that handles ePHI, via update to the Subprocessor list at veri-tech.net/legal/subprocessors. Covered Entity may terminate the Underlying Agreement and this Agreement without penalty if Covered Entity reasonably objects to a new Subprocessor on documented privacy or security grounds.
(e) Access to PHI. To the extent Veri-Tech maintains PHI in a Designated Record Set, Veri-Tech will make such PHI available to Covered Entity within thirty (30) days of a written request, in the time and manner reasonably designated by Covered Entity, sufficient for Covered Entity to comply with its obligations under 45 CFR §164.524.
(f) Amendment of PHI. To the extent Veri-Tech maintains PHI in a Designated Record Set, Veri-Tech will make such PHI available for amendment, and incorporate any amendments to such PHI as directed by Covered Entity, sufficient for Covered Entity to comply with its obligations under 45 CFR §164.526.
(g) Accounting of Disclosures. Veri-Tech will document and make available to Covered Entity, within sixty (60) days of a written request, the information required for Covered Entity to provide an accounting of disclosures pursuant to 45 CFR §164.528.
(h) Performance of Covered Entity Obligations. To the extent Veri-Tech is to carry out one or more of Covered Entity's obligations under the Privacy Rule, Veri-Tech will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
(i) Availability to the Secretary. Veri-Tech will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Veri-Tech on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules.
(j) Return or Destruction at Termination. At termination of this Agreement, if feasible, Veri-Tech will return or destroy all PHI received from, or created or received by Veri-Tech on behalf of, Covered Entity that Veri-Tech still maintains in any form, and retain no copies. If such return or destruction is not feasible (for example, PHI persists in archived backups subject to a documented retention schedule), Veri-Tech will:
- (i) notify Covered Entity in writing of the basis for infeasibility;
- (ii) extend the protections of this Agreement to that PHI for so long as Veri-Tech maintains it; and
- (iii) limit further uses and disclosures of that PHI to those purposes that make the return or destruction infeasible.
4. Permitted Uses and Disclosures of PHI by Veri-Tech
(a) Performance of Services. Veri-Tech may use and disclose PHI as necessary to perform the Services described in the Underlying Agreement.
(b) Management and Administration. Pursuant to 45 CFR §164.504(e)(4), Veri-Tech may use PHI for the proper management and administration of Veri-Tech, or to carry out the legal responsibilities of Veri-Tech, provided that any such disclosure outside Veri-Tech is:
- (i) Required by Law; or
- (ii) made with reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and that the recipient will notify Veri-Tech of any breach of confidentiality.
(c) Data Aggregation Services. Veri-Tech may provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 CFR §164.504(e)(2)(i)(B).
(d) De-Identification. Veri-Tech may de-identify PHI in accordance with 45 CFR §164.514(a)–(c). De-identified information is not PHI and is not subject to this Agreement.
(e) Prohibited Uses. Veri-Tech will not use or disclose PHI in any manner that would violate the Privacy Rule if done by Covered Entity, except as expressly permitted by §3 or this §4.
5. Obligations of Covered Entity
(a) Notice of Privacy Practices. Covered Entity will notify Veri-Tech of any limitations in its Notice of Privacy Practices that may affect Veri-Tech's permitted uses or disclosures.
(b) Restrictions and Authorizations. Covered Entity will notify Veri-Tech of any restriction on the use or disclosure of PHI to which Covered Entity has agreed, and any changes in or revocation of an authorization by an Individual, that may affect Veri-Tech's permitted uses or disclosures.
(c) Permissible Requests. Covered Entity will not request Veri-Tech to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
(d) No PHI Submission. Covered Entity acknowledges that the Veri-Tech Service is an administrative tool that does not require PHI to operate, and Covered Entity covenants that its workforce will not submit, paste, or otherwise transmit PHI through any interface of the Service, including but not limited to AI chat fields, support ticket descriptions, configuration notes, or comment fields. Veri-Tech displays operational guardrails (in-product warnings) to reinforce this covenant. To the extent PHI is incidentally transmitted by Covered Entity in violation of this section, Veri-Tech will treat it as PHI subject to this Agreement, but Covered Entity remains responsible for the unauthorized submission.
6. Term and Termination
(a) Term. This Agreement is effective as of the Effective Date and continues until the Underlying Agreement terminates, or until terminated earlier as provided herein.
(b) Termination for Cause. Pursuant to 45 CFR §164.504(e)(2)(iii), Covered Entity may terminate this Agreement and the Underlying Agreement upon thirty (30) days' written notice if Covered Entity determines that Veri-Tech has materially breached this Agreement and Veri-Tech fails to cure the breach within the notice period. If cure is not feasible, Covered Entity may terminate immediately upon written notice. Veri-Tech retains the same right of termination upon Covered Entity's material breach of §5.
(c) Effect of Termination. Upon termination, Veri-Tech will comply with §3(j) regarding return or destruction of PHI. The obligations of Veri-Tech under §3 and §7 survive termination of this Agreement.
7. Miscellaneous
(a) Regulatory References. Any reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended from time to time.
(b) Amendment. The parties will negotiate in good faith to amend this Agreement as necessary to comply with future amendments to the HIPAA Rules. Either party may propose amendments by written notice; the other party will not unreasonably withhold consent.
(c) Survival. The respective rights and obligations of Veri-Tech under §3(j), §6(c), and this §7 survive termination of this Agreement.
(d) Interpretation. Any ambiguity in this Agreement will be resolved to permit Veri-Tech and Covered Entity to comply with the HIPAA Rules.
(e) No Third-Party Beneficiaries. Nothing in this Agreement is intended to confer any rights, remedies, obligations, or liabilities upon any person other than the parties and their respective successors and permitted assigns. Individuals are not third-party beneficiaries of this Agreement.
(f) Limitation of Liability. Except for (i) Veri-Tech's breach of §3(a) (limited use), §3(b) (safeguards), or §3(d) (subcontractor flow-down); or (ii) Veri-Tech's gross negligence or willful misconduct, Veri-Tech's total cumulative liability arising under this Agreement will not exceed the fees paid by Covered Entity under the Underlying Agreement in the twelve (12) months preceding the event giving rise to the claim. The foregoing cap does not limit liability for indemnification obligations under §7(g).
(g) Indemnification. Veri-Tech will indemnify and hold harmless Covered Entity from and against any third-party claim, demand, action, suit, or proceeding (including reasonable attorneys' fees) arising directly out of Veri-Tech's material breach of §3(a), §3(b), §3(c), or §3(d), to the extent not caused by Covered Entity's own negligence or breach. Indemnification is contingent on Covered Entity (i) giving Veri-Tech prompt written notice of the claim, (ii) granting Veri-Tech sole control of the defense and settlement, and (iii) providing reasonable cooperation at Veri-Tech's expense.
(h) Insurance. Veri-Tech will maintain at its sole expense throughout the term of this Agreement: (i) commercial general liability insurance with limits of not less than $1,000,000 per occurrence and $2,000,000 aggregate; (ii) cyber liability insurance with limits of not less than $1,000,000 per occurrence covering claims arising from a Breach; and (iii) errors-and-omissions insurance with limits of not less than $1,000,000 per claim. Veri-Tech will provide a Certificate of Insurance upon Covered Entity's reasonable written request.
(i) Governing Law and Venue. This Agreement is governed by the laws of the State of Indiana, without regard to its conflict-of-laws principles. The exclusive venue for any dispute arising under this Agreement is the state or federal courts located in Marion County or Morgan County, Indiana, and each party irrevocably consents to personal jurisdiction therein.
(j) Entire Agreement and Order of Precedence. This Agreement, together with the Underlying Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof. With respect to the use or disclosure of PHI, this Agreement controls over any conflicting provision in the Underlying Agreement.
(k) Counterparts; Electronic Signature. This Agreement may be executed in counterparts, each of which is an original, and electronic signatures (including via Stripe's consent collection, DocuSign, or similar service) have the same effect as wet-ink originals. By accepting the HIPAA Compliance Pack at checkout, Customer accepts and agrees to be bound by this Agreement, and Customer's acceptance timestamp and IP address are recorded as Customer's electronic signature.
Appendix A — Summary of HIPAA Required Elements
This appendix maps each section of this BAA to the corresponding HIPAA regulatory requirement, for audit reference.
| BAA Section | HIPAA Citation | Required Element |
|---|---|---|
| §3(a) | 45 CFR §164.504(e)(2)(ii)(A) | Not use or further disclose PHI other than as permitted |
| §3(b) | 45 CFR §164.504(e)(2)(ii)(B); 45 CFR §164.314(a)(2) | Use appropriate safeguards; comply with Security Rule |
| §3(c) | 45 CFR §164.504(e)(2)(ii)(C); 45 CFR §164.410 | Report uses, disclosures, and breaches |
| §3(d) | 45 CFR §164.504(e)(2)(ii)(D); 45 CFR §164.502(e)(1)(ii) | Subcontractor flow-down |
| §3(e) | 45 CFR §164.504(e)(2)(ii)(E); 45 CFR §164.524 | Access to PHI |
| §3(f) | 45 CFR §164.504(e)(2)(ii)(F); 45 CFR §164.526 | Amendment of PHI |
| §3(g) | 45 CFR §164.504(e)(2)(ii)(G); 45 CFR §164.528 | Accounting of disclosures |
| §3(h) | 45 CFR §164.504(e)(2)(ii)(H) | Performance of Covered Entity obligations |
| §3(i) | 45 CFR §164.504(e)(2)(ii)(I) | Availability to the Secretary |
| §3(j) | 45 CFR §164.504(e)(2)(ii)(J) | Return or destruction at termination |
| §4 | 45 CFR §164.504(e)(2)(i); §164.504(e)(4) | Permitted uses and disclosures |
| §6(b) | 45 CFR §164.504(e)(2)(iii) | Termination for material breach |
Contact Information
Veri-Tech, Inc. — HIPAA Privacy
Legal: legal@veri-tech.net
Privacy: privacy@veri-tech.net
Security incidents: security@veri-tech.net
Website: veri-tech.net
