Skip to main content

Business Associate Agreement (BAA)

Effective April 15, 2026 · SignalEDI Inc.

HIPAA Business Associate terms for healthcare EDI workflows. Review alongside the Trust Center and Security overview — a fully executed BAA is required before transmitting PHI.

On this page

Important:This page describes SignalEDI’s BAA terms for informational purposes. A BAA must be fully executed before transmitting any PHI through SignalEDI. Contact support@signaledi.com to request execution of a BAA.

1Purpose

This Business Associate Agreement (“BAA”) governs the use, disclosure, and safeguarding of Protected Health Information (“PHI”) when Client (“Covered Entity”) uses SignalEDI Inc. (“Business Associate”) to process healthcare data, including HL7 v2.x, FHIR, and HIPAA-regulated EDI transactions such as 837, 835, 270/271, 276/277, and 999 transaction sets.

2Definitions

  • PHI (Protected Health Information): Individually identifiable health information transmitted or maintained in any form as defined by 45 CFR §160.103.
  • ePHI (Electronic PHI): PHI transmitted or maintained in electronic media.
  • Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits health information electronically, as defined by HIPAA.
  • Business Associate: A person or entity that performs functions or activities on behalf of a Covered Entity involving the use or disclosure of PHI.
  • Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, as defined by 45 CFR §164.402.
  • Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI, as defined by 45 CFR §164.304.
  • Third-Party Service: Any vendor, supplier, subcontractor, cloud provider, clearinghouse, trading partner, payer, carrier, payment processor, telecommunications provider, or other third party whose systems, networks, or personnel are not owned or operated by Business Associate but may affect transmission, storage, or processing of PHI (including sub-processors engaged by Business Associate).
  • Force Majeure Event: An event beyond a party’s reasonable control, including natural disasters, acts of war or terrorism, civil unrest, pandemic, government order or embargo, widespread internet or power outage, or failure of a Third-Party Service outside that party’s reasonable control.

3Obligations of Business Associate (SignalEDI)

  • Not use or disclose PHI except as permitted by this BAA or as required by law.
  • Implement administrative, physical, and technical safeguards including AES-256 encryption at rest and TLS 1.3 encryption in transit.
  • Report Breaches of Unsecured PHI to Covered Entity within 72 hours of discovery (as defined by 45 CFR §164.410). Investigation of a Security Incident may precede breach determination; notification obligations attach upon discovery of a Breach, not upon initial discovery of a Security Incident alone.
  • Make PHI available for access requests within 30 days, subject to reasonable delays caused by Third-Party Service outages or Force Majeure Events as described in Section 9.
  • Return or destroy PHI upon termination, per Client’s election and Section 7.
  • Ensure subcontractors and sub-processors that create, receive, maintain, or transmit PHI on Business Associate’s behalf agree to substantially similar restrictions and conditions (flow-down provisions).
  • Before transmitting data to external AI providers, Business Associate uses commercially reasonable efforts to apply HIPAA Safe Harbor-style de-identification to prompts. Raw PHI and full EDI payload bodies are not intentionally sent to external AI providers. Covered Entity is responsible for avoiding unnecessary PHI in unstructured inputs or optional free-text fields when structured EDI, HL7, or FHIR paths are available. Healthcare transaction sets require an executed BAA on file before upload.
  • Maintain audit logs for a minimum of 6 years per HIPAA requirements.
  • Business Associate is not responsible for the acts, omissions, outages, or security failures of Third-Party Services except to the extent Business Associate failed to meet its vendor-management obligations under this BAA and applicable law.

4Obligations of Covered Entity (Client)

  • Obtain necessary consents and authorizations before transmitting PHI to SignalEDI.
  • Not request SignalEDI to use or disclose PHI in any manner that would violate HIPAA.
  • Notify SignalEDI of any restrictions on the use or disclosure of PHI.
  • Ensure the minimum necessary standard is applied when transmitting PHI.
  • Apply minimum-necessary PHI in all uploads and avoid placing PHI in unstructured fields or optional free-text inputs when structured EDI, HL7, or FHIR transaction paths are available.
  • Maintain connectivity, credentials, and compliance with trading partners, payers, clearinghouses, suppliers, and other Third-Party Services outside Business Associate’s platform; Business Associate is not responsible for partner-side rejections, delays, or outages beyond the SignalEDI service boundary.

5Permitted Uses & Disclosures

Business Associate may use and disclose PHI as necessary to perform services on behalf of the Covered Entity, including:

  • Treatment, payment, and healthcare operations as defined by HIPAA.
  • Data aggregation services related to the healthcare operations of the Covered Entity.
  • De-identified data (per Safe Harbor method) for analytics and service improvement.
  • Management and administration of the Business Associate, provided disclosures are required by law or Business Associate obtains reasonable assurances of confidentiality.

6Breach Notification

  • Business Associate shall notify Covered Entity within 72 hours of discovery of a Breach of Unsecured PHI (as defined by 45 CFR §164.410). Investigation of a Security Incident may precede breach determination; notification obligations attach upon discovery of a Breach, not upon initial discovery of a Security Incident alone.
  • Notification shall include: the nature and extent of the breach, the PHI involved, mitigation steps taken, and corrective actions planned.
  • Business Associate shall cooperate in good faith with the Covered Entity’s breach response and notification obligations.
  • Breach response costs: Each party bears its own internal response costs. Business Associate bears reasonable third-party forensic, containment, and notification-support costs directly attributable to a Breach caused by Business Associate’s breach of this BAA or failure of systems within Business Associate’s control. Covered Entity bears regulatory notification costs owed by Covered Entity under HIPAA (including individual, HHS, and media notices where applicable). Costs arising primarily from a Third-Party Service or Force Majeure Event are allocated under Section 9. Nothing in this Section limits either party’s obligations under applicable law.

7Term & Termination

  • This BAA is effective upon execution and remains in effect until terminated or until the underlying service agreement expires.
  • Either party may terminate for material breach with a 30-day cure period.
  • Upon termination and Covered Entity’s written request, Business Associate shall return or destroy all PHI within 60 days, per Client’s written instructions. Covered Entity bears reasonable costs of custom formatting, export, or transfer beyond standard platform export capabilities.
  • If return or destruction is not feasible, protections shall extend to retained PHI and further uses and disclosures shall be limited to purposes that make return or destruction infeasible.
  • Business Associate may retain archival backups in the ordinary course of business, subject to the protections of this BAA, where return or destruction is infeasible or until backups expire per applicable retention policies.

8Restoration Commitment

Business Associate commits to use commercially reasonable efforts to restore critical systems within Business Associate’s control that affect the availability of ePHI following a disruption. This includes restoration of access to electronic PHI, re-establishment of secure processing capabilities, and verification of data integrity post-restoration.

Restoration timelines do not apply to outages, delays, or data unavailability caused by Third-Party Services, trading partners, payers, suppliers, Force Majeure Events, scheduled maintenance (with advance notice), issues caused by Covered Entity actions or configurations, or third-party infrastructure failures (including cloud hosting, database, CDN, email, payment, and telecommunications providers). Incident response targets for paid plans are described in the Service Level Agreement.

9Third-Party Dependencies & Force Majeure

SignalEDI operates as part of a broader healthcare and cloud ecosystem. Many failures that affect PHI processing originate outside Business Associate’s direct control.

  • Third-Party Services. Business Associate is not liable for delay, failure, unavailability, data loss, security incident, or Breach arising from a Third-Party Service (including sub-processors, hosting providers, AI vendors, clearinghouses, VANs, payers, trading partners, suppliers, carriers, or internet/telecom providers) except to the extent caused by Business Associate’s failure to meet its subcontractor and vendor-management obligations under this BAA and applicable law.
  • Trading partner and payer connectivity. Covered Entity is responsible for partner enrollment, certification, credentials, acknowledgments, and compliance on systems outside the SignalEDI platform. Business Associate does not guarantee partner acceptance, turnaround times, or uptime of external networks.
  • Force Majeure. Neither party is liable for failure or delay in performance (including restoration, breach notification support, or PHI availability) to the extent caused by a Force Majeure Event, provided the affected party uses commercially reasonable efforts to resume performance and notifies the other party without undue delay.
  • Cooperation. Upon a Third-Party Service failure affecting PHI, the parties will cooperate in good faith to reroute, restore, or contain impact. Business Associate will use commercially reasonable efforts to work with its sub-processors and vendors to mitigate harm.

10Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

  • Neither party shall be liable to the other for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, revenue, data, business opportunities, goodwill, or anticipated savings, arising out of or relating to this BAA or PHI processed under it, regardless of the theory of liability, even if advised of the possibility of such damages.
  • Business Associate’s total aggregate liability for direct damages arising out of or relating to this BAA shall not exceed the total fees actually paid by Covered Entity to Business Associate during the twelve (12) months immediately preceding the event giving rise to the claim.
  • Business Associate shall have no liability for claims arising primarily from Third-Party Services, trading partner systems, payer networks, supplier or carrier failures, Covered Entity misconfiguration, or Force Majeure Events, except to the extent directly caused by Business Associate’s breach of this BAA or willful misconduct.
  • Non-BAA claims relating to the Service remain subject to the Terms of Service. In the event of conflict regarding PHI-specific obligations, this BAA governs PHI handling; regarding monetary caps on PHI-related direct damages, this Section 10 governs to the extent permitted by law.
  • Nothing in this BAA limits either party’s regulatory, reporting, or compliance obligations under HIPAA, HITECH, or other applicable law where such limitations are prohibited.

11How to Execute

Contact support@signaledi.com to request execution of this Business Associate Agreement. A BAA must be fully executed before transmitting any Protected Health Information through SignalEDI.

SignalEDI’s Business Associate signature appears below. The Covered Entity completes the counterpart block, returns a countersigned copy, and retains an executed PDF for compliance records.

Business Associate

SignalEDI Inc.

Chris Rosecrans signature, SignalEDI Inc.

Chris Rosecrans

Founder and CEO, SignalEDI Inc.

Date: April 15, 2026

Covered Entity

[Legal entity name]

Signature: _______________________________

Name: _______________________________

Title: _______________________________

Date: _______________________________

© 2026 SignalEDI Inc. All rights reserved.

© 2026 SignalEDI Inc. All rights reserved.