
Business Associate Agreement (BAA) Template

Business Associate Agreement template for our U.S. Covered Entity customers under HIPAA 45 CFR §164.504(e).

📌 About This Template

  • Relevant only to U.S. HIPAA Covered Entities (health care providers, health plans, healthcare clearinghouses)
  • PHI must not be uploaded to the imzala.org platform before a BAA has been signed
  • Signature-ready PDF / DOCX copy available on request: [email protected]
  • Related HIPAA self-attestation: /legal/hipaa-statement
  • This template was prepared with HIPAA, the HITECH Act, and the 2013 Omnibus Rule taken into account

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("BAA") is entered into between [Covered Entity Name] ("Covered Entity") and Codeck Yazılım Anonim Şirketi, operating imzala.org ("Business Associate"), effective as of [Date].

This BAA supplements the underlying Service Agreement and Data Processing Agreement between the parties.

1. DEFINITIONS

Capitalized terms have the meanings assigned in HIPAA (45 CFR Parts 160, 162, 164), as amended by HITECH Act (2009) and Omnibus Rule (2013):

  • "PHI": Protected Health Information (45 CFR §160.103)
  • "ePHI": Electronic Protected Health Information
  • "Breach": 45 CFR §164.402 definition
  • "Designated Record Set": 45 CFR §164.501
  • "Required by Law": 45 CFR §164.103
  • "Subcontractor": 45 CFR §160.103
  • "Use" / "Disclosure": 45 CFR §160.103
  • "Security Incident": 45 CFR §164.304

2. PERMITTED USES AND DISCLOSURES

2.1 Business Associate may use or disclose PHI only for:

  • Performing services described in the underlying Service Agreement
  • Proper management and administration of Business Associate
  • Carrying out legal responsibilities of Business Associate
  • Data aggregation services as permitted by 45 CFR §164.504(e)(2)(i)(B)

2.2 Prohibited Uses:

  • Marketing or fundraising without prior written authorization
  • Sale of PHI as defined in 45 CFR §164.502(a)(5)(ii)
  • Use beyond the scope of the underlying Service Agreement
  • Re-identification of de-identified PHI

3. OBLIGATIONS OF BUSINESS ASSOCIATE

3.1 Safeguards:

Business Associate shall implement administrative, physical, and technical safeguards that reasonably protect ePHI from unauthorized use or disclosure (45 CFR §164.504(e)(2)(ii)(B)). Specific safeguards are detailed in Exhibit A.

3.2 Reporting:

  • Report any unauthorized use or disclosure of PHI
  • Report any Security Incident involving ePHI
  • Report Breaches of unsecured PHI as required by 45 CFR §164.410
  • Reporting timeline: within 60 days of discovery (HIPAA standard); we aim for 72 hours for KVKK/GDPR alignment

Breach notification shall include:

  • Identity of each individual whose PHI is breached
  • Description of the breach
  • Steps to mitigate
  • Date of discovery and breach
  • Type of PHI involved

3.3 Subcontractors:

  • Business Associate shall require Subcontractors with access to PHI to sign downstream BAAs
  • Subcontractors are bound by same protections as Business Associate
  • Current Subcontractors with potential PHI access listed in Exhibit B
  • 30-day notice for new Subcontractors

3.4 Access to PHI:

Business Associate shall make available PHI in a Designated Record Set within 30 days of Covered Entity's request, in accordance with 45 CFR §164.524. Self-serve API for data export is provided to Covered Entity admins.

3.5 Amendment of PHI:

Business Associate shall make PHI available for amendment at Covered Entity's request, and incorporate amendments in accordance with 45 CFR §164.526, within 30 days.

3.6 Accounting of Disclosures:

Business Associate shall maintain accounting of disclosures of PHI for 6 years (45 CFR §164.528), and provide such accounting to Covered Entity upon request within 60 days.

3.7 Internal Practices Available to HHS:

Business Associate shall make its internal practices, books, and records relating to use and disclosure of PHI available to HHS Secretary upon request (45 CFR §164.504(e)(2)(ii)(I)).

3.8 Training:

Business Associate's workforce members with access to PHI shall complete annual HIPAA security awareness training. Training records shall be maintained.

4. OBLIGATIONS OF COVERED ENTITY

  • Notify Business Associate of any restrictions agreed to under 45 CFR §164.522
  • Notify Business Associate of any changes in or revocation of PHI authorization
  • Not request Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity
  • Provide Business Associate with Notice of Privacy Practices applicable to PHI
  • Ensure that all PHI uploaded to imzala.org platform is in compliance with HIPAA Privacy Rule

5. TERM AND TERMINATION

5.1 Term:

This BAA shall commence on the Effective Date and continue until termination of the underlying Service Agreement or until terminated as provided herein.

5.2 Termination for Cause:

Covered Entity may terminate this BAA if Business Associate has breached a material term and failed to cure within 30 days of written notice. If cure is not feasible, Covered Entity may terminate immediately.

5.3 Effect of Termination:

  • Business Associate shall return or destroy all PHI within 90 days
  • If return or destruction is not feasible, Business Associate shall extend protections of this BAA to such PHI for as long as it is retained
  • Audit log and retention records (HIPAA §164.530(j)) maintained for 7 years

6. INDEMNIFICATION

Each party shall indemnify the other for losses arising from its own breach of this BAA, subject to applicable liability limits in the underlying Service Agreement.

7. GENERAL PROVISIONS

7.1 Survival: Sections 3.7, 3.8, 5.3, 6 survive termination.

7.2 Amendments: Amendments must be in writing, signed by both parties.

7.3 Interpretation: In case of conflict between this BAA and the underlying Service Agreement, this BAA prevails for matters relating to PHI.

7.4 Governing Law: This BAA shall be governed by Turkish law for general contractual matters; HIPAA-specific provisions interpreted under U.S. federal law.

7.5 Forum: Disputes related to HIPAA matters shall be resolved through arbitration (AAA Commercial Rules); other disputes through Istanbul (Çağlayan) Courts.

EXHIBIT A — TECHNICAL & ADMINISTRATIVE SAFEGUARDS

Administrative Safeguards (45 CFR §164.308):

  • Risk Analysis annually (NIST SP 800-66r2)
  • Workforce screening + NDA + AUP
  • Access management (RBAC, MFA, least-privilege)
  • Annual Security Awareness Training
  • Incident Response Procedures (5-phase response)
  • Contingency Plan (4-layer backup, DR drill PASS)
  • Periodic Evaluation (annually)

Physical Safeguards (45 CFR §164.310):

Production infrastructure is hosted at Hetzner Falkenstein, Germany (ISO 27001 certified). Physical safeguards include multi-factor access control, 24/7 video surveillance, environmental controls, and power redundancy.

Technical Safeguards (45 CFR §164.312):

  • Access Control: JWT RS256 + RBAC + MFA mandatory for admin
  • Audit Controls: Application + KMS + K8s API audit log (5+ years)
  • Integrity: KMS digital signature (RSA-2048) + SHA-256 hash chain
  • Authentication: MFA + OTP + biometric (optional)
  • Transmission Security: TLS 1.2/1.3 (modern cipher suites)
  • Encryption at Rest: AES-256 off-site backups; full PostgreSQL TDE in Phase 5 roadmap
  • Automatic Logoff: JWT expiry 30 min + idle timeout

EXHIBIT B — APPROVED SUBCONTRACTORS

Subcontractors with potential PHI access (each requires downstream BAA when activated for HIPAA mode):

Subcontractor          Region         Purpose                           BAA Status
Hetzner Online GmbH    Germany (EU)   Server hosting (storage layer)    DPA + ISO 27001
Cloudflare             USA            CDN, WAF (HIPAA-eligible tier)    BAA available for HIPAA mode
Mailgun                Germany (EU)   Notification emails               HIPAA Compliant Tier

Marketing / analytics services (GA4, Meta Pixel, etc.) are disabled in HIPAA mode.

SIGNATURES

COVERED ENTITY

[Covered Entity Name]

By: ____________________

Title: ____________________

Signature: ____________________

Date: ____________________

BUSINESS ASSOCIATE

Codeck Yazılım Anonim Şirketi

By: Çağdaş Kurultay Kalkan

Title: Founder / DPO

Signature: ____________________

Date: ____________________

📥 Request Executable Copy

For an executable PDF / DOCX version of this BAA, contact:

[email protected] → Request BAA

Template date: 29 April 2026 — Version: 1.0

Prepared in accordance with HIPAA (1996), HITECH Act (2009), Omnibus Rule (2013), and 45 CFR Parts 160, 162, 164. This template does not constitute legal advice; consult qualified U.S. healthcare law counsel for specific situations.
