Last Updated: February 11, 2026

Business Associate Agreement (BAA)

Business Associate Agreement (BAA) Overview

Business Associate Relationship

When required under HIPAA, we enter into a Business Associate Agreement (BAA) with Covered Entities prior to receiving or accessing PHI.

Our BAA governs the permitted uses and disclosures of PHI and outlines our responsibilities under federal law.

Permitted Uses and Disclosures

We may use or disclose PHI only:

  • To perform services described in our agreement with the Covered Entity
  • As required by law
  • For proper management and administration of our organization, as permitted under HIPAA

We do not sell PHI or use PHI for marketing purposes.

Safeguards

Under our BAA, we agree to:

  • Implement appropriate administrative, physical, and technical safeguards
  • Protect against unauthorized access, acquisition, use, or disclosure
  • Ensure subcontractors agree to the same restrictions and conditions

Reporting Obligations

We agree to:

  • Report any use or disclosure not permitted by the BAA
  • Report security incidents and potential breaches without unreasonable delay
  • Provide information necessary for the Covered Entity to meet breach notification obligations

Subcontractors

Any subcontractor that creates, receives, maintains, or transmits PHI on our behalf is required to execute a written agreement imposing the same HIPAA compliance obligations.

Termination

If we determine that a material breach has occurred and is not cured within a reasonable timeframe, the BAA permits termination of services as required under HIPAA regulations.

Ongoing Compliance

We monitor regulatory updates and revise our agreements and safeguards as necessary to remain aligned with evolving federal requirements, including anticipated updates to the HIPAA Security Rule.

Cybersecurity Commitment

Beyond baseline compliance, we proactively strengthen our security posture through:

  • Routine policy reviews
  • Security awareness training
  • Incident response testing
  • Technology environment monitoring

We treat PHI protection as an operational responsibility, not a legal checkbox.