HIPPA Business Associate Addendum (BAA)
Last updated: 30/11/2025
This Business Associate Addendum (“BAA”) applies only to US users who are HIPAA-covered entities (“Covered Entity”) and use Clerkal in a manner involving Protected Health Information (“PHI”).
1. Definitions
Business Associate (BA): Clerkal Ltd
Covered Entity (CE): You or your organisation
PHI: As defined in HIPAA (45 CFR §160.103)
2. Obligations of Clerkal (Business Associate)
Clerkal agrees to:
Use or disclose PHI only as permitted by this BAA or required by law.
Implement safeguards to protect PHI, including encryption and access control.
Report any breaches of unsecured PHI to the Covered Entity without unreasonable delay.
Ensure subcontractors handling PHI comply with HIPAA requirements.
Provide access to PHI as required under 45 CFR §164.524.
Make PHI amendments available per 45 CFR §164.526.
Maintain records necessary for CE or OCR audits.
Upon termination, return or destroy PHI unless infeasible.
3. Permitted Uses and Disclosures
Clerkal may use PHI:
To provide the Clerkal service, including AI-assisted generation
For internal management and operations
For security, analytics, and maintenance
As required by law
To de-identify PHI following HIPAA standards
Clerkal will not use PHI:
For marketing
For sales
For AI model training outside the Clerkal environment
4. Responsibilities of the Covered Entity
You agree to:
Only upload PHI if necessary
Provide accurate instructions to Clerkal
Not request Clerkal to perform prohibited actions under HIPAA
Maintain required patient notices and consents
5. Termination
Upon termination:
Clerkal will return or securely destroy PHI within 90 days unless infeasible.
If destruction is infeasible, Clerkal will extend protections indefinitely.
6. Interpretation
This BAA is governed by HIPAA and applies only to US-based Covered Entities. In case of conflict with other agreements, HIPAA requirements prevail.
Last updated