Business Associate Agreement
LactaSite, LLC
This Business Associate Agreement ("Agreement") is entered into between LactaSite, LLC ("Business Associate") and the healthcare provider or organization subscribing to the LactaSite platform ("Covered Entity").
This Agreement is effective as of the date Covered Entity accepts the LactaSite Terms of Service.
Interpretation
All capitalized terms not otherwise defined in this Agreement shall have the meanings assigned to them under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations at 45 CFR Parts 160 and 164.
In the event of any conflict between this Agreement and the LactaSite Terms of Service, this Agreement shall control with respect to Protected Health Information ("PHI").
1. Purpose
Business Associate provides a cloud-based practice management, documentation, and data hosting platform ("Services") that may involve the creation, receipt, maintenance, or transmission of PHI on behalf of Covered Entity.
This Agreement sets forth the parties' obligations with respect to PHI as required by HIPAA.
2. Permitted Uses and Disclosures
Business Associate may use and disclose PHI solely:
- To provide the Services described in the LactaSite Terms of Service
- As required by law
- For the proper management and administration of Business Associate
- To provide data hosting, backup, system maintenance, security monitoring, and technical support
Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.
3. Safeguards
Business Associate shall implement appropriate administrative, physical, and technical safeguards to protect PHI, including:
- Encryption of PHI in transit using industry-standard TLS
- Encryption of PHI at rest within hosted infrastructure
- Role-based access controls
- Audit logging of system access and data modifications
- Reasonable protections against unauthorized access, alteration, or destruction
Business Associate shall not store PHI in authentication session cookies or temporary access tokens.
4. Subcontractors
Business Associate may engage subcontractors that create, receive, maintain, or transmit PHI on its behalf, provided that such subcontractors agree in writing to implement safeguards consistent with HIPAA requirements applicable to Business Associates.
5. Reporting and Breach Notification
Business Associate shall:
- Investigate suspected security incidents involving PHI
- Conduct a risk assessment consistent with HIPAA
- Notify Covered Entity of a confirmed Breach without unreasonable delay and in no case later than sixty (60) days after discovery
Notification shall include, to the extent known:
- A description of the incident
- The types of PHI involved
- The date of discovery
- Mitigation steps taken
- Contact information for follow-up
The parties acknowledge that unsuccessful attempts (such as automated scans, firewall-blocked traffic, or failed login attempts) do not constitute reportable Security Incidents unless they result in unauthorized access to PHI.
Business Associate shall reasonably cooperate with Covered Entity in fulfilling any required regulatory notifications.
6. Access, Amendment, and Accounting
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall:
- Provide access to PHI as directed by Covered Entity
- Make amendments as directed by Covered Entity
- Provide information necessary for an accounting of disclosures
7. Data Retention and Return
Upon termination of Services:
- Covered Entity may export its data during any applicable transition period
- Business Associate shall retain PHI only as required by applicable law or legitimate business purposes
- After applicable retention requirements are satisfied, PHI shall be securely deleted if feasible
If secure deletion is not feasible, PHI shall remain protected under this Agreement.
8. Termination for Cause
If Covered Entity determines that Business Associate has materially breached this Agreement, Covered Entity may provide written notice and opportunity to cure. If cure is not possible, Covered Entity may terminate the Services.
9. Survival
The obligations of Business Associate under this Agreement shall survive termination of Services with respect to retained PHI.
Business Associate Agreement – Version 1.0 – Effective February 24, 2026