HIPAA Business Associate Agreement
Last updated May 5, 2026
This is part of the legal agreement between you (the Covered Entity) and NaturaeSoft LLC d.b.a. NaturaeSoft regarding the use of all NaturaeSoft services.
This Business Associate Agreement (the "Agreement") is entered into by and between NaturaeSoft LLC, DBA NaturaeSoft ("Business Associate") and the Covered Entity identified at registration ("Covered Entity"), collectively the "Parties." This Agreement ensures compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, and its implementing regulations, including the Privacy, Security, Breach Notification, and Enforcement Rules (45 CFR Parts 160 and 164).
1. Definitions
- Business Associate: NaturaeSoft LLC, DBA NaturaeSoft.
- Covered Entity: The individual or organization engaging NaturaeSoft services for managing protected health information (PHI).
- Services: Includes managing electronic medical records (EMRs) via OfficePro, secure data storage, and any ancillary support related to PHI.
- Protected Health Information (PHI): Any individually identifiable health information transmitted or maintained by NaturaeSoft on behalf of the Covered Entity, as defined in 45 CFR §160.103.
- Breach: Unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy, as defined in 45 CFR §164.402.
2. Obligations of Business Associate
Permitted Uses and Disclosures
- Use or disclose PHI only as necessary to perform Services or as required by law.
- Ensure disclosures comply with the Privacy Rule and the Covered Entity's minimum necessary policies.
Safeguards
- Maintain administrative, physical, and technical safeguards, including encrypted VPNs, SSH, private keys, and zoned access within Google Cloud.
- Perform daily backups with geographic redundancy for disaster recovery.
Subcontractors, Reporting & Training
- Subcontractors and Agents: Require subcontractors or agents to agree in writing to the same restrictions and conditions applicable to NaturaeSoft under this Agreement.
- Reporting: Notify the Covered Entity within 6 to 12 hours of any incident involving unauthorized use, access, or disclosure of PHI.
- Training: Ensure employees handling PHI receive HIPAA-compliant training during onboarding and periodically thereafter.
3. Obligations of Covered Entity
Notify NaturaeSoft of limitations in its Notice of Privacy Practices affecting PHI use; changes in, or revocation of, permissions by individuals; and restrictions on the use or disclosure of PHI. Provide NaturaeSoft with timely updates that impact its ability to comply with the Agreement or Privacy Rule.
4. Data Access and Individual Rights
- Access to PHI: Provide Covered Entity or individuals with timely access to PHI in accordance with 45 CFR §164.524.
- Amendments to PHI: Implement requested amendments to PHI in compliance with 45 CFR §164.526.
- Accounting of Disclosures: Maintain and provide an accounting of disclosures as required under 45 CFR §164.528.
5. Breach Notification and Mitigation
- Incident Response: Notify Covered Entity within 6 to 12 hours of becoming aware of a breach involving PHI. The notification will include a description of the breach, the types of PHI involved, steps taken to mitigate harm, and plans for preventing future breaches.
- Mitigation: Work with the Covered Entity to address and mitigate any harm resulting from the breach.
6. Termination and Data Disposition
Return or Destruction of PHI: Upon termination of this Agreement, NaturaeSoft shall return or destroy all PHI received or created on behalf of the Covered Entity in accordance with the NaturaeSoft Data Disposition Addendum, incorporated herein by reference. Specifically:
- The Covered Entity may request a full data export within 30 days of the effective termination date; NaturaeSoft will fulfill such requests within 30 days of receipt.
- All primary storage copies of PHI will be deleted within 60 days of the effective termination date.
- All backup and archival copies will be purged within 90 days of the effective termination date.
- A written Data Destruction Certificate will be issued upon request after deletion is confirmed.
Retention Where Infeasible: If return or destruction of PHI is infeasible (e.g., due to a legal hold or regulatory obligation), NaturaeSoft shall notify the Covered Entity in writing and extend all protections of this Agreement to retained PHI for as long as it is maintained.
Covered Entity Termination Rights: Covered Entity may terminate this Agreement if NaturaeSoft breaches a material term and fails to cure within the agreed-upon timeline, or is unable to comply with HIPAA requirements.
7. Miscellaneous
- Amendments: Amend this Agreement as necessary to comply with HIPAA and related regulations.
- Survival: Obligations regarding PHI retention and protections survive termination.
- Governing Law: This Agreement is governed by federal law and the laws of the State of Oregon. The Parties agree to submit to jurisdiction in courts within the State of Oregon.
- No Third-Party Beneficiaries: This Agreement does not create rights or remedies for third parties.
Any questions about this BA Agreement should be addressed to privacy@NaturaeSoft.com.