Business Associate Agreement (BAA)

Last updated: December 2025

Note: This is the standard Business Associate Agreement template. When signing the BAA through the Botern mobile application, you will be redirected here to review the full agreement before accepting. Upon acceptance, a signed copy will be generated with your organization's details and stored in your account.

1. Parties

This Business Associate Agreement ("BAA") is entered into between:

  • Covered Entity: [Your Organization/Institution Name]
  • Business Associate: Swasth Bharat Techno Private Limited ("Botern")

2. Purpose

This BAA establishes the permitted and required uses and disclosures of Protected Health Information (PHI) by Botern as a Business Associate, in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.

3. Botern's HIPAA Compliance Measures

3.1. Data Encryption

  • All PHI is encrypted at rest using industry-standard encryption (AES-256)
  • All data in transit is encrypted using TLS 1.3
  • Encryption keys are managed securely and separately from encrypted data
  • Database storage uses encrypted storage systems to protect PHI at rest

3.2. Access Controls

  • Access to PHI is strictly limited to authorized personnel only
  • User authentication required for all access to PHI
  • Role-based access control (RBAC) ensures users only access authorized data
  • Multi-factor authentication (MFA) available for enhanced security
  • Automatic session timeout after periods of inactivity
  • Access is granted on a need-to-know basis and regularly reviewed

3.3. Employee Training and Compliance

  • All employees who handle PHI are required to complete HIPAA training
  • Training covers HIPAA regulations, privacy requirements, and security best practices
  • Employees are trained on proper handling, storage, and disposal of PHI
  • Regular refresher training is conducted to ensure ongoing compliance
  • Employees sign confidentiality agreements regarding PHI handling

3.4. Audit Trails

  • Comprehensive logging of all PHI access, modification, and deletion
  • Audit logs include: user identity, timestamp, action performed, and data accessed
  • Logs are retained for a minimum of 6 years as required by HIPAA
  • Logs are tamper-evident and cannot be modified by users

3.5. Data Minimization

  • Botern only collects and processes PHI necessary for service delivery
  • Users can explicitly mark fields containing PHI
  • Identifiers can be separated from clinical data for research purposes
  • Anonymization tools available for data export

3.6. AI and Machine Learning

  • PHI is never used to train AI models
  • AI processing is transient and does not store PHI in training datasets
  • All AI features require explicit user consent
  • Human verification required for all AI-generated clinical content

4. Permitted Uses and Disclosures

Botern may use or disclose PHI only:

  • As necessary to perform services for the Covered Entity
  • As required by law
  • As permitted by this BAA
  • With explicit authorization from the Covered Entity

5. Prohibited Uses

Botern agrees NOT to:

  • Use or disclose PHI for any purpose other than as specified in this BAA
  • Use PHI for marketing or commercial purposes without authorization
  • Use PHI to train AI models or machine learning algorithms
  • Disclose PHI to third parties except as permitted by this BAA

6. Safeguards

Botern will implement and maintain appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, in accordance with HIPAA Security Rule requirements.

7. Subcontractors and Third-Party Services

Botern may engage subcontractors or use third-party services (including cloud hosting providers, database services, and other infrastructure providers) to assist in service delivery. All such third-party service providers are required to:

  • Sign Business Associate Agreements (BAAs) with Botern
  • Comply with all applicable HIPAA requirements
  • Implement appropriate administrative, physical, and technical safeguards
  • Maintain HIPAA-eligible infrastructure and security measures
  • Agree to the same restrictions and conditions that apply to Botern under this BAA

Botern ensures that all third-party services used for storing, processing, or transmitting PHI have executed BAAs and maintain HIPAA-compliant practices. This includes but is not limited to cloud hosting providers, database services, and any other infrastructure that may come into contact with PHI.

8. Breach Notification

In the event of a breach of unsecured PHI, Botern will:

  • Notify the Covered Entity within 60 days of discovery
  • Provide detailed information about the breach, including affected individuals
  • Assist in breach investigation and mitigation
  • Comply with all applicable breach notification requirements

9. Access and Amendment

Upon request, Botern will provide access to PHI and facilitate amendments as required by HIPAA, subject to the Covered Entity's instructions.

10. Termination

Upon termination of this BAA:

  • Botern will return or destroy all PHI, if feasible
  • If return or destruction is not feasible, Botern will continue to protect PHI
  • Botern will not retain any copies of PHI except as required by law

11. Compliance and Audits

Botern will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Covered Entity or the Secretary of Health and Human Services for compliance reviews.

12. Contact Information

For questions about this BAA or HIPAA compliance: