PARIE's standard HIPAA Business Associate Agreement, drafted to be readable, defensible, and signable without lawyer ping-pong. Scoped to the case where the Customer (a Covered Entity or upstream Business Associate) routes Protected Health Information through PARIE's services.
This is a template, not a signed contract. It is published for procurement teams to review the standard PARIE BAA terms before engaging. To execute, contact hello@parie.io with subject BAA_REQUEST — PARIE returns a signable copy with your entity details filled in. PARIE will not transmit, receive, or process Protected Health Information (PHI) until a fully executed BAA is in place.
Upstream BAAs PARIE relies on: PARIE has executed (or is in the process of executing) BAAs with Anthropic PBC (LLM inference) and Google LLC (Cloud / Firebase hosting). The chain of BAAs from Customer → PARIE → these subprocessors is what makes this BAA enforceable end-to-end. Status of upstream BAAs is published in PARIE's trust dossier; current readiness as of May 2026 is "drafting / requested." PARIE will confirm signed-status of all upstream BAAs in writing before activating this BAA.
This Business Associate Agreement ("BAA") is entered into between:
Customer: ___________________________ ("Covered Entity" or "Upstream BA"), with offices at ___________________________; and
PARIE: PARIE, McKinney, Texas, USA ("Business Associate" or "PARIE"). Authorized signatory and full registered address provided on the executed copy.
This BAA takes effect on the latest signature date below (the "Effective Date") and is incorporated by reference into the Master Subscription Agreement, Order Form, or other governing services agreement between the parties (the "Underlying Agreement").
In the event of a conflict between this BAA and the Underlying Agreement solely with respect to PHI, the terms of this BAA prevail.
2. Definitions.
Capitalized terms not defined in this BAA have the meaning given in 45 CFR Parts 160 and 164 (the "HIPAA Rules") or the HITECH Act. Key terms used in this BAA:
HIPAA
The Health Insurance Portability and Accountability Act of 1996, as amended, including the Privacy Rule (45 CFR Part 164 Subpart E), Security Rule (Subpart C), Breach Notification Rule (Subpart D), and Enforcement Rule (45 CFR Part 160 Subparts C–E).
HITECH
The Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009.
PHI
"Protected Health Information" as defined in 45 CFR § 160.103 — limited, for the purposes of this BAA, to PHI received from, created on behalf of, or transmitted to Customer.
ePHI
Electronic Protected Health Information, the subset of PHI maintained or transmitted in electronic form.
Designated Record Set
As defined at 45 CFR § 164.501.
Required by Law
As defined at 45 CFR § 164.103.
Security Incident
As defined at 45 CFR § 164.304.
Subcontractor
A person or entity to whom PARIE delegates a function involving PHI on Customer's behalf, as defined in 45 CFR § 160.103.
Services
The PARIE products and services described in Exhibit A and the Underlying Agreement.
3. Permitted uses & disclosures of PHI.
PARIE may use and disclose PHI only as follows:
3.1 To perform the Services. PARIE may use and disclose PHI as necessary to deliver the Services described in Exhibit A and as further specified in the Underlying Agreement.
3.2 For PARIE's own management and administration. PARIE may use PHI for its proper management and administration, or to carry out its legal responsibilities, provided that any disclosure of PHI to a third party is (a) Required by Law, or (b) made under reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only for the purpose for which it was disclosed, and that the recipient will notify PARIE of any breach of confidentiality.
3.3 De-identification. PARIE may de-identify PHI in accordance with 45 CFR § 164.514(b) and use such de-identified information for any lawful purpose, including improving the Services. PHI used to derive de-identified data is destroyed in accordance with §11.
3.4 Data aggregation. PARIE may use PHI to provide data aggregation services to Customer as permitted by 45 CFR § 164.504(e)(2)(i)(B), where Customer requests such aggregation in writing.
3.5 Required disclosures. PARIE may use or disclose PHI as Required by Law.
4. Prohibited uses & disclosures.
Without limiting any other provision of this BAA, PARIE shall not:
Use or disclose PHI in a manner that would violate the HIPAA Rules if done by Customer (except as expressly permitted in §3.2 and §3.4 above);
Sell PHI or use PHI for marketing in violation of HITECH §13405;
Use PHI to train, fine-tune, evaluate, or test any artificial intelligence or machine-learning model maintained by PARIE or any subprocessor, including the Anthropic Claude models, except for de-identified data as permitted in §3.3;
Disclose PHI to any subprocessor not listed in Exhibit B without (a) executing a written subcontractor agreement that contains restrictions and conditions at least as protective as those in this BAA, and (b) updating Exhibit B and notifying Customer with 30 days' advance notice; or
Transmit PHI outside the United States without Customer's prior written consent, except where transmission is to an upstream subprocessor (e.g., Anthropic) processing in the US, in which case PARIE represents that the transmission is intra-US.
5. Safeguards & security obligations.
PARIE shall implement and maintain administrative, physical, and technical safeguards reasonably designed to prevent the use or disclosure of PHI other than as permitted by this BAA, and shall comply with the applicable provisions of the Security Rule (45 CFR Part 164 Subpart C) with respect to ePHI. Without limiting the generality of the foregoing, PARIE represents and warrants that it:
Encrypts PHI at rest (AES-256, inherited from Google Cloud) and in transit (TLS 1.2 minimum, TLS 1.3 default);
Maintains multi-tenant isolation at the Firestore Security Rules level so that Customer's PHI is logically segregated and access-controlled separately from other customers' data;
Maintains append-only audit logs of all access to PHI, with logs retained for the term of this BAA plus 6 years;
Restricts access to PHI to authorized personnel on a strict need-to-know basis and requires multi-factor authentication for all administrative access;
Conducts an annual third-party penetration test and remediates findings within the SLAs published in PARIE's trust dossier;
Maintains an incident-response plan and on-call rotation as described in the trust dossier §11; and
Trains all personnel who may access PHI on PARIE's privacy and security policies upon hire and annually thereafter.
PARIE shall report to Customer any Security Incident of which it becomes aware, including breaches of Unsecured PHI as required under §6 below. Unsuccessful Security Incidents (including pings, port scans, denial-of-service attempts, and access attempts that do not result in actual access to PHI) need not be reported individually; PARIE provides aggregate reporting on request.
6. Breach notification.
PARIE shall, following the discovery of a breach of Unsecured PHI:
Notify Customer in writing without unreasonable delay and no later than 72 hours after PARIE's discovery of the breach;
Provide, to the extent known at the time of notice, (a) the identities of individuals whose PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed; (b) a description of the types of Unsecured PHI involved; (c) any steps individuals should take to protect themselves; (d) a description of what PARIE is doing to investigate, mitigate, and prevent recurrence; and (e) the contact information for further inquiries; and
Cooperate with Customer's good-faith investigation of the breach, including by making personnel and records reasonably available, by producing the audit logs described in §5, and (where the breach affects multiple Customers' PHI) by coordinating notifications.
Customer is responsible for any breach notifications required under HIPAA, HITECH, or applicable state law to affected individuals, the Secretary of HHS, and the media. PARIE shall reimburse Customer for reasonable, documented costs of breach notification to the extent the breach is caused by PARIE's material failure to comply with this BAA.
7. Subcontractors & downstream Business Associates.
PARIE shall enter into a written agreement with each Subcontractor that has or may have access to PHI, containing terms substantially the same as those in this BAA (a "Downstream BAA"). The Subcontractors PARIE currently uses are listed in Exhibit B. PARIE shall update Exhibit B and provide Customer at least 30 days' prior written notice before adding a Subcontractor with access to PHI. Customer may object in writing within that 30-day window; if PARIE cannot reasonably accommodate the objection, Customer may terminate the affected Order Form for convenience without penalty.
PARIE remains responsible for the acts and omissions of its Subcontractors with respect to PHI as if those acts and omissions were its own.
8. Individual rights — access, amendment, accounting.
Access. Where PARIE maintains PHI in a Designated Record Set on Customer's behalf, PARIE shall provide such PHI to Customer (or, if directed by Customer, to the individual) within 15 business days of a written request, in the electronic format reasonably requested.
Amendment. PARIE shall make amendments to PHI in a Designated Record Set as Customer directs, within 30 business days of a written request from Customer.
Accounting of disclosures. PARIE shall maintain records of disclosures of PHI sufficient for Customer to respond to requests for accounting of disclosures under 45 CFR § 164.528, and shall provide such records to Customer within 30 business days of a written request.
Restrictions. PARIE shall comply with any restrictions on the use or disclosure of PHI to which Customer has agreed under 45 CFR § 164.522, provided Customer notifies PARIE of the restriction in writing.
9. Inspection & audit.
PARIE shall make available to Customer or to the Secretary of HHS, upon reasonable advance written notice, its internal practices, books, and records relating to the use and disclosure of PHI for purposes of Customer's or the Secretary's review of compliance with the HIPAA Rules. Customer may exercise its inspection rights under this section not more than once per year, except in connection with an actual or suspected breach, in which case the right may be exercised as reasonably necessary to investigate.
Inspections shall be conducted during normal business hours, with reasonable steps to avoid disruption of PARIE's operations and to protect the confidentiality of other customers' data. PARIE may satisfy this obligation by providing a current SOC 2 Type II report (when available), penetration test executive summary, and the trust dossier in lieu of an on-site inspection where Customer's procurement framework permits.
10. Term & termination.
This BAA takes effect on the Effective Date and continues for the term of the Underlying Agreement, unless earlier terminated as provided herein.
Termination for cause. Customer may terminate this BAA and the Underlying Agreement (with respect to PHI) immediately upon written notice if PARIE has materially breached this BAA and has failed to cure the breach within 30 days of written notice from Customer (or such longer period as is reasonable under the circumstances). Customer may also report a material breach to the Secretary of HHS as provided in 45 CFR § 164.504(e)(1)(ii).
Termination for convenience. Either party may terminate this BAA on 90 days' written notice if no Underlying Agreement remains in effect.
11. Effect of termination.
Within 30 days after the termination of this BAA, PARIE shall:
(1) Return or destroy all PHI received from, created on behalf of, or transmitted by Customer that is then in PARIE's possession or control, including PHI in the possession of Subcontractors. Where return or destruction is infeasible (for example, PHI embedded in immutable audit logs maintained for HIPAA compliance), PARIE shall extend the protections of this BAA to that PHI and limit further use to the purposes that make return or destruction infeasible, for as long as PARIE maintains the PHI; and
(2) Certify in writing to Customer that all PHI not retained pursuant to subsection (1) above has been returned or destroyed.
12. Miscellaneous.
Regulatory references. A reference in this BAA to a section of the HIPAA Rules means the section as in effect or as amended.
Amendment. The parties agree to amend this BAA from time to time as necessary to comply with the requirements of HIPAA, HITECH, and any final implementing regulations.
Survival. The obligations of PARIE under §3 (data aggregation), §6 (breach), §7 (subcontractors), §11 (effect of termination), and §12 (miscellaneous) survive any termination of this BAA.
Interpretation. Any ambiguity in this BAA shall be resolved in favor of an interpretation that permits compliance with the HIPAA Rules.
No third-party beneficiaries. Nothing in this BAA confers any rights upon any person other than the parties and their respective successors and permitted assigns.
Governing law. This BAA is governed by the laws of the State of Delaware, USA, except to the extent that federal law (including HIPAA and HITECH) preempts state law.
Counterparts & electronic signature. This BAA may be executed in counterparts (including PDF and electronic signatures), each of which is deemed an original and which together constitute one and the same instrument.
13. Signatures.
Intending to be legally bound, the parties have caused their duly authorized representatives to execute this BAA as of the Effective Date.
Customer (Covered Entity / Upstream BA)
Entity name
Authorized signatory
Title
Date
Signature
PARIE (Business Associate)
Entity name
PARIE
Authorized signatory
Title
Date
Signature
Exhibit A — Description of Services & Scope of PHI.
A.1 Services.
PARIE provides multi-tenant SaaS that delivers AI-grounded guidance, training, and certification to end users inside enterprise web applications (Oracle Cloud, SAP, Salesforce, Workday, NetSuite, Microsoft Dynamics, EPM tools, banking platforms). Where Customer routes PHI through PARIE, PHI may be encountered in:
Knowledge-base documents that Customer's authorized administrators upload to PARIE for grounding (e.g., HIPAA training manuals, internal SOPs, compliance procedures);
End-user prompts to the AI copilot (where a clinical or administrative user includes PHI in a question);
Visible UI labels of the active tab when a user invokes the Chrome-extension copilot inside an enterprise application that displays PHI on screen.
A.2 Categories of PHI processed.
Demographic identifiers (name, address, date of birth, MRN, contact info) where included in Customer-uploaded documents or end-user prompts;
Clinical narrative content (diagnoses, procedures, medications) where included in same;
Insurance / payer identifiers where included in same.
PARIE does not intentionally read form values, table rows, or query results from Customer's enterprise applications. The Chrome extension reads only visible UI labels.
A.3 Recipients of PHI within PARIE.
PARIE personnel: authorized engineering and support staff with documented need-to-know;
Subprocessors listed in Exhibit B;
No other parties, except as expressly permitted in §3 or Required by Law.
Exhibit B — Subprocessors with PHI access.
The following subprocessors may have access to PHI in the course of providing the Services. PARIE represents that it has executed (or, where indicated, is in the process of executing) a Business Associate Agreement with each subprocessor below. Status as of May 2026:
Google LLC
Cloud / Firebase hosting
BAA available via Cloud Identity; PARIE has requested execution and will confirm signed status in writing before this BAA goes into effect.
Anthropic PBC
LLM inference (Claude API)
BAA available; PARIE has requested execution. PHI is transmitted to Anthropic only as part of the user's prompt; Anthropic does not retain prompts per its API terms.
Other subprocessors used for non-PHI processing (Stripe billing metadata, Postmark email, Namecheap DNS, GitHub source) are listed in PARIE's full subprocessor list at parie.io/subprocessors; none of these process PHI.
Adding a PHI subprocessor: PARIE will provide 30 days' advance written notice and update this Exhibit before any new subprocessor with PHI access is engaged. Customer's right to object is preserved per §7.