Client Terms

Last Updated: August 29, 2025

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“BAA”) is effective upon the earlier of (i) the date Client begins receiving Services from Sword or (ii) the date Client signs an Order Form (the “Effective Date”), and is entered into by and between the company or other legal entity that has entered into an Order Form as the plan sponsor of one or more employee welfare benefit plans, on behalf of each such plan (“Covered Entity”), and Sword Health, Inc. (“Sword”) (each a “Party” and collectively the “Parties”).

RECITALS

WHEREAS, Sword performs certain services for or on behalf of Covered Entity that involve the use or disclosure of “PHI,” as that term is defined herein, which services are reflected in one or more separate written contracts between Covered Entity and Sword (“Underlying Contract(s)”).

WHEREAS, the Parties are committed to compliance with the Health Insurance Portability and Accountability Act of 1996 and Title XIII, Subtitle D, of the American Recovery and Reinvestment Act of 2009 (P.L. 111-5), known as the Health Information Technology for Economic and Clinical Health Act, and the regulations promulgated thereunder, as amended from time to time (collectively, “HIPAA”).

WHEREAS, the purpose of this BAA is to satisfy the obligations of Covered Entity under HIPAA and to ensure the integrity and confidentiality of PHI held, transmitted, disclosed, received, or created by Sword from or on behalf of Covered Entity.

NOW, THEREFORE, in consideration of the foregoing recitals and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

AGREEMENT

1.   Definitions.  Unless otherwise defined in this BAA, all capitalized terms used in this BAA have the meanings ascribed to such terms in HIPAA.

a.  “Business Associate Services” shall mean those services performed by Sword on behalf of the Covered Entity but does not include services provided directly to an Individual (excluding their personal representative) by Sword and activities related thereto.

b.  “Electronic Protected Health Information” or “ePHI” shall have the same meaning as the term “electronic protected health information” in HIPAA, to the extent such information is created, maintained, received, or transmitted by Sword from or on behalf of Covered Entity for the Business Associate Services.

c.  “Individual” shall have the same meaning as the term “individual” in HIPAA and shall include a person who qualifies as a personal representative in accordance with the Privacy Rule.

d.  “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in HIPAA, to the extent such information is created, maintained, received or transmitted by Sword from or on behalf of Covered Entity for the Business Associate Services.

2.   Scope.  This BAA shall supplement and/or amend each of the Underlying Contract(s) only with respect to Sword’s use and disclosure of PHI pursuant to the Business Associate Services to allow Covered Entity and Sword to comply with HIPAA.  In the event of a conflict between this BAA and the Underlying Contract(s), the terms of this BAA shall control with respect to the subject matter herein.

3.   Permitted Activities of Sword.  Unless otherwise limited or prohibited by this BAA, Sword may:

a.     use and disclose PHI as necessary to perform the Business Associate Services, or fulfill any other contractual obligations to Covered Entity, or to carry out Covered Entity’s written instruction(s), provided that such use or disclosure would not violate HIPAA if done by Covered Entity.

b.     use PHI in its possession as Required by Law, or as necessary for its proper management and administration, and to fulfill any present or future legal responsibilities.

c.     disclose PHI in its possession to a third party if necessary for the purposes of its proper management and administration or to fulfill any present or future legal responsibilities, provided that either (i) the disclosure is Required by Law; or (ii) Sword has received from the third party reasonable assurances that the third party will hold such PHI confidentially, that the PHI will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party, and that the third party will notify Sword of any instance of which it is aware in which the confidentiality of the PHI has been breached.

d.     use PHI to provide Data Aggregation services relating to the Health Care Operations of the Covered Entity.

e.     de-identify any and all PHI, provided that the de-identification conforms to the requirements of 45 C.F.R. § 164.514 and guidance issued by the Secretary from time to time.  The Parties agree that such de-identified information does not constitute “PHI” and that the terms of this BAA shall no longer apply to it.

f.      use or disclose PHI for purposes and to the extent authorized by the Individual.

4.   Protection of PHI by Sword.  With regard to its use and/or disclosure of PHI, Sword shall:

a.     not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.

b.     use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA.

c.     implement administrative, physical, and technical safeguards and comply with the policies, procedures, and documentation requirements of HIPAA.

d.     report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including, without limitation, any Breach or Security Incident (collectively, an “Incident”), without unreasonable delay, but in no event later than fifteen (15) days following its Discovery.  The Parties acknowledge and agree that this section constitutes notice by Sword to Covered Entity of the ongoing existence and occurrence of, or attempts at, Unsuccessful Security Incidents, for which no additional notice to Covered Entity shall be required.  “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Sword’s firewall, port scans, unsuccessful log-on attempts, denial-of-service attacks, and any combination of the above, so long as no such incident results in unauthorized access to, or unauthorized use or disclosure of, PHI.  The report required under this section shall include, to the extent known at the time of the report:  (i) the identification of each Individual whose PHI has been, or is reasonably believed by Sword to have been, accessed, acquired, used, lost, modified, destroyed, or disclosed in the Incident; (ii) a brief description of what happened, including the date of the Incident and the date of its Discovery; (iii) a description of the types of PHI involved; (iv) any steps Individuals should take to protect themselves from potential harm resulting from the Incident; (v) a brief description of what Sword is doing to investigate, remediate, and respond to the Incident, mitigate harm to Individuals, and protect against further Incidents; and (vi) such other information available to Sword that Covered Entity reasonably requests.  Sword shall supplement its initial notification as additional information is obtained.

e.     use commercially reasonable efforts to mitigate any harmful effect known to Sword of a use or disclosure of PHI by Sword in violation of the requirements of this BAA.

f.   ensure that any Subcontractor that receives PHI from Sword enters into an agreement or similar arrangement with Sword which contains substantially similar restrictions and limitations on Subcontractor as those imposed upon Sword in this BAA.

g.     if Sword maintains PHI in a Designated Record Set, following a written request from Covered Entity, provide access to the PHI in such Designated Record Set directly to Covered Entity so that Covered Entity may comply with its obligations under HIPAA in responding to an Individual’s request for access to their PHI.  In the event any Individual requests access to PHI directly from Sword, Sword shall, within ten (10) days, forward such request to Covered Entity.  Any denial of access to the PHI requested shall be the exclusive responsibility of Covered Entity.

h.     if Sword maintains PHI in a Designated Record Set, following a written request from Covered Entity, make available to Covered Entity such PHI as is necessary for Covered Entity to comply with its obligations under HIPAA in responding to an Individual’s request for amendment, and Sword shall incorporate any amendments to the PHI as directed by Covered Entity.  In the event any Individual requests an amendment to PHI directly from Sword, Sword shall, within ten (10) days, forward such request to Covered Entity.

i.     make available to Covered Entity the information required for Covered Entity to provide an accounting of disclosures of PHI as required by HIPAA.  In the event any Individual requests an accounting of disclosures of PHI directly from Sword, Sword shall, within ten (10) business days, forward such request to Covered Entity.

j.  make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with HIPAA, subject to attorney-client and other applicable privileges.

k.  to the extent that Sword carries out one or more of Covered Entity’s obligations under HIPAA, comply with the requirements as they apply to Covered Entity in the performance of such obligations.

l.   utilize a Limited Data Set, if practicable, when using, disclosing, or requesting PHI.  Otherwise, Sword shall use, disclose, or request only the Minimum Necessary PHI to accomplish the purpose of the use, disclosure, or request.

5.   Obligations of Covered Entity.  With regard to the use and disclosure of PHI by Sword, Covered Entity agrees to:

a.     provide Sword with Covered Entity’s Notice of Privacy Practices, and inform Sword of any changes to said notice that may affect Sword’s use and disclosure of PHI;

b.   inform Sword of any changes in, or revocation of, permission by the Individual to use or disclose PHI, if such changes may affect Sword’s use or disclosure of PHI;

c.   notify Sword of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under HIPAA, if such restriction may affect Sword’s use or disclosure of PHI;

d.   not request that Sword use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity;

e.   only disclose to Sword the PHI that is the minimum amount of PHI necessary for the accomplishment of the Business Associate Services; and

f.     obtain any consents, authorizations, and/or other legal permissions required under HIPAA and other applicable state laws for the disclosure of PHI to Sword.

6.   Term.  This BAA shall commence as of the earlier of (i) the Effective Date or (ii) the date on which Sword first holds, transmits, discloses, receives, or creates PHI from or on behalf of Covered Entity, and shall continue in effect until terminated as provided in this BAA.

7.   Termination.  This BAA shall terminate when all PHI provided by Covered Entity to Sword, or created or received by Sword on behalf of Covered Entity, is returned to Covered Entity or destroyed, or, if it is infeasible to return or destroy all of the PHI, when protections are extended to such information in accordance with the provisions of Section 7(b).

a.   Termination for Cause.  Should a Party become aware of a material breach of this BAA by the other Party, the non-breaching Party shall provide the breaching Party with written notice of such breach in sufficient detail to enable the breaching Party to understand the specific nature of the breach.  The non-breaching Party shall be entitled to immediately terminate this BAA if, after the non-breaching Party provides such notice, the breaching Party fails to cure the breach or end the violation within a reasonable period from its receipt of such notice; provided, however, that the non-breaching Party may, in its discretion, agree to a longer cure period based on the nature of the breach involved.

b.   Effect of Termination.  Except as provided in this section, upon termination of this BAA for any reason, Sword shall return or destroy all PHI received from Covered Entity or created or received by Sword or any Subcontractor on behalf of Covered Entity, and neither Sword nor any Subcontractor shall retain copies of the PHI.  In the event Sword reasonably determines that returning or destroying the PHI is infeasible, Sword shall notify Covered Entity of the conditions that make return or destruction infeasible.  Sword shall extend the protections of this BAA to such retained PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Sword or any of its contractors, agents, or Subcontractors maintains such PHI.

8.   MISCELLANEOUS.

a.   Indemnification and Limitation on Liability.  Any right to indemnification or limitation on liability shall be determined under the Underlying Contract(s).

b.  Regulatory References.  A reference in this BAA to a section in HIPAA, means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.

c.   Notice.  Any notice required by this BAA to either Party shall be sent by certified mail (which is required for notice of a Breach) or electronic mail (i) to Sword at 169 Madison Ave, Suite 15501, New York, NY 10016, Attn: Privacy Counsel, email: privacy@swordhealth.com; or (ii) to Client at the address and email address listed on the most recent Order Form signed by Covered Entity or, if such fields are blank, to the address and email address on file in Sword’s records.

d.   Survival.  The respective rights and obligations of Sword and Covered Entity under this BAA which by their nature should survive shall survive the expiration or termination of this BAA indefinitely, including without limitation Sections 4(i) and 4(j), Section 7(b), and this Section 8(d).

e.   Interpretation.  Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA.

f.    Relationship of the Parties.  In the performance of the work, duties, and obligations described in this BAA, the Parties acknowledge and agree that each Party is at all times acting and performing as an independent contractor and at no time shall the relationship between the Parties be construed as a partnership, joint venture, employment, principal/agent relationship, or master/servant relationship.

g.   No Third Party Beneficiaries.  Nothing in this BAA shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.  Without limiting the foregoing, it is the Parties’ specific intent that nothing contained in this BAA shall give rise to any right or cause of action, contractual or otherwise, in or on behalf of any Individual whose PHI is used or disclosed pursuant to this BAA.

h.   Entire Agreement and Amendment.  This BAA constitutes the entire agreement between the Parties with respect to PHI.  This BAA is provided via weblink; the most recent version of this BAA posted as of the date Client signs an Order Form shall apply.  Sword may modify this BAA at any time; however, such modified terms will only become effective upon the earlier of (i) the renewal of an Order Form or (ii) the date on which Client enters into a new Order Form, at which time such most recent BAA shall govern the use of all Services.  Any other modification of the terms and conditions of this BAA must be in writing and signed by an authorized representative of each Party.  As the requirements of HIPAA may be modified from time to time, the Parties agree that Sword may amend this BAA upon notice to Covered Entity as needed to ensure continued compliance with HIPAA, as determined by the Parties’ respective counsel.  If Covered Entity reasonably believes that Sword has made a material error in judgment in amending this BAA due to a change in HIPAA, it may provide such objection in writing to Sword within thirty (30) days of the date it was notified by Sword of the amendment (the “Objection Notice”).  After receipt of the Objection Notice, the Parties will meet to discuss Covered Entity’s objection and negotiate in good faith to determine a mutually agreeable solution.

i.   Waiver.  No provision of this BAA may be waived except by an agreement in writing signed by the waiving Party.  A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

j.    Headings.  The headings of each section are inserted solely for purposes of convenience and shall not alter the meaning of this BAA.

k.   Governing Law.  The Parties hereby agree that this BAA shall be governed by, and construed in accordance with, the governing law identified in the Underlying Contract(s), and shall be subject to the courts identified therein.

 

_________________

End of Business Associate Agreement