
Business Associate Agreement (BAA)

This page provides the structure for the BAA used with healthcare customers where applicable. The final agreement text will be supplied by legal counsel.

Last updated: Feb 2, 2026 | Version: v0.1 | Draft template
This page is provided for procurement evaluation and readability. The executed Business Associate Agreement, as provided for signature, controls.

Parties and scope

This Business Associate Agreement (“BAA”) outlines responsibilities for handling protected health information where Cohessra acts as a business associate on behalf of a covered entity customer.

This page is presented as a structured template so stakeholders can review the categories of obligations. The final executed BAA will be provided by legal counsel.

Definitions

Key terms are defined to align expectations and reduce ambiguity during procurement. Examples include “Covered Entity,” “Business Associate,” “Protected Health Information (PHI),” and “Breach.”

Definitions may reference applicable HIPAA regulations and related guidance, depending on the final BAA language supplied for execution.

Permitted uses and disclosures

The BAA describes how Cohessra may use and disclose PHI only as necessary to provide services to the customer, and only as allowed by the agreement and applicable law.

Any permitted uses are intended to be specific and constrained, so customers can evaluate fit with their compliance program.

Safeguards

The BAA typically requires administrative, technical, and physical safeguards appropriate to the services provided. Specific safeguards are described in the final BAA language and supporting security materials.

Customers may request additional documentation during procurement to support their internal risk assessment and compliance obligations.

Breach notification

The BAA defines notification responsibilities and timelines for security incidents involving PHI, including how notifications are delivered and what information is included.

Final notification timelines and processes will be defined in the executed BAA and should be reviewed by the customer’s compliance and legal teams.

Term and termination

The BAA specifies how long obligations remain in effect and what happens upon termination of services, including requirements related to PHI return or destruction where applicable.

Termination provisions are intended to be clear and operational so both parties can execute responsibilities without uncertainty.

Contact

For BAA requests and procurement questions, contact the Cohessra team through the Support page or via your procurement channel.