Business Associate Agreement (BAA)

Effective: March 30, 2026
Updated: March 30, 2026
Version 1.1

(SOA Vault / ACA workflows)

Last Updated: March 30, 2026

This Business Associate Agreement (“BAA”) is entered into between Ardor Service LLC d/b/a Informed + Choice (“Business Associate” or “Informed + Choice”) and the User of the Services (“Covered Entity” or “Agent”). This BAA is incorporated by reference into the Informed + Choice Terms of Service.

WHEREAS, Business Associate provides the software platform known as HealthLink Secure, which includes Medicare SOA and ACA compliance workflows (collectively, the “Services”); and

WHEREAS, in the course of providing these Services, Business Associate may Create, Receive, Maintain, or Transmit Protected Health Information (“PHI”) on behalf of Covered Entity;

The parties agree as follows:

1. Definitions

Catch-all terms used but not defined in this BAA (e.g., Breach, Security Incident, Designated Record Set) shall have the same meaning as defined in the HIPAA Rules (45 CFR Parts 160 and 164).

2. Obligations of Business Associate

2.1 Security & Privacy

Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 (the Security Rule) to prevent Use or Disclosure of PHI other than as provided for by this BAA.

2.2 Prohibited Uses (No Data Mining or AI)

Business Associate expressly agrees that it shall not use, sell, or license PHI for:

  • Marketing purposes.
  • Training, fine-tuning, or developing machine learning models, Large Language Models (LLMs), or Artificial Intelligence systems.
  • Any data mining activities not strictly required for the delivery of the Services (e.g., PDF generation, audio compression).

2.3 Reporting

Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA, including any Security Incident or Breach of Unsecured PHI, without unreasonable delay and in no case later than 60 days after discovery.

2.4 Access and Amendment

To the extent Business Associate maintains a Designated Record Set (specifically, vaulted Medicare SOA, ACA compliance, and related audio artifacts), it agrees to make PHI available to Covered Entity to fulfill Covered Entity’s obligations under 45 CFR § 164.524 and § 164.526.

2.5 Subcontractors

Business Associate shall ensure that any subcontractors that Create, Receive, Maintain, or Transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate.

  • Authorized Subcontractors: Covered Entity acknowledges and authorizes the use of Amazon Web Services (AWS) for secure storage and Twilio for telephony services, with whom Business Associate maintains valid BAAs.

3. Permitted Uses by Business Associate

3.1

Business Associate may Use or Disclose PHI as necessary to perform the Services defined in the Terms of Service (specifically: operating the HealthLink Secure platform, creating/storing Medicare SOA and ACA compliance documents, and processing associated audio recordings).

3.2

Business Associate may Use PHI for the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances that the information will remain confidential.

4. Obligations of Covered Entity (The Agent)

4.1 Valid Authorization

Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

4.2 Consent & TCPA Liability (Audio/Signing)

Covered Entity acknowledges that it is the sole initiator of all communications. Covered Entity warrants that:

  • It has obtained all necessary consents required by the Telephone Consumer Protection Act (TCPA) and applicable state two-party consent wiretapping laws prior to utilizing the Audio/Telephony features of the Service.
  • It is solely responsible for verifying the identity of the individual accessing Public Signing Links. Business Associate provides the technical token mechanism but does not verify the legal identity of the signer.

5. Term, Termination, and Data Retention

5.1 Term

This BAA is effective as of the date the Covered Entity creates a HealthLink Secure account and terminates when all PHI provided by Covered Entity is destroyed or returned to Covered Entity.

5.2 Termination for Cause

Covered Entity may terminate this BAA if it determines Business Associate has violated a material term of the BAA.

5.3 Access for Return of PHI

Upon expiration or termination of this BAA or the underlying services relationship, and subject to Covered Entity’s authentication and reasonable administrative safeguards, Business Associate shall make PHI maintained for Covered Entity available through Business Associate’s standard export and offboarding process so that Covered Entity may retrieve the PHI in Business Associate’s standard available format.

5.4 Destruction Following Retrieval Opportunity and Instruction

After Covered Entity has had a reasonable opportunity to retrieve such PHI and has provided written direction to proceed, Business Associate shall destroy, redact, or minimize PHI maintained in active production systems to the extent feasible and consistent with Business Associate’s standard retention, security, and offboarding procedures.

5.5 No Automatic Destruction Solely Upon Termination

Covered Entity acknowledges that termination of services, by itself, does not require immediate destruction of PHI where Business Associate has not yet provided the agreed export opportunity, where Covered Entity has not yet directed destruction, or where retention is otherwise required or permitted under this BAA or applicable law.

5.6 Retention Where Return or Destruction Is Not Feasible

To the extent Business Associate determines that return or destruction of any PHI is not feasible, or is restricted by law, legal process, security requirements, immutable storage controls, backup or archival lifecycle constraints, or documented record-retention obligations, Business Associate may retain the minimum PHI necessary for such purpose. Business Associate shall continue to extend the protections of this BAA to such retained PHI and shall not use or disclose such retained PHI except for the limited purpose requiring its retention and for so long as such retention remains necessary.

5.7 Residual and Audit Records

The Parties acknowledge that Business Associate may retain limited audit trails, system logs, deletion attestations, record manifests, hashes, timestamps, routing history, and other minimal residual records necessary to document prior processing, satisfy security and compliance obligations, or preserve evidentiary continuity, provided that such retained information remains subject to the confidentiality, security, and permitted-use restrictions of this BAA.

5.8 Subcontractors

Business Associate shall require any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate and that retains PHI after termination for any permissible reason to agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.

6. Miscellaneous

6.1 Survival

The obligations of Business Associate under Section 5 (Data Retention) shall survive the termination of this Agreement.

6.2 Independent Contractor

Business Associate is an independent contractor and not an agent of Covered Entity.

Related Policies

Privacy Policy Terms & Conditions All Legal Documents Contact DPO