Business Associate Agreement (BAA)

Last Updated: November 11, 2025

HIPAA Compliance

This Business Associate Agreement (BAA) meets the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

1. Definitions

Covered Entity:
The healthcare organization or research entity (Customer) that is subject to HIPAA.
Business Associate:
RealVigil, which creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of the Covered Entity.
Protected Health Information (PHI):
Individually identifiable health information transmitted or maintained in any form or medium.

2. Permitted Uses and Disclosures

2.1 Services

RealVigil may use and disclose PHI only as necessary to perform services specified in our Service Agreement and as permitted by this BAA.

2.2 Legal Requirements

RealVigil may use or disclose PHI as required by law, provided that we notify the Covered Entity of such disclosure when feasible.

3. Obligations of Business Associate

RealVigil agrees to:

  • Not use or disclose PHI except as permitted by this BAA or required by law
  • Use appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report to Covered Entity any use or disclosure not provided for by this BAA
  • Ensure that any subcontractors agree to the same restrictions
  • Make PHI available to individuals as required by HIPAA
  • Make PHI available for amendment and incorporate amendments as required
  • Maintain and make available information required for accounting of disclosures
  • Make internal practices, books, and records available to HHS for compliance determination

4. Security Requirements

RealVigil implements administrative, physical, and technical safeguards including:

  • Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for user access
  • Role-based access controls
  • Audit logging and monitoring
  • Regular security risk assessments
  • Workforce training on HIPAA compliance
  • Disaster recovery and business continuity planning

5. Breach Notification

RealVigil will report any breach of unsecured PHI to the Covered Entity without unreasonable delay and no later than 60 days after discovery. The notification will include identification of affected individuals, a description of the breach, and mitigation steps taken.

6. Subcontractors

RealVigil will ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to restrictions and conditions equivalent to those in this BAA.

7. Term and Termination

This BAA remains in effect until all PHI is destroyed or returned to the Covered Entity. Upon termination of services, RealVigil will return or destroy all PHI, except where retention is required by law.

8. Individual Rights

RealVigil will provide access to PHI to enable the Covered Entity to fulfill individuals' rights under HIPAA, including rights of access, amendment, and accounting of disclosures.

9. Minimum Necessary

RealVigil will make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose.

10. Requesting a BAA

To execute a Business Associate Agreement with RealVigil, please contact:

Email: compliance@realvigil.com

We typically execute BAAs within 5-7 business days of receiving a request.

Note for Research Organizations

If your clinical trial involves identifiable health information and you are a Covered Entity under HIPAA, a signed BAA is required before using RealVigil to process such data.