Business Associate Agreement
This HIPAA Business Associate Agreement (“BAA”) supplements the Master Subscription Agreement (the “Agreement”) between NorthernPlus Inc., a Delaware corporation (“NorthernPlus”), and the customer that has entered into the Agreement (“Customer”). It applies to the extent NorthernPlus creates, receives, maintains, or transmits Protected Health Information on Customer’s behalf, and is offered for eligible engagements where HIPAA applies, as described in an Order Form (for example, on the Advanced tier).
This BAA takes effect when executed as part of an eligible Order Form or when countersigned by NorthernPlus. To request a countersigned BAA, contact hello@northernplus.com. Customer should not submit PHI to the Service unless a BAA is in effect.
/ 01
Definitions
Capitalized terms used but not defined in this BAA have the meanings given in the HIPAA Rules or in the Master Subscription Agreement (the “Agreement”). “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164, as amended, including by the HITECH Act. “PHI” means Protected Health Information, and “ePHI” means electronic PHI, in each case limited to PHI that NorthernPlus creates, receives, maintains, or transmits for or on behalf of Customer under the Agreement.
In this BAA, NorthernPlus is the “Business Associate” and Customer is the “Covered Entity.” If Customer is itself a Business Associate of a third-party covered entity, then NorthernPlus is Customer’s Subcontractor and the obligations of a Business Associate in this BAA apply to NorthernPlus as Subcontractor and the obligations of a Covered Entity apply to Customer.
/ 02
Permitted uses and disclosures
NorthernPlus may use and disclose PHI only as follows:
- to perform the Service and the functions, activities, and services described in the Agreement, provided the use or disclosure would not violate the Privacy Rule if done by Customer;
- as Required by Law;
- for the proper management and administration of NorthernPlus or to carry out its legal responsibilities, provided that disclosures are Required by Law or NorthernPlus obtains reasonable assurances from the recipient that the PHI will remain confidential and that the recipient will notify NorthernPlus of any breach of confidentiality;
- to provide data aggregation services relating to the health care operations of Customer, if requested; and
- to de-identify PHI in accordance with 45 C.F.R. 164.514(a)-(c), after which the de-identified information is no longer PHI.
NorthernPlus will not use or disclose PHI other than as permitted or required by this BAA or as Required by Law, and will not Sell PHI or use or disclose PHI for marketing except as permitted by the HIPAA Rules and the Agreement.
/ 03
Obligations of NorthernPlus
NorthernPlus will:
- implement administrative, physical, and technical safeguards, and comply with the Security Rule with respect to ePHI, consistent with the measures described in our DPA and on our Security page;
- use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA;
- report to Customer any use or disclosure of PHI not permitted by this BAA of which it becomes aware, any Security Incident, and any Breach of Unsecured PHI, without unreasonable delay and in no event later than thirty (30) calendar days after discovery, and provide the information Customer needs to meet its breach notification obligations; the parties agree that this is notice of unsuccessful Security Incidents (such as routine pings, scans, and failed access attempts) that require no further reporting unless Customer requests a summary;
- in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on NorthernPlus’s behalf agrees in writing to restrictions and conditions at least as protective as those that apply to NorthernPlus under this BAA;
- make PHI in a Designated Record Set available to Customer as necessary to satisfy Customer’s obligations under 45 C.F.R. 164.524 (access), and make PHI available for amendment and incorporate amendments under 45 C.F.R. 164.526;
- maintain and make available the information required to provide an accounting of disclosures under 45 C.F.R. 164.528;
- to the extent NorthernPlus is to carry out an obligation of Customer under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to that obligation;
- make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules; and
- mitigate, to the extent practicable, any harmful effect known to NorthernPlus of a use or disclosure of PHI in violation of this BAA.
/ 04
Obligations of Customer
Customer will:
- notify NorthernPlus of any limitation in its notice of privacy practices, any change in or revocation of permission by an individual, and any restriction on the use or disclosure of PHI that Customer has agreed to or is required to abide by, to the extent any of these affects NorthernPlus’s use or disclosure of PHI;
- not request NorthernPlus to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer, except as permitted under Section 02 for NorthernPlus’s management, administration, legal responsibilities, or data aggregation; and
- obtain any consent, authorization, or permission required for the collection and processing of PHI through the Service and configure the Service so that PHI is submitted only through supported methods.
/ 05
Term and termination
This BAA is effective on the effective date of the Agreement (or the date Customer becomes eligible for and elects a BAA, as stated in an Order Form) and remains in effect until all PHI is returned or destroyed or, where return or destruction is infeasible, the protections of this BAA are extended to that PHI.
If either party becomes aware of a material breach by the other of its obligations under this BAA, the non-breaching party may require the breaching party to cure the breach within a reasonable period and, if the breach is not cured, may terminate the Agreement and this BAA to the extent permitted by the HIPAA Rules.
/ 06
Return or destruction of PHI
On termination of this BAA, NorthernPlus will, if feasible, return or destroy all PHI that it maintains and retain no copies, including by requiring its Subcontractors to do the same. Where return or destruction is infeasible, NorthernPlus will extend the protections of this BAA to that PHI and limit further use or disclosure to the purposes that make return or destruction infeasible, for so long as it maintains the PHI.
/ 07
Miscellaneous
7.1 Interpretation. This BAA is to be interpreted so that NorthernPlus and Customer comply with the HIPAA Rules. The parties will negotiate in good faith to amend this BAA as needed to comply with changes to the HIPAA Rules.
7.2 Relationship to the Agreement; precedence. This BAA forms part of the Agreement. With respect to PHI, this BAA controls over any conflicting term of the Agreement (including the DPA). All other terms of the Agreement, including the limitations and exclusions of liability, continue to apply.
7.3 No third-party beneficiaries. Nothing in this BAA creates any rights in any third party.
7.4 Survival. NorthernPlus’s obligations with respect to PHI that it continues to maintain after termination survive termination of this BAA.