
Business Associate Agreement

Last updated: 10/6/2025

This Business Associate Agreement ("Agreement") is entered into by and between Olive Legal Inc. ("Business Associate") and the Signing Party ("Covered Entity"), collectively referred to as the "Parties." By creating an account with Olive Legal and agreeing to this Agreement via electronic acceptance, the Signing Party acknowledges and agrees that this Agreement is binding, effective as of the date of account creation ("Effective Date"), and is incorporated into Olive Legal's Terms of Service. (olive.legal)


1. Purpose

Business Associate provides services that require access to, use of, or disclosure of Protected Health Information ("PHI") as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA"). These services include, but are not limited to, medical-record upload, review, summarization, and secure storage. Business Associate performs prompt engineering and benchmarking on user data to improve service quality, but PHI is processed transiently in memory and is not stored, retained, or used for model training or fine-tuning. (olive.legal)


2. Definitions

HIPAA. The Health Insurance Portability and Accountability Act of 1996, the HITECH Act, and the regulations on Privacy, Security, Breach Notification and Enforcement at 45 C.F.R. Parts 160 & 164, as amended from time to time.

PHI. Individually identifiable health information transmitted or maintained in any form or medium that relates to an individual's past, present, or future physical or mental health, health-care provision, or payment for health care.

Security Incident. The attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system—excluding innocuous events such as port scans or unsuccessful log-ons that do not result in unauthorized access, use, or disclosure of PHI.


3. Compliance with Applicable Law

Each Party shall comply with this Agreement, HIPAA, and all other applicable state and federal privacy and security laws, as they exist now or are amended or superseded in the future.


4. HIPAA Compliance Certification

Olive Legal certifies that it:

  • Maintains administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI (45 C.F.R. § 164.306, §§ 164.308–312);
  • Performs periodic risk assessments and maintains HIPAA-compliant policies and procedures;
  • Executes Business Associate Agreements with any subcontractors or vendors that may access PHI; and
  • Has established procedures for breach notification, access control and audit logging. (olive.legal)

5. Permitted Uses and Disclosures

Business Associate may:

  1. Use or disclose PHI only as necessary to perform services for the Covered Entity or as required by law;
  2. Use PHI for its proper management, administration, or to carry out its legal responsibilities, provided any recipient agrees to keep the information confidential and to notify Business Associate of any breach;
  3. Request, use and disclose only the minimum necessary PHI consistent with 45 C.F.R. § 164.514(d);
  4. Process PHI transiently in memory for prompt engineering and benchmarking purposes to improve service quality, provided that PHI is not persisted, stored, retained, or used for the purposes of model training or fine-tuning beyond the duration of processing.

6. Obligations of Business Associate

Business Associate shall:

  • Implement and maintain appropriate administrative, physical and technical safeguards to protect PHI, including electronic PHI ("ePHI").
  • Report to the Covered Entity (i) any use or disclosure of PHI not permitted by this Agreement, and (ii) any Security Incident or breach of unsecured PHI, without unreasonable delay and in no event later than five (5) days after discovery.
  • Mitigate, to the extent practicable, any harmful effect of an impermissible use or disclosure.
  • Ensure that all subcontractors who create, receive, maintain, or transmit PHI on behalf of Business Associate agree, by written contract, to the same restrictions and conditions.
  • Make PHI in a Designated Record Set available for access or amendment within fifteen (15) and thirty (30) days respectively, and document and provide an accounting of disclosures within thirty (30) days of request.
  • Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for compliance purposes.

7. Data Aggregation

Subject to the limitations of this Agreement, Business Associate may use PHI to provide data-aggregation services to the Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).


8. Qualified Service Organization (QSO)

To the extent Business Associate qualifies as a QSO under 42 C.F.R. Part 2, Business Associate agrees to be fully bound by the Part 2 confidentiality regulations and will resist in judicial proceedings any efforts to obtain PHI except as permitted therein.


9. Breach Notification

Business Associate will provide the Covered Entity with all information required under 45 C.F.R. § 164.410 to enable timely notification to affected individuals, HHS and, where applicable, the media.


10. Term, Termination & Effect of Termination

This Agreement is effective on the Effective Date and remains in effect for as long as Business Associate provides services involving PHI.

  • Termination for Cause. Covered Entity may terminate this Agreement immediately upon knowledge of a material breach. At its option, Covered Entity may provide Business Associate an opportunity to cure such breach within thirty (30) days.
  • Return or Destruction of PHI. Upon termination, Business Associate shall, if feasible, return or destroy all PHI. If return or destruction is infeasible, Business Associate shall continue to protect the PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

11. Indemnification & Reimbursement of Notification Costs

Business Associate shall indemnify and hold harmless the Covered Entity and its affiliates from all third-party claims, penalties, costs (including reasonable attorneys' fees), and damages arising out of Business Associate's negligence, willful misconduct, or breach of this Agreement or HIPAA. Business Associate shall also reimburse the Covered Entity for reasonable costs incurred in providing breach notifications, including credit or identity-protection services.


12. No Agency; Injunctive Relief

Nothing in this Agreement creates an agency relationship between the Parties; Business Associate is an independent contractor. Unauthorized use or disclosure of PHI may cause irreparable harm, entitling the Covered Entity to seek injunctive relief and recovery of related costs and attorneys' fees.


13. Changes in the Law

The Parties shall amend this Agreement as necessary to comply with changes to HIPAA, other applicable laws, or implementing regulations.


14. Conflicts

If any provision of this Agreement conflicts with any other agreement between the Parties, the terms of this Agreement shall control with respect to PHI.


15. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Massachusetts, without regard to its conflict-of-law rules. (olive.legal)


16. Electronic Agreement

By checking the acknowledgment box during account creation, the Signing Party:

  • Represents that it is authorized to bind its organization;
  • Accepts all terms and conditions herein as legally binding; and
  • Acknowledges that this electronic Agreement is enforceable under the E-SIGN Act. (olive.legal)

IN WITNESS WHEREOF, the Parties agree to the foregoing as of the Effective Date by means of electronic acceptance.