Business Associate Agreement
Standard BAA for HIPAA-covered entities using FileShot for secure file sharing. Available on the Professional plan.
BUSINESS ASSOCIATE AGREEMENT
Effective as of the date countersigned by both parties ("Effective Date")
This Business Associate Agreement ("BAA") is entered into between the entity identified in the subscription account ("Covered Entity") and FileShot.io, operated by GraySoft ("Business Associate"), collectively referred to as the "Parties."
This BAA supplements and is incorporated into the FileShot.io Terms of Service and governs the handling of Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 CFR Parts 160 and 164.
1. Definitions
Terms used but not defined in this BAA shall have the meanings assigned to them in HIPAA and the HITECH Act. The following definitions apply:
- "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI, subject to the exclusions and exceptions set forth in 45 CFR 164.402.
- "Electronic Protected Health Information" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form.
- "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
2. Obligations of Business Associate
- Permitted Uses and Disclosures. Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as required by law. Business Associate shall use and disclose PHI only for the purpose of performing services for Covered Entity as described in the Terms of Service.
- Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards, and shall comply with the requirements of 45 CFR Part 164 Subpart C, to prevent the use or disclosure of PHI other than as provided for by this BAA. Specifically, Business Associate implements the following safeguards:
  - AES-256-GCM client-side encryption of all files before transmission to Business Associate's servers
  - Zero-knowledge architecture: encryption keys are never transmitted to or stored on Business Associate's servers
  - TLS 1.2+ encryption for all data in transit
  - Audit logging of access events, retained for a minimum of six (6) years
  - Automatic file expiration and deletion per the configuration set by Covered Entity
- Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Breach of Unsecured PHI as required by 45 CFR 164.410, within sixty (60) days of discovery.
- Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this BAA.
- Access to PHI. Due to the zero-knowledge architecture, Business Associate does not have the ability to access, read, or decrypt the content of files stored by Covered Entity. Business Associate shall make available any unencrypted metadata in its possession that constitutes PHI to Covered Entity upon request within thirty (30) days, as required by 45 CFR 164.524.
- Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated Record Set as directed by Covered Entity, to the extent such amendments are technically feasible given the zero-knowledge architecture.
- Accounting of Disclosures. Business Associate shall make available information required to provide an accounting of disclosures in accordance with 45 CFR 164.528. Business Associate shall maintain audit logs sufficient to satisfy this requirement.
- HHS Access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.
3. Obligations of Covered Entity
- Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate HIPAA or the HITECH Act.
- Covered Entity acknowledges that Business Associate's zero-knowledge architecture means that Business Associate cannot access or review the content of files. Covered Entity is solely responsible for the content of files uploaded to the service.
- Covered Entity is responsible for maintaining the confidentiality of download links and any passwords used to protect files. Sharing a download link is equivalent to granting access to the file.
- Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI.
4. Term and Termination
- Term. This BAA is effective as of the Effective Date and shall remain in effect for the duration of the Covered Entity's Professional plan subscription, unless earlier terminated as provided herein.
- Termination for Cause. Either Party may terminate this BAA if it determines that the other Party has violated a material term of this BAA. The terminating Party shall provide thirty (30) days written notice and an opportunity to cure the violation.
- Effect of Termination. Upon termination or expiration of this BAA, Business Associate shall, if feasible, return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make return or destruction infeasible. Files that have reached their configured expiration date are automatically and permanently deleted.
5. Miscellaneous
- Regulatory References. Any reference in this BAA to a provision of HIPAA or the HITECH Act means the provision as in effect or as amended.
- Amendment. This BAA may be amended only by written agreement of both Parties. The Parties agree to negotiate in good faith any amendments necessary to ensure compliance with changes to HIPAA or the HITECH Act.
- Survival. The obligations of Business Associate under Section 4(c) of this BAA shall survive termination of this BAA.
- Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA and the HITECH Act.
- Governing Law. This BAA shall be governed by federal law, including HIPAA and the HITECH Act. To the extent not preempted by federal law, the laws of the State of Maine shall apply.