CharterMD Business Associate Agreement
Last updated: 2026-06-02 · **Draft pending final review by licensed counsel.** Operative for current users; CharterMD will execute an updated BAA if required by law or counsel.
This Business Associate Agreement ("BAA") supplements the CharterMD Terms of Service and governs Protected Health Information ("PHI") that CharterMD LLC ("Business Associate") creates, receives, maintains, or transmits on behalf of the licensed provider or practice using the platform ("Covered Entity", "you"). It is required by the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164). Capitalized terms not defined here have the meanings in 45 CFR §§ 160.103 and 164.501.
By accepting this BAA at sign-up (recorded with its version, the date, and your IP address) you and CharterMD agree as follows.
1. Relationship of the parties
You are the Covered Entity; CharterMD is your Business Associate, handling PHI to provide the platform's scheduling, messaging, records, telehealth, billing-support, and related services. CharterMD's subcontractors — notably Microsoft Azure, which hosts the application, database, email, video, AI, and storage — act as CharterMD's subcontractor Business Associates under a separate Microsoft BAA.
2. Permitted uses and disclosures
CharterMD may use and disclose PHI only: (a) to perform the services in the Terms of Service, consistent with your instructions and law; (b) for CharterMD's proper management and administration or to carry out its legal responsibilities, provided any disclosure is Required by Law or the recipient is bound to protect the PHI and to notify CharterMD of breaches; (c) to provide data-aggregation services relating to your health-care operations as permitted by 45 CFR §164.504(e)(2)(i)(B); and (d) as Required by Law. CharterMD will not use or disclose PHI in a manner that would violate the Privacy Rule if done by you.
3. CharterMD's safeguards and obligations
CharterMD will:
- implement administrative, physical, and technical safeguards (including those required by the HIPAA Security Rule, 45 CFR §§164.308, 164.310, 164.312, 164.316) that reasonably and appropriately protect PHI, including electronic PHI;
- ensure any subcontractor that handles PHI on CharterMD's behalf agrees in writing to restrictions at least as protective as those here (flow-down);
- report to you any use or disclosure not permitted by this BAA, any Security Incident, and any Breach of Unsecured PHI of which it becomes aware, without unreasonable delay and within the timeframes of 45 CFR §164.410 — promptly enough for you to meet your 60-day individual-notification obligation;
- make PHI in a Designated Record Set available so you can meet access (45 CFR §164.524) and amendment (§164.526) obligations, and maintain information needed for an accounting of disclosures (§164.528);
- to the extent CharterMD carries out any of your Privacy Rule obligations, comply with the requirements that apply to you in doing so; and
- make its internal practices, books, and records relating to PHI available to the Secretary of HHS for determining compliance.
4. Your obligations
You will obtain any consents/authorizations required for the PHI you place in the platform, not request uses/disclosures that would violate HIPAA, and notify CharterMD of any limitation in your Notice of Privacy Practices, individual restriction, or revocation that affects CharterMD's permitted uses.
5. Term and termination
Effective when you accept it and continuing while CharterMD maintains PHI for you. On a known material breach, the non-breaching party will allow an opportunity to cure and, failing cure, may terminate.
6. Effect of termination
On termination CharterMD will, if feasible, return or destroy all PHI it maintains for you and retain no copies. Where infeasible (e.g., legally required retention or backups), CharterMD will extend this BAA's protections to that PHI and limit further use/disclosure to the purposes making return/destruction infeasible. Records you and your patients rely on remain available per the Terms of Service and retention law.
7. Miscellaneous
Regulatory references are to sections as amended. The parties will amend this BAA as needed to comply with changes in law; CharterMD may publish an updated version with a new effective date. Ambiguities are resolved to permit HIPAA compliance. No third-party beneficiaries. Section 6 survives termination.
8. Contact
HIPAA / privacy matters: privacy@chartermd.ai.