Business Associate Agreement
1. Applicability
This page describes when a Business Associate Agreement (BAA) applies to engagements with dataCentury. A BAA is required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act when a Business Associate creates, receives, maintains, or transmits electronic protected health information (ePHI) on behalf of a Covered Entity.
dataCentury is a Business Associate when its services involve ePHI. Many of our engagements are purely advisory or involve infrastructure that is specifically architected to avoid contact with ePHI. In those cases, a BAA may not be required. We will assess this with you during the Discovery phase.
2. What our BAA covers
Our standard BAA addresses the following in accordance with 45 CFR § 164.504(e):
- Permitted uses and disclosures of ePHI
- Obligations to safeguard ePHI using appropriate administrative, physical, and technical safeguards
- Requirement to report breaches, security incidents, and impermissible disclosures without unreasonable delay
- Obligations of subcontractors who may encounter ePHI
- Individual rights of access and amendment
- Return or destruction of ePHI at termination
3. Scope of services covered
Services that typically require a BAA with dataCentury include:
- Server-side form handling pipelines where intake data may include PHI
- CRM integrations connecting patient intake to practice management systems
- Analytics configurations involving session data tied to appointment requests
- Any service where dataCentury personnel have access to systems containing ePHI
Services that typically do not require a BAA include:
- Strategic advisory and auditing engagements (no system access)
- Static website builds where forms route to HIPAA-compliant third-party services under their own BAAs
- HIPAA tracking architecture design where no ePHI flows through dataCentury infrastructure
4. Subcontractors and third-party services
Where our work involves subcontractors or third-party platforms that may encounter ePHI, dataCentury will ensure that appropriate BAAs are in place with those parties as required by 45 CFR § 164.502(e)(1)(ii). We will disclose all such subcontractors to you upon request.
5. Breach notification
In the event of a discovered breach of unsecured ePHI, dataCentury will notify the affected Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery, in accordance with 45 CFR § 164.410.
6. Requesting a BAA
To request a copy of our standard Business Associate Agreement, or to discuss whether your engagement requires one, contact us at:
We will respond within 2 business days. Execution of the BAA is a prerequisite to beginning any work that involves ePHI.
7. Limitation
This page is informational and does not constitute a signed Business Associate Agreement. It does not create binding legal obligations between dataCentury and any party. Only a fully executed BAA signed by both parties establishes those obligations.