Legal

HIPAA Business Associate Agreement

Published: June 20, 2026  ·  Customer-review version; effective only when signed or incorporated

1. Important Status Notice

This page provides Business Associate Agreement (“BAA”) terms for customer and counsel review. It is not effective unless Merba and the customer sign a BAA or incorporate it into a signed order form or agreement.

Merba provides controls for HIPAA-oriented workflows for U.S. covered entities and business associates when an appropriate BAA, PHI-eligible subprocessors, and required operational approvals are in place.

2. Relationship and Permitted Use

If a customer is a HIPAA covered entity or business associate and Merba processes protected health information on that customer's behalf, Merba may act as a business associate for the limited services described in the signed agreement.

Under a signed BAA, Merba uses or discloses PHI only to provide, secure, support, maintain, audit, export, delete, or troubleshoot the Service; to comply with law; to report incidents; or as otherwise allowed by that BAA and HIPAA.

PHI-capable operational records are processed through protected platform workflows such as tenant scoping, charting, approvals, exports, appointments, invoices, notifications, and payment-metadata routing. They are not a permitted input category for Merba's ad, market, or media-generation AI features.

Merba will not sell PHI, use PHI for third-party advertising, or use PHI for third-party model training.

3. Safeguards

  • Administrative, technical, and organizational safeguards for electronic PHI.
  • Tenant-scoped access controls and authenticated user sessions.
  • Audit logs for selected sensitive actions and denied attempts.
  • Incident-response procedures for suspected unauthorized access or disclosure.
  • Subprocessor and vendor review before PHI-eligible use.
  • Deterministic processing for PHI-capable charting, approval, export, appointment, invoice, notification, and payment-metadata workflows.
  • Provider-boundary controls that keep PHI-labeled payloads out of host AI calls unless expressly approved in writing.

4. Subcontractors and Reporting

Merba will require subcontractors that handle PHI under a signed BAA to agree to appropriate written restrictions and safeguards. Not every provider listed in the Subprocessor Register is approved for PHI. PHI-eligible provider status must be reviewed before HIPAA-covered use.

Merba will report suspected unauthorized use or disclosure of PHI to the customer without unreasonable delay and will provide available information needed for the customer's HIPAA breach assessment. Exact reporting windows and procedures should be defined in the signed BAA.

5. Access, Amendment, Accounting, and Termination

Merba will provide reasonable technical support for the customer's obligations involving access, amendment, accounting of disclosures, restrictions, and confidential communications, to the extent the relevant records are maintained in Merba and the request is technically feasible.

At termination, Merba will return, export, delete, or retain PHI according to the signed agreement, legal requirements, backup lifecycle, audit/security needs, and any infeasibility exception that applies.

6. Official HIPAA References

This BAA references official HHS materials for HIPAA Privacy Rule scope, covered entities, business associates, PHI, business associate contracts, access/amendment support, disclosure accounting, and safeguards.

7. Contact

HIPAA or BAA requests should be sent to privacy@merba.app.

    HIPAA Business Associate Agreement | Merba