Business Associate Agreement
Last updated: March 9, 2026
1. Parties
Covered Entity: The healthcare organization using ClinicWarden ("Covered Entity", "you", "your").
Business Associate: Shift Warden LLC d/b/a ClinicWarden ("ClinicWarden", "Business Associate", "we", "us").
2. Definitions
Protected Health Information (PHI) has the meaning given under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, including all regulations promulgated thereunder.
Business Associate performs certain functions and activities on behalf of the Covered Entity that involve the use or disclosure of PHI. As such, HIPAA requires the Covered Entity to receive satisfactory assurances that the Business Associate will appropriately safeguard PHI.
ClinicWarden operates as a Compliance Infrastructure Platform providing regulatory task tracking, compliance workflow automation, documentation management, supervisor approval tracking, and audit logging.
Important: ClinicWarden does NOT provide healthcare services, legal services, or compliance consulting. ClinicWarden is a technology platform only.
3. Services Provided
ClinicWarden provides the following services to the Covered Entity:
- Track regulatory compliance workflows
- Assign operational tasks to staff
- Store compliance documentation
- Maintain audit logs
- Generate operational compliance reports
ClinicWarden functions solely as a technology platform. The Covered Entity retains full responsibility for ensuring its own regulatory compliance.
4. Permitted Uses and Disclosures
Business Associate shall use PHI solely for the purpose of providing the platform services described in this Agreement and as permitted under HIPAA.
Business Associate shall not sell PHI, use PHI for marketing purposes, or disclose PHI outside the scope of the permitted services described herein.
5. Minimum Necessary Data Principle
The platform primarily uses Client Identifiers (Client IDs) rather than patient names to track compliance activities. Covered Entities are encouraged to store only the minimum information necessary to accomplish the intended purpose.
ClinicWarden does not require full medical records to operate. The platform is designed for compliance workflow management, not clinical documentation.
6. Safeguards
Business Associate shall implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, including:
Encryption
- In transit: All data is encrypted using TLS (Transport Layer Security)
- At rest: Data is encrypted using industry-standard encryption
Access Controls
- Role-based access control (RBAC)
- Authentication mechanisms
- Session management with automatic expiration
Audit Logging
- Immutable audit logs documenting access and actions within the platform
Infrastructure Security
- Continuous monitoring and logging for security incidents
7. Subcontractor Obligations
Any subcontractors or agents that access PHI on behalf of ClinicWarden will agree to the same restrictions and conditions that apply to the Business Associate under this Agreement.
A current list of sub-processors is maintained at clinicwarden.com/subprocessors and in the Data Processing Agreement at clinicwarden.com/dpa.
8. Breach and Security Incident Notification
Business Associate shall report successful Security Incidents (as defined in 45 CFR 164.304) to the Covered Entity without unreasonable delay.
Unsuccessful Security Incidents — including pings, port scans, unsuccessful log-in attempts, and denial-of-service attacks — shall be reported upon request or as part of periodic security summaries.
For breaches of unsecured PHI, notification will include:
- A description of the incident
- The type of PHI involved
- Mitigation steps taken
The Covered Entity retains responsibility for any required regulatory breach notifications.
9. Individual Rights
Business Associate shall make PHI maintained in a Designated Record Set available to the Covered Entity as necessary for the Covered Entity to satisfy its obligations under 45 CFR 164.524 (individual access) and 45 CFR 164.526 (amendments).
Business Associate shall respond to such requests within 15 business days.
10. Accounting of Disclosures
Business Associate shall make available information required for the Covered Entity to provide an accounting of disclosures in accordance with 45 CFR 164.528.
11. HHS Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining the Covered Entity's compliance with HIPAA.
12. Data Ownership and Access
The Covered Entity retains full ownership of all data entered into the ClinicWarden platform. ClinicWarden claims no ownership of customer data.
Covered Entities may export, download, or request deletion of their data at any time.
13. Data Return or Deletion
Upon termination, ClinicWarden shall securely delete all PHI within 30 calendar days of the Covered Entity's written request.
Any PHI that cannot feasibly be deleted (e.g., within encrypted backups) shall remain subject to the protections of this Agreement until destroyed.
14. Limitation of Role
ClinicWarden provides technology infrastructure only. ClinicWarden does NOT interpret laws, provide legal advice, compliance consulting, or medical services.
The Covered Entity is solely responsible for determining its own regulatory requirements and ensuring compliance with applicable laws and regulations.
15. Compliance Responsibility Disclaimer
Templates, workflows, and regulatory references provided within the platform are for informational and operational support only. Use of the platform does not guarantee regulatory compliance.
ClinicWarden does not review, validate, or guarantee the accuracy of documentation uploaded by the Covered Entity.
Covered Entities remain solely responsible for their own regulatory compliance.
16. Limitation of Liability
The total liability of ClinicWarden under this Agreement shall not exceed the fees paid by the Covered Entity in the twelve (12) months preceding the event giving rise to the claim.
ClinicWarden shall not be liable for regulatory enforcement actions, compliance violations, penalties, or loss of business revenue arising from the Covered Entity's use of the platform.
17. Indemnification
The Covered Entity shall indemnify, defend, and hold harmless ClinicWarden from and against any claims, damages, losses, or expenses arising from the Covered Entity's improper use of the platform, failure to comply with applicable regulations, or improper handling of PHI.
18. Audit Support
ClinicWarden maintains audit logs documenting compliance actions taken within the platform. These logs may be exported by the Covered Entity at any time.
ClinicWarden is not responsible for responding to regulatory audits on behalf of the Covered Entity.
19. Termination
Either party may terminate this Agreement upon material breach if the breach is not cured within 30 days of written notice.
This Agreement remains in effect for as long as the Covered Entity uses the ClinicWarden platform.
20. Governing Law
This Agreement shall be governed by the laws of the United States and the applicable jurisdiction of the Covered Entity.
21. Execution
This Agreement is available for execution via electronic signature. To request a signed BAA, contact founder@clinicwarden.com.
Company: Shift Warden LLC d/b/a ClinicWarden
Email: founder@clinicwarden.com