Business Associate Agreement

Effective Date: March 20, 2026  ·  Agreement Version: 1.0  ·  Governing Law: HIPAA / HITECH (45 CFR Parts 160, 162, 164)

HIPAA §164.314 — Business Associate Agreement

1. Definitions

The following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings given to them in HIPAA, HITECH, or their implementing regulations.

1.1 Business Associate

"Business Associate" means Syllabi, Inc. ("Syllabi"), providing learning management, compliance training, and related services to Covered Entity under an applicable service agreement.

1.2 Covered Entity

"Covered Entity" means the organization (identified during the signature process) that is a covered entity or business associate subject to HIPAA, which has engaged Syllabi for services that may involve access to Protected Health Information.

1.3 Protected Health Information (PHI)

"PHI" means individually identifiable health information as defined in 45 CFR §160.103, including ePHI (electronic PHI). For clarity, PHI that Syllabi may encounter through its services is limited to information uploaded or entered by Covered Entity's users in the course of using the Syllabi platform.

1.4 Service Agreement

"Service Agreement" means any written or electronic agreement between Syllabi and Covered Entity governing access to and use of the Syllabi platform.

2. Permitted Uses and Disclosures of PHI

2.1 Permitted Uses

Syllabi may use PHI only as necessary to:

  • Provide the services specified in the Service Agreement;
  • Perform data aggregation services on behalf of Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B);
  • Ensure the proper management and administration of Syllabi's operations;
  • Carry out legal responsibilities of Syllabi, provided such disclosures are required by law or Syllabi obtains reasonable assurances that the PHI will be held confidentially.

2.2 Prohibited Uses

Syllabi shall not use or disclose PHI:

  • In a manner that would violate HIPAA if done by Covered Entity, except as permitted below;
  • For Syllabi's independent marketing purposes;
  • To sell PHI, as defined under 45 CFR §164.502(a)(5)(ii);
  • For any purpose not specified in this Agreement or the Service Agreement.

2.3 Disclosure to Subcontractors

Syllabi may disclose PHI to its subcontractors and agents only if they agree in writing to restrictions and conditions at least as protective as those in this Agreement. Syllabi is responsible for ensuring subcontractors comply with HIPAA obligations. See Section 8 (Sub-Processors) for the current list.

3. Safeguards Maintained by Syllabi

Syllabi implements and maintains the following technical and administrative safeguards in accordance with HIPAA §164.312:

3.1 Technical Safeguards

  • Encryption in transit: All data transmitted between users and Syllabi is encrypted using TLS 1.2 or higher. HTTPS is enforced via HSTS (Strict-Transport-Security headers).
  • Encryption at rest: Database storage is provided by Neon, Inc. (PostgreSQL), which encrypts data at rest using AES-256. Backups are also encrypted.
  • Access controls: Role-based access control (RBAC) limits access to PHI to authorized personnel only. Org admins manage user roles and permissions.
  • Authentication hardening: Account lockout after a configurable number of failed login attempts (HIPAA Mode default: 5 attempts, 15-minute lockout). Password complexity requirements are enforced in HIPAA Mode.
  • Session timeout: Configurable per organization. HIPAA Mode enforces a maximum 15-minute inactivity timeout.
  • Audit logging: All access to PHI and all security events are logged in an append-only audit trail per 45 CFR §164.312(b). Audit logs are retained for a minimum of 6 years in HIPAA Mode.

3.2 Administrative Safeguards

  • Designated privacy and security contacts for breach response;
  • Workforce training on HIPAA Privacy and Security Rules;
  • Security risk analyses performed at least annually;
  • Minimum-necessary standard applied to all PHI access.

3.3 Physical Safeguards

Syllabi's infrastructure is hosted on cloud providers (Render, Inc. for compute; Neon, Inc. for database) that maintain SOC 2 Type II certifications and physical access controls for their data centers.

4. Breach Notification

4.1 Discovery and Investigation

Syllabi shall notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days following Syllabi's discovery of the breach, as required by 45 CFR §164.410. Syllabi's goal is to provide initial notification within 72 hours of discovery.

4.2 Notification Contents

Breach notifications shall include, to the extent known at the time:

  • Identity of each individual whose PHI was involved;
  • Description of what occurred, including the date of breach and discovery;
  • Types of PHI involved (e.g., names, diagnoses, treatment information);
  • Steps affected individuals should take to protect themselves;
  • What Syllabi is doing to investigate and mitigate harm;
  • Contact information for further questions.

4.3 Notification Channel

Syllabi will deliver breach notifications to the primary administrator email address on file. Covered Entity is responsible for maintaining current contact information in org settings.

5. Individual Rights

To the extent Covered Entity is required by HIPAA to enable individuals to exercise rights regarding their PHI (access, amendment, accounting of disclosures, restriction), Syllabi shall cooperate with Covered Entity to fulfill such requests within the timeframes required by HIPAA. Covered Entity is responsible for initiating and coordinating individual rights requests.

6. Covered Entity's Obligations

Covered Entity agrees to:

  • Provide Syllabi with notice of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to with individuals;
  • Not request that Syllabi use or disclose PHI in a manner that would violate HIPAA;
  • Obtain any necessary authorizations from individuals prior to providing PHI to Syllabi;
  • Enable HIPAA Mode in org settings to activate enhanced security controls;
  • Notify Syllabi of any breaches or security incidents Covered Entity discovers that may affect PHI held by Syllabi.

7. Termination

7.1 Termination for Cause

Either party may terminate this Agreement if the other party materially breaches a provision of this Agreement and fails to cure the breach within 30 days of written notice.

7.2 PHI Return or Destruction

Upon termination of the Service Agreement for any reason, Syllabi shall, at Covered Entity's direction:

  • Return: Provide a complete export of Covered Entity's data (including PHI) in a machine-readable format within 30 days; or
  • Destroy: Securely destroy all PHI in Syllabi's possession, using NIST SP 800-88-compliant methods, and provide written certification within 30 days.

If return or destruction is infeasible, Syllabi shall extend the protections of this Agreement to such PHI and limit further use or disclosure.

8. Sub-Processors

Syllabi uses the following sub-processors that may process PHI on behalf of Covered Entity:

Sub-Processor      Purpose                               Location
Render, Inc.       Cloud hosting and compute             United States
Neon, Inc.         PostgreSQL database                   United States
OpenAI, LLC        AI content generation (course text)   United States
Cloudflare, Inc.   CDN, DDoS protection, DNS             United States

Syllabi will provide at least 30 days' advance notice before adding new sub-processors that will process PHI, via email to the org's primary administrator.

9. Miscellaneous

9.1 Amendment

The parties agree to amend this Agreement as necessary to comply with changes in HIPAA, HITECH, or other applicable law. Syllabi may update this Agreement by providing 30 days' written notice to Covered Entity's primary administrator.

9.2 Survival

Syllabi's obligations under this Agreement shall survive the termination of the Service Agreement for as long as Syllabi retains PHI.

9.3 Entire Agreement

This Agreement, together with the Service Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior agreements, understandings, and negotiations.

9.4 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to conflicts of law principles, except where federal law (including HIPAA/HITECH) applies.

10. Contact

For HIPAA-related inquiries, breach notifications, or data requests, contact:

Privacy Officer, Syllabi, Inc.
Email: privacy@syllabi.com
Subject line: HIPAA Inquiry — [Organization Name]

By signing, you represent that you are authorized to enter into this agreement on behalf of your organization.