This page describes how WAVE TECHNOLOGIES LLC (the "Company") makes a Business Associate Agreement ("BAA") available to Customers that use the CareWave platform (the "Service") to create, receive, maintain, or transmit Protected Health Information ("PHI"). This page is informational only and is not itself a BAA. The Company and Customer enter into a binding BAA only through a separately executed written agreement signed by an authorized representative of each party.
Capitalized terms used but not defined here have the meanings given in the executed BAA, the HIPAA Compliance overview, or 45 CFR 160.103.
1. Why a BAA Is Required
Under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and 45 CFR 164.504(e), a Covered Entity may not allow a Business Associate to create, receive, maintain, or transmit PHI on its behalf until the parties have entered into a written agreement containing the required Business Associate provisions. The same requirement flows down to Subcontractor relationships between Business Associates and their delegates.
When Customer uses the Service to transmit PHI, the Company acts as a Business Associate. Customer must execute a BAA with the Company before transmitting any PHI through the Service. Use of the Service in violation of this requirement is a material breach of the Terms of Service.
2. Who Needs a BAA with CareWave
Customers that should execute a BAA with the Company include, without limitation:
- home-care and home-health agencies that are themselves Covered Entities under HIPAA;
- staffing agencies and other service organizations that act as Business Associates of hospitals, health systems, payors, or other Covered Entities; and
- any other Customer that creates, receives, maintains, or transmits PHI through the Service on behalf of a Covered Entity.
Customers that do not transmit PHI through the Service do not need a BAA. The Company does not, however, monitor or restrict the content Customers upload, and Customer remains responsible for ensuring it has a BAA in place before transmitting PHI.
3. What the BAA Covers
The Company's standard BAA addresses the obligations required by 45 CFR 164.504(e) and 164.314(a), including:
- Permitted Uses and Disclosures. The Company may use and disclose PHI only as necessary to perform the services described in the underlying Order Form and Terms of Service, as required by law, or as otherwise expressly permitted by the BAA.
- Prohibited Uses. The Company will not sell PHI or use PHI for marketing, except as permitted under HIPAA and with Customer's prior written authorization.
- Minimum Necessary. The Company will limit its requests for, uses of, and disclosures of PHI to the minimum necessary to accomplish the intended purpose.
- Safeguards. The Company will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, consistent with 45 CFR Part 164, Subpart C.
- Reporting. The Company will report to Customer, without unreasonable delay, any use or disclosure of PHI not permitted by the BAA, any Security Incident of which the Company becomes aware, and any Breach of unsecured PHI in accordance with 45 CFR 164.410.
- Subcontractors. The Company will require its Subcontractors that create, receive, maintain, or transmit PHI on the Company's behalf to agree in writing to the same restrictions and conditions that apply to the Company.
- Individual Rights. The Company will reasonably cooperate with Customer to make PHI available to individuals for inspection, amendment, and accounting of disclosures as required by 45 CFR 164.524, 164.526, and 164.528.
- HHS Access. The Company will make its internal practices, books, and records relating to its use and disclosure of PHI available to the Secretary of HHS for purposes of determining Customer's compliance with the Privacy Rule, subject to attorney-client and other applicable privileges.
- Term and Termination. Either party may terminate the BAA for material breach uncured for thirty (30) days after written notice. The BAA terminates automatically upon termination of the underlying services agreement.
- Return or Destruction of PHI. Upon termination of the BAA, the Company will, to the extent feasible, return or destroy all PHI received from, or created or received by the Company on behalf of, Customer. To the extent return or destruction is infeasible, the Company will extend the protections of the BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for as long as the Company maintains the PHI.
4. Process to Execute a BAA
The Company makes its standard BAA available on request. To initiate the BAA process, an authorized representative of Customer should email hello@carewave.us with the following information:
- Customer's full legal entity name and state of formation;
- the name, title, and email address of the individual authorized to sign the BAA on Customer's behalf;
- a brief description of the categories of PHI Customer anticipates transmitting through the Service (for example, caregiver visit records, client clinical notes, scheduled services);
- Customer's status under HIPAA (Covered Entity, upstream Business Associate, or both); and
- the requested effective date.
The Company will issue a BAA for signature within five (5) business days of receiving a complete request. The Company will accept electronic signatures.
Customer's legal counsel may propose reasonable revisions to the standard BAA. The Company reserves the right to decline changes inconsistent with its standard practices or with HIPAA.
5. Modifications
The Company may amend the standard BAA from time to time to comply with changes in HIPAA, the HITECH Act, applicable HHS guidance, or applicable state law. The Company will provide Customer with at least thirty (30) days' prior written notice of any material amendment, except where a shorter period is required by law.
6. Subcontractors
The Company maintains written Business Associate agreements with each of its Subcontractors that create, receive, maintain, or transmit PHI on the Company's behalf, as required by 45 CFR 164.502(e)(1)(ii) and 164.308(b). A current list of Subcontractors handling PHI, including their categories of service, is available to Customer on request and subject to non-disclosure obligations.
7. No Click-through
Nothing on this page, in the Service, in the Terms of Service, in the Privacy Policy, or in the HIPAA Compliance overview constitutes a binding Business Associate Agreement between the Company and any Customer. A BAA is binding only when both parties have executed a written agreement, signed by an authorized representative of each. Access to or use of the Service does not, by itself, create a Business Associate relationship and does not authorize Customer to transmit PHI through the Service.
8. Conflicts
In the event of any conflict between an executed BAA and any other agreement between the parties (including the Terms of Service or any Order Form) regarding the use or disclosure of PHI, the executed BAA controls.
Contact Us
To request a BAA, ask questions about this program, or report a suspected Breach of unsecured PHI, contact us by email at hello@carewave.us.