Effective date: 2026-06-25. Last reviewed: 2026-06-25. Owner: Goliath Dynamics, Inc. — Privacy Officer.
This document is DocPost’s executable Business Associate Agreement (“BAA”) template. Covered-entity customers may execute the agreement below as written by countersigning the Cover Page; on countersignature the agreement is binding between the parties named on the Cover Page and is effective on the date stated there.
The template implements DocPost’s obligations as a business associate under the HIPAA Privacy and Security Rules, including 45 C.F.R. §§ 164.502(e) and 164.504(e) (business-associate contract requirements), 45 C.F.R. § 164.308(b) (business-associate contracts under the Security Rule), 45 C.F.R. § 164.314(a) (technical-safeguard requirements for the business-associate contract), and the provisions made directly applicable to business associates by section 13404 of the HITECH Act and the 2013 Omnibus Rule (78 Fed. Reg. 5566).
It is published as a Tier-0 (public) artifact so a covered entity and its counsel can review the operative provisions before requesting execution. The “request BAA” path on the E-signatures page routes the request to the Privacy Officer for countersignature.
The HIPAA standards and implementation specifications referenced by the operative provisions below include: 45 C.F.R. § 164.504(e)(2)(i) (permitted and required uses and disclosures); § 164.504(e)(2)(ii)(A) (no use or disclosure other than as permitted); § 164.504(e)(2)(ii)(B) (appropriate safeguards); § 164.504(e)(2)(ii)(C) (report unauthorized use or disclosure); § 164.504(e)(2)(ii)(D) (sub-contractor flow-down); § 164.504(e)(2)(ii)(E) (access support under § 164.524); § 164.504(e)(2)(ii)(F) (amendment support under § 164.526); § 164.504(e)(2)(ii)(G) (accounting support under § 164.528); § 164.504(e)(2)(ii)(H) (make practices available to the Secretary); § 164.504(e)(2)(ii)(I) (return or destruction on termination); § 164.504(e)(2)(iii) (covered entity’s representations and obligations); § 164.504(e)(4) (other arrangements); § 164.308(b)(3) (business-associate contracts and other arrangements); § 164.314(a)(2)(i)–(iii) (business-associate contract content for the Security Rule); § 164.410 (breach notification by a business associate); and § 160.103 (definitions).
This Business Associate Agreement (this “Agreement”) is entered into as of the Effective Date stated below by and between:
Business Associate: Goliath Dynamics, Inc., a Delaware corporation operating the DocPost service, with notice address 7901 4th St N, STE 300, St. Petersburg, FL 33702, United States, attention: Privacy Officer, privacy@goliathdynamics.com and security@goliathdynamics.com (“Business Associate”, “DocPost”).
Covered Entity: [Legal name of the covered entity] (“Covered Entity”), with notice address [street, city, state, postal code, country], attention: [HIPAA Privacy Officer or equivalent], [notice email address].
Underlying Agreement: The services agreement, order form, terms of service, or other written agreement under which Business Associate provides the DocPost service to Covered Entity (the “Underlying Agreement”), executed on or about [date].
Effective Date: This Agreement is effective on the date the last party to sign the Cover Page signs (the “Effective Date”).
The parties agree to the terms set out in §§1–14 below.
Covered Entity signature
Signature: ______________________________________________
Printed name: __________________________________________
Title: _________________________________________________
Date: __________________________________________________
Business Associate signature (Goliath Dynamics, Inc.)
Signature: ______________________________________________
Printed name: __________________________________________
Title: _________________________________________________
Date: __________________________________________________
(a) Capitalized terms used but not defined in this Agreement have the meanings given to them in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. parts 160 and 164 (collectively, the “HIPAA Rules”), as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the 2013 Omnibus Rule (78 Fed. Reg. 5566).
(b) “Business Associate” has the meaning given at 45 C.F.R. § 160.103 and, for purposes of this Agreement, refers to Goliath Dynamics, Inc. as identified on the Cover Page.
(c) “Covered Entity” has the meaning given at 45 C.F.R. § 160.103 and, for purposes of this Agreement, refers to the entity identified as such on the Cover Page.
(d) “Designated Record Set” has the meaning given at 45 C.F.R. § 164.501.
(e) “Electronic Protected Health Information” or “ePHI” has the meaning given at 45 C.F.R. § 160.103, limited to the information Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity.
(f) “Individual” has the meaning given at 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
(g) “Protected Health Information” or “PHI” has the meaning given at 45 C.F.R. § 160.103, limited to the information Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity.
(h) “Required by Law” has the meaning given at 45 C.F.R. § 164.103.
(i) “Secretary” means the Secretary of the United States Department of Health and Human Services or his or her designee.
(j) “Security Incident” has the meaning given at 45 C.F.R. § 164.304.
(k) “Subcontractor” has the meaning given at 45 C.F.R. § 160.103.
(l) “Underlying Agreement” has the meaning given on the Cover Page.
(m) “Unsecured PHI” has the meaning given at 45 C.F.R. § 164.402.
(n) “Breach” has the meaning given at 45 C.F.R. § 164.402.
(a) Service of Covered Entity. Business Associate may use and disclose PHI to perform the services for, or on behalf of, Covered Entity under the Underlying Agreement, provided the use or disclosure would not violate the HIPAA Privacy Rule if done by Covered Entity and would not violate the minimum-necessary policies and procedures of Covered Entity. This Agreement does not authorize any use or disclosure of PHI that the Underlying Agreement does not require or permit.
(b) Management and administration of Business Associate. Business Associate may use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities (45 C.F.R. § 164.504(e)(4)(i)(A)). Business Associate may disclose PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities, only where (i) the disclosure is Required by Law or (ii) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instance of which it is aware in which the confidentiality of the PHI has been breached (45 C.F.R. § 164.504(e)(4)(i)(B)).
(c) Data aggregation. Business Associate may use PHI to provide data-aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
(d) De-identification. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c). De-identified information is not subject to the HIPAA Rules and is not subject to this Agreement, but Business Associate’s general confidentiality and security obligations under the Underlying Agreement continue to apply.
(e) No other uses or disclosures. Business Associate will not use or further disclose PHI other than as permitted or required by this Agreement, or as Required by Law (45 C.F.R. § 164.504(e)(2)(ii)(A)).
(f) Marketing, sale, fundraising. Business Associate will not use or disclose PHI for marketing under 45 C.F.R. § 164.508(a)(3), will not sell PHI in violation of 45 C.F.R. § 164.502(a)(5)(ii), and will not engage in fundraising using PHI under 45 C.F.R. § 164.514(f), in each case except as specifically permitted by an authorization that satisfies 45 C.F.R. § 164.508 and that Covered Entity has obtained from the Individual.
(g) No AI training on PHI. Business Associate will not use PHI to train, fine-tune, or otherwise improve any machine-learning or generative AI model — whether operated by Business Associate or by a third party — except where the resulting model is operated only for the benefit of Covered Entity, the training is performed on PHI that has been de-identified under 45 C.F.R. § 164.514(a)–(c), or Covered Entity has specifically authorized the training in writing. This provision implements the no-AI-training posture stated in §6(i) and §10 of the Information Security Policy and §10 of the Privacy Policy.
Business Associate will use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by this Agreement. The operational safeguards Business Associate implements include those described in:
The version of each artifact in effect on the Effective Date governs unless and until Business Associate publishes a superseding version under the change-management procedure described in those artifacts.
Business Associate will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Security Incident of which Business Associate becomes aware and any Breach of Unsecured PHI as required by §4 below. Reports under this §3.2 are made in accordance with §4 and §13 of this Agreement.
Business Associate will, in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2), enter into a written agreement with each Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate, under which the Subcontractor agrees to substantially the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such PHI.
Where Business Associate maintains PHI in a Designated Record Set, Business Associate will, upon Covered Entity’s request, make such PHI available to Covered Entity (or, as directed by Covered Entity, to the Individual or the Individual’s designee) as necessary for Covered Entity to satisfy its access obligation at 45 C.F.R. § 164.524. Business Associate will respond to such a request within a reasonable period and in any event in time to allow Covered Entity to meet its statutory deadline.
Where Business Associate maintains PHI in a Designated Record Set, Business Associate will, upon Covered Entity’s request, make any amendment to such PHI that Covered Entity directs or agrees to under 45 C.F.R. § 164.526, in time to allow Covered Entity to meet its statutory deadline.
Business Associate will document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI under 45 C.F.R. § 164.528, and will, upon Covered Entity’s request, provide such documentation to Covered Entity (or, as directed by Covered Entity, to the Individual) in time to allow Covered Entity to meet its statutory deadline.
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for the purpose of the Secretary determining Covered Entity’s compliance with the HIPAA Rules.
Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
To the extent Business Associate carries out a Covered Entity obligation under Subpart E of 45 C.F.R. Part 164, Business Associate will comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation. With respect to ePHI, Business Associate will comply with the applicable provisions of Subpart C of 45 C.F.R. Part 164 made directly applicable to business associates by the HITECH Act and the 2013 Omnibus Rule, including the standards at 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, and 164.316.
Business Associate has not received any consideration in exchange for entering into this Agreement that would create an incentive for Business Associate to violate this Agreement, and Business Associate will not accept any such consideration.
(a) Successful Security Incidents. Business Associate will report to Covered Entity any Security Incident of which Business Associate becomes aware that constitutes a “successful” Security Incident — that is, any unauthorized access, use, disclosure, modification, or destruction of ePHI, or interference with system operations affecting ePHI, that meets the Security Incident definition at 45 C.F.R. § 164.304 — without unreasonable delay and in accordance with §4.2 below.
(b) Unsuccessful Security Incidents. The parties acknowledge and agree that this §4.1(b) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to Covered Entity is required. Such unsuccessful Security Incidents include, without limitation, pings and other broadcast attacks on the firewall, port scans, unsuccessful log-on attempts, denial-of-service attacks, and any combination of the above, so long as none of those incidents results in unauthorized access, use, or disclosure of ePHI.
(a) Maximum timeline. Following the discovery of a Breach of Unsecured PHI, Business Associate will notify Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery, as required by 45 C.F.R. § 164.410(b). Business Associate’s internal procedure, set out in §5 of the HIPAA Administrative Safeguards, targets initial notification within 14 calendar days where the facts allow.
(b) Discovery date (§ 164.410(a)(2)). A Breach is treated as discovered by Business Associate on the first day on which the Breach is known to Business Associate, or, by exercising reasonable diligence, would have been known to Business Associate (other than the person who committed the Breach). The Security Officer’s determination of the discovery date is recorded in the incident record.
(c) Content of the notification (§ 164.410(c)). To the extent the information is then available, the notification will include:
(d) Rolling supplementation. Business Associate will supplement the notification as the investigation develops, in accordance with 45 C.F.R. § 164.410(c)(2), and will not delay an initial notification within the 60-day window in order to assemble information that is not then available.
(e) Cooperation with downstream notification. Business Associate will cooperate with Covered Entity’s downstream notification obligations to Individuals (§ 164.404), to the media where applicable (§ 164.406), and to the Secretary (§ 164.408), and will provide information Covered Entity reasonably needs to fulfill them. Where a law-enforcement official requests delay of notification under § 164.412, Business Associate will honor the delay for the period stated by the official and document the request and the period in the incident record.
(f) Mitigation. Business Associate will take reasonable steps to mitigate, to the extent practicable, the harmful effects of the Breach that are known to Business Associate, in accordance with §3.8 above.
Notifications under this §4 are delivered to Covered Entity at the notice address stated on the Cover Page. Where the Cover Page notice address is unavailable or the Security Officer judges another channel necessary to meet the timeline, Business Associate may additionally notify Covered Entity through the contact path most recently used by Covered Entity to reach Business Associate’s Privacy Officer or Security Officer at privacy@goliathdynamics.com / security@goliathdynamics.com. Business Associate’s notice address for receiving notifications from Covered Entity is stated on the Cover Page.
(a) Notice of privacy practices. Covered Entity will notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
(b) Changes in or revocation of authorization. Covered Entity will notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
(c) Restrictions on use or disclosure. Covered Entity will notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(d) Permissible requests. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except (i) where Business Associate will use or disclose PHI for, and the contract includes provisions for, data-aggregation or management and administrative activities of Business Associate, in each case as set out in §2 above, and (ii) where the request is otherwise expressly permitted by the HIPAA Rules.
This Agreement is effective on the Effective Date and continues in effect until terminated under this §6 or until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with §6.3 below.
(a) By Covered Entity. If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate’s obligation under this Agreement, Covered Entity will take reasonable steps to cure the breach or end the violation, and where such steps are unsuccessful, Covered Entity may terminate this Agreement and (where feasible) the Underlying Agreement.
(b) By Business Associate. If Business Associate knows of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of Covered Entity’s obligation under this Agreement, Business Associate will take reasonable steps to cure the breach or end the violation, and where such steps are unsuccessful, Business Associate may terminate this Agreement and (where feasible) the Underlying Agreement.
(c) Reporting to the Secretary. Where neither termination nor a reported-to-the-Secretary path under 45 C.F.R. § 164.504(e)(1)(iii)(B) is feasible, the non-breaching party may report the problem to the Secretary.
(a) Return or destruction. Upon termination of this Agreement for any reason, Business Associate will, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, return to Covered Entity or destroy all such PHI in Business Associate’s possession that Business Associate still maintains in any form. Business Associate will retain no copies of the PHI other than as permitted by §6.3(b) below.
(b) Infeasibility of return or destruction. Where Business Associate determines that returning or destroying the PHI is infeasible — including PHI that is part of the audit trail, the certificate of completion, or other immutable evidence Business Associate retains under 45 C.F.R. § 164.316(b) and §3 of the HIPAA Technical Safeguards — Business Associate will provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon such notification, Business Associate will extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
(c) Survival. The obligations of Business Associate under this §6.3 survive the termination of this Agreement.
Each party will indemnify, defend, and hold harmless the other party and its officers, directors, employees, and agents from and against any and all losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to a breach by the indemnifying party of its obligations under this Agreement, including any fines, penalties, or assessments imposed by the Secretary or a state attorney general arising out of such breach. This §7 supplements, and does not limit, any indemnification provisions in the Underlying Agreement, and is governed in interpretation by the Underlying Agreement’s indemnification, limitation-of-liability, and notice provisions.
Each party’s liability arising out of or relating to this Agreement is governed by the limitation-of-liability provisions of the Underlying Agreement, except that no limitation in the Underlying Agreement limits a party’s obligations under §3.8 (mitigation), §4 (breach notification), §6.3 (return or destruction on termination), or §7 (indemnification), each of which is treated as an exclusion from any cap.
Where this Agreement conflicts with the Underlying Agreement with respect to the handling, use, disclosure, safeguarding, or breach notification of PHI, this Agreement controls. In all other respects, the Underlying Agreement controls. Where this Agreement conflicts with the HIPAA Rules, the HIPAA Rules control, and this Agreement is read to give effect to the HIPAA Rules to the maximum extent the parties’ words permit.
(a) HIPAA-compliant construction. Any ambiguity in this Agreement is resolved to permit Covered Entity and Business Associate to comply with the HIPAA Rules.
(b) Regulatory references. A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or as amended.
(c) Captions and headings. Captions and headings are for convenience only and do not affect the construction or interpretation of this Agreement.
(d) Severability. If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the remaining provisions remain in full force and effect to the maximum extent the parties’ words permit.
(e) No third-party beneficiaries. Except as expressly stated, nothing in this Agreement confers any rights or remedies on any person other than the parties.
The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the parties to comply with the requirements of the HIPAA Rules and any other applicable law. Any other amendment to this Agreement must be in writing and signed by both parties.
This Agreement is governed by, and construed in accordance with, the governing-law and venue provisions of the Underlying Agreement, except to the extent the HIPAA Rules or other federal law controls.
Notices under this Agreement are delivered to the notice address stated on the Cover Page for each party. Notices may be delivered by hand, by reputable overnight courier, or by email to the address stated on the Cover Page; an email notice is effective on the next business day after the email is sent provided no bounce or non-delivery notice is received. Either party may update its notice address by written notice to the other party.
This Agreement may be executed in counterparts, each of which is an original and all of which together constitute one and the same instrument. The parties intend this Agreement to be a record signed by both parties under the Electronic Signatures in Global and National Commerce Act (“ESIGN”, 15 U.S.C. §§ 7001 et seq.) and the Uniform Electronic Transactions Act (“UETA”) as adopted in the governing-law jurisdiction (or, in a jurisdiction that has adopted the Electronic Signatures and Records Act (“ESA”) in place of UETA, under ESA), and consent to execution by electronic signature delivered through the DocPost service or through any other reasonable electronic-signature mechanism.
To request execution of this Agreement against a specific Covered Entity, complete the Cover Page (Covered Entity name, notice address, notice contact, Underlying Agreement identifier and date) and either (a) send the completed Cover Page and any covered-entity-side redlines to privacy@goliathdynamics.com (subject line: “BAA request — [Covered Entity name]”), or (b) use the “Request BAA” path on the E-signatures page, which routes the request to the Privacy Officer. The Privacy Officer responds within five business days with a countersignable copy or with a substantive response to the redlines.
Goliath Dynamics, Inc.
Attn: Privacy Officer
7901 4th St N, STE 300
St. Petersburg, FL 33702
United States
Email: privacy@goliathdynamics.com
Security incidents and breach reports: security@goliathdynamics.com