Business Associate Agreement (BAA)

Effective: March 3, 2026
Updated: March 3, 2026
Version 1.0

(SOA Vault & ACA Vault)

Last Updated: March 3, 2026

This Business Associate Agreement (“BAA”) is entered into between Ardor Service LLC d/b/a Informed + Choice (“Business Associate” or “Informed + Choice”) and the User of the Services (“Covered Entity” or “Agent”). This BAA is incorporated by reference into the Informed + Choice Terms of Service.

WHEREAS, Business Associate provides the software platform known as HealthLink Secure, which includes specific compliance modules marketed as SOA Vault and ACA Vault (collectively, the “Services”); and

WHEREAS, in the course of providing these Services, Business Associate may Create, Receive, Maintain, or Transmit Protected Health Information (“PHI”) on behalf of Covered Entity;

The parties agree as follows:

1. Definitions

Catch-all terms used but not defined in this BAA (e.g., Breach, Security Incident, Designated Record Set) shall have the same meaning as defined in the HIPAA Rules (45 CFR Parts 160 and 164).

2. Obligations of Business Associate

2.1 Security & Privacy

Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 (the Security Rule) to prevent Use or Disclosure of PHI other than as provided for by this BAA.

2.2 Prohibited Uses (No Data Mining or AI)

Business Associate expressly agrees that it shall not use, sell, or license PHI for:

  • Marketing purposes.
  • Training, fine-tuning, or developing machine learning models, Large Language Models (LLMs), or Artificial Intelligence systems.
  • Any data mining activities not strictly required for the delivery of the Services (e.g., PDF generation, audio compression).

2.3 Reporting

Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA, including any Security Incident or Breach of Unsecured PHI, without unreasonable delay and in no case later than 60 days after discovery.

2.4 Access and Amendment

To the extent Business Associate maintains a Designated Record Set (specifically, the SOA Vault and ACA Vault artifacts), it agrees to make PHI available to Covered Entity to fulfill Covered Entity’s obligations under 45 CFR § 164.524 and § 164.526.

2.5 Subcontractors

Business Associate shall ensure that any subcontractors that Create, Receive, Maintain, or Transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate.

  • Authorized Subcontractors: Covered Entity acknowledges and authorizes the use of Amazon Web Services (AWS) for secure storage and Twilio for telephony services, with whom Business Associate maintains valid BAAs.

3. Permitted Uses by Business Associate

3.1

Business Associate may Use or Disclose PHI as necessary to perform the Services defined in the Terms of Service (specifically: operating the HealthLink Secure platform, creating/storing SOA Vault and ACA Vault compliance documents, and processing associated audio recordings).

3.2

Business Associate may Use PHI for the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances that the information will remain confidential.

4. Obligations of Covered Entity (The Agent)

4.1 Valid Authorization

Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

4.2 Consent & TCPA Liability (Audio/Signing)

Covered Entity acknowledges that it is the sole initiator of all communications. Covered Entity warrants that:

  • It has obtained all necessary consents required by the Telephone Consumer Protection Act (TCPA) and applicable state two-party consent wiretapping laws prior to utilizing the Audio/Telephony features of the Service.
  • It is solely responsible for verifying the identity of the individual accessing Public Signing Links. Business Associate provides the technical token mechanism but does not verify the legal identity of the signer.

5. Term, Termination, and Data Retention

5.1 Term

This BAA is effective as of the date the Covered Entity creates a HealthLink Secure account and terminates when all PHI provided by Covered Entity is destroyed or returned to Covered Entity.

5.2 Termination for Cause

Covered Entity may terminate this BAA if it determines Business Associate has violated a material term of the BAA.

5.3 Effect of Termination (The Infeasibility Clause)

Upon termination of the Service, the Parties acknowledge that:

  • Regulatory Retention (CMS): Covered Entity is subject to CMS regulations (e.g., 42 CFR § 422.2274) requiring Scope of Appointment documentation and sales recordings be retained for ten (10) years.
  • Infeasibility of Destruction: Due to these regulatory requirements, it is infeasible for Business Associate to immediately destroy all PHI upon termination of the Service if Covered Entity has not yet exported and confirmed possession of such data.
  • Extended Protections: Therefore, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible (i.e., passive storage for compliance recovery) for the duration of the required retention period.

5.4 Vault Export & Liability Transfer

  • Business Associate provides a Vault Export tool allowing Covered Entity to retrieve all PHI stored in the SOA Vault and ACA Vault.
  • Upon Covered Entity’s specific confirmation of export and request for deletion (Confirm-Delete), Business Associate will securely destroy the contents of the Vaults (PDFs and Audio).
  • Liability Shift: Once Covered Entity has exported the data, Covered Entity assumes sole legal responsibility for maintaining the CMS-compliant WORM (Write Once, Read Many) copies for the remainder of the 10-year statutory period.

5.5 System Metadata & Redaction

Covered Entity acknowledges that while the primary artifacts (PDFs/Audio) will be destroyed upon request, Business Associate may retain specific System Metadata (audit logs, database records of transaction history) for its own legal defense and operational integrity. Business Associate warrants that:

  • Direct identifiers (names, phone numbers, emails, signatures) within System Metadata will be redacted or hashed upon Vault deletion.
  • Any residual metadata will remain subject to the protections of this BAA until legally permissible destruction.

6. Miscellaneous

6.1 Survival

The obligations of Business Associate under Section 5 (Data Retention) shall survive the termination of this Agreement.

6.2 Independent Contractor

Business Associate is an independent contractor and not an agent of Covered Entity.

Related Policies

Privacy Policy Terms & Conditions All Legal Documents Contact DPO