Business Associate Agreement
Last updated: October 6, 2025
Overview
This Business Associate Agreement ("BAA") is entered into between COADIA, Inc DBA Mozu ("Business Associate") and the healthcare provider ("Covered Entity") using Mozu's services.
This BAA is required under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Definitions
- Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form
- Electronic Protected Health Information (ePHI): PHI transmitted or maintained in electronic form
- Security Incident: Attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI, or interference with the operation of a system that contains PHI (consistent with 45 CFR § 164.304)
- Breach: Unauthorized acquisition, access, use, or disclosure of PHI that compromises security or privacy
Obligations of Business Associate
COADIA, Inc DBA Mozu agrees to:
- Use and disclose PHI only as permitted by this Agreement and applicable law
- Implement appropriate safeguards to prevent unauthorized use or disclosure
- Report any security incident or breach to the Covered Entity
- Ensure any subcontractors agree to the same restrictions and conditions
- Make PHI available for access by individuals as required by HIPAA
- Make PHI available for amendment and incorporate amendments as directed
- Provide an accounting of disclosures as required by HIPAA
- Make internal practices and records available for compliance audits
- Return or destroy PHI upon termination of the Agreement
Permitted Uses and Disclosures
Business Associate may use or disclose PHI:
- To perform services as specified in the Service Agreement
- For proper management and administration of Business Associate
- To provide data aggregation services relating to healthcare operations
- As required by law
Data Analytics and Service Improvement
(a) De-identification Authority
Business Associate is authorized to use Protected Health Information (PHI) to create De-identified Information in accordance with the standards set forth in 45 CFR § 164.514(b).
(b) Rights to De-identified Data
The Parties agree that De-identified Information created in accordance with 45 CFR § 164.514(b) is not PHI and is not subject to the terms of this Agreement. Business Associate shall retain all right, title, and interest in and to such De-identified Information and may use it for any lawful purpose, including but not limited to:
- (i) Quality assurance and benchmarking;
- (ii) Training and improving artificial intelligence models; and
- (iii) Research and product development.
Security Measures
COADIA, Inc DBA Mozu implements the following security measures:
- Encryption: Encryption of all data in transit and at rest using industry-standard protocols and algorithms.
- Access Controls: Role-based access controls, unique user identification, and automatic logoff procedures.
- Audit Controls: Comprehensive logging and monitoring of all access to ePHI.
- Integrity Controls: Mechanisms to ensure ePHI is not improperly altered or destroyed.
Breach Notification
In the event of a breach of unsecured PHI, COADIA, Inc DBA Mozu will notify the Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notification will include, to the extent possible, the identification of each affected individual, a description of the breach, the steps taken to mitigate harm, and the corrective actions taken.
Term and Termination
This BAA is effective upon acceptance and remains in effect until:
- All PHI is returned or destroyed
- The underlying Service Agreement is terminated
- Either party terminates for material breach
Request a BAA
To request a signed Business Associate Agreement for your practice:
Contact COADIA, Inc DBA Mozu
Email: support@mozuhealth.com
Please include your practice name, contact information, and any specific requirements for your BAA.