Business Associate Agreement
Last updated: June 2026 · Version 1.0
Scope
For customers that are HIPAA Covered Entities or Business Associates and whose use of the Services involves Protected Health Information ("PHI"), EVE NeuroSystems LLC ("EVE") will enter into a Business Associate Agreement ("BAA"). This page summarizes EVE's BAA and when it applies; the executable BAA is provided for signature on request at legal@eveaicore.com.
1. When a BAA Is Required
A BAA is required under the HIPAA Privacy and Security Rules when EVE creates, receives, maintains, or transmits PHI on behalf of a Covered Entity or another Business Associate. If your use of the Services will involve PHI, a BAA must be executed before PHI is submitted to the Services.
2. EVE's Role
Where EVE processes PHI on a customer's behalf, EVE acts as a Business Associate (or subcontractor Business Associate). The customer remains the Covered Entity or Business Associate responsible for its own HIPAA obligations, including the lawfulness of the PHI it transmits and limiting PHI to the minimum necessary.
3. What EVE's BAA Covers
EVE's BAA includes the provisions required by 45 C.F.R. § 164.504(e), including commitments to:
- Use and disclose PHI only as permitted by the BAA or as required by law;
- Implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule for electronic PHI;
- Report to the customer any use or disclosure not permitted by the BAA, any security incident, and any Breach of unsecured PHI, within defined timeframes;
- Ensure that subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions (flow-down);
- Make PHI available to support the customer's obligations regarding individual access, amendment, and an accounting of disclosures;
- Make internal practices, books, and records relating to PHI available to the Secretary of HHS for a determination of compliance;
- Return or destroy PHI at termination where feasible, and otherwise extend protections and limit further use; and
- Mitigate, to the extent practicable, any harmful effect of a use or disclosure not permitted by the BAA.
4. Technical Safeguards
The Services support HIPAA-aligned controls including encryption in transit and at rest, role-based access control with least privilege, tenant isolation, signed and hash-chained audit evidence, and customer-initiated deletion with signed deletion receipts. Details are available in the Security documentation and the DPA.
5. Important Limitations
- EVE does not provide a HIPAA "certification." HIPAA does not offer a government certification, and EVE does not claim one.
- The Services are not intended to process PHI except under an executed BAA. Do not submit PHI before a BAA is in place.
- Entering a BAA does not by itself make the customer compliant; the customer remains responsible for its own HIPAA Privacy, Security, and Breach Notification Rule obligations and for its policy configuration.
- This page is informational and is not legal advice. The executable BAA is the controlling document and is subject to mutual review and execution.
6. How to Request a BAA
To request EVE's BAA for review and signature, contact legal@eveaicore.com with your organization and intended use. The BAA is typically executed alongside the Master Services Agreement and DPA.
7. Contact
Questions about EVE's BAA or healthcare deployments can be sent to legal@eveaicore.com. See also the Legal Center, Security, and DPA.
Before submitting PHI
A BAA must be executed before any Protected Health Information is sent to the Services. Contact legal@eveaicore.com to begin.