Stedi has updated its BAA Effective April 14, 2025

PLEASE READ THIS BUSINESS ASSOCIATE ADDENDUM (“BAA”) CAREFULLY BEFORE USING THE SERVICES OFFERED BY STEDI, INC. (“STEDI”). BY INDICATING ACCEPTANCE OF THIS BAA THROUGH STEDI’S ONLINE ENROLLMENT PROCESS OR MUTUALLY EXECUTING OR OTHERWISE AGREEING VIA AN ONLINE SIGN-UP PROCESS TO ONE OR MORE ORDER FORMS WITH STEDI WHICH REFERENCE THIS BAA, YOU (“CUSTOMER”), AS OF SUCH DATE (THE “BAA EFFECTIVE DATE”), AGREE TO BE BOUND BY THESE TERMS. THIS BAA, WHICH SUPERSEDES ANY PREVIOUS BUSINESS ASSOCIATE AGREEMENT OR ADDENDUM BETWEEN THE PARTIES, AMENDS, SUPPLEMENTS, AND IS MADE A PART OF THE SERVICE TERMS, BY AND BETWEEN COVERED ENTITY AND BUSINESS ASSOCIATE, AS THE SAME MAY BE AMENDED FROM TIME TO TIME (THE “SERVICE TERMS”). IF YOU ARE USING STEDI’S SERVICES ON BEHALF OF A COMPANY, ORGANIZATION, OR OTHER LEGAL ENTITY, THEN YOU ACKNOWLEDGE THAT YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF SUCH ENTITY AND YOU REPRESENT AND WARRANT THAT YOU ARE AUTHORIZED TO BIND SUCH ENTITY TO THE TERMS OF THIS BAA. IF THE TERMS OF THIS BAA ARE CONSIDERED AN OFFER, ACCEPTANCE IS EXPRESSLY LIMITED TO SUCH TERMS.

The parties hereby agree as follows:

1. Integration, Applicability and Definitions

1.1: This BAA may be entered into independently of any order form governing Customer’s purchase of products or services from Stedi (“Order Form”). Once such an Order Form is entered into, this BAA, together with the Service Terms, will be incorporated therein unless otherwise agreed by the Parties in writing. If the parties engage in a proof of concept demonstration of services (“POC”) before accepting an Order Form, the POC shall be governed by this BAA and the Service Terms available at https://www.stedi.com/docs/legal/service-terms, which are incorporated herein by reference.

1.2: This BAA applies to the extent you are acting as a Covered Entity or Business Associate to create, receive, maintain or transmit PHI and where Stedi, as a result, is deemed under HIPAA to be acting as your Business Associate or Subcontractor. This BAA is applicable only to the HIPAA Account. You acknowledge that this BAA does not apply to any other accounts you may have now or in the future.

1.3: Unless otherwise expressly defined in this BAA, all capitalized terms in this BAA will have the meanings set forth in the Service Terms or in HIPAA.

  • The “HIPAA Account” means the Stedi Products used to create, receive, maintain or transmit any “protected health information” as defined in 45 C.F.R. § 160.103.
  • “HIPAA” means the Administrative Simplification Subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, and their implementing regulations.

2. Permitted and required uses and disclosures

2.1: Product offerings. Stedi may Use or Disclose PHI for or on behalf of you as permitted by the Service Terms, the POC, or this BAA or as required by law but shall not otherwise use or disclose any PHI. Stedi shall not, and shall assure that its directors, officers, employees, other agents, and contractors do not, use or disclose PHI received from, or created or received on behalf of you in any manner that would constitute a violation of HIPAA if so used or disclosed by you. To the extent Stedi carries out any of your obligations under HIPAA, Stedi shall comply with the requirements of HIPAA that apply to you in the performance of such obligations.

2.2: Administration and management of Stedi. Stedi may use and disclose PHI as necessary for the proper management and administration of Stedi, including data analysis necessary to review, improve or validate a product, feature or service offered in connection with the POC or Agreement, or to carry out Stedi’s legal responsibilities. Any Disclosures under this section will be made only if Stedi obtains reasonable assurances from the recipient of the PHI that the recipient will (a) hold the PHI confidentially, (b) Use or Disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient, and (c) notify Stedi of any instances of which it is aware in which the confidentiality of the information has been breached.

3. Obligations of Stedi

3.1: Stedi obligations conditioned on appropriate configurations. For any of your accounts other than (a) the HIPAA Account assigned to you upon completion of this BAA, and (b) HIPAA Accounts that you have requested in writing and received written confirmation of acceptance from Stedi, Stedi will have no obligations under this BAA.

3.2: Limit on uses and disclosures. Stedi will use or disclose PHI only as permitted by this Addendum or as required by law, provided that any such use or disclosure would not violate HIPAA if done by a Covered Entity, unless permitted under HIPAA for a Business Associate.

3.3: Safeguards. Stedi will use reasonable and appropriate safeguards to prevent Use or Disclosure of the PHI other than as provided for by this BAA, consistent with the requirements of Subpart C of 45 C.F.R. Part 164 (with respect to Electronic PHI) as determined by Stedi.

3.4: Reporting. For all reporting obligations under this BAA, the parties acknowledge that Stedi’s obligations to provide information about the identities of the individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach will be limited to the extent Stedi does not know the nature of PHI contained in any of your accounts.

  • 3.4.1: Reporting of impermissible uses and disclosures. Stedi shall after becoming aware of any acquisition, access, use, or disclosure of PHI in violation of this BAA by Stedi, its employees, other agents or contractors or by a third party to which Stedi disclosed PHI, report the acquisition, access, use, or disclosure to you without unreasonable delay.
  • 3.4.2: Reporting of security incidents. Stedi will report to you without unreasonable delay, no later than five (5) business days, any Security Incidents involving PHI of which Stedi becomes aware; provided, however, that the parties acknowledge and agree that this Section 3.4.2 constitutes notice by Stedi to you of the ongoing existence and occurrence of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Stedi’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, interception of encrypted information where the key is not compromised, or any combination of the above, so long as no such incident results in unauthorized access, use, disclosure, modification or destruction of Electronic PHI or intentional interference with system operations in an information system that contains Electronic PHI.
  • 3.4.3: Reporting of breaches. Stedi will report to you any Breach of your Unsecured PHI of which Stedi becomes aware to the extent required by 45 C.F.R. § 164.410. Stedi will make such a report available without unreasonable delay, in accordance with 45 C.F.R. § 164.410, and report to you no later than five (5) business days after a determination of a breach is made.

3.5: Subcontractors. Stedi will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Stedi enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a) that include restrictions and conditions at least as stringent as those found in this BAA, and agree to implement reasonable and appropriate safeguards to protect PHI.

3.6: Access to PHI. To the extent that Stedi maintains a Designated Record Set, Stedi will make PHI in a Designated Record Set available to you so that you can comply with 45 C.F.R. § 164.524.

3.7: Amendment to PHI. To the extent that Stedi maintains a Designated Record Set, Stedi will make PHI in a Designated Record Set available to you for amendment and incorporate any amendments to the PHI, as may reasonably be requested by you in accordance with 45 C.F.R. § 164.526.

3.8: Accounting of Disclosures. Stedi will make available to you the information required to provide an accounting of Disclosures in accordance with 45 C.F.R. § 164.528 of which Stedi is aware, if requested by you. Because Stedi cannot readily identify which Individuals are identified or what types of PHI are included in Content you or any End User (a) run on the Products, (b) cause to interface with the Products, or (c) upload to the Products under your account or otherwise transfer, process, use or store in connection with your account (“Customer Content”), you will be solely responsible for identifying which Individuals, if any, may have been included in Customer Content that Stedi has disclosed and for providing a brief description of the PHI disclosed.

3.9: Internal records. Stedi will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) for purposes of determining your compliance with HIPAA. Nothing in this section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information. Upon your written request made not more than once per calendar year and with reasonable advance notice, Stedi shall complete a reasonable written assessment or questionnaire concerning Stedi’s compliance with this addendum and security measures for PHI.

4. Your obligations

4.1: Identification of the HIPAA Account(s). Upon acceptance of this BAA, you will be issued a Stedi account that is eligible to contain “protected health information” as defined in 45 C.F.R. § 160.103. You may request that additional accounts be designated as HIPAA Accounts from time to time.

4.2: Appropriate use of the HIPAA Account. You are responsible for implementing appropriate privacy and security safeguards in order to protect your PHI in compliance with HIPAA and this BAA.

4.3: Necessary consents. You warrant that you have obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing Customer Content, including without limitation PHI, on the Stedi platform.

4.4: Restrictions on disclosures. You will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Stedi to violate this BAA or any applicable law.

4.5: Compliance with HIPAA. You will not request or cause Stedi to make a Use or Disclosure of PHI in a manner that does not comply with HIPAA or this BAA. When disclosing, or arranging for the disclosure of, PHI to Stedi, you are obligated to meet the requirements of HIPAA. You may only provide access to, disclose, reproduce, distribute, display, or otherwise use PHI in a manner consistent with the Service Terms and this BAA.

5. Term and termination

5.1: Term. The term of this BAA will commence on the BAA Effective Date and will remain in effect with respect to the HIPAA Account until the earlier of (a) the termination of the Services, or (b) termination of this BAA by either party as set forth in Section 5.2 below.

5.2: Termination. You have the right to terminate this BAA for any reason upon notice to Stedi. Stedi has the right to terminate this BAA for any reason upon 90 days prior written notice to you. A material breach of this BAA will be treated as a material breach of the Service Terms.

5.3: Effect of termination. Upon termination of this BAA, Stedi shall return or destroy all PHI received from, or created or received on behalf of you which Stedi still maintains in any form. Stedi shall not retain any copies of such PHI; provided, however, that Stedi may maintain de-Identified Data post-termination. Notwithstanding the foregoing, to the extent that Stedi reasonably determines that it is not feasible to return or destroy such PHI, the terms and provisions of this BAA shall survive expiration or termination of this BAA and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI. Termination of this BAA will not terminate any other Stedi Business Associate BAA(s) then in place between you and Stedi with respect to any account other than the HIPAA Account, and such other Stedi Business Associate BAA(s) will remain in effect until terminated in accordance with their respective terms.

6. No agency relationship

Nothing in this BAA is intended to make either party an agent or employee of the other. The parties acknowledge and agree that Stedi is at all times acting as your independent contractor. Nothing in this BAA is intended to confer upon you the right or authority to control Stedi’s conduct in the course of Stedi complying with the POC, Agreement and BAA.

7. Nondisclosure

You agree that the terms of this BAA are not publicly known and constitute Confidential Information under the Service Terms as applicable.

8. Entire agreement; conflict

This BAA, together with any Order Form and the Service Terms: (a) is intended by the parties as a final, complete, and exclusive expression of the terms of their agreement; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof. Stedi will not be bound by, and specifically objects to, any term, condition, or other provision which is different from or in addition to the provisions of this BAA (whether or not it would materially alter this BAA) and which is submitted by you in any order, receipt, acceptance, confirmation, correspondence or another document. Notwithstanding anything else, all disclaimers of warranties and limitations or exclusions of liability set forth in the Service Terms (including, without limitation, any provisions limiting the amount or types of recoverable damages) apply in full to this BAA and to the parties’ performance or obligations under this BAA.

9. Mutual Authority to Contract

Each party represents and warrants that it is a duly organized, validly existing legal entity with the full power and authority to enter into and perform its obligations under this BAA. Each party further represents and warrants that the individual accepting on its behalf has the authority to bind the entity to these terms.

10. Modification

From time to time, Stedi may modify the terms of the Stedi Business Associate BAA that it offers to its customers, but no modification or amendment of any portion of this BAA will be effective unless it is accepted by you and by Stedi.

11. No Third-Party Beneficiaries

Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Stedi, you and the parties’ permitted successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

12. Construction

This BAA shall be construed as broadly as necessary to implement and comply with HIPAA. Any ambiguity in this BAA shall be resolved in favor of a meaning that complies with HIPAA.

13. Notices

All notices required to be given to either party under this BAA will be in writing sent via confirmed email.

  • If to Stedi: security@stedi.com
  • If to you: the email address associated with your account at the time the notice is to be sent.

All notices, requests, consents, and other communications hereunder shall be in English and shall be deemed to have been received at the time that receipt of the email has been acknowledged by written confirmation or otherwise.
