This BAA is offered as a procurement convenience. Plaintiff personal-injury firms are generally not Business Associates under HIPAA (see HHS FAQ 709). Pleadly provides this template so firms whose IT or procurement process requires a BAA on file can have one. Consult counsel for your specific circumstances — Pleadly does not provide legal advice.
Version: v1-2026-04
Effective: April 2026
This Business Associate Agreement (the “Agreement”) supplements the Pleadly Terms of Service between Pleadly Inc. (“Pleadly”) and the customer organization (“Covered Entity” or “Customer”). Capitalized terms not defined here have the meanings set forth in 45 C.F.R. §§ 160.103 and 164.501.
“PHI” means Protected Health Information, as defined under HIPAA, that Pleadly creates, receives, maintains, or transmits on behalf of Customer. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, as amended (including the HITECH Act and the Omnibus Rule). “Security Incident” has the meaning given in 45 C.F.R. § 164.304.
Pleadly may use and disclose PHI only as necessary to perform the services described in the Pleadly Terms of Service (the “Services”), as required by law, or as otherwise permitted by this Agreement. Pleadly will not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Customer.
Pleadly may use PHI for the proper management and administration of its own operations and to carry out its legal responsibilities, and may disclose PHI for those purposes only if (a) the disclosure is required by law, or (b) Pleadly obtains reasonable assurances from the recipient that the PHI will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed.
Pleadly will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI as required by 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316. These safeguards include, at minimum:
Pleadly will report to Customer any use or disclosure of PHI not permitted by this Agreement of which Pleadly becomes aware, including any Security Incident or Breach of Unsecured PHI as defined at 45 C.F.R. § 164.402. Reports will be made without unreasonable delay and in any event no later than thirty (30) calendar days after discovery, in accordance with 45 C.F.R. § 164.410.
For unsuccessful Security Incidents (e.g. pings, port scans, denial-of-service attempts that do not result in unauthorized access), the parties agree that ongoing reporting is not required; Pleadly will provide a summary in response to Customer’s reasonable request.
Pleadly will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Pleadly agrees in writing to substantially the same restrictions and conditions that apply to Pleadly under this Agreement, in accordance with 45 C.F.R. § 164.502(e)(1)(ii).
Pleadly will, within a reasonable time and at Customer’s request, (a) make PHI available to Customer to fulfill its obligations under 45 C.F.R. § 164.524, (b) make PHI available for amendment under 45 C.F.R. § 164.526, and (c) provide an accounting of disclosures under 45 C.F.R. § 164.528.
This Agreement is effective as of the date Customer’s authorized representative accepts it through the Pleadly compliance page and remains in effect for the duration of the underlying Services Agreement. Either party may terminate this Agreement upon material breach by the other party that is not cured within thirty (30) days of written notice.
Upon termination of the Services Agreement, Pleadly will return to Customer or destroy all PHI received from, or created or received by Pleadly on behalf of, Customer that Pleadly still maintains in any form. If return or destruction is infeasible (e.g. PHI embedded in immutable audit logs), Pleadly will extend the protections of this Agreement to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
This Agreement is governed by the laws of the State of California and supplements the Pleadly Terms of Service. In the event of a conflict between this Agreement and the Terms of Service with respect to PHI, this Agreement controls. The parties agree to amend this Agreement as necessary to comply with future changes to HIPAA or related law.
BAA acceptance happens inside your Pleadly admin console. Owners and admins can sign on behalf of their firm and download a countersigned copy for their procurement records.
Questions? Contact eric@pleadly.ai.