Skip to content

Legal

Business Associate Agreement

Standard form · Last updated: July 14, 2026

Arkos signs a Business Associate Agreement with every practice we serve.

We publish our standard form so you can read exactly what we commit to before a sales conversation. This page is the standard form only — it becomes binding when executed as part of your services agreement with Arkos. Questions: privacy@arkosai.com.

1. Definitions

“Covered Entity” means the dental or healthcare practice executing this Agreement. “Business Associate” means Arkos AI, Inc. Capitalized terms used but not otherwise defined — including Protected Health Information (“PHI”), Breach, Security Incident, Subcontractor, Unsecured PHI, and Required by Law — have the meanings given in the HIPAA Rules (45 CFR Parts 160 and 164, as amended, including by the HITECH Act). PHI is limited to the information Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

2. Obligations of Business Associate

Business Associate agrees to:

  1. Not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law;
  2. Use appropriate safeguards — and comply with the HIPAA Security Rule (Subpart C of 45 CFR Part 164) with respect to electronic PHI — to prevent any use or disclosure of PHI other than as provided for by this Agreement;
  3. Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410, without unreasonable delay and in no case later than sixty (60) days after discovery, and any Security Incident of which it becomes aware;
  4. Ensure, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to that PHI;
  5. Make PHI in a Designated Record Set available to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524 (individual access);
  6. Make amendments to PHI in a Designated Record Set as directed or agreed by Covered Entity pursuant to 45 CFR 164.526;
  7. Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;
  8. To the extent Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of those obligations; and
  9. Make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

3. Permitted uses and disclosures

Business Associate may:

  1. Use and disclose PHI as necessary to perform the services set forth in the underlying services agreement with Covered Entity — including preparing and submitting insurance claims, working denials and appeals, posting payments, patient billing and communication, and related revenue-cycle work;
  2. Use and disclose PHI as Required by Law;
  3. Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, and disclose PHI for those purposes where the disclosure is Required by Law or where Business Associate obtains reasonable assurances of confidentiality, limited use, and breach notification from the recipient;
  4. Provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 CFR 164.504(e)(2)(i)(B); and
  5. De-identify PHI in accordance with 45 CFR 164.514(a)–(c); de-identified information is no longer PHI. Business Associate does not use PHI to train AI models except as permitted by this Agreement — see our AI and your data disclosure.

Business Associate will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of each use, disclosure, or request.

4. Obligations of Covered Entity

Covered Entity will notify Business Associate of any limitation in its Notice of Privacy Practices, any change in or revocation of an individual’s permission to use or disclose PHI, and any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, in each case to the extent it may affect Business Associate’s use or disclosure of PHI. Covered Entity will not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

5. Term and termination

  1. This Agreement is effective as of the date executed and terminates when all PHI is returned or destroyed, or when the underlying services agreement terminates, whichever is later.
  2. Either party may terminate this Agreement and the underlying services agreement if the other party materially breaches this Agreement and fails to cure the breach within thirty (30) days of written notice.
  3. Upon termination, Business Associate will return or destroy all PHI received from or created on behalf of Covered Entity that it still maintains, and retain no copies. If return or destruction is infeasible, Business Associate will extend the protections of this Agreement to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible, for as long as it maintains the PHI.

6. Miscellaneous

  1. A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or as amended.
  2. The parties agree to take such action as is necessary to amend this Agreement from time to time as required for compliance with the HIPAA Rules.
  3. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
  4. Nothing in this Agreement is intended to confer any rights or remedies on any third party, including any patient or individual whose PHI is processed under it.

Requesting an executed BAA

The executed BAA is part of onboarding — before Arkos touches any practice data. To start, or to ask anything about this form, email privacy@arkosai.com or use the contact page.