Business Associate Agreement
HIPAA Compliance Template
Effective: June 1, 2026
Status (as of the effective date above): Inactive. MySummitKeep does not currently store, process, or transmit Protected Health Information (PHI) through the Service. The Service does not currently include health-record functionality. This BAA is published as a forward-looking framework that will activate (a) if and when health-record functionality is added to the Service, and (b) when Customer executes this BAA under Section 0.2 and confirms it is a HIPAA Covered Entity or Business Associate under Section 0.1. Until then, no business associate relationship exists between Customer and MySummitKeep, no PHI is being processed, and Customer should not rely on this BAA as creating HIPAA obligations between the Parties.
This Business Associate Agreement (“BAA” or “Agreement”) is entered into by and between the entity or individual identified as the customer in the applicable MySummitKeep subscription agreement (“Covered Entity”) and MySummitKeep LLC, a Florida limited liability company (“Business Associate”), collectively the “Parties.” This BAA supplements and is incorporated into the Terms of Service and/or Cloud Service Agreement (the “Underlying Agreement”) between the Parties.
Note. This BAA applies only where Customer is a “Covered Entity” or “Business Associate” as defined under HIPAA. Most Scouting America volunteer units (troops, packs, crews, ships) are not HIPAA Covered Entities. Where Customer is not a Covered Entity, this BAA does not apply, and Customer’s health-related data is governed by the standard data security and confidentiality commitments in the Cloud Service Agreement, DPA, and Privacy Policy. To execute this BAA, see Section 0.
0. Eligibility and Application of This BAA
0.1 Customer Representation
By executing this BAA, Customer represents and warrants that it is either:
- a “Covered Entity” as defined in 45 CFR § 160.103, meaning a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted a standard; or
- a “Business Associate” of a Covered Entity, where MySummitKeep is being engaged as a downstream business associate (in which case this BAA shall be deemed a downstream business associate agreement under 45 CFR § 164.502(e)(1)(ii)).
0.2 Execution
This BAA is not automatically incorporated by acceptance of the Terms of Service. It takes effect only when (a) executed by an authorized representative of Customer through a signed counterpart, or (b) accepted by Customer through the in-app Compliance → HIPAA → Activate BAA workflow, which requires the Customer’s administrator to affirm Section 0.1 and complete an identity-verification step.
0.3 If Customer Is Not a Covered Entity
If Customer is not a Covered Entity or Business Associate, this BAA does not apply and Customer should not execute it. Personal information that Customer uploads to the Service will remain protected by the technical, organizational, and contractual measures described in the Privacy Policy, the DPA, and the Cloud Service Agreement, but the HIPAA framework will not apply between the Parties.
0.4 Current Product Scope
As of the effective date above, MySummitKeep does not store, process, or transmit PHI. The Service collects and processes Personally Identifiable Information (e.g., names, contact information, advancement records, BSA member IDs) but does not collect medical, health, or BSA Annual Health and Medical Record data. The technical safeguards described in Section 2.2 below will be implemented before health-record functionality is enabled and this BAA is activated.
1. Definitions
Capitalized terms used but not otherwise defined here have the meanings ascribed to them in the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act, and their implementing regulations at 45 CFR Parts 160 and 164 (“HIPAA Rules”).
- “Protected Health Information” or “PHI” has the meaning at 45 CFR § 160.103.
- “Electronic Protected Health Information” or “ePHI” has the meaning at 45 CFR § 160.103.
- “Breach” has the meaning at 45 CFR § 164.402.
- “Security Incident” has the meaning at 45 CFR § 164.304.
- “Designated Record Set” has the meaning at 45 CFR § 164.501.
- “Subcontractor” has the meaning at 45 CFR § 160.103.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the Underlying Agreement, or as required by law. Business Associate may use or disclose PHI solely:
- To perform functions, activities, or services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.
- For the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that any disclosures are required by law or Business Associate obtains reasonable written assurances from any third party that PHI will be held confidentially and used only as required by law.
- To provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
- To de-identify PHI in accordance with 45 CFR § 164.514(a)–(c).
2.2 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by 45 CFR §§ 164.308, 164.310, and 164.312.
Planned Health Data Encryption and Access Controls (Applicable Upon Activation). When health-record functionality is enabled and this BAA is activated under Section 0.2, MySummitKeep will protect health-related data using multiple layers of security:
- Health data fields will be encrypted at rest using AES-256.
- All data is encrypted in transit via TLS 1.2+.
- Azure SQL Transparent Data Encryption (TDE) protects database storage at the infrastructure level.
- Access to designated health fields will require role-based authorization; only users with a Leader or Admin role will be able to view or modify health records.
- All health data access will be audit-logged.
Until activation, no PHI is processed and the safeguards above are not currently in operation for PHI (general data security measures described in the Privacy Policy, DPA, and CSA remain in effect for all Customer Data).
2.3 Subcontractors
Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to materially equivalent restrictions, conditions, and requirements that apply to Business Associate under this BAA, in accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), including (a) appropriate safeguards, (b) breach-notification flow-down, and (c) the obligation to flow down equivalent obligations to its own Subcontractors. Business Associate remains liable for its Subcontractors’ performance.
2.4 Breach and Security Incident Reporting
Business Associate shall report to Covered Entity:
- Initial notification of a Breach of Unsecured PHI: within seventy-two (72) hours of discovery, with available information.
- Substantive Breach report: within ten (10) business days of discovery, including (to the extent available) the identification of affected individuals, the nature of the Breach, types of PHI involved, mitigation actions, and contact information.
- Successful Security Incidents: without unreasonable delay.
- Unsuccessful Security Incidents (e.g., pings, port scans, unsuccessful login attempts): aggregated and provided on Covered Entity’s written request, no more frequently than quarterly.
The timelines in this Section are designed to allow Covered Entity to meet its sixty (60) day individual-notice obligation under 45 CFR § 164.404 with margin. Reporting under this Section 2.4 does not constitute an admission of fault or liability by Business Associate.
2.5 Access to PHI
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within fifteen (15) business days of receiving a written request from Covered Entity, make available such PHI for purposes of satisfying Covered Entity’s obligations under 45 CFR § 164.524.
2.6 Amendment of PHI
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within fifteen (15) business days of receiving a written request, make amendments as directed by Covered Entity pursuant to 45 CFR § 164.526.
2.7 Accounting of Disclosures
Business Associate shall maintain and make available the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate shall make such information available within thirty (30) days of a written request.
2.8 Government Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity’s compliance with the HIPAA Rules.
2.9 Minimum Necessary
Business Associate shall request, use, and disclose only the minimum amount of PHI necessary, in accordance with 45 CFR §§ 164.502(b) and 164.514(d).
2.10 Mitigation
Business Associate shall mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this BAA.
3. Obligations of Covered Entity
Covered Entity shall:
- Notify Business Associate of any limitations in its notice of privacy practices under 45 CFR § 164.520 that may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, where such changes may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, where such restrictions may affect Business Associate’s use or disclosure of PHI.
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
4. Term and Termination
4.1 Term
This BAA shall be effective as of the date of execution and shall remain in effect for the duration of the Underlying Agreement, unless sooner terminated.
4.2 Termination for Cause
Either Party may terminate this BAA if it determines that the other Party has materially violated this BAA. The non-breaching Party shall provide written notice and afford the breaching Party thirty (30) days to cure. If the breach is not cured, the non-breaching Party may terminate this BAA and, in the case of an uncured breach by Business Associate that constitutes a material breach of HIPAA, the Underlying Agreement.
4.3 Effect of Termination
Upon termination, Business Associate shall, at the direction of Covered Entity, return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further use and disclosure to those purposes that make return or destruction infeasible.
5. State Privacy and Breach Law Cooperation
Business Associate acknowledges that Covered Entity may be subject to state breach-notification laws in addition to HIPAA, including the Florida Information Protection Act (F.S. § 501.171), California Civil Code § 1798.82, and the New York SHIELD Act. Business Associate shall, on written request, provide Covered Entity with the information reasonably required to fulfill state-law notification obligations, including identification of affected residents by state, the categories of personal information involved, and the date(s) of the Breach.
6. Order of Precedence
In the event of a conflict between this BAA and the Underlying Agreement or the Data Processing Addendum with respect to PHI, this BAA controls. In the event of a conflict between this BAA and the HIPAA Rules, the HIPAA Rules control.
7. Miscellaneous
7.1 Regulatory References
A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
7.2 Amendment
The Parties agree to take such action as necessary to amend this BAA from time to time as necessary for compliance with the HIPAA Rules and any other applicable law.
7.3 Survival
The respective rights and obligations of Business Associate under Sections 2.4, 2.5–2.8, 4.3, and 5 shall survive the termination of this BAA.
7.4 Interpretation
Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
7.5 Governing Law
This BAA shall be governed by the laws of the State of Florida, without regard to its conflict-of-laws principles, to the extent not preempted by federal law.
7.6 Indemnification
To the extent permitted by law, Business Associate shall indemnify and hold Covered Entity harmless from third-party claims arising directly out of a Breach of Unsecured PHI to the extent caused by Business Associate’s material breach of this BAA. This indemnification is subject to the limitation of liability set forth in the Underlying Agreement, except that the cap shall not apply to liability arising from Business Associate’s gross negligence or willful misconduct.
7.7 Counterparts and Electronic Signatures
This BAA may be executed in counterparts, including electronically. Electronic signatures and in-app acceptance per Section 0.2 are valid and binding.
To request a signed counterpart: Email support@mysummitkeep.com with subject line “BAA execution request.”