Business Associate Agreement

Version 1.0  ·  Effective at account creation  ·  Last updated May 30, 2026
⚠ Draft template — pending legal review. This Business Associate Agreement is provided as a starting template. It must be reviewed and finalized by qualified legal counsel licensed in your jurisdiction before being relied upon in production. Nothing here is legal advice. Grove Health Inc. will replace this version with counsel-approved language; the version in force is the one recorded against your account at the time of acceptance.

This Business Associate Agreement ("Agreement" or "BAA") forms part of the Terms of Service between Grove Health Inc. ("Grove," "Business Associate") and the practice, clinic, practitioner, or organization that creates a Grove account ("Customer," "Covered Entity"). It governs Grove's handling of Protected Health Information on the Customer's behalf.

By creating a Grove account and affirmatively accepting this Agreement during signup, the Customer and Grove enter into a binding Business Associate Agreement as of the date and time of acceptance, which is recorded against the Customer's account.

1. Definitions

Terms used but not otherwise defined have the meanings given to them under the U.S. Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (the "HIPAA Rules"), including the Privacy Rule, Security Rule, and Breach Notification Rule.

2. Permitted Uses and Disclosures

Grove may use and disclose PHI only as necessary to perform the services described in the Terms of Service, as required by law, or as otherwise permitted by this Agreement and the HIPAA Rules. Grove will not use or disclose PHI in any manner that would violate the HIPAA Rules if done by the Customer, except as expressly permitted herein.

Grove may use PHI for its own proper management and administration and to carry out its legal responsibilities, and may aggregate and de-identify data in accordance with the HIPAA Rules.

3. Safeguards

Grove will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, including:

4. Subcontractors

Grove will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on Grove's behalf agrees in writing to restrictions and conditions at least as protective as those that apply to Grove under this Agreement.

5. Reporting of Breaches and Security Incidents

Grove will report to the Customer any use or disclosure of PHI not permitted by this Agreement, any Security Incident, and any Breach of unsecured PHI of which it becomes aware, without unreasonable delay and in any event consistent with the timelines required by the HIPAA Rules and applicable law.

6. Individual Rights

To the extent Grove maintains PHI in a designated record set, Grove will assist the Customer in responding to individuals' requests for access to, and amendment of, their PHI, and in providing an accounting of disclosures, as required by the HIPAA Rules.

7. Return or Destruction of PHI

Upon termination of the account, the Customer may export its data. Grove will, within a commercially reasonable period and consistent with the Terms of Service, return or securely destroy PHI it maintains, except where retention is required by law, in which case Grove will continue to protect such PHI for as long as it is retained.

8. Obligations of the Customer (Covered Entity)

The Customer will obtain any consents or authorizations required to disclose PHI to Grove, will not request Grove to use or disclose PHI in a manner that would not be permitted under the HIPAA Rules, and is responsible for the accuracy of the PHI it submits and for clinical decisions, which remain the responsibility of the licensed practitioner.

9. Data Residency

Customer data is hosted in the region corresponding to the Customer's country: the United States for U.S. practices; ca-central-1 (Canada) for Canadian practices; the United Kingdom / EU for UK practices; and ap-southeast-2 (Sydney) for Australian practices, as applicable and as may be updated from time to time.

10. Non-U.S. Jurisdictions — Data Processing Terms

For Customers outside the United States, this Agreement also serves as the data processing agreement between the Customer (as data controller) and Grove (as data processor) under, as applicable, Canada's PIPEDA and provincial health-information laws, the UK GDPR, and the Australian Privacy Act 1988 (APPs). Grove will process personal data only on the Customer's documented instructions and apply equivalent safeguards to those described above.

11. Term and Termination

This Agreement is effective upon acceptance and continues for as long as Grove maintains PHI on the Customer's behalf. Either party may terminate as provided in the Terms of Service. Sections that by their nature should survive termination (including safeguards and return/destruction obligations) survive.

12. Governing Law

This Agreement is governed by the laws of British Columbia, Canada, except that, with respect to PHI of U.S. individuals, the HIPAA Rules govern the parties' obligations regarding such PHI. Where applicable mandatory local law provides greater protection, that law controls.

13. Order of Precedence

If there is a conflict between this Agreement and the Terms of Service with respect to PHI, this Agreement controls to the extent of the conflict.

How this Agreement is accepted. When an authorized representative of the Customer creates a Grove account and checks the acceptance box for this Business Associate Agreement, that act constitutes the Customer's signature. Grove records the accepting account, the version of this Agreement, the date and time, and the originating IP address as evidence of acceptance.

14. Contact

Questions about this Agreement: hello@getgrovemd.com
Grove Health Inc. · British Columbia, Canada