Business Associate Agreement.

When required under HIPAA, ZIA enters into a Business Associate Agreement with Covered Entities prior to receiving or accessing protected health information.

Last updated: February 11, 2026

Overview

Business Associate Relationship

Where required under HIPAA, ZIA enters into a Business Associate Agreement (BAA) with Covered Entities before receiving or accessing Protected Health Information (PHI). The BAA governs the permitted uses and disclosures of PHI and outlines our responsibilities under federal law.

Scope

Permitted uses and disclosures

PHI may be used or disclosed only in the following circumstances:

  • To perform services described in the agreement with the Covered Entity
  • As required by applicable law
  • For proper management and administration of ZIA, as permitted under HIPAA

PHI is never sold or used for marketing purposes. Access is limited strictly to what the service relationship requires.

Protections

Safeguards

Under the BAA, ZIA commits to:

  • Implementing appropriate administrative, physical, and technical safeguards
  • Protecting against unauthorized access, acquisition, use, or disclosure
  • Requiring subcontractors to agree to the same restrictions and conditions

Obligations

Reporting

ZIA agrees to:

  • Report any use or disclosure not permitted by the BAA
  • Report security incidents and potential breaches without unreasonable delay
  • Provide information necessary for the Covered Entity to meet breach notification obligations under HIPAA

Downstream partners

Subcontractors

Any subcontractor that creates, receives, maintains, or transmits PHI on ZIA's behalf is required to execute a written agreement imposing the same HIPAA compliance obligations as those binding ZIA.

Agreement lifecycle

Termination

If a material breach occurs and is not cured within a reasonable timeframe, the BAA permits termination of services as required under HIPAA regulations.

Ongoing posture

Compliance and cybersecurity

ZIA monitors regulatory updates and revises agreements and safeguards as necessary to stay aligned with evolving federal requirements, including anticipated updates to the HIPAA Security Rule.

Beyond baseline compliance, our security posture is strengthened through:

  • Routine policy reviews
  • Security awareness training
  • Incident response testing
  • Continuous monitoring of the technology environment

PHI protection is treated as an operational responsibility, not a legal checkbox.

ZIA. © 2026 ZIA · talentbyzia.com