Business Associate Agreement

Last Updated: November 3, 2025

This Business Associate Agreement Addendum (BAA) is entered into with the understanding that it complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and the Final Omnibus Rule (together, “Applicable Laws”).

BambooHR’s Terms of Service, which can be found here (the “Agreement”), are incorporated herein by reference, and shall remain in full force and effect to the extent they are consistent with Applicable Laws. The terms of this BAA shall otherwise supersede any potential inconsistent terms under the Agreement.

Any capitalized terms used but not defined herein have the same meaning as the same or substantially equivalent term in the Agreement or Applicable Laws.

1. Recitals.

  1. This BAA applies only when a Customer subscribes to certain BambooHR Services (“Qualifying Services”) that require BambooHR to create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of the Customer or any employer group health plan it sponsors (“Covered Entity”). For example, Qualifying Services include only Benefits Administration, Benefit Tracking, and ACA Reporting.
  2. Qualifying Services must be expressly identified by BambooHR in the Agreement. The Customer will provide evidence of its status as a Covered Entity upon request.
  3. When Applicable Laws apply to the Qualifying Services and the Customer, BambooHR will act as a Business Associate (“BA”) under this BAA.
  4. This BAA, in addition to the Agreement, ensures that BambooHR and Customer comply with Applicable Laws.

NOW, THEREFORE, for and in consideration of the mutual covenants and conditions herein, the consideration set forth in the Agreement, and other good and valuable consideration, receipt and adequacy of which are hereby acknowledged, the parties agree as follows:

2. Definitions.

  1. Unless otherwise defined, capitalized terms have the same meaning as in the Applicable Laws.
  2. “PHI” does not include summary health information or information that has been de-identified in accordance with 45 C.F.R. § 164.514.

3. Permitted Uses and Disclosures.

  1. BambooHR may use or disclose PHI only as permitted under this BAA, the Qualifying Services in the Agreement, or Applicable Laws.
  2. BambooHR may disclose PHI to other Business Associates of Customer as necessary to perform authorized Qualifying Services.
  3. BambooHR may use or disclose PHI for proper management and administration, data aggregation services, or as required by law.
  4. BambooHR will limit its use or disclosure of PHI to the minimum necessary to achieve the intended purpose, as instructed by Customer.

4. Safeguards.

  1. BambooHR will maintain appropriate administrative, physical, and technical safeguards to protect PHI as required by Applicable Laws.
  2. BambooHR will ensure that any subcontractors or agents who handle PHI agree in writing to the same or similar safeguards and restrictions.

5. Reporting Obligations.

  1. BambooHR will notify the Customer’s Account Owner without unreasonable delay, and no later than sixty (60) days after discovery, of any use or disclosure of PHI not permitted under this BAA, any Breach of unsecured PHI, or any successful Security Incident within five (5) business days.
  2. Access Requests. BambooHR will notify the Customer’s Account Owner of any request for access to PHI by an Individual to whom it relates within five (5) business days of receipt of such request. BambooHR shall not respond to any such request without written authorization of the Customer.
  3. Amendment Requests. BambooHR will notify the Customer’s Account Owner of any request to amend PHI by an Individual to whom it relates within five (5) business days of receipt of such request. BambooHR shall not respond to any such request, and shall not alter or amend PHI, without written authorization of Customer.
  4. Restriction Requests. BambooHR will notify the Customer’s Account Owner of any request for restriction or request for confidential communications as provided for in 45 C.F.R. § 164.522. BambooHR shall not respond to such requests without written authorization of the Customer.

6. Additional Obligations of BambooHR.

  1. BambooHR will comply with applicable provisions of the Privacy and Security Rules to the extent it performs obligations of a Covered Entity.
  2. BambooHR acknowledges that the Applicable Laws apply directly to it and its applicable subcontractors.
  3. BambooHR will ensure subcontractors who handle PHI sign written agreements imposing substantially similar restrictions and safeguards.
  4. BambooHR will make its records relating to PHI available to the U.S. Department of Health and Human Services upon request.

7. Customer Obligations.

  1. Notify BambooHR of any limitations, restrictions, or changes in authorizations or privacy notice that affect BambooHR’s use or disclosure of PHI.
  2. Obtain all consents or authorizations necessary for BambooHR’s handling of PHI.
  3. Not request BambooHR to use or disclose PHI in any manner not permitted by law.
  4. Implement safeguards for PHI before and after its transfer to BambooHR.
  5. Report security incidents or breaches as required by Applicable Law.

8. Term and Termination.

This BAA is effective as of the Effective Date of the Qualifying Services and remains in effect until all PHI has been returned to Customer or securely destroyed. Either Party may terminate the Qualifying Services and this BAA under the Agreement.

9. Obligations upon Termination.

Upon termination, BambooHR will return or destroy all PHI unless return or destruction is infeasible. If retention is required by law, BambooHR will continue to protect such PHI in accordance with this BAA.

10. Miscellaneous.

  1. Where this BAA differs from the Applicable Laws but is permitted by them, this BAA governs.
  2. Any ambiguity shall be interpreted to comply with Applicable Law.
  3. The Parties will update this BAA as needed to comply with future changes to the Applicable Laws.
  4. Upon reasonable written request, BambooHR will make information available to demonstrate compliance with this BAA. Customer may conduct one audit per twelve (12) months, unless otherwise required by law or following a Security Incident.
  5. Upon the occurrence of changes or amendments to the Applicable Laws or other law that affect the legality of the Agreement, BambooHR may modify the Agreement to the extent necessary to permit Customer to comply with any changes in the Regulations.

Contact Information.

If you have any questions about the Service or this Agreement, you may call us at 801-724-6600, email us at [email protected], or write to us at:

Bamboo HR LLC
BambooHR Payroll LLC
ATTN: Legal
42 Future Way
Draper, UT 84020

BambooHR® is a registered trademark of Bamboo HR LLC. © Bamboo HR LLC 2024. All rights reserved.
