Celiveo 365 HIPAA Compliance

Pursuant to HIPAA requirements, the Business Associate Agreement (BAA) highlighted below will be executed between Celiveo (as the Business Associate) and any healthcare covered entity subscribing to Celiveo 365 (as the Covered Entity) prior to any use or disclosure of Protected Health Information (PHI), ensuring Celiveo handles PHI—including electronic PHI (ePHI) in print/scan jobs processed via its Azure-native SaaS platform—only as permitted under the agreement and applicable law.

Celiveo 365’s ISO 27001:2022 certification by Intertek, the latest international standard for Information Security Management Systems (ISMS), comprehensively covers PHI protection through a systematic risk-based approach that aligns with HIPAA Security Rule safeguards.

ISO 27001:2022 mandates controls for:

  • access management (Entra ID SSO, Zero-Trust-Access via ECC-P256 certificate forests, granular rights using Entra ID groups)
  • encryption (AES-256-GCM at rest and in transit with dynamic keys and Azure Key Vault)
  • incident response and breach reporting procedures
  • data loss prevention (AI-DLP to detect/block PHI/PII in real time)
  • audit logging (24/7 Azure Cloud Defender scans against HIPAA HITRUST and 13+ norms)
  • secure print/scan workflows, with print release using badge, mobile, NFC, PIN
  • daily compliance verification of the full SaaS infrastructure—including no PII storage (user data as SHA-256 hashes) and PaaS-native immunity to OS vulnerabilities—

providing healthcare subscribers with audited assurance of robust, enterprise-grade safeguards while PHI remains within the customer’s Azure tenant boundaries.

This ISO 27001:2022 certification, encompassing Celiveo’s entire operations, Cloud, SaaS, R&D, support and PII/GDPR handling, positions Celiveo 365 as a compliant solution for secure document management in regulated environments, as evidenced by its explicit HIPAA alignment in product documentation and independent analyses.

HIPAA Business Associate Agreement Template

Version: January 2, 2026

  • BUSINESS ASSOCIATE AGREEMENT

    This Business Associate Agreement (“Agreement” or “BAA”) is entered into effective January 2, 2026 [Effective Date to update] (the “Effective Date”), by and between [your Entity name] (“Covered Entity”) and Celiveo (“Business Associate”).

    Recitals

    WHEREAS, Covered Entity is a “covered entity” as defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), and the regulations promulgated thereunder, as amended (collectively, the “HIPAA Rules”);

    WHEREAS, Business Associate provides Secure Cloud Print Services, Data Loss Prevention on printed data, to Covered Entity, which involve the use and/or disclosure of Protected Health Information (“PHI”);

    WHEREAS, the HIPAA Rules require Covered Entity to obtain satisfactory assurances from Business Associate regarding the safeguarding of PHI;

    NOW, THEREFORE, the parties agree as follows:

    1. Definitions

    Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160, 162, and 164).

    2. Obligations and Activities of Business Associate

    Business Associate agrees to:

    (a) Use or disclose PHI only as permitted by this BAA, as Required By Law, or as necessary to perform the limited services described in the underlying agreement.

    (b) Use appropriate safeguards and comply with the HIPAA Security Rule for electronic PHI (ePHI).

    (c) Report to Covered Entity any unpermitted use/disclosure, Breach of Unsecured PHI (per § 164.410), or Security Incident.

    (d) Ensure Subcontractors agree in writing to the same restrictions (per § 164.502(e)(1)(ii) and § 164.308(b)(2)).

    (e) To the extent Business Associate maintains PHI in a Designated Record Set, make it available to Covered Entity or an Individual per § 164.524.

    (f) To the extent Business Associate maintains PHI in a Designated Record Set, make amendments per § 164.526.

    (g) To the extent Business Associate makes disclosures subject to accounting, provide information for accounting per § 164.528.

    (h) If carrying out Covered Entity’s Privacy Rule obligations, comply accordingly.

    (i) Make internal practices/books/records available to HHS for compliance determination.

    (j) The parties acknowledge and agree that Business Associate does not maintain a Designated Record Set and has no ability to alter or amend PHI.

     

    3. Permitted Uses and Disclosures by Business Associate

    Limited to performing the services, namely Secure Cloud Pull Print & Scan, with optional PHI/PII identification for Data Loss Prevention (AI-DLP). Business Associate may use PHI for its proper management/administration or as Required By Law, applying minimum necessary standards.

     

    4. Obligations of Covered Entity

    Covered Entity shall:

    (a) Notify Business Associate of any limitation(s) in its Notice of Privacy Practices that affect Business Associate’s use or disclosure of PHI.

    (b) Notify Business Associate of any restriction on the search, use or disclosure of PHI that Covered Entity has agreed to.

    5. Term and Termination

    (a) Term: This Agreement shall be effective as of the Effective Date and shall terminate when all PHI provided by Covered Entity to Business Associate is destroyed or returned (if feasible), or upon termination of the underlying services agreement.

    (b) Termination for Cause: Upon material breach, the non-breaching party may terminate this Agreement if the breach is not cured within 60 days.

    (c) Return or Destruction of PHI: Upon termination, Business Associate shall destroy all PHI.

    6. Miscellaneous

    (a) Amendment: The parties agree to amend this Agreement as necessary for compliance with changes to the HIPAA Rules or other applicable law.

    (b) Interpretation: Any ambiguity shall be resolved to permit compliance with the HIPAA Rules.

    (c) Governing Law: The validity, construction, interpretation and effect of this Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without giving effect to the conflicts of laws provisions thereof.

    IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date using Electronic Signature.


    Covered Entity:
    <your Entity name>

    _________________________________________

    Signature
    Name:
    Title:
    Date:


    Business Associate:
    Celiveo Pte Ltd

    _________________________________________

    Signature
    Name:
    Title:
    Date: