HIPAA Compliance Commitments
- PHI Encryption: AES-256 encryption for all Protected Health Information
- Access Controls: Role-based access with audit logging and monitoring
- Breach Notification: 60-day breach notification as required by HIPAA
Business Associate Agreement
This Business Associate Agreement ("BAA") is entered into between the Covered Entity (healthcare organization) and Askbuc, Inc. ("Business Associate"), in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations.
1. Definitions
Terms used but not otherwise defined in this BAA shall have the meanings set forth in 45 CFR §§ 160.103 and 164.501:
- "Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
- "Business Associate" means Askbuc, Inc., providing enterprise IT infrastructure, data platforms, AI datacenters, and related services to the Covered Entity.
- "Covered Entity" means the healthcare organization that is a covered entity under HIPAA.
- "Designated Record Set" means a group of records maintained by or for a Covered Entity that is used to make decisions about individuals.
- "Electronic Protected Health Information" or "ePHI" means Protected Health Information that is transmitted by or maintained in electronic media.
- "Individual" means the person who is the subject of Protected Health Information.
- "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
- "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium by Business Associate on behalf of Covered Entity.
- "Required by Law" means a mandate contained in law that compels an entity to make a use or disclosure of PHI.
- "Secretary" means the Secretary of the U.S. Department of Health and Human Services or designee.
- "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
- "Unsecured PHI" means PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as permitted or required by this BAA or as Required by Law. Business Associate shall not use or disclose PHI in any manner that would violate the Privacy Rule if done by Covered Entity, except for the specific uses and disclosures set forth below:
- Business Associate may use PHI for the proper management and administration of Business Associate.
- Business Associate may disclose PHI for the proper management and administration of Business Associate, provided the disclosure is Required by Law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially.
- Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
- Business Associate may use PHI to report violations of law to appropriate Federal and State authorities.
2.2 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided by this BAA. Business Associate shall comply with the Security Rule with respect to ePHI, including:
- Administrative Safeguards: Security management process, workforce security, information access management, security awareness training, security incident procedures, contingency planning, evaluation, and business associate contracts.
- Physical Safeguards: Facility access controls (biometric authentication, 24/7 surveillance, mantrap entry), workstation use and security, device and media controls.
- Technical Safeguards: Access control (unique user identification, emergency access, automatic logoff, encryption/decryption with AES-256), audit controls, integrity controls, person or entity authentication, transmission security (TLS 1.3).
- Encryption: All PHI encrypted at rest using AES-256-GCM and in transit using TLS 1.3 with perfect forward secrecy.
- Access Controls: Role-based access control (RBAC) with principle of least privilege, multi-factor authentication required for all PHI access.
- Audit Logging: Comprehensive audit logs of all PHI access, modifications, and disclosures, retained for a minimum of 6 years.
- Backup and Disaster Recovery: Daily backups with a 15-minute recovery point objective (RPO) and a 1-hour recovery time objective (RTO), stored in geographically dispersed backup locations.
2.3 Reporting
Business Associate shall report to Covered Entity:
- Any use or disclosure of PHI not provided for by this BAA, within 24 hours of discovery.
- Any Breach of Unsecured PHI without unreasonable delay and in no case later than 10 business days after discovery.
- Any Security Incident involving ePHI within 24 hours of discovery.
Business Associate's report shall include, to the extent known: (a) identification of each Individual whose PHI was involved; (b) description of the incident; (c) date of the incident and discovery; (d) types of PHI involved; (e) steps taken to mitigate harm; and (f) contact information for further inquiries.
2.4 Subcontractors
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate under this BAA. Business Associate shall provide Covered Entity with written notice of any new subcontractors at least 30 days prior to engagement, and Covered Entity may object within 15 days.
2.5 Access to PHI
Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, within 10 business days of a request, in the time and manner designated by Covered Entity. If Business Associate maintains an Electronic Health Record, access shall be provided in electronic format as required by 45 CFR § 164.524(c)(2)(ii).
2.6 Amendment of PHI
Business Associate shall make any amendments to PHI in a Designated Record Set as directed by Covered Entity within 10 business days of receiving notice, and shall take reasonable steps to inform subcontractors and other business associates of the amendment.
2.7 Accounting of Disclosures
Business Associate shall document all disclosures of PHI and information related to such disclosures as required to provide an accounting of disclosures to Covered Entity or Individual. Business Associate shall provide such accounting to Covered Entity within 10 business days of request, including:
- Date of disclosure
- Name and address of the recipient
- Brief description of PHI disclosed
- Brief statement of purpose of disclosure
If Business Associate uses or maintains an Electronic Health Record with respect to PHI, Business Associate shall account for disclosures for treatment, payment, and health care operations as required by 45 CFR § 164.528(a)(1)(iii).
2.8 Availability of Books and Records
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with HIPAA. Business Associate maintains SOC 2 Type II certification and undergoes annual HIPAA compliance audits by qualified independent assessors.
2.9 Minimum Necessary
Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and § 164.514(d). Business Associate shall implement policies and procedures to limit access to PHI based on job function and necessity.
3. Obligations of Covered Entity
3.1 Permissible Requests
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as permitted by this BAA.
3.2 Notice of Privacy Practices
Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices and any changes thereto, to the extent such Notice or changes may affect Business Associate's obligations under this BAA.
3.3 Permission or Authorization
Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes may affect Business Associate's permitted uses and disclosures.
3.4 Restrictions
Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent such restriction may affect Business Associate's use or disclosure of PHI.
4. Term and Termination
4.1 Term
This BAA shall become effective on the date of execution and shall continue in effect until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or the termination of the Master Services Agreement, whichever is later.
4.2 Termination for Cause
Either party may terminate this BAA upon 30 days' written notice if the other party breaches a material term of this BAA and fails to cure the breach within 30 days of receiving notice. Covered Entity may:
- Immediately terminate the Master Services Agreement if Business Associate has breached a material term of this BAA and cure is not possible; or
- If termination is not feasible, report the violation to the Secretary.
4.3 Effect of Termination
Upon termination of this BAA, Business Associate shall:
- Return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate maintains in any form;
- Retain no copies of PHI;
- Extend the protections of this BAA to PHI retained by Business Associate and limit further uses and disclosures to those purposes that make the return or destruction of PHI infeasible;
- Provide written certification to Covered Entity that PHI has been destroyed in accordance with NIST SP 800-88 or DoD 5220.22-M standards, or returned.
5. Breach Notification
Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify Covered Entity of such Breach without unreasonable delay and in no case later than 10 business days after discovery. The notification shall include:
- Identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
- Description of the nature of the Breach, including the date of the Breach and the date of discovery;
- Types of Unsecured PHI involved in the Breach (e.g., name, SSN, date of birth, medical record number, diagnosis);
- Brief description of what occurred, including how the Breach was discovered;
- Description of steps individuals should take to protect themselves from potential harm;
- Description of steps Business Associate is taking to investigate, mitigate harm, and prevent further Breaches;
- Contact information for individuals to ask questions or obtain additional information.
Business Associate shall cooperate with Covered Entity in meeting Covered Entity's obligations under 45 CFR §§ 164.404-164.414, including providing the information necessary for Covered Entity to notify affected individuals, the Secretary, and, if applicable, the media, within the timeframes required by HIPAA (generally 60 days from discovery).
6. Indemnification
Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to Business Associate's breach of this BAA, violation of HIPAA, or negligent or wrongful acts or omissions in the handling of PHI. This indemnification obligation shall survive termination of this BAA.
7. Miscellaneous
7.1 Regulatory Changes
The parties acknowledge that federal and state laws relating to data security and privacy are rapidly evolving. If any provision of this BAA is affected by a change in applicable law, the parties agree to negotiate in good faith to amend this BAA to comply with such law.
7.2 Interpretation
Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with HIPAA and the HITECH Act. The terms of this BAA shall prevail over any conflicting terms in the Master Services Agreement with respect to the use and disclosure of PHI.
7.3 No Third-Party Beneficiaries
Nothing in this BAA shall confer upon any person, other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
7.4 Survival
The obligations of Business Associate under Sections 2.3 (Reporting), 2.7 (Accounting of Disclosures), 4.3 (Effect of Termination), and 6 (Indemnification) shall survive termination of this BAA.
8. Contact Information
For questions or concerns regarding this Business Associate Agreement, please contact:
Askbuc, Inc.
HIPAA Compliance Officer
Email: [email protected]
Phone: [Provided under NDA]
Address: [Address provided under NDA]
All inquiries handled under strict confidentiality
This Business Associate Agreement is designed to comply with HIPAA, the HITECH Act, and the Omnibus Final Rule. Askbuc maintains SOC 2 Type II certification and undergoes annual HIPAA compliance audits. For healthcare organizations requiring customized BAAs, additional security measures, or jurisdiction-specific terms, please contact our HIPAA compliance team. All engagements are conducted under strict NDA with additional security clearances for sensitive medical research and government healthcare projects.
