Business Associate Agreement
Last updated: April 16, 2026
When Is a BAA Required?
A signed Business Associate Agreement is required whenever ClarioScope AI handles, processes, or has access to Protected Health Information (PHI) on your behalf. This includes — but is not limited to — use of the AI Receptionist feature (which processes inbound call data), any service that stores or routes appointment scheduling data linked to identifiable patients, and any integration where patient names, dates of service, or clinical identifiers flow through our platform. Standard diagnostic scan and anonymous SEO analytics services do not require a BAA. When in doubt, contact legal@clarioscope.ai.
Parties to This Agreement
Business Associate
ClarioScope AI, Inc.
A Florida corporation providing healthcare practice growth services.
Legal contact: legal@clarioscope.ai
Covered Entity
The healthcare practice or covered entity subscribing to ClarioScope AI services that involve the processing of PHI, as identified in the applicable service agreement or account registration.
This Business Associate Agreement ("BAA" or "Agreement") is entered into between ClarioScope AI, Inc. ("Business Associate") and the Covered Entity identified above, effective as of the date of the Covered Entity's acceptance of ClarioScope AI's Terms of Service or execution of a separate service agreement incorporating this BAA.
This BAA supplements and is incorporated into the Terms of Service and is required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and the HIPAA Omnibus Rule (78 Fed. Reg. 5566, Jan. 25, 2013). In the event of any conflict between this BAA and the Terms of Service, this BAA shall control with respect to the protection of PHI.
1. Definitions
Terms used but not otherwise defined in this Agreement shall have the meanings assigned to them under HIPAA, the HITECH Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164, as amended from time to time.
- "Covered Entity" means a health plan, healthcare clearinghouse, or healthcare provider who transmits any health information in electronic form in connection with a transaction covered under HIPAA, as defined in 45 C.F.R. § 160.103. For purposes of this Agreement, Covered Entity is the subscribing healthcare practice identified in the applicable service agreement.
- "Business Associate" means ClarioScope AI, Inc., a person or entity that performs functions or activities on behalf of, or provides services to, a Covered Entity that involve the use or disclosure of PHI, as defined in 45 C.F.R. § 160.103.
- "Protected Health Information" or "PHI" means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium, as defined in 45 C.F.R. § 160.103, and includes electronic PHI (ePHI) as defined in 45 C.F.R. § 160.103.
- "Electronic Protected Health Information" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form, as defined in 45 C.F.R. § 160.103. All ePHI handled by Business Associate is subject to the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) in addition to the Privacy Rule.
- "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. § 164.304.
- "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 C.F.R. § 164.402. Breach excludes: (i) any unintentional acquisition, access, or use of PHI by a workforce member acting in good faith; (ii) any inadvertent disclosure by an authorized person to another authorized person; and (iii) disclosures where Business Associate has a good faith belief that the unauthorized person who received the PHI could not reasonably have retained it.
2. Permitted Uses and Disclosures of PHI
2.1 Authorized Uses
Business Associate may use and disclose PHI only as necessary to perform its obligations under the Terms of Service or as otherwise permitted in this Agreement, including: operating the AI Receptionist call-handling service, processing appointment scheduling data, generating practice analytics and growth reports, and providing related technology services on behalf of Covered Entity. Business Associate may also use PHI to perform data aggregation services relating to the healthcare operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.2 Prohibited Uses
Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule. Business Associate shall not use or disclose PHI for Business Associate's own independent purposes, for marketing as defined under HIPAA without authorization, for the sale of PHI, or in any manner not expressly authorized by this Agreement or required by applicable law.
2.3 Minimum Necessary
Business Associate shall make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose, consistent with the minimum necessary standard at 45 C.F.R. § 164.502(b) and § 164.514(d). Business Associate shall implement policies and procedures to enforce minimum necessary access by its workforce and subcontractors.
3. Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in accordance with 45 C.F.R. Part 164, Subpart C (HIPAA Security Rule). These safeguards include, without limitation:
- Encryption at rest: All ePHI stored on Business Associate's infrastructure is encrypted using AES-256 (Advanced Encryption Standard, 256-bit key length).
- Encryption in transit: All ePHI transmitted over public networks is protected using TLS 1.3 or higher. Older protocol versions (TLS 1.0, 1.1, SSL) are disabled.
- Multi-Factor Authentication (MFA): All administrative and privileged access to systems containing ePHI requires MFA. End-user portal access requires MFA enrollment.
- Role-Based Access Controls (RBAC): Access to ePHI is restricted to workforce members whose job functions require such access. Roles are reviewed quarterly and upon role changes.
- Audit logging: Business Associate maintains comprehensive audit logs of all access to, creation of, modification of, and deletion of ePHI. Logs are retained for a minimum of six (6) years and are reviewed regularly for anomalous activity.
- Annual risk assessment: Business Associate conducts a formal HIPAA Security Rule risk analysis at least annually and implements a risk management plan to address identified vulnerabilities, per 45 C.F.R. § 164.308(a)(1).
4. Subcontractors
In accordance with 45 C.F.R. § 164.504(e)(2)(ii)(D) and the HITECH Act, Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement. Business Associate shall execute a written Business Associate Agreement with each such subcontractor prior to permitting access to PHI. Business Associate shall not subcontract any services involving PHI to subcontractors that cannot demonstrate adequate HIPAA compliance.
Business Associate shall remain directly liable to Covered Entity for the acts and omissions of its subcontractors to the same extent as if Business Associate had performed the act or omission itself.
5. Breach Notification
Business Associate shall notify Covered Entity of a Breach of unsecured PHI without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the Breach, as required by 45 C.F.R. §§ 164.410 and 164.412. Discovery occurs on the first day on which the Breach is known, or by exercising reasonable diligence would have been known, to any member of Business Associate's workforce.
The notification shall include, to the extent possible:
- Identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed.
- A brief description of what happened, including the date of the Breach and the date of discovery.
- A description of the types of unsecured PHI involved (e.g., full name, date of birth, social security number, account numbers, diagnosis codes).
- Any steps individuals should take to protect themselves from potential harm.
- A description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against further Breaches.
- Contact procedures for individuals to ask questions or learn additional information.
Business Associate shall cooperate with Covered Entity's obligation to notify affected individuals, the Secretary of HHS, and, where applicable, prominent media outlets, as required by 45 C.F.R. §§ 164.404–164.408. Business Associate shall take prompt steps to mitigate, to the extent practicable, harmful effects of any Breach.
6. Individual Rights
Business Associate shall support Covered Entity in fulfilling individuals' HIPAA rights with respect to PHI maintained by Business Associate. Business Associate shall respond to Covered Entity's requests regarding individual rights within fifteen (15) business days of receipt.
- Right of access (45 C.F.R. § 164.524): Business Associate shall make PHI it maintains in a designated record set available to Covered Entity to allow Covered Entity to respond to individual requests for access within the required timeframe.
- Right of amendment (45 C.F.R. § 164.526): Business Associate shall make any amendment(s) to PHI in a designated record set as directed by Covered Entity consistent with 45 C.F.R. § 164.526.
- Accounting of disclosures (45 C.F.R. § 164.528): Business Associate shall maintain and make available the information required to provide an accounting of disclosures for the prior six (6) years upon request by Covered Entity within fifteen (15) business days.
7. HITECH Compliance
Business Associate acknowledges that, pursuant to the HITECH Act and the HIPAA Omnibus Rule, Business Associate is directly liable under the HIPAA Privacy and Security Rules for uses and disclosures of PHI that are not authorized by this Agreement or required by law, and for failing to safeguard ePHI in accordance with the HIPAA Security Rule. Business Associate agrees to comply with the applicable requirements of the HITECH Act, including, without limitation, Sections 13401 and 13404 of the HITECH Act (42 U.S.C. §§ 17931 and 17934).
Business Associate shall cooperate with Covered Entity and the Secretary of HHS in any investigation, audit, or enforcement action related to compliance with HIPAA or the HITECH Act. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance, per 45 C.F.R. § 164.504(e)(2)(ii)(H).
8. Audit Rights
Covered Entity shall have the right to audit Business Associate's compliance with this Agreement, subject to the following conditions:
- Covered Entity shall provide Business Associate with at least ten (10) business days prior written notice of its intent to conduct an audit.
- Audits shall be conducted no more than once per calendar year, unless a material breach or Security Incident provides reasonable cause for an additional audit.
- Audits shall be conducted during normal business hours and shall be limited to a reasonable scope — specifically, those practices, books, and records relating to Business Associate's use and disclosure of PHI on behalf of Covered Entity.
- Covered Entity shall bear the costs of any audit unless the audit reveals a material breach of this Agreement, in which case Business Associate shall bear its own reasonable costs of cooperation.
- Business Associate may satisfy its audit obligations by providing Covered Entity with access to its most recent third-party security audit report (e.g., SOC 2 Type II) in lieu of a direct audit, where such report covers the relevant security domains within the past twelve (12) months.
9. Term and Termination
9.1 Effective Date
This Agreement shall become effective upon the Covered Entity's execution of the Terms of Service or a separate service agreement that incorporates this BAA, whichever occurs first.
9.2 Term
This Agreement shall remain in effect for the duration of the underlying service relationship between Business Associate and Covered Entity and shall terminate automatically upon the termination or expiration of the applicable service agreement.
9.3 Termination Triggers
Either party may terminate this Agreement upon written notice if:
- The other party materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) days of receiving written notice specifying the breach; or
- Covered Entity reasonably determines that Business Associate has violated a material term and cure is not possible.
9.4 Effect of Termination — Data Return or Destruction
Upon termination or expiration of this Agreement, Business Associate shall, within thirty (30) days, return to Covered Entity or securely destroy all PHI received from, or created on behalf of, Covered Entity that Business Associate still maintains in any form. This includes all copies, backups, and derivative works. Business Associate shall provide Covered Entity with written certification of destruction. If return or destruction is not feasible (e.g., due to legal hold obligations), Business Associate shall notify Covered Entity in writing, limit further uses and disclosures to those purposes that make return or destruction infeasible, and continue to apply the protections of this Agreement to such PHI for as long as it is retained.
10. Amendments
Business Associate may amend this Agreement upon sixty (60) days prior written notice to Covered Entity where such amendment is required to ensure compliance with changes in applicable law, including amendments to HIPAA, the HITECH Act, or regulations promulgated thereunder by the Secretary of HHS. Covered Entity's continued use of services involving PHI following the notice period shall constitute acceptance of such amendments. For all other amendments, the written consent of both parties is required.
11. No Third-Party Beneficiaries
Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever. The parties do not intend the benefits of this Agreement to inure to any third party, including any patient or individual whose PHI is subject to this Agreement. Individuals' rights with respect to their PHI shall be asserted against and addressed by the Covered Entity, not Business Associate directly, except as otherwise required by law.
Execution and Signature
This BAA is deemed executed and incorporated into the service agreement upon the Covered Entity's online acceptance. For a countersigned physical or PDF copy with authorized signatures, complete the fields below and email to legal@clarioscope.ai. ClarioScope AI will countersign and return within two (2) business days.
Business Associate
ClarioScope AI, Inc.
Authorized Signature
Printed Name & Title
Date
Covered Entity
Practice / Organization Name
Authorized Signature
Printed Name & Title
Date
