HEALTHCLAIMAGENT.AI

Business Associate Agreement

Recitals

WHEREAS, Covered Entity is a licensed behavioral health provider or practice that submits insurance claims and generates appeal letters using the Service;

WHEREAS, in the course of providing the Service, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity;

WHEREAS, the Parties intend to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”);

NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, the Parties agree as follows:

1. Definitions

1.1

Capitalized terms used but not defined in this BAA shall have the meanings assigned to them in the HIPAA Rules at 45 C.F.R. Parts 160 and 164.

1.2 Breach

“Breach” means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the Protected Health Information, as defined at 45 C.F.R. § 164.402.

1.3 Protected Health Information

“Protected Health Information” or “PHI” means individually identifiable health information as defined at 45 C.F.R. § 160.103, limited to information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the Service. This includes patient names, dates of birth, insurance member identification numbers, diagnosis codes associated with identified individuals, claim numbers, and dates of service.

1.4 Electronic Protected Health Information

“Electronic Protected Health Information” or “ePHI” means Protected Health Information that is transmitted or maintained in electronic media, as defined at 45 C.F.R. § 160.103.

1.5 Security Incident

“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined at 45 C.F.R. § 164.304.

1.6 Subcontractor

“Subcontractor” means a person or entity to whom Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as required by law. Business Associate may use or disclose PHI solely for the following purposes:

(a) To perform functions, activities, or services for or on behalf of Covered Entity as specified in the Terms of Service, including the generation of insurance denial appeal letters, parity analysis, evidence retrieval, and citation verification;

(b) For the proper management and administration of Business Associate, provided that any disclosure for such purpose is required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or disclosed only as required by law or for the purposes for which it was disclosed, and that the recipient will notify Business Associate of any instances of which it is aware that the confidentiality of the PHI has been breached;

(c) To de-identify PHI in accordance with 45 C.F.R. § 164.514(a)-(c), using the Safe Harbor method described at 45 C.F.R. § 164.514(b). De-identified data is not subject to the restrictions of this BAA and may be used as described in Section 8 of the Terms of Service;

(d) To provide data aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), including the aggregation of de-identified appeal outcome data to generate Payer Intelligence analytics;

(e) To create a limited data set for purposes of research, public health, or health care operations, provided that a data use agreement meeting the requirements of 45 C.F.R. § 164.514(e) is in place.

2.2 Minimum Necessary Standard

Business Associate shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 C.F.R. § 164.502(b) and 45 C.F.R. § 164.514(d).

2.3 Safeguards

Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the HIPAA Security Rule at 45 C.F.R. Part 164, Subpart C. These safeguards include, without limitation:

(a) Encryption of ePHI at rest using AES-256 encryption;

(b) Encryption of ePHI in transit using TLS 1.3 or higher;

(c) Access controls limiting access to ePHI to authorized personnel with a legitimate need;

(d) Audit logging of all access to and modifications of ePHI, with logs retained for a minimum of six (6) years;

(e) Regular vulnerability assessments and security testing;

(f) Workforce training on HIPAA requirements and information security practices;

(g) Business continuity and disaster recovery procedures to protect ePHI.

2.4 Subcontractors

Business Associate shall ensure that any Subcontractor to whom it provides PHI agrees to the same restrictions and conditions that apply to Business Associate under this BAA, in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.504(e)(2)(ii)(D). Business Associate's current Subcontractors who may access ePHI include:

(a) Amazon Web Services, Inc. (cloud infrastructure and AI model inference via AWS Bedrock) — BAA executed via AWS Artifact;

(b) Supabase, Inc. (database hosting and storage) — BAA available on Supabase Pro plan and above;

(c) Clerk, Inc. (authentication services) — BAA available on request.

Business Associate shall notify Covered Entity of any material changes to its Subcontractor list by updating the information available through the Service.

2.5 Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Security Incident, within the timeframes specified in Section 3 of this BAA.

2.6 Access to PHI

Business Associate shall make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an individual, to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524, within thirty (30) days of a written request. Business Associate provides this access through the Service's data export functionality and upon written request to support@healthclaimagent.ai.

2.7 Amendment of PHI

Business Associate shall make any amendments to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 C.F.R. § 164.526, within thirty (30) days of a written request, or take other measures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.526.

2.8 Accounting of Disclosures

Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528, within sixty (60) days of a written request.

2.9 Access by HHS

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) for purposes of determining Covered Entity's and Business Associate's compliance with the HIPAA Rules.

2.10 Mitigation

Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.

3. Breach Notification

3.1 Discovery and Notification

Following the discovery of a Breach of Unsecured Protected Health Information, Business Associate shall notify Covered Entity of such Breach without unreasonable delay and in no case later than thirty (30) calendar days after discovery. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.

3.2 Content of Notification

Business Associate's notification to Covered Entity shall include, to the extent possible:

(a) The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;

(b) A brief description of what happened, including the date of the Breach and the date of discovery;

(c) A description of the types of Unsecured PHI involved in the Breach (such as full name, date of birth, diagnosis codes, claim numbers);

(d) Any steps individuals should take to protect themselves from potential harm resulting from the Breach;

(e) A brief description of what Business Associate is doing to investigate the Breach, mitigate harm to individuals, and protect against further Breaches.

3.3 Covered Entity Obligations

Covered Entity is responsible for providing notification to affected individuals and to HHS as required by 45 C.F.R. §§ 164.404 and 164.408. Business Associate shall cooperate with Covered Entity in fulfilling these notification obligations.

3.4 Burden of Proof

Business Associate bears the burden of demonstrating that any acquisition, access, use, or disclosure of PHI did not constitute a Breach, consistent with 45 C.F.R. § 164.402(2).

3.5 Security Incidents

Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware within thirty (30) calendar days of discovery. The Parties acknowledge that unsuccessful Security Incidents (such as pings, port scans, unsuccessful log-on attempts, and similar events) occur routinely and do not require individual notification; Business Associate shall provide a summary of such incidents upon Covered Entity's written request no more frequently than once per calendar quarter.

4. Obligations of Covered Entity

4.1 Minimum Necessary

Covered Entity shall provide Business Associate with only the minimum PHI necessary for Business Associate to perform its obligations under the Terms of Service. Covered Entity shall not input full medical records, psychotherapy notes, or substance use disorder records protected under 42 C.F.R. Part 2 into the Service unless specifically required for appeal generation and with appropriate patient consent.

4.2 Permissions and Restrictions

Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices under 45 C.F.R. § 164.520 to the extent that such limitations may affect Business Associate's use or disclosure of PHI. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

4.3 Impermissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

5. Term and Termination

5.1 Term

This BAA shall be effective as of the date Covered Entity accepts this BAA through the Service's electronic acceptance process and shall terminate when all PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity, or, if return or destruction is infeasible, protections are extended to such information in accordance with Section 5.4 of this BAA.

5.2 Termination for Cause

Upon Covered Entity's knowledge of a material breach of this BAA by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach within thirty (30) days of written notice. If Business Associate does not cure the breach or end the violation within such time period, Covered Entity may terminate the Terms of Service and this BAA. If cure is not possible, Covered Entity may immediately terminate the Terms of Service and this BAA.

5.3 Termination by Business Associate

If Business Associate knows of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of Covered Entity's obligations under this BAA, Business Associate shall notify Covered Entity and provide an opportunity to cure. If Covered Entity does not cure within thirty (30) days, Business Associate may terminate the Terms of Service and this BAA.

5.4 Effect of Termination

(a) Upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within sixty (60) days of termination. This provision applies to PHI that is in the possession of Subcontractors of Business Associate.

(b) If Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

(c) De-identified data and Platform Data (as defined in the Terms of Service) are not PHI and are not subject to the return or destruction requirements of this Section.

6. General Provisions

6.1 Regulatory References

Any reference in this BAA to a section of the HIPAA Rules means the section as in effect or as amended from time to time, and for which compliance is required.

6.2 Amendment

The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. Business Associate may amend this BAA by providing thirty (30) days' written notice to Covered Entity, in the same manner as amendments to the Terms of Service.

6.3 Interpretation

Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.

6.4 No Third-Party Beneficiaries

Nothing in this BAA shall confer upon any person other than the Parties and their respective successors and permitted assigns any rights, remedies, obligations, or liabilities.

6.5 Governing Law

This BAA shall be governed by federal law, specifically the HIPAA Rules. To the extent that state law applies, this BAA shall be governed by the laws of the State of Texas.

6.6 Survival

The obligations of Business Associate under Sections 2.3, 2.6, 2.7, 2.8, 3, and 5.4 shall survive termination of this BAA.

6.7 Entire BAA

This BAA, together with the Terms of Service, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, representations, and understandings relating to the protection of PHI.

Acknowledgment

By accepting this Business Associate Agreement through the HealthClaimAgent.AI platform, Covered Entity acknowledges that it has read, understood, and agrees to be bound by the terms of this BAA. Covered Entity represents that it has the authority to enter into this BAA and that it is a Covered Entity or a business associate of a Covered Entity as defined under HIPAA.