
HIPAA Business Associate Agreement

HIPAA-compliant Business Associate Agreement for US healthcare organisations.

Last updated: 18 December 2025 | Version: 1.0

This Business Associate Agreement ("BAA") template is provided for informational purposes. Healthcare organisations entering into a service agreement with PreConsult will receive a customised BAA as part of their onboarding.

To request a customised BAA or discuss specific requirements, contact: legal@preconsult.ai

Note: This template complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and the HIPAA Omnibus Rule (45 CFR Parts 160 and 164). It should be reviewed by your legal counsel and HIPAA Privacy Officer before execution.

1. Parties and Recitals

PARTIES

Covered Entity: [Healthcare Organisation Name] of [Address] ("Covered Entity")

Business Associate: Slay Pty Ltd (ABN 59 686 642 366) trading as PreConsult, of Melbourne, Australia ("Business Associate")

Effective Date: [Date]

RECITALS

WHEREAS, Covered Entity is a "covered entity" as defined in the HIPAA Regulations;

WHEREAS, Business Associate provides clinical decision support services to Covered Entity pursuant to a Service Agreement (the "Underlying Agreement");

WHEREAS, Business Associate may receive, create, maintain, or transmit Protected Health Information (PHI) on behalf of Covered Entity in performing services under the Underlying Agreement;

WHEREAS, Business Associate is a "business associate" of Covered Entity as defined in the HIPAA Regulations;

WHEREAS, Covered Entity and Business Associate desire to enter into this Agreement to comply with the requirements of HIPAA, the HITECH Act, and their implementing regulations;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:

2. Definitions

Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Regulations (45 CFR Parts 160 and 164).

  • "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR 164.402.
  • "Business Associate" has the meaning given in 45 CFR 160.103.
  • "Covered Entity" has the meaning given in 45 CFR 160.103.
  • "Designated Record Set" has the meaning given in 45 CFR 164.501.
  • "Electronic Protected Health Information" or "ePHI" means Protected Health Information that is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103.
  • "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
  • "HIPAA Regulations" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
  • "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009.
  • "Individual" has the meaning given in 45 CFR 160.103 and includes a person who qualifies as a personal representative under 45 CFR 164.502(g).
  • "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
  • "Protected Health Information" or "PHI" has the meaning given in 45 CFR 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • "Required by Law" has the meaning given in 45 CFR 164.103.
  • "Secretary" means the Secretary of the U.S. Department of Health and Human Services or the Secretary's designee.
  • "Security Incident" has the meaning given in 45 CFR 164.304.
  • "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
  • "Subcontractor" has the meaning given in 45 CFR 160.103.
  • "Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.

3. Obligations of Business Associate

3.1 Permitted Uses and Disclosures

Business Associate agrees:

  • Not to use or disclose PHI other than as permitted or required by this BAA or as Required by Law;
  • To use and disclose PHI only as necessary to perform services for Covered Entity as specified in the Underlying Agreement;
  • Not to use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.

3.2 Safeguards

Business Associate agrees to:

  • Use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 (Security Rule) to prevent use or disclosure of PHI other than as provided for by this BAA;
  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI;
  • Comply with the Security Rule requirements applicable to business associates.

3.3 Reporting

Business Associate agrees to report to Covered Entity:

  • Any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI;
  • Any Security Incident of which it becomes aware.

Such reports shall be made without unreasonable delay and in no case later than as specified in Section 8 (Breach Notification).

3.4 Mitigation

Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.

3.5 Prohibited Uses

Business Associate agrees:

  • Not to use or disclose PHI for fundraising or marketing purposes without prior written authorization;
  • Not to sell PHI or receive remuneration in exchange for PHI;
  • Not to use or disclose genetic information for underwriting purposes.

4. Permitted Uses and Disclosures

4.1 Performance of Services

Business Associate may use and disclose PHI as necessary to perform the clinical decision support services specified in the Underlying Agreement, including:

  • AI-powered pre-consultation interviews and health history collection;
  • Clinical summarisation and decision support suggestions;
  • Generation of differential diagnoses and treatment considerations;
  • Billing code suggestions and validation.

4.2 Management and Administration

Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any such disclosure:

  • Is Required by Law; or
  • Is made only after Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed.

4.3 De-Identification

Business Associate may use PHI to de-identify the information in accordance with 45 CFR 164.514(a)-(c). De-identified information is not PHI and may be used for any lawful purpose.

4.4 Minimum Necessary

Business Associate agrees to make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, except as otherwise permitted under the HIPAA Regulations.

5. Obligations of Covered Entity

5.1 Permissions and Restrictions

Covered Entity agrees to:

  • Notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity that may affect Business Associate's use or disclosure of PHI;
  • Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI;
  • Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by.

5.2 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.

6. Security Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect ePHI in accordance with the Security Rule:

6.1 Administrative Safeguards (45 CFR 164.308)

  • Security management process including risk analysis and risk management;
  • Workforce security and information access management;
  • Security awareness and training program;
  • Security incident procedures;
  • Contingency plan including data backup and disaster recovery;
  • Periodic evaluation of security policies and procedures.

6.2 Physical Safeguards (45 CFR 164.310)

  • Facility access controls;
  • Workstation use and security policies;
  • Device and media controls.

6.3 Technical Safeguards (45 CFR 164.312)

  • Access controls including unique user identification and automatic logoff;
  • Audit controls to record and examine activity in systems containing ePHI;
  • Integrity controls to protect ePHI from improper alteration or destruction;
  • Transmission security including encryption (TLS 1.3) for ePHI in transit;
  • Encryption of ePHI at rest (AES-256);
  • Multi-factor authentication for system access.

6.4 Documentation

Business Associate shall maintain documentation of its security policies and procedures as required by 45 CFR 164.316.

7. Subcontractors and Agents

7.1 Subcontractor Agreements

Business Associate agrees that it shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.

7.2 Agent Supervision

Business Associate agrees to ensure that any agent, including a Subcontractor, to whom it provides PHI agrees to implement reasonable and appropriate safeguards to protect it.

7.3 Current Subcontractors

Business Associate's current Subcontractors that may have access to PHI include:

  • Cloud infrastructure providers (data hosting and processing);
  • AI language model providers (clinical decision support);
  • Communication service providers (SMS and email delivery).

A complete list is available upon request to legal@preconsult.ai.

7.4 Changes to Subcontractors

Business Associate shall provide Covered Entity with at least 30 days' notice before engaging any new Subcontractor that will have access to PHI.

8. Breach Notification

8.1 Discovery of Breach

A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate (including any employee, officer, or agent of Business Associate) or should reasonably have been known to Business Associate.

8.2 Notification Timing

Following the discovery of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity:

  • Without unreasonable delay;
  • In no case later than 30 days after discovery of the Breach;
  • Unless a law enforcement official determines that notification would impede a criminal investigation or cause damage to national security.

8.3 Content of Notification

Business Associate's notification shall include, to the extent possible:

  • Identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
  • A brief description of what happened, including the date of the Breach and the date of discovery;
  • A description of the types of Unsecured PHI involved (e.g., full name, Social Security number, diagnosis);
  • Any steps Individuals should take to protect themselves from potential harm;
  • A brief description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against further Breaches;
  • Contact procedures for Individuals to ask questions or learn additional information.

8.4 Cooperation

Business Associate shall cooperate with Covered Entity in:

  • Investigating the Breach;
  • Meeting Covered Entity's notification obligations to affected Individuals, the Secretary, and media (if applicable);
  • Mitigating harmful effects of the Breach.

8.5 Security Incidents

Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. Reports of unsuccessful Security Incidents (such as pings, port scans, or unsuccessful log-in attempts) may be provided in summary or aggregate form.

9. Individual Rights

9.1 Access

Business Associate agrees to make PHI maintained in a Designated Record Set available to Covered Entity within 15 days of a request, to enable Covered Entity to fulfill its obligations under 45 CFR 164.524.

9.2 Amendment

Business Associate agrees to make PHI maintained in a Designated Record Set available to Covered Entity within 30 days for amendment, and to incorporate any amendments as directed by Covered Entity, pursuant to 45 CFR 164.526.

9.3 Accounting of Disclosures

Business Associate agrees to:

  • Document disclosures of PHI as required for Covered Entity to respond to Individual requests for an accounting of disclosures under 45 CFR 164.528;
  • Make information about disclosures available to Covered Entity within 30 days of a request;
  • Maintain documentation of disclosures for at least 6 years from the date of disclosure.

9.4 Restrictions

Business Associate agrees to comply with any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, provided that Covered Entity notifies Business Associate of such restriction.

9.5 Confidential Communications

Business Associate agrees to accommodate reasonable requests for confidential communications of PHI by alternative means or at alternative locations.

10. Audit and Compliance

10.1 Books and Records

Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Regulations.

10.2 Covered Entity Audit

Upon reasonable notice (at least 30 days), Business Associate shall permit Covered Entity or its designated agent to conduct an audit of Business Associate's compliance with this BAA, subject to:

  • Audits during normal business hours;
  • Confidentiality obligations regarding Business Associate's proprietary information;
  • No more than one audit per 12-month period (unless required by the Secretary).

10.3 Alternative Documentation

Business Associate may satisfy audit requirements by providing:

  • Third-party security assessments or certifications (e.g., SOC 2, HITRUST);
  • Completed HIPAA security questionnaires;
  • Documentation of policies and procedures.

11. Term and Termination

11.1 Term

This BAA shall be effective as of the Effective Date and shall terminate when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended in accordance with Section 11.3.

11.2 Termination for Cause

Covered Entity may terminate this BAA and the Underlying Agreement if Covered Entity determines that Business Associate has violated a material term of this BAA and Business Associate has not cured the breach or ended the violation within 30 days of written notice.

11.3 Return or Destruction of PHI

Upon termination of this BAA, Business Associate shall, at Covered Entity's election:

  • Return all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity; or
  • Destroy all such PHI and provide certification of destruction.

This provision shall apply to PHI in the possession of Subcontractors. Business Associate shall retain no copies of the PHI.

11.4 Infeasibility of Return or Destruction

If return or destruction of PHI is infeasible, Business Associate shall:

  • Extend the protections of this BAA to such PHI;
  • Limit further uses and disclosures to those purposes that make the return or destruction infeasible;
  • Return or destroy such PHI when return or destruction becomes feasible.

11.5 Survival

The obligations of Business Associate under Sections 11.3 and 11.4 shall survive termination of this BAA.

12. Miscellaneous Provisions

12.1 Regulatory References

A reference in this BAA to a section in the HIPAA Regulations means the section as in effect or as amended.

12.2 Amendment

The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Regulations and any other applicable law.

12.3 Interpretation

Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Regulations.

12.4 Indemnification

Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any claims, losses, damages, penalties, fines, or expenses arising out of or related to Business Associate's breach of this BAA or violation of the HIPAA Regulations.

12.5 No Third Party Beneficiaries

Nothing in this BAA shall confer upon any person other than the Parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever.

12.6 Entire Agreement

This BAA, together with the Underlying Agreement, constitutes the entire agreement between the Parties regarding the subject matter hereof and supersedes all prior agreements and understandings.

12.7 Governing Law

This BAA shall be governed by and construed in accordance with federal law, including HIPAA and the HITECH Act. To the extent federal law does not preempt state law, this BAA shall be governed by the laws of the State of [Covered Entity's State].

Execution

IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the Effective Date.

COVERED ENTITY:
[Healthcare Organisation Name]

By: ____________________________
Name:
Title:
Date:

BUSINESS ASSOCIATE:
Slay Pty Ltd trading as PreConsult

By: ____________________________
Name:
Title:
Date:

Request a Customised BAA

This template is provided for reference. To receive a customised Business Associate Agreement for your organisation, contact legal@preconsult.ai.
