Business Associate Agreement.

IntakeBella's commitment to HIPAA compliance and the protection of your patients' data.

Effective Date: February 1, 2026

This Business Associate Agreement ("BAA") is entered into by and between the entity identified below ("Covered Entity") and IntakeBella ("Business Associate"), collectively referred to as the "Parties." This BAA supplements and is made a part of the Service Agreement between the Parties and is intended to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 C.F.R. Parts 160 and 164.

1. Definitions

For purposes of this BAA, the following terms shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meanings assigned to them under HIPAA, HITECH, and their implementing regulations.

  • Business Associate means IntakeBella, which creates, receives, maintains, or transmits Protected Health Information on behalf of the Covered Entity in connection with the services provided under the Service Agreement.
  • Covered Entity means the health care provider, health plan, or health care clearinghouse that executes this BAA and is subject to the HIPAA Privacy and Security Rules.
  • Protected Health Information (PHI) means individually identifiable health information, as defined in 45 C.F.R. Section 160.103, that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • Electronic Protected Health Information (ePHI) means Protected Health Information that is transmitted or maintained in electronic media, as defined in 45 C.F.R. Section 160.103.
  • Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. Section 164.304.
  • Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 C.F.R. Section 164.402.

2. Obligations of Business Associate

Business Associate agrees to the following obligations with respect to PHI received from, or created or received on behalf of, Covered Entity:

2.1 Use and Disclosure Restrictions

Business Associate shall not use or disclose PHI except as permitted or required by this BAA, the Service Agreement, or as required by law. Business Associate shall not use or disclose PHI in a manner that would violate the requirements of the HIPAA Privacy Rule if done by the Covered Entity.

2.2 Appropriate Safeguards

Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. These safeguards include, but are not limited to:

  • AES-256 encryption for all PHI at rest in storage systems
  • TLS 1.3 encryption for all PHI in transit
  • Role-based access controls limiting PHI access to authorized personnel only
  • Comprehensive audit logging of all access to, and modifications of, PHI
  • Multi-factor authentication for all systems containing PHI
  • Regular vulnerability assessments and penetration testing

2.3 Reporting of Security Incidents and Breaches

Business Associate shall report to Covered Entity any Security Incident or Breach of unsecured PHI of which Business Associate becomes aware. Such report shall be made without unreasonable delay and in no event later than twenty-four (24) hours after discovery. The report shall include, to the extent available: identification of each individual whose PHI has been or is reasonably believed to have been affected; a description of the nature of the incident; the date of discovery; the steps being taken to investigate and mitigate the incident; and contact information for further inquiries.

2.4 Subcontractors

Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to such PHI. Business Associate shall enter into a written agreement with each such subcontractor that contains terms no less restrictive than those set forth in this BAA.

2.5 Access to PHI

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within thirty (30) days of a request from Covered Entity, make available PHI to Covered Entity or, as directed by Covered Entity, to an individual, in order to satisfy Covered Entity's obligations under 45 C.F.R. Section 164.524. Business Associate shall provide such PHI in the form and format requested by the individual, if readily producible, or in a mutually agreed-upon alternative format.

2.6 Amendment of PHI

Business Associate shall, within thirty (30) days of receiving a request from Covered Entity, make any amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 C.F.R. Section 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under that section.

2.7 Accounting of Disclosures

Business Associate shall maintain and make available to Covered Entity or an individual the information required to provide an accounting of disclosures in accordance with 45 C.F.R. Section 164.528. Business Associate shall maintain such information for at least six (6) years from the date of disclosure.

2.8 Return or Destruction of PHI

Upon termination of this BAA or the Service Agreement, or upon request of the Covered Entity, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Business Associate shall retain no copies of PHI except as required by law. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as follows:

  • To perform services under the Service Agreement, including but not limited to fax reception, AI-powered document classification, routing, delivery, and storage services.
  • As required by law, including but not limited to compliance with court orders, subpoenas, or other legal process, or as otherwise required by applicable federal or state law.
  • For the proper management and administration of Business Associate, provided that: (i) the disclosure is required by law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

4. Obligations of Covered Entity

  • Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices in accordance with 45 C.F.R. Section 164.520, to the extent that such limitations may affect Business Associate's use or disclosure of PHI.
  • Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
  • Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity.

5. Term and Termination

5.1 Term

This BAA shall become effective upon the date of electronic execution by the Covered Entity and shall remain in effect for the duration of the Service Agreement between the Parties, unless sooner terminated in accordance with this Section.

5.2 Termination for Cause

Either Party may terminate this BAA if it determines that the other Party has materially breached a provision of this BAA. The non-breaching Party shall provide the breaching Party with written notice of the breach and afford the breaching Party thirty (30) days to cure the breach. If the breach is not cured within the thirty (30) day cure period, the non-breaching Party may terminate this BAA and the Service Agreement.

5.3 Effect of Termination

Upon termination of this BAA, Business Associate shall comply with Section 2.8 regarding the return or destruction of PHI. The obligations of Business Associate under this BAA shall survive the termination of this BAA with respect to any PHI that Business Associate retains after termination.

6. IntakeBella Security Commitments

In addition to the safeguards described in Section 2.2, IntakeBella commits to maintaining the following security measures for the protection of PHI:

  • AES-256 encryption at rest for all stored documents, fax images, extracted text, and associated metadata containing PHI
  • TLS 1.3 encryption in transit for all data transmissions between clients, servers, and third-party services
  • Role-based access controls ensuring only authorized personnel and systems can access PHI based on their specific role and need-to-know
  • Comprehensive audit logging on all PHI access, including user identity, timestamp, action performed, and data accessed, with logs retained for a minimum of six (6) years
  • 10-year document retention policy for all faxes and associated documents, ensuring long-term availability for compliance and audit purposes
  • Annual security assessments including risk analyses, vulnerability scans, and penetration testing conducted by qualified security professionals
  • Incident response initiated within 24 hours of discovery by a dedicated incident response team following documented procedures, with notification to affected Covered Entities within the timeframe specified in Section 2.3

7. Miscellaneous

7.1 Regulatory References

Any reference in this BAA to a section of HIPAA, HITECH, or their implementing regulations shall mean the section as in effect or as amended. This BAA shall be interpreted in a manner consistent with applicable HIPAA and HITECH requirements.

7.2 Amendment

The Parties agree to take such action as is necessary to amend this BAA to comply with the requirements of HIPAA, HITECH, and any other applicable law. No amendment to this BAA shall be effective unless agreed to in writing by both Parties.

7.3 Governing Law

This BAA shall be governed by and construed in accordance with applicable federal law, including HIPAA and HITECH, and the laws of the State of Texas, without regard to conflict of law principles.

7.4 Entire Agreement

This BAA, together with the Service Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, and agreements relating to this subject matter.

Electronic Signature

By completing and signing below, you acknowledge that you have read and agree to the terms of this Business Associate Agreement on behalf of your organization.