HIPAA Business Associate Agreement

Scheduling Services

This Business Associate Agreement ("Agreement" or "BAA") is entered into by and between Finit Systems Inc., a corporation organized under the laws of the State of New York ("Business Associate"), operator of the EZAppointo scheduling platform, and Covered Entity, the healthcare provider, organization, or customer executing or accepting this Agreement ("Covered Entity").

This Agreement is effective as of the Effective Date of the applicable Subscription Agreement, Terms of Service, Master Services Agreement, or other underlying service agreement between the parties ("Underlying Agreement").

1. PURPOSE

The purpose of this Agreement is to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and HITECH Act, as applicable to the limited services provided by Business Associate.

Business Associate provides EZAppointo as a scheduling and appointment coordination platform and not as an electronic health record system, medical records repository, medical billing platform, or clinical documentation system.

2. DEFINITIONS

Terms used but not otherwise defined in this Agreement shall have the meanings assigned under HIPAA.

2.1 Protected Health Information ("PHI")

For purposes of this Agreement, PHI is limited to information created, received, transmitted, or maintained by Business Associate on behalf of Covered Entity in connection with scheduling services, including:

  • patient first and last name
  • phone number
  • email address
  • appointment scheduling information
  • provider assignment information
  • appointment timing and availability information

PHI does not include medical records, diagnoses, treatment histories, prescriptions, laboratory data, imaging, psychotherapy notes, insurance claims data, or clinical charting information unless voluntarily entered by Covered Entity personnel or end users into open-text fields.

2.2 Security Incident

"Security Incident" shall have the meaning defined under 45 CFR §164.304.

2.3 Breach

"Breach" shall have the meaning defined under 45 CFR §164.402.

3. PERMITTED USES AND DISCLOSURES

Business Associate may use and disclose PHI solely:

  • to provide scheduling and appointment coordination services;
  • to operate, maintain, support, secure, and improve the EZAppointo platform;
  • as required by law; or
  • as otherwise permitted under HIPAA.

Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.

NEW — Added to satisfy 45 CFR §164.504(e)(2)(ii)(E): Business Associate's minimum necessary obligation was absent from the prior draft.

Business Associate shall request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose of providing the Services, consistent with the HIPAA Rules and applicable guidance issued by the Secretary.

4. LIMITATION OF PLATFORM PURPOSE

Covered Entity acknowledges and agrees that:

  • EZAppointo is designed solely for scheduling and appointment coordination functions;
  • EZAppointo is not intended to function as an electronic health record system, medical charting system, or long-term PHI repository;
  • Covered Entity shall not intentionally upload or store clinical records, diagnoses, treatment histories, prescriptions, laboratory results, imaging, or other unnecessary medical information within the platform.

Business Associate does not provide medical advice, diagnosis, treatment recommendations, emergency services, or clinical decision-making functionality.

5. INCIDENTAL PHI IN OPEN TEXT FIELDS

Covered Entity acknowledges that patients or users may voluntarily include incidental PHI in appointment notes, intake comments, or other open-text fields despite platform restrictions.

Covered Entity agrees to:

  • limit PHI collection to the minimum necessary;
  • avoid requesting unnecessary clinical details through scheduling workflows; and
  • train its workforce appropriately regarding permissible platform usage.

Business Associate shall apply HIPAA-compliant safeguards to such incidental PHI to the extent received or maintained within the platform.

6. SAFEGUARDS

Business Associate shall implement reasonable and appropriate administrative, physical, and technical safeguards designed to protect PHI, including:

  • encryption of PHI in transit using TLS;
  • encryption of PHI at rest;
  • role-based access controls;
  • authentication and access management procedures;
  • secure backup procedures;
  • audit logging and monitoring;
  • incident response procedures; and
  • workforce confidentiality obligations.

7. SUBCONTRACTORS

Business Associate may use subcontractors, subprocessors, cloud hosting providers, infrastructure providers, communication providers, or other third parties in connection with operation of the platform.

Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to implement appropriate safeguards as required by HIPAA, in accordance with 45 CFR §§164.314(a) and 164.504(e).

8. SECURITY INCIDENTS AND BREACH NOTIFICATION

8.1 Impermissible Use or Disclosure — Reporting

NEW — Added to satisfy 45 CFR §164.504(e)(2)(ii)(C): The prior draft only covered Security Incidents and Breaches. HIPAA separately requires reporting of any impermissible use or disclosure.

Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement of which Business Associate becomes aware, without unreasonable delay and in no event later than fifteen (15) business days after discovery.

8.2 Security Incidents

Business Associate shall report known Security Incidents involving PHI to Covered Entity within fifteen (15) business days after confirmation of such incident.

The parties acknowledge that this Section constitutes notice of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that do not result in unauthorized access, use, disclosure, modification, loss, or destruction of PHI (such as pings, port scans, unsuccessful log-on attempts, and similar network events). Business Associate shall provide additional detail regarding such events upon reasonable written request.

8.3 Breach Notification

Business Associate shall notify Covered Entity without unreasonable delay and no later than sixty (60) calendar days after discovery of a Breach involving unsecured PHI, as required under 45 CFR §164.410(b).

Such notification shall include, to the extent known:

  • the nature of the Breach;
  • the categories of information involved;
  • corrective actions taken; and
  • recommended mitigation steps.

9. ACCESS, AMENDMENT, AND ACCOUNTING

NEW — Revised to remove the prior 'commercially reasonable' qualifier, which is inconsistent with HIPAA's mandatory patient rights under 45 CFR §§164.524, 164.526, 164.528. Scope protection is achieved through the Designated Record Set limitation instead.

9.1 Access

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity, in a manner consistent with 45 CFR §164.524, so that Covered Entity may fulfill Individual access requests. If an Individual submits an access request directly to Business Associate, Business Associate shall promptly forward such request to Covered Entity. Covered Entity is responsible for responding to such requests.

9.2 Amendment

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available for amendment and shall incorporate amendments as directed by Covered Entity in accordance with 45 CFR §164.526. If an Individual submits an amendment request directly to Business Associate, Business Associate shall promptly forward such request to Covered Entity.

9.3 Accounting of Disclosures

Business Associate shall document disclosures of PHI and make such documentation available to Covered Entity within ten (10) business days after receipt of a written request, to the extent required for Covered Entity to respond to an accounting of disclosures request under 45 CFR §164.528. Documentation shall include: (a) the date of the disclosure; (b) the name and address of the recipient; (c) a brief description of the PHI disclosed; and (d) the purpose of and basis for the disclosure. This obligation applies only to disclosures for which an accounting is required under HIPAA.

10. GOVERNMENT ACCESS

NEW — Added to satisfy 45 CFR §164.504(e)(2)(ii)(H): This mandatory provision was entirely absent from the prior draft. Government audit access is a non-waivable HIPAA requirement.

Business Associate shall make its internal practices, books, records, policies, and procedures relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules. No attorney-client or other legal privilege shall be deemed waived by Business Associate solely by virtue of compliance with this provision.

11. TERM AND TERMINATION

This Agreement shall remain in effect for as long as Business Associate maintains PHI on behalf of Covered Entity.

Either party may terminate this Agreement if the other party materially breaches this Agreement and fails to cure such breach within thirty (30) days after written notice.

12. RETURN OR DESTRUCTION OF PHI

Upon termination of the Underlying Agreement, Business Associate shall delete or destroy PHI maintained in active production systems within a commercially reasonable timeframe, except where retention is required by law or technically infeasible.

Covered Entity acknowledges that:

  • residual copies of PHI may remain temporarily within encrypted backup systems, disaster recovery archives, immutable storage systems, or automated backup media;
  • immediate selective deletion from such systems may be technically infeasible;
  • retained backup data shall remain protected under the safeguards of this Agreement; and
  • such backup data shall be permanently deleted in accordance with Business Associate's standard retention and overwrite schedules.

Business Associate shall not access retained backup PHI except as necessary for disaster recovery, legal compliance, or security purposes.

NEW — Added to satisfy 45 CFR §164.504(e)(2)(ii)(J): The prior draft lacked an explicit survival clause for PHI retained post-termination.

Business Associate's obligations under this Agreement regarding PHI retained after termination, including all safeguards, use limitations, and disclosure restrictions, shall survive termination of this Agreement and remain in full force and effect until such retained PHI is permanently deleted or destroyed.

13. LIMITATION OF LIABILITY

This Agreement does not create any separate or additional liability obligations beyond those set forth in the Underlying Agreement.

Any limitations of liability, disclaimers, indemnification provisions, damage caps, arbitration clauses, or exclusions of damages contained in the Underlying Agreement shall apply to this Agreement to the fullest extent permitted by law.

14. GOVERNING LAW

This Agreement shall be governed by and construed in accordance with:

  • the governing law specified in the Underlying Agreement; or
  • if none is specified, the laws of the State of New York, without regard to conflict-of-law principles.

15. NOTICES

All notices under this Agreement shall be sent to the addresses specified in the Underlying Agreement or to:

Business Associate

Finit Systems Inc. d/b/a EZAppointo

Email: info@finitsystems.com

16. REGULATORY REFERENCES

A reference in this Agreement to a section of HIPAA means the section as currently in effect or as amended. Upon the effective date of any regulation or binding guidance that amends HIPAA and is applicable to this Agreement, the relevant obligations shall automatically update to remain in compliance.

17. ENTIRE AGREEMENT

This Agreement supplements and forms part of the Underlying Agreement between the parties. To the extent of any conflict between this Agreement and the Underlying Agreement regarding PHI obligations, this Agreement shall control solely with respect to HIPAA compliance obligations.

Finit Systems Inc. d/b/a EZAppointo — HIPAA Business Associate Agreement — Scheduling Services

This document should be reviewed by qualified healthcare counsel before execution.