This Business Associate Agreement ("BAA") is entered into between the healthcare practice or covered entity ("Covered Entity") subscribing to Lumobot services, and Lumobot LLC ("Business Associate"), collectively referred to as the "Parties."
1. Definitions
Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164). "Protected Health Information" or "PHI" means any information received by Business Associate from or on behalf of Covered Entity that relates to the past, present, or future health condition of an individual, the provision of health care, or payment for health care, and that identifies the individual or could reasonably be used to identify the individual.
2. Obligations of Business Associate
Business Associate shall:
- Not use or disclose PHI other than as permitted by this BAA or as required by law
- Implement administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI
- Report any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any security incident or breach of unsecured PHI
- Ensure that any sub-processors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions
- Make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations under HIPAA
- Make its internal practices, records, and books relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance
- Maintain an audit log of all access to PHI, including the identity of the person accessing the data, the date and time, and the nature of the access
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI solely for the following purposes:
- To provide the chatbot and lead management services described in the service agreement
- To process conversations through AI systems for the purpose of generating responses
- For the proper management and administration of the Business Associate
- As required by law
4. Safeguards
Business Associate shall implement and maintain safeguards including:
- Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
- Application-layer encryption for sensitive credentials (AES-256-GCM)
- Role-based access controls with Row-Level Security
- Immutable audit logging of all PHI access
- PHI-free notifications (email and SMS contain no patient data)
- Regular security assessments and vulnerability monitoring
5. Breach Notification
Business Associate shall report to Covered Entity any breach of unsecured PHI within 24 hours of discovery. The notification shall include: (a) identification of each individual whose PHI has been or is believed to have been accessed, (b) a description of the breach, (c) steps taken to mitigate harm, and (d) corrective actions planned.
6. Term and Termination
This BAA remains in effect for the duration of the service agreement. Upon termination:
- Business Associate shall return or destroy all PHI received from Covered Entity
- If return or destruction is not feasible, protections are extended to the retained PHI
- Covered Entity may export all data prior to termination
- Business Associate shall certify destruction of PHI upon request
7. Sub-processors
Business Associate uses the following sub-processors that may have access to PHI. Business Associate maintains agreements with each that impose equivalent obligations:
- Supabase — Database hosting and authentication
- Anthropic — AI language model processing
- Vercel — Application hosting infrastructure
Email (Resend) and SMS (Twilio) services do not receive PHI — notifications contain only non-identifying alerts with dashboard links.
8. Obligations of Covered Entity
Covered Entity shall:
- Obtain any necessary consents or authorizations from individuals before sharing PHI through the chatbot
- Notify Business Associate of any restrictions on the use or disclosure of PHI
- Not request Business Associate to use or disclose PHI in any manner that would violate HIPAA
Request a Signed BAA
To execute this BAA for your practice, please contact us. We will send a countersigned copy for your records within 2 business days.
Request BAA → mike@lumobot.io