
Patient Prevue

Business Associate Agreement

HIPAA Business Associate Agreement between Covered Entity and Patient Prevue, LLC

Effective Date: Upon electronic acceptance

HIPAA COMPLIANCE NOTICE

This Business Associate Agreement (“BAA”) is entered into by and between the healthcare provider registering for the Platform (“Covered Entity”) and Patient Prevue, LLC (“Business Associate”), and is effective as of the date of electronic acceptance. This BAA supplements and is incorporated into the Terms of Service Agreement.

1. RECITALS

WHEREAS, Covered Entity is a healthcare provider subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the regulations promulgated thereunder at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”);

WHEREAS, Business Associate provides a health information technology platform (the “Platform”) that may involve the creation, receipt, maintenance, or transmission of Protected Health Information (“PHI”) on behalf of Covered Entity;

WHEREAS, the parties desire to enter into this BAA to comply with the requirements of the HIPAA Rules, including 45 C.F.R. Section 164.502(e) and Section 164.504(e);

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:

2. DEFINITIONS

All capitalized terms used but not otherwise defined in this BAA shall have the meanings set forth in the HIPAA Rules. For purposes of this BAA:

  • “Protected Health Information” or “PHI” means individually identifiable health information, including electronic protected health information (“ePHI”), that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity through use of the Platform.
  • “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of such PHI, as defined in 45 C.F.R. Section 164.402.
  • “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. Section 164.304.
  • “Required by Law” has the meaning set forth in 45 C.F.R. Section 164.103.
  • “Subcontractor” means a person or entity to whom Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.

3. OBLIGATIONS OF BUSINESS ASSOCIATE

3.1 Permitted Uses and Disclosures

Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as Required by Law. Business Associate is authorized to use and disclose PHI solely for the following purposes:

  • To perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Terms of Service, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity;
  • For the proper management and administration of Business Associate, provided that any disclosures are Required by Law or Business Associate obtains reasonable assurances that the information will be held confidentially;
  • To de-identify PHI in accordance with 45 C.F.R. Section 164.514(a)-(c);
  • To provide data aggregation services to Covered Entity as permitted by 45 C.F.R. Section 164.504(e)(2)(i)(B);
  • To report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. Section 164.502(j)(1).

3.2 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in compliance with 45 C.F.R. Part 164, Subpart C. These safeguards include, but are not limited to:

  • Encryption of ePHI at rest and in transit using AES-256 or equivalent standards;
  • Access controls including unique user identification, automatic logoff, and role-based access;
  • Audit controls that record and examine activity in systems containing ePHI;
  • Integrity controls to protect ePHI from improper alteration or destruction;
  • Transmission security measures including encryption and integrity controls;
  • Regular risk assessments and vulnerability testing.

3.3 Reporting of Security Incidents and Breaches

Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware. Business Associate shall report any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach.

Such report shall include, to the extent available:

  • Identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
  • A description of the nature of the Breach, including types of PHI involved;
  • A description of what Business Associate is doing to investigate, mitigate losses, and protect against further Breaches;
  • Contact information for individuals who can provide additional information.

3.4 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to such PHI, in accordance with 45 C.F.R. Sections 164.502(e)(1)(ii) and 164.308(b)(2).

3.5 Access to PHI

Business Associate shall make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, as necessary to satisfy Covered Entity's obligations under 45 C.F.R. Section 164.524. Business Associate shall respond to any such request within fifteen (15) business days.

3.6 Amendment of PHI

Business Associate shall make PHI available for amendment and shall incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 C.F.R. Section 164.526.

3.7 Accounting of Disclosures

Business Associate shall maintain and make available the information required to provide an accounting of disclosures to Covered Entity or an Individual, in accordance with 45 C.F.R. Section 164.528. Business Associate shall maintain such information for a period of six (6) years from the date of the disclosure.

3.8 Availability of Books and Records

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules, in accordance with 45 C.F.R. Section 164.504(e)(2)(ii)(H).

3.9 Minimum Necessary Standard

Business Associate shall, to the extent practicable, limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 C.F.R. Section 164.502(b) and the HITECH Act Section 13405(b).

4. OBLIGATIONS OF COVERED ENTITY

Covered Entity agrees to:

  • Notify Business Associate of any limitations in Covered Entity's Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI;
  • Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's permitted uses and disclosures;
  • Notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. Section 164.522, to the extent that such restriction may affect Business Associate's permitted uses and disclosures;
  • Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as permitted for data aggregation or management and administrative activities of Business Associate;
  • Obtain any necessary consents, authorizations, or other permissions required under applicable law prior to providing PHI to Business Associate through the Platform.

5. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

5.1 Platform Operations

Business Associate may use and disclose PHI as necessary to perform functions, activities, and services as described in the Terms of Service, including but not limited to: processing patient intake questionnaires, generating AI-assisted clinical summaries, facilitating secure communication between providers and patients, and storing clinical documents.

5.2 AI Processing of PHI

Covered Entity acknowledges and agrees that the Platform uses artificial intelligence and automated processing technologies to analyze PHI for the purposes described in the Terms of Service. Business Associate shall ensure that AI processing of PHI complies with the safeguards described in Section 3.2 and the minimum necessary standard described in Section 3.9.

5.3 De-Identification

Business Associate may use PHI to create de-identified health information in accordance with 45 C.F.R. Section 164.514(a)-(c). De-identified information is not subject to the terms of this BAA.

6. TERM AND TERMINATION

6.1 Term

This BAA shall be effective upon electronic acceptance and shall remain in effect for the duration of the Terms of Service, unless earlier terminated as provided herein.

6.2 Termination for Cause

Either party may terminate this BAA if it determines that the other party has violated a material term of this BAA and the breaching party has not cured the violation within thirty (30) days after receiving written notice of the violation. If cure is not feasible, the non-breaching party may terminate this BAA immediately.

6.3 Obligations Upon Termination

Upon termination of this BAA, Business Associate shall, at the direction of Covered Entity:

  • Return or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate still maintains in any form;
  • Retain no copies of the PHI, except as required for Business Associate's proper management and administration or as Required by Law;
  • If return or destruction is not feasible, extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

6.4 Survival

The obligations of Business Associate under Sections 3.2, 3.3, 3.7, and 6.3 shall survive the termination of this BAA.

7. MISCELLANEOUS

7.1 Regulatory References

Any reference in this BAA to a section of the HIPAA Rules means the section as in effect or as amended. All references to regulatory provisions include any successor provisions.

7.2 Amendment

The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the HIPAA Rules and any other applicable law. Business Associate may amend this BAA by providing notice through the Platform or via email, and Covered Entity's continued use of the Platform following such notice constitutes acceptance of the amended BAA.

7.3 Interpretation

Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules. In the event of a conflict between the terms of this BAA and the Terms of Service, the terms of this BAA shall prevail with respect to the protection of PHI.

7.4 No Third-Party Beneficiaries

Nothing in this BAA shall confer upon any person other than the parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever.

7.5 Governing Law

This BAA shall be governed by federal law, including the HIPAA Rules. To the extent not preempted by federal law, this BAA shall be governed by the laws of the state in which Patient Prevue, LLC is organized.

7.6 Indemnification

Each party shall indemnify and hold harmless the other party from any claims, losses, damages, penalties, fines, or expenses (including reasonable attorneys' fees) arising from the indemnifying party's breach of its obligations under this BAA.

7.7 Electronic Acceptance

The parties agree that electronic acceptance of this BAA through the Platform's registration process constitutes a valid and binding execution of this BAA, with the same force and effect as a manually signed document, in accordance with the Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. Section 7001 et seq.) and applicable state electronic signature laws.

8. CONTACT INFORMATION

For questions, concerns, or notifications under this BAA, please contact:

Patient Prevue, LLC — Privacy Officer

Email: privacy@patientprevue.com

Questions? Email us at support@patientprevue.com — or for urgent inquiries, call +1 (870) 374-7321

© 2026 Patient Prevue, LLC. All rights reserved.
