⚠️ Attorney Review Notice: This BAA template is a working draft and should be reviewed by a qualified healthcare attorney before relying on it for compliance purposes.

Business Associate Agreement

Required for HIPAA-covered entities using HIPAAPal

Effective Date: May 1, 2026

1. Definitions

Business Associate means HIPAAPal (the service provider).

Covered Entity means the healthcare practice subscribing to HIPAAPal.

Protected Health Information (PHI) has the meaning given under 45 CFR § 160.103.

HIPAA Rules means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.

2. Permitted Uses and Disclosures

Business Associate may use and disclose PHI only as necessary to perform compliance management services for Covered Entity, as described in the HIPAAPal Terms of Service. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule.

3. Obligations of Business Associate (HIPAAPal)

  • Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report to Covered Entity any use or disclosure of PHI not provided for in this Agreement within 60 days of discovery
  • Ensure any subcontractors agree to equivalent restrictions on PHI
  • Make PHI available to Covered Entity upon request
  • Return or destroy PHI upon termination of this Agreement

4. Obligations of Covered Entity

  • Notify Business Associate of any restriction on use or disclosure of PHI that affects Business Associate's activities
  • Not request Business Associate to use or disclose PHI in a manner that would violate HIPAA
  • Obtain any necessary patient authorizations before providing PHI to Business Associate

5. Term and Termination

This Agreement is effective upon acceptance and remains in effect for the duration of the HIPAAPal subscription. Either party may terminate upon 30 days' written notice. Upon termination, Business Associate will return or securely destroy all PHI within 90 days.

6. Miscellaneous

This Agreement shall be construed in accordance with applicable federal law. Any ambiguity shall be resolved in favor of a meaning that complies with HIPAA. The parties agree to amend this Agreement as necessary to comply with changes to HIPAA regulations.
