
HIPAA Business Associate Agreement

Last updated: [Insert date]

This HIPAA Business Associate Agreement (“BAA”) is entered into by and between:

  • Covered Entity: The dental practice or organisation that creates an account and uses the Services in the United States (“Customer” or “Practice”)
  • Business Associate: Outlook Aesthetics Ltd trading as Dentistry Dashboard and MyFormatic (“Dentistry Dashboard”, “we”, “us”)

This BAA applies only to United States customers that are Covered Entities under HIPAA and only to the extent Dentistry Dashboard creates, receives, maintains, or transmits Protected Health Information on behalf of the Covered Entity.

By clicking “I agree” to this BAA during signup, purchase, or feature activation, or by otherwise using the Services with Protected Health Information after being presented with this BAA, the Covered Entity agrees to the terms below.

1. Background and Scope

1.1 This BAA governs the parties’ obligations regarding Protected Health Information (“PHI”) that Dentistry Dashboard handles on behalf of Covered Entity in connection with the Services.

1.2 This BAA is intended to satisfy the requirements of 45 CFR 164.502(e) and 45 CFR 164.504(e).

1.3 If there is a conflict between this BAA and any other agreement between the parties regarding PHI, this BAA controls to the extent of the conflict.

2. Definitions

2.1 Terms used but not defined in this BAA have the meanings set out in HIPAA, including the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and HITECH.

2.2 “Business Associate” and “Subcontractor” have the meanings set out at 45 CFR 160.103.

2.3 “Protected Health Information” and “Unsecured PHI” have the meanings set out in HIPAA and its implementing regulations.

2.4 “Breach” has the meaning in 45 CFR 164.402.

3. Permitted Uses and Disclosures of PHI

3.1 Except as otherwise limited in this BAA, Business Associate may use and disclose PHI to perform its obligations and provide the Services for Covered Entity, including:

  • a. Hosting, storing, transmitting, backing up, and displaying PHI as directed by Covered Entity or its Users
  • b. Processing PHI to provide product functionality, including transcription, note drafting, document generation, task management, and related features selected by Covered Entity
  • c. Providing customer support, troubleshooting, security monitoring, fraud prevention, and service improvement activities, provided that such activities are consistent with HIPAA and this BAA
  • d. Disclosing PHI to Subcontractors as necessary to provide the Services, provided the Subcontractors are bound as described in Section 6

3.2 Business Associate may use PHI for proper management and administration of Business Associate or to carry out its legal responsibilities, provided that disclosures for those purposes are only made as permitted by HIPAA.

3.3 Business Associate may de-identify PHI only in accordance with HIPAA de-identification requirements and may use and disclose de-identified information for lawful purposes.

3.4 Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except as expressly permitted in this BAA.

4. Prohibited Uses and Disclosures

4.1 Business Associate shall not sell PHI or use PHI for marketing in a manner prohibited by HIPAA.

4.2 Business Associate shall not use PHI for training public models or for any purpose not required to provide the Services, unless authorised by Covered Entity in writing and permitted by HIPAA.

5. Safeguards

5.1 Business Associate shall implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI in accordance with the HIPAA Security Rule.

5.2 Business Associate shall implement reasonable and appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA.

6. Subcontractors

6.1 Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions that are at least as protective as those in this BAA, as required by HIPAA.

7. Reporting and Incident Notification

7.1 Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware, without unreasonable delay.

7.2 Business Associate shall report to Covered Entity any Security Incident involving PHI of which it becomes aware, and shall provide information reasonably requested by Covered Entity to support Covered Entity's compliance.

7.3 Breach notification

  • a. Business Associate shall notify Covered Entity of any Breach of Unsecured PHI as required by 45 CFR 164.410.
  • b. Such notice shall be made without unreasonable delay and in no case later than sixty (60) days after discovery, and shall include, to the extent available, the information Covered Entity needs to comply with 45 CFR 164.404 and 45 CFR 164.406.

8. Access, Amendment, and Accounting

8.1 Access: To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available to Covered Entity or as directed by Covered Entity to satisfy Covered Entity’s obligations under 45 CFR 164.524.

8.2 Amendment: To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available for amendment and incorporate amendments as directed by Covered Entity to satisfy Covered Entity’s obligations under 45 CFR 164.526.

8.3 Accounting of disclosures: Business Associate shall document disclosures of PHI and provide information reasonably necessary for Covered Entity to respond to a request for an accounting of disclosures under 45 CFR 164.528, to the extent applicable.

9. Minimum Necessary

Business Associate shall, where applicable, use, disclose, and request only the minimum necessary PHI to accomplish the intended purpose, consistent with HIPAA requirements.

10. Availability to HHS

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the US Department of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA, as required by 45 CFR 164.504(e).

11. Term and Termination

11.1 Term: This BAA becomes effective on the date the Covered Entity accepts it and remains in effect until terminated as provided below.

11.2 Termination for cause: If Covered Entity determines that Business Associate has materially breached this BAA, Covered Entity may provide notice and an opportunity to cure. If not cured within a reasonable time, Covered Entity may terminate this BAA and the Services.

11.3 Obligations upon termination: Upon termination of this BAA for any reason, Business Associate shall, at Covered Entity's option and to the extent feasible, return or destroy all PHI that Business Associate maintains in any form. If return or destruction is not feasible, Business Associate shall continue to protect the PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

12. Miscellaneous

12.1 Regulatory references: A reference in this BAA to a section in the CFR means the section as in effect or as amended.

12.2 Interpretation: This BAA shall be interpreted to permit Covered Entity and Business Associate to comply with HIPAA.

12.3 No third-party beneficiaries: Nothing in this BAA creates any rights in any third party.

12.4 Notices: HIPAA-related notices under this BAA must be sent to:

Dentistry Dashboard HIPAA Contact: [Insert name or role]

Email: [Insert HIPAA notice email]

Address: [Insert US notice address if you use one, otherwise UK address]

13. Priority and Incorporation

13.1 This BAA may be incorporated by reference into the US Terms and Conditions for Dentistry Dashboard. Acceptance of the US Terms that incorporate this BAA constitutes acceptance of this BAA.

13.2 If you do not agree to this BAA, you must not use the Services with PHI.

Questions About This BAA?

If you have any questions about this Business Associate Agreement or need to request a signed copy, please contact us:

Email: info@dentistrydashboard.com