Business Associate Agreement

Eliverity, LLC — HIPAA Compliance Document

This Business Associate Agreement ("Agreement") is entered into between Eliverity, LLC, a limited liability company ("Business Associate"), and the covered entity identified during account registration ("Covered Entity"), collectively referred to as the "Parties."

This Agreement is incorporated into and made part of the Terms of Service between the Parties governing use of the Eliverity eligibility verification platform ("Service"). In the event of a conflict between this Agreement and any other agreement between the Parties, the terms of this Agreement shall control with respect to Protected Health Information.


Article 1 — Definitions

Unless otherwise defined herein, capitalized terms shall have the meanings set forth in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 C.F.R. Parts 160 and 164, as amended.

1.1 "Protected Health Information" or "PHI" means individually identifiable health information, including demographic information, that relates to the past, present, or future physical or mental health of an individual; the provision of health care to an individual; or the past, present, or future payment for health care to an individual, and that identifies or could reasonably be used to identify the individual. For purposes of this Agreement, PHI includes Electronic Protected Health Information ("ePHI").

1.2 "Services" means the Medicaid and insurance eligibility verification, batch processing, audit logging, TRN (Trace Reference Number) capture, OIG exclusion screening, and related functions provided by Eliverity to the Covered Entity through the Eliverity platform.

1.3 "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined at 45 C.F.R. § 164.402.

1.4 "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined at 45 C.F.R. § 164.304.

1.5 "Subcontractor" means a person or entity to whom Business Associate delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI on behalf of Business Associate.


Article 2 — Obligations of Business Associate

2.1 Permitted Uses and Disclosures. Business Associate may only use or disclose PHI as necessary to perform the Services described in this Agreement and the Terms of Service, or as required by law. Business Associate shall not use or disclose PHI in any manner that would violate the requirements of the HIPAA Privacy Rule if done by Covered Entity.

2.2 Prohibited Uses. Business Associate shall not:

  • Use or disclose PHI for any purpose other than as permitted or required by this Agreement;
  • Sell PHI or use PHI for marketing purposes without prior written authorization from Covered Entity;
  • Use or disclose PHI in a manner that violates any applicable federal or state law;
  • Use PHI to create, compile, or transmit data to any third party for purposes unrelated to providing the Services.

2.3 Appropriate Safeguards. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, and to protect the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C). Such safeguards shall include, without limitation:

  • Encryption of all ePHI at rest and in transit using AES-256 or equivalent;
  • Role-based access controls limiting PHI access to authorized personnel only;
  • Multi-tenant data isolation ensuring each practice's data is logically separated;
  • Audit logging of all access to and processing of PHI;
  • Immutable FHIR R4 audit records written to Google Cloud Healthcare API;
  • Regular security assessments and vulnerability remediation;
  • Employee training on HIPAA requirements and data handling procedures.

2.4 Reporting of Breaches and Security Incidents. Business Associate shall:

  • Report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach, in accordance with 45 C.F.R. § 164.410;
  • Report to Covered Entity any Security Incident of which Business Associate becomes aware, including attempted Security Incidents, within 10 business days of discovery;
  • Provide sufficient information for Covered Entity to fulfill its breach notification obligations under 45 C.F.R. §§ 164.404–164.408, including the identification of each individual whose PHI was involved, a description of what occurred, the date of the Breach, and the PHI involved.

2.5 Mitigation. Business Associate shall take prompt steps to mitigate, to the extent practicable, any harmful effects known to Business Associate resulting from a use or disclosure of PHI in violation of this Agreement.

2.6 Subcontractors. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to restrictions and conditions at least as stringent as those that apply to Business Associate under this Agreement. Current Subcontractors with access to PHI include:

  • Google Cloud Platform (Google LLC) — cloud infrastructure, database hosting, and FHIR R4 audit log storage. Google LLC has executed a HIPAA BAA with Eliverity covering Google Cloud services.
  • Availity, LLC — health information network used to submit eligibility inquiries (270 transactions) and receive responses (271 transactions). Availity operates as a HIPAA-covered entity and trading partner.

Business Associate shall notify Covered Entity of any material changes to Subcontractors with access to PHI no later than 30 days prior to such change taking effect.


Article 3 — Individual Rights

3.1 Access. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity within 15 business days of a written request so that Covered Entity may fulfill its obligations under 45 C.F.R. § 164.524 to provide individuals access to their PHI.

3.2 Amendment. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available for amendment and shall incorporate any amendments to PHI directed by Covered Entity pursuant to 45 C.F.R. § 164.526 within 15 business days of a written request.

3.3 Accounting of Disclosures. Business Associate shall document and make available to Covered Entity information required to provide an accounting of disclosures of PHI as required by 45 C.F.R. § 164.528 within 15 business days of a written request. Business Associate maintains a complete audit log of every eligibility inquiry, accessible via the Eliverity platform and exportable in CSV format.

3.4 Minimum Necessary. Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 C.F.R. § 164.514(d).


Article 4 — Obligations of Covered Entity

4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that would affect Business Associate's use or disclosure of PHI.

4.2 Permissions and Restrictions. Covered Entity shall notify Business Associate of any changes in, or revocation of, permissions by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

4.3 Lawful Instructions. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity.

4.4 Accurate Data. Covered Entity represents that all PHI submitted to the Service is accurate and that Covered Entity has a lawful basis for submitting such PHI for eligibility verification purposes.

4.5 Workforce Training. Covered Entity is responsible for ensuring its workforce members who access the Service are trained on applicable HIPAA requirements and this Agreement.


Article 5 — Permitted Uses by Business Associate

Notwithstanding any other provision of this Agreement, Business Associate may:

5.1 Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities;

5.2 Disclose PHI for the proper management and administration of Business Associate, provided that (a) the disclosure is required by law, or (b) Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed;

5.3 Use PHI to provide Data Aggregation services to Covered Entity relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Such aggregation shall only be used to improve the quality and performance of the Services;

5.4 De-identify PHI in accordance with 45 C.F.R. § 164.514(b) and use such de-identified data to improve the Service, train algorithms, or generate aggregate industry benchmarks, provided that such de-identified data can no longer be used to identify an individual.


Article 6 — Term and Termination

6.1 Term. This Agreement shall be effective as of the date Covered Entity accepts this Agreement during account registration and shall remain in effect for the duration of the Services relationship between the Parties, unless earlier terminated as provided herein.

6.2 Termination for Cause. Either Party may terminate this Agreement immediately upon written notice if the other Party materially breaches any provision of this Agreement and fails to cure such breach within 30 calendar days of receiving written notice of the breach.

6.3 Effect of Termination — Return or Destruction of PHI. Upon termination of this Agreement for any reason, Business Associate shall, at the election of Covered Entity:

  • Return all PHI to Covered Entity in a mutually agreed upon format within 30 days of termination; or
  • Destroy all PHI and certify in writing to Covered Entity that all PHI has been destroyed within 30 days of termination.

If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further use or disclosure to those purposes that make the return or destruction of the PHI infeasible, for as long as Business Associate maintains such PHI.

6.4 Survival. The obligations of Business Associate under Section 6.3 and any provision of this Agreement necessary to enforce Section 6.3 shall survive the termination of this Agreement.


Article 7 — Indemnification and Liability

7.1 Business Associate Indemnification. Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any claims, losses, damages, penalties, fines, and reasonable attorneys' fees arising from a Breach of Unsecured PHI caused by Business Associate's failure to comply with its obligations under this Agreement or applicable law.

7.2 Covered Entity Indemnification. Covered Entity shall indemnify, defend, and hold harmless Business Associate from and against any claims, losses, damages, penalties, fines, and reasonable attorneys' fees arising from Covered Entity's failure to comply with its obligations under this Agreement, applicable law, or from inaccurate or unlawfully submitted PHI.

7.3 Limitation of Liability. In no event shall either Party be liable to the other for any indirect, incidental, consequential, or punitive damages arising out of or related to this Agreement, even if advised of the possibility of such damages. Business Associate's total cumulative liability arising out of or related to this Agreement shall not exceed the total fees paid by Covered Entity to Business Associate in the 12 months preceding the claim.


Article 8 — General Provisions

8.1 Amendment. Business Associate may amend this Agreement from time to time to comply with changes in applicable law or regulation. Business Associate shall provide Covered Entity with at least 30 days' written notice of any material amendment. Continued use of the Service after the effective date of an amendment constitutes acceptance of the amended Agreement.

8.2 Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, HITECH, and their implementing regulations. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with applicable law.

8.3 No Third-Party Beneficiaries. Nothing in this Agreement shall confer any rights or remedies upon any person other than the Parties and their respective successors and permitted assigns.

8.4 Governing Law. This Agreement shall be governed by and construed in accordance with the federal laws of the United States applicable to HIPAA and HITECH, and to the extent not preempted by federal law, the laws of the state in which Covered Entity is located.

8.5 Entire Agreement. This Agreement, together with the Eliverity Terms of Service, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, representations, and understandings relating to PHI.

8.6 Severability. If any provision of this Agreement is found to be unenforceable, the remaining provisions shall remain in full force and effect.

8.7 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section in effect or as amended.

8.8 Electronic Acceptance. The Parties agree that electronic acceptance of this Agreement during account registration, including the recording of the accepting party's name, email address, IP address, and timestamp, constitutes a valid and binding signature for all purposes, including legal and regulatory compliance.


Article 9 — Contact Information

All notices, requests, and communications under this Agreement shall be directed to:

Business Associate
Eliverity, LLC
Privacy & Compliance Officer
Email: compliance@eliverity.com
For breach notifications: breaches@eliverity.com

Covered Entity
The practice identified during account registration.
Notices will be sent to the email address on file.

Legal Notice: This Business Associate Agreement template has been prepared by Eliverity, LLC. Covered Entity is encouraged to have this Agreement reviewed by qualified legal counsel prior to execution. By accepting this Agreement during registration, Covered Entity acknowledges that it has had the opportunity to review this Agreement and agrees to be bound by its terms.