This Business Associate Agreement ("BAA") is entered into by and between ChiroInABox, Inc. ("Business Associate") and you, the healthcare provider or covered entity ("Covered Entity") using the ChiroInABox platform. This Agreement supplements your Terms of Service and governs the handling of Protected Health Information (PHI).
Important Notice
By signing up for ChiroInABox, you agree to this Business Associate Agreement. A signed copy of this BAA can be requested for your records by contacting our compliance team at compliance@chiroinabox.dev.
1. Definitions
For purposes of this Agreement:
- "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended.
- "HITECH" means the Health Information Technology for Economic and Clinical Health Act.
- "Protected Health Information" (PHI) means individually identifiable health information transmitted or maintained in any form or medium.
- "Electronic PHI" (ePHI) means PHI transmitted or maintained in electronic media.
- "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA that compromises the security or privacy of the PHI.
- "Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services in guidance issued under HITECH.
- Capitalized terms used but not otherwise defined in this Agreement (including "Designated Record Set") have the meanings given to them in the HIPAA regulations at 45 CFR Parts 160 and 164.
2. Obligations of Business Associate
2.1 Use and Disclosure
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this Agreement or as required by law
- Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement
- Mitigate, to the extent practicable, any harmful effect from improper use or disclosure of PHI
- Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware
2.2 Safeguards
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect:
- The confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity
- Against any reasonably anticipated threats or hazards to the security or integrity of such information
- Against any reasonably anticipated uses or disclosures not permitted or required under HIPAA
2.3 Reporting
Business Associate shall report to Covered Entity:
- Any Security Incident of which it becomes aware, including those that may not constitute a Breach
- Any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery. A Breach is treated as discovered on the first day on which it is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate
- Any use or disclosure of PHI not provided for by this Agreement
2.4 Subcontractors
Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
2.5 Access Rights
Business Associate shall make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations to provide access to individuals under HIPAA. Business Associate shall make PHI available within 30 days of a request.
2.6 Amendment of PHI
Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity in accordance with HIPAA requirements.
2.7 Accounting of Disclosures
Business Associate shall document and make available to Covered Entity the information required for an accounting of disclosures in accordance with HIPAA. Business Associate shall maintain such records for at least 6 years.
2.8 Access to Books and Records
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI:
- To perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Terms of Service
- For the proper management and administration of Business Associate, provided that any disclosure requires reasonable assurances from the recipient that PHI will be held confidentially
- To provide data aggregation services relating to the healthcare operations of Covered Entity
- As required by law
- To de-identify PHI in accordance with HIPAA requirements
4. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI
- Notify Business Associate of any changes in or revocation of authorization by an individual relating to the use or disclosure of PHI
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA
- Obtain any consents or authorizations required under HIPAA prior to furnishing PHI to Business Associate
5. Term and Termination
5.1 Term
This Agreement shall be effective as of the date you first use the ChiroInABox platform and shall terminate when all PHI is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended.
5.2 Termination for Cause
Either party may terminate this Agreement if the other party has materially breached any provision of this Agreement and fails to cure such breach within 30 days after receiving written notice.
5.3 Effect of Termination
Upon termination of this Agreement, Business Associate shall, if feasible, return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
6. Security Requirements
Business Associate shall implement the following security measures for ePHI:
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Access Controls: Unique user identification, emergency access procedure, automatic logoff, and encryption and decryption
- Audit Controls: Hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use ePHI
- Integrity Controls: Policies and procedures to protect ePHI from improper alteration or destruction
- Transmission Security: Technical security measures to guard against unauthorized access during transmission
- Contingency Planning: Data backup, disaster recovery, and emergency mode operation plans
7. Breach Notification Procedures
In the event of a Breach affecting PHI, Business Associate shall:
- Notify Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovering the Breach
- Provide Covered Entity with identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
- Provide any other information required to be included in the notification to individuals
- Cooperate with Covered Entity in investigating the Breach and mitigating harmful effects
8. Miscellaneous
8.1 Amendments
This Agreement may be amended only with the mutual written consent of the parties. The parties agree to negotiate in good faith to amend this Agreement to comply with changes in HIPAA regulations.
8.2 Survival
The obligations of Business Associate under this Agreement shall survive the termination of this Agreement.
8.3 Interpretation
Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA.
8.4 Regulatory References
References in this Agreement to HIPAA sections or regulations are to such sections or regulations as may be amended from time to time, and include any successor provisions.
9. Contact Information
For questions about this Business Associate Agreement or to request a signed copy:
ChiroInABox, Inc.
Compliance Officer
Email: compliance@chiroinabox.dev
Phone: 1-800-CHIRO-BOX
Address: 123 Healthcare Drive, Suite 500, Wilmington, DE 19801
By using ChiroInABox, you acknowledge that you have read, understood, and agree to be bound by this Business Associate Agreement. This Agreement is incorporated into and forms part of the ChiroInABox Terms of Service.