Business Associate Agreement

Last updated: March 12, 2026

This Business Associate Agreement (“BAA”) is entered into by and between the medical spa or aesthetic practice subscribing to GlowScript (“Covered Entity”) and Distinctly Developed LLC, doing business as GlowScript (“Business Associate”). This BAA supplements the Terms of Service and is effective as of the date the Covered Entity accepts the Terms of Service or begins using the platform.

Purpose

The Covered Entity uses GlowScript to manage practice operations, which may involve the creation, receipt, maintenance, or transmission of Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and its implementing regulations including the Privacy Rule, Security Rule, and Breach Notification Rule (45 CFR Parts 160 and 164). This BAA establishes the obligations of the Business Associate with respect to PHI.

Definitions

Terms used in this BAA that are defined in HIPAA shall have the same meaning as set forth in 45 CFR Parts 160 and 164. “PHI” includes any individually identifiable health information created, received, maintained, or transmitted by the Business Associate on behalf of the Covered Entity. “Electronic PHI” (“ePHI”) means PHI that is created, received, maintained, or transmitted in electronic form.

Obligations of the Business Associate

The Business Associate agrees to:

  • Permitted uses only: Not use or disclose PHI other than as permitted by this BAA, the Terms of Service, or as required by law. The Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity.
  • Safeguards: Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in accordance with 45 CFR §§ 164.308, 164.310, and 164.312.
  • Breach reporting: Report to the Covered Entity any use or disclosure of PHI not permitted by this BAA, any Security Incident, or any Breach of Unsecured PHI without unreasonable delay and no later than 60 days after discovery. Reports shall include the identification of each individual whose PHI has been, or is reasonably believed to have been, affected.
  • Subcontractors: Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate under this BAA. Currently, Amazon Web Services (AWS) is the primary subcontractor, operating under an AWS Business Associate Addendum.
  • Access to PHI: Make PHI available to the Covered Entity or, as directed by the Covered Entity, to individuals, in accordance with 45 CFR § 164.524. The platform provides data export features to facilitate this requirement.
  • Amendment of PHI: Make PHI available for amendment and incorporate amendments to PHI as directed by the Covered Entity, in accordance with 45 CFR § 164.526.
  • Accounting of disclosures: Make available the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. The platform maintains audit logs of PHI access for a minimum of six years.
  • HHS access: Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.
  • Minimum necessary: Use, disclose, and request only the minimum amount of PHI necessary to accomplish the purpose of the use, disclosure, or request.

Obligations of the Covered Entity

The Covered Entity agrees to:

  • Notify the Business Associate of any limitations in its Notice of Privacy Practices that may affect the Business Associate's use or disclosure of PHI
  • Notify the Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI
  • Notify the Business Associate of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 CFR § 164.522
  • Obtain all required consents and authorizations from patients before entering PHI into the platform
  • Manage user access and permissions within the platform appropriately and ensure all Authorized Users complete multi-factor authentication enrollment

Permitted Uses & Disclosures

The Business Associate may use or disclose PHI only as follows:

  • To perform functions, activities, or services as specified in the Terms of Service, provided that such use or disclosure would not violate HIPAA if done by the Covered Entity
  • For the proper management and administration of the Business Associate, provided that any disclosure is required by law or the Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially
  • To de-identify PHI in accordance with 45 CFR § 164.514(a)–(c), provided that de-identified data is used only for platform improvement and is never re-identified

The Business Associate shall not use or disclose PHI for marketing purposes, sell PHI, or use PHI for underwriting purposes.

Security Measures

The Business Associate maintains the following safeguards to protect ePHI:

  • Encryption of ePHI at rest using AES-256 with customer-managed keys (AWS KMS)
  • Encryption of ePHI in transit using TLS 1.2 or higher
  • Mandatory multi-factor authentication (TOTP) for all user accounts
  • Role-based access controls limiting data access to authorized users
  • Comprehensive audit logging with six-year retention
  • Network isolation with private subnets for database and application infrastructure
  • All infrastructure hosted on AWS within the United States under an AWS BAA

Term & Termination

This BAA is effective for the duration of the Covered Entity's subscription to GlowScript and shall survive termination of the subscription to the extent necessary for the Business Associate to fulfill its obligations regarding PHI.

Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure the breach within 30 days of receiving written notice. If cure is not feasible, the non-breaching party may terminate this BAA immediately.

Upon termination, the Business Associate shall, at the direction of the Covered Entity, return or destroy all PHI received from, or created or received on behalf of, the Covered Entity. If return or destruction is not feasible, the Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible. The platform provides a 90-day data export period following account termination.

Regulatory References

This BAA is intended to comply with the requirements of 45 CFR § 164.504(e) and the HITECH Act (42 USC § 17931 et seq.). To the extent that any provision of this BAA conflicts with HIPAA or the HITECH Act, the more stringent requirement shall control. The terms of this BAA shall be construed in light of any applicable interpretation and guidance issued by the U.S. Department of Health and Human Services.

Governing Law

This BAA is governed by and construed in accordance with HIPAA, the HITECH Act, and their implementing regulations. To the extent not preempted by federal law, this BAA shall be governed by the laws of the State of Texas.

Contact

For questions regarding this BAA, contact our Privacy Officer at privacy@glowscript.ai.

By creating a GlowScript account and accepting the Terms of Service, the Covered Entity acknowledges that it has read, understood, and agrees to be bound by this Business Associate Agreement. If the Covered Entity requires a separately executed BAA or modifications to these terms, please contact legal@glowscript.ai.