Between The Covered Entity (as defined below) and BIRPNotes (“Business Associate”)
Effective Date: The date on which the Covered Entity accepts this Agreement online by checking the acceptance box during account registration on https://birpnotes.com.
RECITALS
WHEREAS, the Covered Entity is an individual therapist, healthcare professional, or healthcare organization organized under the laws of its applicable jurisdiction, which provides healthcare services and, in connection with such services, creates, receives, maintains, or transmits Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations;
WHEREAS, BIRPNotes (“Business Associate”) provides an online software platform, including tools for electronic documentation, therapy note generation, storage, and related administrative or analytical functions, which may involve the access, maintenance, use, or disclosure of PHI on behalf of the Covered Entity;
WHEREAS, pursuant to the requirements of HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), a Business Associate Agreement is required to ensure that PHI is appropriately safeguarded and that both parties comply with their respective obligations under law;
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and intending to be legally bound, the parties agree as follows:
1. DEFINITIONS
Unless otherwise specified, all capitalized terms used in this Agreement shall have the same meaning as in HIPAA and HITECH. The following definitions apply for clarity:
1.1 Business Associate means BIRPNotes, its subsidiaries, affiliates, employees, contractors, and agents who perform services or functions involving the use or disclosure of PHI on behalf of the Covered Entity.
1.2 Covered Entity means the individual therapist, clinic, or healthcare organization that has registered for and utilizes the BIRPNotes platform and that is subject to HIPAA as a covered healthcare provider.
1.3 Protected Health Information (PHI) refers to individually identifiable health information, whether oral or recorded in any form or medium, that is created, received, maintained, or transmitted by the Business Associate on behalf of the Covered Entity, as defined in 45 CFR §160.103.
1.4 Electronic Protected Health Information (ePHI) means PHI that is transmitted or maintained in electronic media.
1.5 HIPAA Rules means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
1.6 HITECH Act refers to Title XIII of the American Recovery and Reinvestment Act of 2009, and its implementing regulations, which strengthen HIPAA privacy and security requirements.
1.7 Breach means the unauthorized acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of such information, as defined in 45 CFR §164.402.
1.8 Secretary means the Secretary of the U.S. Department of Health and Human Services (HHS).
1.9 Subcontractor means a person or entity to whom the Business Associate delegates a function, activity, or service involving PHI on behalf of the Business Associate.
2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
2.1 Permitted Uses and Disclosures.
Business Associate may use and disclose PHI only as necessary to perform the services set forth in its Terms of Use or Subscription Agreement with the Covered Entity, and only as permitted or required by this Agreement or as required by law.
2.2 Appropriate Safeguards.
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, as required by the HIPAA Security Rule (45 CFR §§164.308, 164.310, 164.312, and 164.316).
2.3 Minimum Necessary Standard.
Business Associate shall make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose, consistent with 45 CFR §164.502(b).
2.4 Reporting of Breaches and Security Incidents.
(a) Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement within fifteen (15) business days of discovery.
(b) Business Associate shall report any Breach of Unsecured PHI, as defined by 45 CFR §164.410, without unreasonable delay and in no case later than sixty (60) calendar days after discovery.
(c) Such reports shall include, to the extent possible, the nature of the breach, the PHI involved, the identity of affected individuals, and steps taken to mitigate harm.
2.5 Subcontractors and Agents.
Business Associate shall ensure that any subcontractor or agent who receives PHI on its behalf agrees, in writing, to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to PHI.
2.6 Access to PHI.
Upon request by the Covered Entity, Business Associate shall make PHI available to the Covered Entity or to the individual who is the subject of the information in accordance with 45 CFR §164.524.
2.7 Amendment of PHI.
Business Associate shall make PHI available for amendment and incorporate any amendments as directed by the Covered Entity in accordance with 45 CFR §164.526.
2.8 Accounting of Disclosures.
Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request for an accounting of disclosures under 45 CFR §164.528.
2.9 Availability to the Secretary.
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with HIPAA.
2.10 Return or Destruction of PHI.
Upon termination of this Agreement, Business Associate shall, if feasible, return or destroy all PHI received or created on behalf of the Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
3.1 Service Delivery.
Business Associate may use PHI to provide software and platform services, including data storage, backup, note generation, analytics, and customer support.
3.2 Management and Administration.
Business Associate may use PHI for its own proper management and administration, or to fulfill its legal responsibilities, provided that any disclosures for such purposes are either (a) required by law, or (b) made pursuant to reasonable assurances from the recipient that the information will remain confidential and be used only as required by law or for the purpose for which it was disclosed.
3.3 Data Aggregation.
Business Associate may use PHI to provide data aggregation services relating to the healthcare operations of the Covered Entity, as permitted by 45 CFR §164.504(e)(2)(i)(B).
3.4 De-identified Information.
Business Associate may de-identify PHI in accordance with 45 CFR §164.514(b) and may use such de-identified information for lawful business, research, or analytical purposes, provided no individual can be identified.
4. OBLIGATIONS OF THE COVERED ENTITY
4.1 Notice of Privacy Practices.
Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate’s use or disclosure of PHI.
4.2 Changes in Authorization or Restrictions.
Covered Entity shall inform Business Associate of any changes in authorization, restriction, or revocation of permission by an individual that may affect Business Associate’s ability to use or disclose PHI.
4.3 Minimum Necessary.
Covered Entity shall only disclose to Business Associate the minimum PHI necessary for Business Associate to perform its duties.
4.4 Accuracy of Information.
Covered Entity shall ensure that PHI provided to Business Associate is accurate, complete, and updated to the extent necessary for proper service performance.
4.5 Compliance.
Covered Entity shall comply with all applicable HIPAA, HITECH, and other federal and state privacy and security laws.
5. SECURITY INCIDENTS AND BREACH NOTIFICATION
5.1 Security Incident Definition.
A “Security Incident” means any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system containing ePHI.
5.2 Incident Reporting.
Business Associate shall promptly report to Covered Entity any Security Incident of which it becomes aware, even if no PHI compromise is known to have occurred.
5.3 Breach Notification Procedures.
Upon discovery of a Breach, Business Associate shall:
(a) Investigate the incident immediately;
(b) Notify Covered Entity without unreasonable delay and within sixty (60) days;
(c) Cooperate with Covered Entity in determining whether notification to individuals, media, or HHS is required under the HITECH Act;
(d) Maintain documentation of the breach, findings, and mitigation steps for at least six (6) years.
5.4 Mitigation.
Business Associate shall mitigate, to the extent practicable, any harmful effects resulting from a known unauthorized use or disclosure of PHI.
6. TERM AND TERMINATION
6.1 Term.
This Agreement shall commence on the Effective Date and remain in effect until terminated by either party in accordance with this Section.
6.2 Termination for Cause.
Upon the Covered Entity’s knowledge of a material breach by Business Associate, the Covered Entity may:
(a) Provide written notice and opportunity to cure the breach within thirty (30) days; or
(b) Immediately terminate this Agreement if cure is not possible or if the breach poses a significant risk to PHI.
6.3 Termination by Business Associate.
Business Associate may terminate this Agreement if continued performance would violate applicable law or if the Covered Entity fails to comply with HIPAA requirements that materially impede Business Associate’s obligations.
6.4 Effect of Termination.
Upon termination, Business Associate shall return or destroy all PHI as provided in Section 2.10. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement and limit uses to those purposes that make return or destruction infeasible.
6.5 Survival.
The obligations of Business Associate with respect to PHI shall survive termination of this Agreement for so long as Business Associate maintains such PHI.
7. COMPLIANCE WITH LAWS
7.1 General Compliance.
Each party agrees to comply with all applicable federal and state privacy and security laws, including HIPAA and HITECH.
7.2 HITECH Act Incorporation.
The requirements of the HITECH Act (42 U.S.C. §§17931–17939) and its implementing regulations are hereby incorporated into this Agreement, including but not limited to:
(a) Breach notification obligations;
(b) Restrictions on marketing and sale of PHI; and
(c) Provisions regarding electronic access to information.
8. INDEMNIFICATION
Business Associate agrees to indemnify, defend, and hold harmless the Covered Entity and its officers, employees, and agents from and against any claims, liabilities, damages, costs, or expenses (including reasonable attorneys’ fees) arising out of or related to any breach of this Agreement or violation of HIPAA or HITECH by Business Associate or its subcontractors.
Covered Entity likewise agrees to indemnify and hold harmless Business Associate from any claims arising from the Covered Entity’s own non-compliance with applicable privacy or security regulations.
9. LIMITATION OF LIABILITY
In no event shall either party be liable to the other for any indirect, incidental, consequential, punitive, or special damages arising out of this Agreement, even if advised of the possibility of such damages. The total liability of Business Associate under this Agreement shall not exceed the fees paid by the Covered Entity for the twelve (12) months preceding the event giving rise to such claim.
10. MISCELLANEOUS
10.1 Amendment.
This Agreement may be amended by Business Associate upon reasonable notice to the Covered Entity to ensure compliance with changes in applicable law. Continued use of the platform after such amendment constitutes acceptance.
10.2 No Third-Party Beneficiaries.
Nothing in this Agreement shall be construed to create any rights or remedies in any third party.
10.3 Independent Contractors.
The relationship between the parties is that of independent contractors. Nothing herein shall be construed to create a partnership, joint venture, or agency relationship.
10.4 Notices.
Any notices required under this Agreement shall be in writing and delivered electronically or by certified mail to the contact information provided during registration or via the BIRPNotes platform.
10.5 Governing Law.
This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws provisions.
10.6 Severability.
If any provision of this Agreement is found invalid or unenforceable, the remaining provisions shall remain in full force and effect.
10.7 Entire Agreement.
This Agreement constitutes the entire understanding between the parties with respect to PHI protection and supersedes all prior agreements, oral or written, regarding the subject matter.
10.8 Counterparts and Electronic Acceptance.
This Agreement may be executed in counterparts and accepted electronically. The act of checking the acceptance box during registration shall constitute execution of this Agreement.
11. ADDITIONAL PROVISIONS
11.1 Audit Rights.
Covered Entity may, upon reasonable notice, request documentation sufficient to verify Business Associate’s compliance with HIPAA security and privacy obligations.
11.2 Data Ownership.
All PHI remains the sole property of the Covered Entity and/or the individual to whom the information pertains. Business Associate acquires no ownership or other rights in PHI except as expressly granted herein.
11.3 Data Backup and Retention.
Business Associate shall maintain secure backups of PHI in encrypted form and retain such data only for as long as necessary to provide services or comply with law.
11.4 Encryption and Access Control.
All ePHI transmitted or stored by Business Associate shall be encrypted using industry-standard encryption technologies (e.g., AES-256 or equivalent). Access to PHI shall be restricted to authorized personnel who require such access to perform their duties.
11.5 Incident Documentation.
Business Associate shall maintain written documentation of any Security Incident or Breach and make such documentation available to the Covered Entity upon request.
12. TRAINING AND AWARENESS
Business Associate shall ensure that all members of its workforce who may come into contact with PHI receive training on the requirements of HIPAA, HITECH, and this Agreement. Such training shall be documented and refreshed periodically, at least annually.
13. INSURANCE
Business Associate shall maintain, at its own expense, appropriate cyber liability or professional liability insurance covering data breaches and privacy violations in amounts customary for comparable businesses in the health technology industry.
14. COOPERATION IN INVESTIGATIONS
In the event of an investigation by HHS, the Office for Civil Rights (OCR), or any other governmental authority regarding compliance with HIPAA or HITECH, Business Associate agrees to cooperate fully with Covered Entity and such authorities.
15. RECORD RETENTION
Business Associate shall retain all documentation required to demonstrate compliance with this Agreement and applicable law for a minimum period of six (6) years from the date of creation or last effective date, whichever is later.
16. ASSIGNMENT
Neither party may assign its rights or obligations under this Agreement without the prior written consent of the other party, except that Business Associate may assign this Agreement to a successor in connection with a merger, acquisition, or sale of substantially all of its assets.
17. FORCE MAJEURE
Neither party shall be liable for any failure or delay in performance under this Agreement due to circumstances beyond its reasonable control, including but not limited to acts of God, fire, flood, war, terrorism, or governmental actions.
18. INTERPRETATION
Any ambiguity in this Agreement shall be resolved to permit compliance with HIPAA and HITECH. The headings are for reference only and do not affect interpretation.
IN WITNESS WHEREOF
By checking the acceptance box during registration or otherwise electronically accepting this Agreement on https://birpnotes.com, the Covered Entity acknowledges and agrees to all terms and conditions contained herein, effective as of the date of acceptance.
BIRPNotes
By: Authorized Representative
Title: Business Associate
Email: support@birpnotes.com
Website: https://birpnotes.com
Covered Entity
By: The Individual or Organization Registering on the Platform
Title: Healthcare Provider / Therapist / Organization Representative
Effective Date: Date of Online Acceptance