Business Associate Agreement
Template Version: June 23, 2026
This Business Associate Agreement ("BAA") is executed automatically at signup between IMFUTECH and each Customer ("Covered Entity") who subscribes to CARE RCM.
What is a BAA? Under HIPAA, any vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a healthcare provider (a "Covered Entity") must sign a Business Associate Agreement. This document is that agreement — it explains how IMFUTECH, acting as your Business Associate, is contractually required to protect PHI processed through CARE RCM. A copy is automatically generated and made available to every Customer at signup; no separate negotiation or legal fees are required.
1. Definitions
Capitalized terms used but not defined in this BAA have the meanings given in the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164), as amended, including by the HITECH Act. Key terms used throughout:
- "Business Associate" means IMFUTECH, the developer and operator of CARE RCM.
- "Covered Entity" means the Customer — the healthcare practice, provider, or billing organization that has executed a subscription agreement for CARE RCM and is subject to HIPAA as a covered entity (or as a business associate of one, in the case of billing companies acting on behalf of providers).
- "PHI" means Protected Health Information as defined at 45 CFR §160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity through the Service.
- "Services Agreement" means the Terms of Service and any applicable order form governing Covered Entity's subscription to CARE RCM.
2. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this BAA or as required by law
- Use appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C)
- Report to Covered Entity any use or disclosure of PHI not permitted by this BAA, including security incidents and Breaches, in accordance with Section 6
- Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions and conditions that apply to Business Associate with respect to such PHI (see Section 4)
- Make PHI available to support Covered Entity's obligations to respond to individual rights requests (access, amendment, accounting of disclosures) under 45 CFR §§164.524, 164.526, and 164.528
- Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA
- Maintain and make available the information required to provide an accounting of disclosures in accordance with 45 CFR §164.528
3. Permitted Uses and Disclosures of PHI
Business Associate may use or disclose PHI only as necessary to:
- Perform the functions, activities, or services specified in the Services Agreement, including appointment scheduling, clinical documentation, claims generation and submission, payment posting, and reporting
- Perform data aggregation services relating to the healthcare operations of Covered Entity, where requested
- Use PHI for Business Associate's proper management and administration and to carry out its legal responsibilities, and disclose PHI for those purposes only where the disclosure is required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any instance in which confidentiality has been breached
- Report violations of law to appropriate federal or state authorities, consistent with 45 CFR §164.502(j)(1)
Business Associate will not de-identify PHI for its own use, sell PHI, or use PHI for marketing purposes without specific authorization from Covered Entity and, where applicable, the patient.
4. Subcontractors
In order to provide the Service, Business Associate engages certain subcontractors that may create, receive, maintain, or transmit PHI on its behalf. Business Associate maintains a signed Business Associate Agreement (or equivalent contractual data protection terms) with each such subcontractor. Current categories of subcontracted Business Associates include:
| Subcontractor | Function |
| --- | --- |
| Office Ally | Clearinghouse services for EDI 837P claim submission and ERA 835 remittance retrieval |
| Availity | Clearinghouse services for EDI 837P claim submission, eligibility verification, and ERA 835 remittance retrieval |
| Cloud infrastructure providers | Secure hosting, storage, and encryption of PHI |
| Payment processing provider (Stripe) | Processing patient payments (limited to payment-related data; full medical PHI is not shared with the payment processor) |
Business Associate will provide Covered Entity with notice of any change in subcontracted Business Associates that materially affects the handling of PHI, and will not engage a new subcontractor to handle PHI without ensuring that subcontractor agrees in writing to restrictions and conditions at least as protective as those in this BAA.
5. Security Safeguards
Business Associate implements safeguards consistent with the HIPAA Security Rule, including:
- Administrative safeguards: workforce training, role-based access control, periodic access review, and a designated security officer
- Physical safeguards: PHI is hosted in SOC 2-audited data centers with physical access controls; Business Associate's own personnel do not maintain local copies of PHI on portable media
- Technical safeguards: encryption of PHI in transit (TLS 1.2+) and at rest (AES-256), multi-factor authentication for all accounts with PHI access, automatic session timeouts, and comprehensive immutable audit logging of all PHI access, consistent with 45 CFR §164.312
6. Breach Notification
Business Associate will notify Covered Entity of any Breach of unsecured PHI without unreasonable delay, and in no case later than 30 calendar days after discovery, in accordance with 45 CFR §164.410. Such notification will include, to the extent known:
- A description of what happened, including the date of the Breach and the date of discovery
- The types of unsecured PHI involved
- Identification of each individual whose PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed
- A description of what Business Associate is doing to investigate the Breach, mitigate harm, and prevent further breaches
Business Associate will reasonably cooperate with Covered Entity's own breach notification obligations to affected individuals and, where applicable, the Department of Health and Human Services.
7. Patient Rights Assistance
Business Associate will provide reasonable assistance to Covered Entity in fulfilling patient rights requests under HIPAA, including requests for access to records, amendment of records, and accounting of disclosures. Because Covered Entity — not Business Associate — is the entity legally obligated to respond to such requests, patients should direct all record requests to their healthcare practice directly. Business Associate will respond to Covered Entity's requests for assistance within a commercially reasonable time.
8. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any limitation(s) in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI
- Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent such changes affect Business Associate's permitted uses
- Not request Business Associate to use or disclose PHI in a manner that would not be permissible under HIPAA if done directly by Covered Entity
- Obtain any consent or authorization required under HIPAA or applicable state law prior to furnishing PHI to Business Associate
9. Term and Termination
This BAA is effective as of the date Covered Entity first accepts the Terms of Service and remains in effect for as long as Business Associate possesses PHI received from or on behalf of Covered Entity. Either party may terminate this BAA if the other party violates a material term, subject to a reasonable opportunity to cure. If cure is not possible, the non-breaching party may terminate the underlying Services Agreement and report the violation to the Secretary of Health and Human Services if required by law.
10. Return or Destruction of PHI
Upon termination of the Services Agreement, Business Associate will, at Covered Entity's election and where feasible, return or securely destroy all PHI received from Covered Entity that Business Associate still maintains, retaining no copies, except where retention is required by law (in which case Business Associate will extend the protections of this BAA to such retained PHI for as long as it is retained, and limit further uses and disclosures to those purposes that make return or destruction infeasible). Standard data export and retention practices are described in our Privacy Policy.
11. General Terms
11.1 Relationship to Services Agreement
This BAA supplements and is incorporated into the Services Agreement between the parties. In the event of a conflict between this BAA and the Services Agreement with respect to the treatment of PHI, this BAA controls.
11.2 Amendment
The parties agree to amend this BAA as necessary for Business Associate to comply with HIPAA and the HITECH Act, as they may be amended from time to time.
11.3 No Third-Party Beneficiaries
Nothing in this BAA confers any rights, remedies, or claims upon any third party, including individual patients, except as expressly required by HIPAA.
11.4 Interpretation
Any ambiguity in this BAA will be resolved in favor of an interpretation that permits compliance with HIPAA.
12. Execution
This BAA is automatically incorporated into your agreement with IMFUTECH at the time you accept the Terms of Service and create a CARE RCM account. No separate signature is required to make this BAA effective; electronic acceptance of the Terms of Service constitutes execution of this BAA by both parties for all purposes under HIPAA.
If your organization requires a separately countersigned copy for internal compliance records, contact us using the information below and we will provide one at no additional cost.
Business Associate
IMFUTECH
By: [AUTHORIZED SIGNATORY]
Title: [TITLE]
Covered Entity
Practice/Organization: [CUSTOMER NAME]
By: [AUTHORIZED SIGNATORY]
Date: [DATE OF SIGNUP]
For questions about this BAA, contact IMFUTECH, Attn: Compliance Officer, [IMFUTECH BUSINESS ADDRESS], [COMPLIANCE CONTACT EMAIL].