WHEREAS, the Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act, 45 CFR Parts 160, 162, and 164 (HIPAA); and

WHEREAS, the Business Associate will access, receive, or create protected health information (PHI) in connection with providing ShrinkDocs platform services, which include patient management, clinical documentation, assessments, and AI-assisted clinical support features;

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the parties agree as follows:

1.1 Definitions. As used herein, the terms "Business Associate," "Covered Entity," "Subcontractor," "Protected Health Information (PHI)," and "HIPAA" shall have the meanings given to them in the HIPAA Privacy, Security, and Breach Notification Rules, 45 CFR Parts 160, 162, and 164.

1.2 Compliance with HIPAA. This BAA is intended to satisfy the requirements of 45 CFR §164.504(e) and shall be interpreted to enable the parties to comply with HIPAA.

1.3 Interpretation. In the event of an ambiguity between the provisions of this BAA and any other document, the provisions of this BAA shall prevail.

1.4 Incorporation of Definitions. The definitions, requirements, and implements specifications of HIPAA, 45 CFR §160.103 and §164.304, are incorporated into this BAA by reference.

1.5 Permitted and Required Uses and Disclosures of PHI. The Business Associate shall use or disclose PHI only as permitted or required by this BAA or as required by law.

1.6 Services. The Business Associate shall provide the ShrinkDocs platform services, which include patient management, clinical documentation, assessments, and AI-assisted clinical support features, in accordance with the terms and conditions of this BAA.

2.1 Safeguards. The Business Associate shall implement and maintain appropriate physical, technical, and administrative safeguards that meet or exceed the requirements of the HIPAA Security Rule, 45 CFR Part 164, Subpart C.

2.2 Access Control. The Business Associate shall implement policies and procedures to ensure that only authorized individuals have access to PHI. This includes administrative, physical, and technical controls as required by 45 CFR §164.312(a).

2.3 Audit Controls. The Business Associate shall implement hardware, software, and procedural mechanisms to record and examine access to PHI as required by 45 CFR §164.312(b).

2.4 Integrity Controls. The Business Associate shall implement policies and procedures to ensure the integrity of PHI, including protections against improper alteration or destruction as required by 45 CFR §164.312(c).

2.5 Transmission Security. The Business Associate shall implement technical security measures to protect PHI that is being transmitted over electronic networks, including encryption where appropriate as required by 45 CFR §164.312(e).

2.6 Encryption and Destruction. The Business Associate shall implement encryption and secure destruction procedures for PHI in accordance with the HIPAA Security Rule and NIST guidelines.

2.7 Subcontractors and Agents. The Business Associate shall ensure that any agents or subcontractors that access PHI are subject to the same restrictions and conditions contained in this BAA or in other contracts or agreements that provide at least the same level of protection as this BAA.

2.8 AI Processing. AI features utilize Anthropic's Claude API under HIPAA-compliant configurations. The Business Associate warrants that all AI processing of PHI shall be limited to clinical decision support purposes and shall not be used for model training, improvement, or other secondary purposes unless explicitly authorized by the Covered Entity.

2.9 Incident Response. The Business Associate shall report to the Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a breach of security involving unsecured PHI.

2.10 Termination and Return of PHI. Upon termination of this BAA, the Business Associate shall return or securely destroy all PHI received from or created on behalf of the Covered Entity. If return or destruction is infeasible, the Business Associate shall extend the protections of this BAA to such PHI and limit further use or disclosure as permitted under 45 CFR §164.504(e)(2)(ii)(j).

3.1 General Rule. Except as otherwise limited in this BAA, the Business Associate shall use and disclose PHI only upon the receipt of a specific written request from the Covered Entity and for the purposes stated in such request.

3.2 PHI Uses for Operational Purposes. The Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, including:

• De-identification of PHI as permitted by HIPAA
• Serving as a business associate of the Covered Entity
• Resolving disputes or complaints and addressing compliance issues

4.1 Term. This BAA shall become effective on the date of acceptance and shall continue until terminated as provided herein.

4.2 Termination for Cause. The Covered Entity may terminate this BAA immediately if the Business Associate materially breaches this BAA and fails to cure the breach within thirty (30) days after receiving written notice from the Covered Entity.

4.3 Termination for Convenience. Either party may terminate this BAA by providing written notice to the other party.

5.1 Compliance. The Business Associate shall comply with applicable HIPAA requirements and all applicable laws, rules, and regulations.

5.2 Amendment. The parties may amend this BAA as necessary to comply with changes in HIPAA requirements.

5.3 Governing Law. This BAA shall be governed by and construed in accordance with the laws of the State of Oregon.