HIPAA Compliance
Business Associate Agreement
Version 1.0 — Effective February 28, 2026
1. Definitions
This Business Associate Agreement (“BAA”) is entered into between the entity subscribing to CaseMgmt services (“Covered Entity”) and CaseMgmt, operated by Case Management Solutions LLC (“Business Associate”). This BAA supplements and is made part of the CaseMgmt Terms of Service.
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended.
- “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act.
- “PHI” means Protected Health Information as defined under 45 CFR 160.103.
- “ePHI” means Electronic Protected Health Information as defined under 45 CFR 160.103.
- “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with system operations in an information system, as defined in 45 CFR 164.304.
- “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR 164.402.
- “Designated Record Set” means a group of records maintained by or for a Covered Entity as defined in 45 CFR 164.501.
- “Required by Law” has the meaning set forth in 45 CFR 164.103.
- “Secretary” means the Secretary of the U.S. Department of Health and Human Services (“HHS”).
2. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this BAA or as Required by Law
- Use appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, consistent with the requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C)
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Security Incident or Breach, in accordance with Section 6 of this BAA
- In accordance with 45 CFR 164.502(e)(1)(ii), require any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate to agree to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA
- Make available PHI in a Designated Record Set in accordance with 45 CFR 164.524, within thirty (30) days of a request
- Make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 CFR 164.526
- Make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528
- To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations
- Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with HIPAA
- At termination of this BAA, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If return or destruction is not feasible, extend the protections of this BAA to the PHI retained and limit further uses and disclosures to the purposes that make return or destruction infeasible
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as follows:
- As necessary to perform services under the Terms of Service on behalf of and for the benefit of Covered Entity, including but not limited to: case management, referral tracking, billing, document management, communication services, and AI-assisted clinical documentation
- For the proper management and administration of Business Associate, provided that disclosures are Required by Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the person notifies Business Associate of any instances of which it is aware that the confidentiality of the PHI has been breached
- To provide data aggregation services relating to the health care operations of Covered Entity, provided that any such aggregated data is de-identified in accordance with 45 CFR 164.514(a)-(c) prior to any use or disclosure
- As Required by Law
Business Associate shall not use or disclose PHI for marketing purposes, shall not sell PHI, and shall not use or disclose PHI in a manner that would violate the requirements of Subpart E of 45 CFR Part 164 if done by Covered Entity, except as otherwise permitted in this Section.
4. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any limitations in its notice of privacy practices in accordance with 45 CFR 164.520 that may affect Business Associate's use or disclosure of PHI
- Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's permitted uses and disclosures
- Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restrictions may affect Business Associate's use or disclosure of PHI
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except as expressly permitted in Section 3
- Obtain all necessary consents, authorizations, and permissions from individuals as required by applicable federal and state law prior to furnishing PHI to Business Associate
- Ensure that any PHI provided to Business Associate is accurate, complete, and up to date to the best of Covered Entity's knowledge
- Be responsible for implementing appropriate privacy and security safeguards to protect PHI within its own systems and operations
5. Security Safeguards
Business Associate shall implement and maintain reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI, including but not limited to:
Administrative Safeguards
- Designated privacy and security officer responsible for HIPAA compliance
- Workforce access management, authorization, and termination procedures
- Security awareness and training programs for all workforce members
- Security incident response and reporting procedures
- Contingency planning including data backup, disaster recovery, and emergency mode operations
- Regular risk assessments and risk management program
Physical Safeguards
- Facility access controls through AWS data center security (SOC 2 Type II certified)
- Workstation use and security policies
- Device and media controls for hardware and electronic media containing ePHI
Technical Safeguards
- Unique user identification and role-based access control (RBAC)
- Automatic session timeout and concurrent session management
- AES-256 encryption for data at rest
- TLS 1.2 or higher encryption for data in transit
- Comprehensive audit controls and tamper-resistant activity logging
- Data integrity verification and error-correcting mechanisms
- Multi-factor authentication capabilities
6. Breach Notification
Business Associate shall report to Covered Entity any Breach of unsecured PHI without unreasonable delay and in no case later than sixty (60) days after discovery of the Breach, as required by 45 CFR 164.410. Such notification shall include, to the extent available:
- The nature of the Breach, including the types of PHI and unsecured PHI involved
- The identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach
- A description of what Business Associate is doing to investigate the Breach, mitigate harm to individuals, and prevent future occurrences
- Contact information for individuals to ask questions or obtain additional information
- Any other details required by 45 CFR 164.410
Business Associate shall cooperate with Covered Entity in the investigation of any Breach and shall provide all information reasonably requested by Covered Entity to enable Covered Entity to fulfill its notification obligations under 45 CFR 164.404 and 164.408. The parties acknowledge that the determination of whether a Breach has occurred and the responsibility for providing notice to affected individuals and the Secretary shall rest with Covered Entity, except to the extent that Business Associate is required by 45 CFR 164.410 to provide such notices.
7. Subcontractors
Business Associate may engage the following categories of subcontractors to assist in providing services, each of which shall be bound by written agreements containing substantially similar restrictions, conditions, and requirements as this BAA with respect to the protection of PHI:
- Amazon Web Services (AWS) — Cloud infrastructure, hosting, and data storage (HIPAA-eligible, BAA in place)
- Stripe — Payment processing (PCI DSS compliant; limited PHI exposure)
- Deepgram — Speech-to-text transcription services (BAA available)
- Anthropic (Claude AI) — AI-assisted clinical documentation (data processing agreement in place)
- Amazon Chime SDK — HIPAA-eligible video and audio communication services
- Twilio — SMS and fax communication services (HIPAA-eligible, BAA available)
Business Associate shall maintain an up-to-date list of subcontractors who access PHI and shall notify Covered Entity of any material changes to its subcontractor list within thirty (30) days. Business Associate remains responsible and liable for the acts and omissions of its subcontractors to the same extent as if such acts or omissions were performed by Business Associate.
8. Term and Termination
This BAA shall be effective upon Covered Entity's acceptance and shall remain in effect for the duration of the Terms of Service between the parties. Upon termination of the Terms of Service:
- Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity within ninety (90) days of termination
- If return or destruction is not feasible, Business Associate shall extend protections of this BAA to retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible
- The obligations of Business Associate under this Section shall survive the termination of this BAA
Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure the breach within thirty (30) days of receiving written notice of such breach. In addition, either party may terminate this BAA immediately if the other party has engaged in a pattern of activity or practice that constitutes a material breach of this BAA, provided the non-breaching party has given written notice and a reasonable opportunity to cure.
9. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BUSINESS ASSOCIATE'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS BAA SHALL NOT EXCEED THE TOTAL FEES PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
IN NO EVENT SHALL BUSINESS ASSOCIATE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS OPPORTUNITY, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR WHETHER BUSINESS ASSOCIATE WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE LIMITATIONS IN THIS SECTION SHALL NOT APPLY TO (A) EITHER PARTY'S INDEMNIFICATION OBLIGATIONS, (B) DAMAGES ARISING FROM A PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, OR (C) REGULATORY FINES OR PENALTIES IMPOSED DIRECTLY ON A PARTY BY A GOVERNMENTAL AUTHORITY.
10. Indemnification
Covered Entity shall indemnify, defend, and hold harmless Business Associate and its officers, directors, employees, and agents from and against any and all claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:
- Covered Entity's breach of its obligations under this BAA or the Terms of Service
- Covered Entity's failure to obtain required consents or authorizations from individuals prior to disclosing PHI to Business Associate
- Covered Entity's use of the services in a manner not contemplated by this BAA or the Terms of Service
- Any claim by a third party arising from the actions or omissions of Covered Entity or its workforce regarding PHI
Business Associate shall indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any and all claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to Business Associate's breach of its obligations under this BAA, to the extent such claims are caused by Business Associate's negligence or willful misconduct, subject to the limitations set forth in Section 9.
11. Disclaimer of Warranties
EXCEPT AS EXPRESSLY SET FORTH IN THIS BAA, BUSINESS ASSOCIATE PROVIDES THE SERVICES “AS IS” AND MAKES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, OR NON-INFRINGEMENT. BUSINESS ASSOCIATE DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE. COVERED ENTITY ACKNOWLEDGES THAT NO DATA TRANSMISSION OR STORAGE SYSTEM CAN BE GUARANTEED TO BE 100% SECURE.
12. Miscellaneous
- Governing Law: This BAA shall be governed by and construed in accordance with the laws of the State of Nevada and applicable federal law, including HIPAA and the HITECH Act, without regard to conflict of law principles. Any disputes arising under this BAA shall be subject to the exclusive jurisdiction of the state and federal courts located in Clark County, Nevada.
- Amendment: This BAA may be amended only by written agreement of both parties. Notwithstanding the foregoing, Business Associate may update this BAA as necessary to comply with changes in HIPAA regulations, applicable law, or guidance from the Secretary, with thirty (30) days' prior written notice to Covered Entity
- Survival: The obligations of both parties regarding the protection and handling of PHI shall survive termination of this BAA for as long as either party retains PHI
- Interpretation: Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA and the HITECH Act
- No Third-Party Beneficiaries: Nothing in this BAA shall confer upon any person other than the parties and their permitted successors and assigns any rights, remedies, obligations, or liabilities
- Entire Agreement: This BAA, together with the Terms of Service, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, representations, and understandings
- Severability: If any provision of this BAA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect
- Waiver: No waiver of any provision of this BAA shall be effective unless in writing and signed by the waiving party. No failure to exercise or delay in exercising any right shall operate as a waiver
- Force Majeure: Neither party shall be liable for any failure or delay in performance due to causes beyond its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, pandemics, government actions, or failures of third-party infrastructure providers
13. Contact Information
For questions about this Business Associate Agreement, HIPAA compliance, or to report a security concern, please contact:
CaseMgmt — Privacy & Compliance
Email: admin@casemgmt.io
Website: casemgmt.io
Important: This BAA is provided as part of the CaseMgmt service agreement. While it covers the key requirements of HIPAA and the HITECH Act, we recommend having your legal counsel review this agreement to ensure it meets your organization's specific compliance requirements.