Business Associate Agreement

Agreement Overview

This Business Associate Agreement (“Agreement”) is entered into between you (the “Covered Entity” or healthcare provider) and HealingFactor (“Business Associate”) to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.

1. Permitted Uses and Disclosures

Business Associate may use or disclose Protected Health Information (PHI) only to:

• Provide differential diagnosis support and clinical decision support services
• Perform functions as specified in our Terms of Service
• Comply with legal requirements when required by law

2. Security Safeguards

Business Associate implements appropriate safeguards including:

• Encryption: All PHI encrypted at rest (AES-256) and in transit (TLS 1.3)
• Access Controls: Role-based access with multi-factor authentication
• Audit Logging: Comprehensive logging of all PHI access
• Infrastructure: HIPAA-compliant AWS services under executed AWS BAA

3. Breach Notification

Business Associate will notify Covered Entity within 60 days of discovering any breach of unsecured PHI, including details of the incident and mitigation steps.

4. Individual Rights

Business Associate will:

• Provide access to PHI within 30 days upon request
• Make amendments to PHI as directed within 60 days
• Provide accounting of disclosures for HIPAA compliance

5. Return of Information

Upon termination, Business Associate will return or destroy all PHI, or if not feasible, extend protections of this Agreement to such information.

6. Compliance and Auditing

Business Associate agrees to make its practices and records available to HHS for determining Covered Entity's compliance with HIPAA Rules.