This Business Associate Agreement ("Agreement") is entered into as of [Effective Date] by and between [Customer Legal Name] ("Covered Entity") and MedFetch AI LLC, an Idaho limited liability company ("Business Associate"). Covered Entity and Business Associate are each a "Party" and together the "Parties."
RECITALS
A. The Parties have entered into, or will enter into, an underlying agreement under which Business Associate provides medical-record retrieval, aggregation, and AI-assisted summarization services (the "Services Agreement").
B. In performing the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity.
C. The Parties enter into this Agreement to comply with the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (45 CFR Parts 160 and 164), as amended by the HITECH Act (the "HIPAA Rules").
1. DEFINITIONS
Capitalized terms not defined here have the meanings in the HIPAA Rules. "PHI" and "ePHI" mean Protected Health Information and electronic PHI, respectively, limited to information Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity.
2. OBLIGATIONS OF BUSINESS ASSOCIATE
Business Associate shall:
2.1 Limit use/disclosure. Not use or disclose PHI other than as permitted by this Agreement, the Services Agreement, or as Required by Law.
2.2 Safeguards. Use appropriate administrative, physical, and technical safeguards, and comply with the Security Rule (45 CFR Part 164, Subpart C) with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
2.3 Report. Report to Covered Entity (a) any use or disclosure of PHI not provided for by this Agreement of which it becomes aware; (b) any Security Incident; and (c) any Breach of Unsecured PHI, without unreasonable delay and no later than five (5) business days after discovery, with the information required by 45 CFR 164.410.
2.4 Subcontractors. Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions at least as restrictive as those that apply to Business Associate (45 CFR 164.502(e)(1)(ii), 164.308(b)).
2.5 Access. Make PHI in a Designated Record Set available to Covered Entity (or, as directed, to the individual) as needed to satisfy Covered Entity's obligations under 45 CFR 164.524.
2.6 Amendment. Make PHI in a Designated Record Set available for amendment and incorporate amendments per 45 CFR 164.526.
2.7 Accounting. Document and make available the information required for an accounting of disclosures per 45 CFR 164.528.
2.8 Covered Entity's obligations. To the extent Business Associate carries out an obligation of Covered Entity under the Privacy Rule, comply with the requirements that apply to Covered Entity in performing that obligation.
2.9 HHS access. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for determining compliance.
2.10 Minimum necessary. Request, use, and disclose only the minimum necessary PHI to accomplish the purpose.
2.11 Designated Record Set. The Parties acknowledge that Business Associate provides record retrieval, storage, and AI-assisted summarization, and does not create or maintain the Covered Entity’s official medical record or any other Designated Record Set on the Covered Entity’s behalf. Accordingly, Sections 2.5 and 2.6 apply only to PHI, if any, that Business Associate in fact maintains in a Designated Record Set.
2.12 Subprocessors. Business Associate may use subcontractors and subprocessors (including, without limitation, cloud-hosting, database, storage, backup, optical-character-recognition (OCR), artificial-intelligence and machine-learning, and email-delivery providers) in connection with providing the Services, provided that each such subcontractor that creates, receives, maintains, or transmits PHI is bound by a written agreement meeting the applicable requirements of the HIPAA Rules. This Section supplements, and does not limit, Section 2.4.
2.13 Routine Security Incidents; cooperation. Notwithstanding Section 2.3, the Parties acknowledge that routine, unsuccessful Security Incidents (including, without limitation, pings and other broadcast attacks on a firewall, port scans, unsuccessful log-on attempts, denials of service, blocked malware, and similar events that do not result in unauthorized access to, or unauthorized use or disclosure of, PHI) occur frequently, and Business Associate is not required to report such events individually; this Agreement constitutes notice of their ongoing occurrence. Business Associate shall reasonably cooperate with Covered Entity in the investigation, mitigation, and required notification of any Breach or reportable Security Incident affecting PHI, including reasonable cooperation with inquiries from the U.S. Department of Health and Human Services, Office for Civil Rights.
3. PERMITTED USES AND DISCLOSURES
3.1 Business Associate may use and disclose PHI only as necessary to perform the Services, as permitted by this Agreement, or as Required by Law.
3.2 Business Associate may use and disclose PHI for its own proper management and administration and to carry out its legal responsibilities, provided that disclosures are Required by Law or made under reasonable written assurances of confidentiality and breach-notification from the recipient.
3.3 De-identification / aggregation. Business Associate may de-identify PHI per 45 CFR 164.514(a)–(c) and may use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 CFR 164.504(e)(2)(i)(B).
3.4 Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted under 3.2.
3.5 AI-assisted processing. Covered Entity authorizes Business Associate to perform machine-assisted and artificial-intelligence-assisted processing of PHI, including automated extraction, indexing, categorization, and AI-assisted summarization, solely as necessary to provide the Services. Such processing is performed within Business Associate’s HIPAA-covered environment and is subject to the safeguards and restrictions of this Agreement.
3.6 De-identified data. De-identified information created in accordance with 45 CFR 164.514(a)–(c) is not PHI. Business Associate may retain, use, and disclose such de-identified information for any lawful business purpose, including service improvement, analytics, benchmarking, and product development, and, as between the Parties, Business Associate owns such de-identified information and any derivatives of it.
4. OBLIGATIONS OF COVERED ENTITY
4.1 Covered Entity shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices, any changes in or revocation of an individual's authorization, and any restriction on use/disclosure it has agreed to or is required to abide by, to the extent they affect Business Associate's use or disclosure of PHI.
4.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permitted under the HIPAA Rules if done by Covered Entity, except as permitted under 3.2.
4.3 Covered Entity represents that it has obtained any consents, authorizations, or patient permissions necessary for Business Associate to perform the Services.
4.4 Authorized and lawful disclosures. Covered Entity is solely responsible for determining that its disclosures of PHI to Business Associate, and the uploads, submissions, and requests it and its authorized users make through the Services, are authorized and lawful, and that Covered Entity has the right to disclose such PHI to Business Associate for the purposes of the Services.
5. TERM AND TERMINATION
5.1 Term. This Agreement is effective on the Effective Date and continues until all PHI is returned or destroyed, or protections are extended per 5.3.
5.2 Termination for cause. If a Party materially breaches this Agreement, the non-breaching Party may provide written notice and an opportunity to cure within thirty (30) days; if not cured, the non-breaching Party may terminate this Agreement and the Services Agreement.
5.3 Effect of termination. Upon termination, Business Associate shall return or destroy all PHI it maintains, and retain no copies, if feasible. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to that PHI and limit further use/disclosure to the purposes that make return or destruction infeasible.
6. MISCELLANEOUS
6.1 Regulatory references are to the cited section as in effect or amended.
6.2 Amendment. The Parties shall amend this Agreement as necessary to comply with changes to the HIPAA Rules.
6.3 Interpretation. Ambiguities are resolved to permit compliance with the HIPAA Rules.
6.4 Survival. Obligations that by their nature should survive termination (including 5.3) survive.
6.5 No third-party beneficiaries. Nothing confers rights on any person other than the Parties.
6.6 Governing law. Idaho, except where preempted by federal law.
6.7 Liability; relationship to Services Agreement. Except to the extent required by the HIPAA Rules, the Parties’ respective liability, indemnification obligations, limitations of liability, and allocation of costs (including breach-related costs) are governed by the Services Agreement. This Agreement does not independently establish those commercial terms, and the Parties intend that a Services Agreement containing them is, or will be, in effect.
SIGNATURES
COVERED ENTITY
[Customer Legal Name]
By: __________________
Name: ________________
Title: _______________
Date: ________________

BUSINESS ASSOCIATE
MedFetch AI LLC
By: __________________
Name: Dr. Dax Sirucek
Title: Owner / Authorized Signatory
Date: ________________