Business Associate Agreement
(HIPAA / HITECH)
Note: This Business Associate Agreement ("Agreement" or "BAA") is entered into by and between the healthcare provider, practice, or organization ("Covered Entity") and NoBackOffice, Inc., a Delaware corporation ("Business Associate"). This Agreement is effective as of the date of execution ("Effective Date").
1. Purpose
This Agreement is intended to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and implementing regulations at 45 C.F.R. Parts 160 and 164.
Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity in connection with the services provided under the parties' primary agreement ("Services Agreement").
2. Definitions
Capitalized terms not otherwise defined shall have the meanings set forth in HIPAA and its implementing regulations.
- "Protected Health Information" (PHI) has the meaning set forth in 45 C.F.R. §160.103.
- "Electronic PHI" (ePHI) means PHI transmitted or maintained in electronic media.
- "Security Incident" means attempted or successful unauthorized access, use, disclosure, modification, or destruction of information systems.
3. Permitted Uses and Disclosures
Business Associate may use and disclose PHI solely to:
- Perform services for Covered Entity as specified in the Services Agreement
- Carry out Business Associate's legal responsibilities
- Perform data aggregation services related to healthcare operations (if applicable)
- Use or disclose PHI as otherwise permitted or required by law
Business Associate shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity.
4. Safeguards
4.1 Administrative, Technical, and Physical Safeguards
Business Associate shall implement and maintain appropriate safeguards to protect PHI, including compliance with:
- 45 C.F.R. §164.308 (Administrative Safeguards)
- 45 C.F.R. §164.310 (Physical Safeguards)
- 45 C.F.R. §164.312 (Technical Safeguards)
4.2 Encryption
Business Associate shall encrypt ePHI:
- In transit
- At rest, where commercially reasonable
5. Reporting Obligations
5.1 Security Incidents
Business Associate shall report any Security Incident involving PHI to Covered Entity without unreasonable delay.
5.2 Breach Notification
Business Associate shall notify Covered Entity of any Breach of Unsecured PHI as defined under 45 C.F.R. §164.402 no later than 60 days after discovery, and shall include:
- Nature of the breach
- Types of PHI involved
- Steps taken to mitigate harm
- Cooperation with Covered Entity's response obligations
6. Subcontractors
Business Associate shall ensure that any subcontractor who creates, receives, maintains, or transmits PHI on its behalf:
- Enters into a written agreement with equivalent HIPAA obligations
- Implements appropriate safeguards
7. Access, Amendment, and Accounting
Business Associate shall, to the extent applicable:
- Provide PHI to Covered Entity to allow access requests under 45 C.F.R. §164.524
- Make amendments to PHI under §164.526
- Provide accounting of disclosures under §164.528
8. Minimum Necessary
Business Associate shall limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose.
9. Data Return or Destruction
Upon termination of this Agreement:
- Business Associate shall, at Covered Entity's request, return or destroy PHI, unless retention is required by law
- If destruction is infeasible, Business Associate shall continue to protect PHI and limit further use
10. Term and Termination
10.1 Term
This Agreement remains in effect until terminated.
10.2 Termination for Cause
Covered Entity may terminate if Business Associate materially breaches this Agreement and fails to cure within a reasonable time.
10.3 Effect of Termination
Sections concerning PHI protection survive termination.
11. Regulatory Compliance
Business Associate agrees to:
- Make internal practices available to the U.S. Department of Health and Human Services (HHS) for compliance review
- Comply with all applicable federal and state privacy laws
12. No Third-Party Beneficiaries
Nothing in this Agreement creates rights in any third party.
13. Relationship to Other Agreements
If there is a conflict between this Agreement and the Services Agreement, this BAA controls with respect to PHI.
14. Amendments
This Agreement may be amended as necessary to comply with changes in applicable law.
15. Governing Law
This Agreement shall be governed by the laws of the State of Delaware, unless HIPAA preemption requires otherwise.
16. Counterparts & Electronic Signatures
This Agreement may be executed electronically and in counterparts, each of which shall be deemed an original.
17. Signatures
COVERED ENTITY
Name: __________________________
Title: __________________________
Signature: ______________________
Date: __________________________
BUSINESS ASSOCIATE
NoBackOffice, Inc.
Name: __________________________
Title: __________________________
Signature: ______________________
Date: __________________________