Business Associate Agreement

1. Introduction & Recitals

This Business Associate Agreement (“BAA” or “Agreement”) is entered into by and between the healthcare practice or organization identified in the applicable Order Form (“Covered Entity”) and Jazmine Inc. (“Business Associate” or “Jazmine”), a Delaware corporation.

RECITALS

WHEREAS, Covered Entity is a healthcare provider or entity subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and their implementing regulations (collectively, the “HIPAA Rules”);

WHEREAS, Business Associate provides an AI-powered lead management platform (the “Services”) that involves the receipt, creation, maintenance, and transmission of Protected Health Information on behalf of Covered Entity;

WHEREAS, the parties wish to establish the terms and conditions under which Business Associate will handle PHI in compliance with the HIPAA Rules;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

2. Definitions

Capitalized terms used in this Agreement and not otherwise defined herein shall have the meanings ascribed to them in the HIPAA Rules, including 45 CFR Parts 160 and 164. The following terms shall have the meanings set forth below:

• “Protected Health Information” or “PHI” has the meaning set forth in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity
• “Electronic Protected Health Information” or “ePHI” has the meaning set forth in 45 CFR § 160.103
• “Breach” has the meaning set forth in 45 CFR § 164.402
• “Security Incident” has the meaning set forth in 45 CFR § 164.304
• “Designated Record Set” has the meaning set forth in 45 CFR § 164.501
• “Required by Law” has the meaning set forth in 45 CFR § 164.103
• “Secretary” means the Secretary of the U.S. Department of Health and Human Services
• “Subcontractor” has the meaning set forth in 45 CFR § 160.103
• “Unsecured PHI” has the meaning set forth in 45 CFR § 164.402

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI solely as follows:

• As necessary to perform its obligations under the Services agreement between the parties, including lead management, AI-powered scoring and response generation, surgeon matching, patient communication facilitation, and related operational functions
• As Required by Law
• For the proper management and administration of Business Associate, provided that: (i) disclosures are Required by Law; or (ii) Business Associate obtains reasonable assurances from any third party to whom the information is disclosed that such information will be held confidentially and that the third party will notify Business Associate of any instances in which the confidentiality of the information has been breached
• To de-identify PHI in accordance with 45 CFR § 164.514, provided that de-identified data may be used for product improvement, benchmarking, and aggregate analytics
• To provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B)

Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted above.

4. Obligations of Business Associate

Business Associate agrees to:

4.1 Safeguards

Implement and maintain appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement, including compliance with the Security Rule requirements applicable to business associates under 45 CFR §§ 164.308, 164.310, 164.312, and 164.316.

4.2 Reporting

Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured PHI and any Security Incident, without unreasonable delay and in no case later than the timeframes set forth in Section 7.

4.3 Subcontractors

Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information, by entering into a written agreement with such Subcontractor that complies with 45 CFR § 164.504(e).

4.4 Access

Make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an individual, within fifteen (15) business days of a request, in order to meet the requirements of 45 CFR § 164.524.

4.5 Amendment

Make PHI available for amendment and incorporate any amendments to PHI in a Designated Record Set within fifteen (15) business days of receipt of a request from Covered Entity, in accordance with 45 CFR § 164.526.

4.6 Accounting of Disclosures

Maintain and make available to Covered Entity information required for Covered Entity to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate shall maintain such information for a period of six (6) years from the date of the disclosure.

4.7 HHS Access

Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s and Business Associate’s compliance with the HIPAA Rules.

5. Obligations of Covered Entity

Covered Entity agrees to:

• Provide Business Associate with a copy of its Notice of Privacy Practices and any subsequent changes or limitations thereto
• Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such changes affect Business Associate’s use or disclosure of PHI
• Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522
• Not request that Business Associate use or disclose PHI in any manner that would violate the HIPAA Rules
• Obtain all necessary patient consents and authorizations prior to submitting PHI to the Services

6. Security Standards

Business Associate represents and warrants that it has implemented and will maintain the following security measures to protect ePHI:

6.1 Encryption at Rest

All ePHI stored by Business Associate is encrypted using AES-256 encryption via AWS Key Management Service (KMS) customer-managed keys. Encrypted services include: Aurora PostgreSQL (primary database), Amazon S3 (document and media storage), Amazon DynamoDB (audit and session data), Amazon ElastiCache for Redis (cache layer), and Amazon SQS (message queues). Encryption keys are subject to automatic annual rotation.

6.2 Encryption in Transit

All ePHI in transit is encrypted using TLS 1.2 or higher. All platform endpoints enforce HTTPS. Internal service-to-service communication is conducted via VPC endpoints, ensuring ePHI never traverses the public internet.

6.3 Multi-Factor Authentication

All user access to the platform requires multi-factor authentication (MFA) via Amazon Cognito. Time-based one-time password (TOTP) is the preferred MFA method. MFA cannot be bypassed or disabled by end users or administrators.

6.4 Audit Logging

All access to ePHI is logged via AWS CloudTrail (infrastructure-level) and application-level audit events stored in Amazon DynamoDB. Audit logs are encrypted with KMS, stored for a minimum of six (6) years, and are available for inspection by Covered Entity upon reasonable request. No PHI is included in log messages; only resource identifiers and event types are recorded.

6.5 Network Segmentation

All data services (database, cache, queues) operate within isolated private subnets with no direct internet access. Access is restricted via security groups permitting only authorized application-layer connections. AWS WAF provides OWASP Top 10 protection and rate limiting at the network edge.

7. Breach Notification

7.1 Timeline

Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than thirty (30) calendar days after discovery of the Breach. Discovery occurs on the first day on which the Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.

7.2 Content

The breach notification shall include, to the extent available at the time of notification:

• Identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach
• A description of the nature of the Breach, including the types of Unsecured PHI involved
• The date of the Breach and the date of its discovery
• A description of what Business Associate is doing to investigate the Breach, mitigate harm, and prevent further breaches
• Contact information for Covered Entity to obtain additional information

7.3 Cooperation

Business Associate shall cooperate with Covered Entity in the investigation and remediation of any Breach and shall provide Covered Entity with all information reasonably necessary to enable Covered Entity to fulfill its notification obligations under 45 CFR §§ 164.404 through 164.408.

7.4 Cost Allocation

If a Breach is caused by Business Associate’s failure to comply with its obligations under this Agreement or the HIPAA Rules, Business Associate shall bear all reasonable costs of investigation, notification, credit monitoring, and remediation associated with such Breach. If a Breach is caused by Covered Entity’s actions or instructions, Covered Entity shall bear such costs.

8. Minimum Necessary Standard

Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure, in accordance with 45 CFR § 164.502(b) and 45 CFR § 164.514(d). Business Associate has implemented role-based access controls and multi-tenant data isolation to enforce the minimum necessary standard at the application level.

9. Prohibition on Sale of PHI

Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an individual unless permitted by the HIPAA Rules. Business Associate confirms that it does not sell, rent, trade, or otherwise make available PHI for commercial advantage or monetary compensation.

10. De-identification

Business Associate may de-identify PHI in accordance with 45 CFR § 164.514(a)–(c). De-identification shall use either the Expert Determination method or the Safe Harbor method as described in the HIPAA Rules. De-identified information is no longer considered PHI and is not subject to this Agreement, provided that Business Associate shall not attempt to re-identify such information.

11. Subcontractor Management

Business Associate uses Amazon Web Services (AWS) as its primary infrastructure Subcontractor. Business Associate has executed a BAA with AWS, and all PHI is processed within HIPAA-eligible AWS services. Business Associate shall:

• Maintain a current list of Subcontractors that process PHI, available to Covered Entity upon request
• Execute a BAA-compliant written agreement with each Subcontractor before permitting access to PHI
• Notify Covered Entity within thirty (30) days of engaging any new Subcontractor that will process PHI
• Remain fully responsible for the acts and omissions of its Subcontractors

12. Term & Termination

12.1 Term

This Agreement shall be effective as of the date of last signature and shall remain in effect for the duration of the Services agreement between the parties, unless earlier terminated as provided herein.

12.2 Termination for Cause

Either party may terminate this Agreement if the other party materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) days of written notice. If cure is not reasonably possible, the non-breaching party may terminate this Agreement immediately upon written notice.

12.3 Automatic Termination

This Agreement shall automatically terminate upon the termination or expiration of the Services agreement between the parties.

13. Return or Destruction of PHI

Upon termination of this Agreement, Business Associate shall, at Covered Entity’s election:

• Return all PHI to Covered Entity in a standard, machine-readable format within thirty (30) days of termination; or
• Destroy all PHI in Business Associate’s possession, including all copies, backups, and archives, using NIST SP 800-88 compliant methods, and certify such destruction in writing within thirty (30) days of termination

If return or destruction is not feasible (for example, because PHI is embedded in backup systems subject to retention policies), Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate maintains such PHI. PHI retained for legal or regulatory compliance purposes shall remain subject to the protections of this Agreement.

14. Insurance Requirements

Business Associate shall maintain the following insurance coverage throughout the term of this Agreement:

• Commercial General Liability: not less than $1,000,000 per occurrence and $2,000,000 aggregate
• Professional Liability / Errors & Omissions: not less than $2,000,000 per occurrence and $4,000,000 aggregate
• Cyber Liability / Data Breach Insurance: not less than $5,000,000 per occurrence, covering notification costs, credit monitoring, regulatory fines, and forensic investigation

Business Associate shall provide certificates of insurance to Covered Entity upon request.

15. Indemnification

Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees and costs of regulatory proceedings) arising out of or related to: (a) Business Associate’s breach of this Agreement; (b) Business Associate’s violation of the HIPAA Rules; or (c) any Breach of Unsecured PHI caused by Business Associate’s failure to implement the safeguards required by this Agreement.

16. Amendment for Regulatory Changes

The parties agree to negotiate in good faith to amend this Agreement as necessary to comply with changes to the HIPAA Rules or other applicable laws and regulations. If the parties are unable to agree on an amendment within sixty (60) days of a change becoming effective, either party may terminate this Agreement upon thirty (30) days’ written notice.

17. Survival

The obligations of Business Associate under Sections 4 (Obligations of Business Associate), 7 (Breach Notification), 13 (Return or Destruction of PHI), 14 (Insurance Requirements), and 15 (Indemnification) shall survive termination of this Agreement for so long as Business Associate retains any PHI.

18. Miscellaneous

18.1 Governing Law

This Agreement shall be governed by federal law, including the HIPAA Rules, and to the extent not preempted by federal law, by the laws of the State of Delaware, without regard to its conflict of laws principles.

18.2 Severability

If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The parties shall negotiate in good faith to replace any invalid provision with a valid provision that achieves the original intent to the greatest extent possible.

18.3 Entire Agreement

This Agreement, together with the Services agreement and any applicable Order Form, constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior agreements, representations, and understandings, whether oral or written, relating to the handling of PHI between the parties.

18.4 Notices

All notices required or permitted under this Agreement shall be in writing and shall be delivered by email (with confirmed receipt) or by nationally recognized overnight courier to the addresses specified in the applicable Order Form.

18.5 No Third-Party Beneficiaries

Nothing in this Agreement shall confer upon any person other than the parties and their permitted successors and assigns any rights, remedies, obligations, or liabilities whatsoever. However, individuals whose PHI is the subject of this Agreement are intended third-party beneficiaries of the protections set forth herein to the extent required by the HIPAA Rules.

19. Contact

To execute this BAA or for questions regarding this Agreement, please contact:

• Email: support@jazmine.app
• Privacy Officer: support@jazmine.app
• Mailing Address: Jazmine Inc., [Address to be provided]