Business Associate Agreement (BAA)

1. Introduction

This Business Associate Agreement (“BAA”) is entered into by and between Neuromnia, Inc. (hereinafter “Business Associate”) and you (“Covered Entity” or “Customer”), each a “Party” and collectively the “Parties.” This BAA supplements any existing agreements between the Parties (the “Underlying Agreement(s)”) under which Neuromnia provides certain services (the “Services”) that involve the use or disclosure of Protected Health Information (“PHI”). The Parties intend to comply with all relevant federal regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, the “HIPAA Rules” or “HIPAA Regulations”).

If any conflict exists between this BAA and any Underlying Agreement, the terms of this BAA shall control with respect to PHI.

2. Definitions

Unless otherwise stated, terms used in this BAA shall have the meanings given to them in HIPAA, and if not defined by HIPAA, such terms shall have the meanings set forth in the Underlying Agreement(s).

  • “Business Associate” means Neuromnia, Inc. or any subsidiary/affiliate that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity.
  • “Covered Entity” or “Customer” means the entity or individual that qualifies as a covered entity (or business associate, if applicable) under the HIPAA Regulations and that has contracted with Neuromnia for the Services.
  • “Protected Health Information” or “PHI” shall have the meaning set forth in 45 CFR § 160.103, limited to the PHI Neuromnia creates, receives, maintains, or transmits on behalf of Customer in the course of performing the Services.
  • “Services” means Neuromnia’s products and services for hosting, processing, managing, or otherwise handling PHI as described in the Underlying Agreement(s).
  • “Secretary” means the Secretary of the U.S. Department of Health and Human Services (HHS) or any other officer or employee of HHS to whom authority has been delegated.

Where used but not otherwise defined herein, capitalized terms have the meaning set forth at 45 CFR Parts 160 and 164.

3. Permitted Uses and Disclosures of PHI

  • Provision of Services. Business Associate may use and disclose PHI solely for the purpose of performing the Services, and only as would be permissible under HIPAA if done by Customer itself, or as otherwise required by law.
  • Management and Administration. Business Associate may use or disclose PHI for its own management and administration or to carry out its legal responsibilities, provided such use or disclosure is (i) required by law, or (ii) Business Associate obtains reasonable assurances from any third party recipient that the PHI will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed.
  • Data Aggregation & De‐Identification.
    • Data Aggregation. To the extent permitted by 45 CFR § 164.504(e)(2)(i)(B), Business Associate may use or combine Customer’s PHI with PHI received by Business Associate in its capacity as a business associate of other covered entities, to conduct data aggregation activities relating to the health care operations of Customer.
    • De‐Identification. Business Associate may de‐identify PHI in accordance with 45 CFR § 164.514. Any de‐identified information created by Business Associate will no longer be considered PHI, and Business Associate will own such de‐identified data. Business Associate may use or disclose de‐identified data for any lawful purpose, including, without limitation, product improvement, analytics, and research.

4. Obligations of Business Associate

Business Associate agrees to:

  • Limitations on Use and Disclosure. Not use or disclose PHI in any manner other than as permitted or required by this BAA, the Underlying Agreement(s), or as Required by Law. Business Associate shall make reasonable efforts to use or disclose only the minimum necessary PHI to accomplish the intended purpose.
  • Appropriate Safeguards.
    • Administrative, Physical & Technical Measures. Implement appropriate safeguards (in compliance with 45 CFR Part 164, Subpart C) to protect PHI from unauthorized use or disclosure.
    • Encryption & Access Management. Where PHI is processed, stored, or transmitted using Microsoft Azure or other platforms, Business Associate shall use robust, HIPAA‐compliant security features, including, but not limited to, AES‐256 encryption at rest, TLS/SSL in transit, strict role‐based access controls, and multi‐factor authentication.
    • Monitoring & Logging. Maintain comprehensive logging and monitoring (e.g., Azure Security Center, Azure Monitor, or similar) to detect unauthorized access or use.
  • Reporting.
    • Non‐Permitted Disclosures. Report to Customer any use or disclosure of PHI not permitted by this BAA or HIPAA of which Business Associate becomes aware.
    • Security Incidents. Report to Customer any Security Incident that results in an unauthorized use, access, or disclosure of PHI, as required by law.
    • Breach Notification. Notify Customer without unreasonable delay—and in no event later than five (5) business days after Business Associate determines that a Breach of Unsecured PHI has occurred—so that Customer may satisfy any breach notification obligations.
    • Unsuccessful Incidents. The Parties agree that frequent, routine, and unsuccessful attempts (e.g., pings, port scans, unsuccessful log‐in attempts) do not require separate notice.
  • Subcontractors. Ensure any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same (or stricter) restrictions and conditions that apply to Business Associate.
  • Access to PHI. Upon request, make PHI in a Designated Record Set available to Customer to satisfy Customer’s obligations under 45 CFR § 164.524, generally within fifteen (15) days.
  • Amendment of PHI. Incorporate any amendments or corrections to PHI in a Designated Record Set when requested by Customer pursuant to 45 CFR § 164.526, generally within fifteen (15) days.
  • Accounting of Disclosures. Document and provide an accounting of any disclosures of PHI in accordance with 45 CFR § 164.528, generally within fifteen (15) days of Customer’s request.
  • Access by Secretary. Make available to the Secretary Business Associate’s internal practices, books, and records relating to the use or disclosure of PHI to determine compliance with HIPAA.
  • Performance of Customer’s Obligations. To the extent Business Associate carries out an obligation of Customer under the Privacy Rule, Business Associate will comply with the requirements applicable to Customer’s obligation.

5. Obligations of Customer

Customer agrees to:

  • Provide PHI in Compliance With Law. Not request Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by Customer.
  • Contact Information. Maintain accurate and up‐to‐date contact information to facilitate any breach notifications or urgent communications regarding PHI.
  • Appropriate Uses of PHI. Implement appropriate safeguards within Customer’s own systems, and avoid transmitting PHI outside secure channels or as part of unencrypted support requests.
  • Permissions & Authorizations. Obtain and maintain any required authorizations, consents, or notifications needed under HIPAA prior to disclosing PHI to Business Associate.

6. Term and Termination

  • Term. This BAA shall be effective as of the date Customer begins using the Services (or the last date of signature, if signatures are collected), and shall remain in effect until the earlier of:
    • Termination or expiration of the Underlying Agreement(s), or
    • Termination for cause under the next section.
  • Termination for Cause. If either Party discovers a material breach or violation of this BAA, the non‐breaching Party shall notify the breaching Party in writing and provide an opportunity to cure within thirty (30) days. If the breach is not cured within such period, the non‐breaching Party may terminate this BAA and any Underlying Agreement(s).
  • Obligations Upon Termination.
    • Return or Destruction. Upon termination of this BAA or the Underlying Agreement(s), Business Associate shall return or destroy all PHI if feasible. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to any retained PHI for as long as it is maintained, and will limit further uses and disclosures to those purposes that make return or destruction infeasible.
    • Survival. All obligations in this BAA concerning the protection of PHI shall survive termination for so long as PHI remains in Business Associate’s possession or control.

7. Miscellaneous

  • Regulatory References. A reference in this BAA to a section of HIPAA means the section as in effect or as amended.
  • Interpretation. Any ambiguity shall be resolved to permit compliance with HIPAA and its implementing regulations.
  • Amendment. This BAA may be amended or modified only in a writing signed by both Parties.
  • No Third‐Party Beneficiaries. Nothing in this BAA is intended, nor shall be deemed, to confer any benefits on any third party.
  • Independent Contractors. The Parties acknowledge that Business Associate is an independent contractor and not an agent of Customer. Nothing in this BAA is intended to create an agency relationship, joint venture, or partnership between the Parties.
  • Severability. If any provision of this BAA is determined to be invalid or unenforceable, the remainder shall not be affected and shall remain in full force and effect.
  • Governing Law. This BAA shall be governed by and construed in accordance with applicable federal law and, to the extent not preempted, the laws of the jurisdiction set forth in the Underlying Agreement(s).