Business Associate Agreement (BAA)

Protecting patient privacy with administrative, physical, and technical safeguards aligned to HIPAA and SOC 2 Type II.

Parties

Overview

This Business Associate Agreement (“BAA”) supplements and forms part of the Master Services Agreement (“MSA”) between Solid Gold Technologies LLC d/b/a MediChatApp (“Business Associate”) and the healthcare organization utilizing MediChatApp’s products or services (“Covered Entity”). The BAA ensures compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations.

Scope. This BAA governs MediChatApp’s handling of Protected Health Information (“PHI”) received from or on behalf of the Covered Entity while providing contracted services.

1) Permitted Uses & Disclosures

Business Associate may use and disclose PHI solely to perform services defined in the MSA and this BAA, provided such use or disclosure would not violate HIPAA if done by the Covered Entity, or as otherwise required by law. De-identification of data may be performed in accordance with 45 CFR §164.514.

  • Operate, support, and enhance contracted services (e.g., patient communications, portal, check-in, analytics).
  • Implement quality assurance, availability, security monitoring, and troubleshooting.
  • Produce de-identified or aggregated data sets for analytics and service improvement, without re-identification.

2) Safeguards & Compliance

Business Associate implements administrative, physical, and technical safeguards as required by 45 CFR §§164.308, 164.310, and 164.312, including:

  • Access controls, least-privilege role design, MFA, and audit logging with immutable retention.
  • Encryption in transit and at rest for PHI; key management aligned to industry best practices.
  • Secure development lifecycle, change management, and vulnerability management.
  • Workforce training and sanction policies; annual security and privacy reviews.

Business Associate maintains a security and privacy program aligned with HIPAA and SOC 2 Type II controls applicable to the services.

3) Subcontractors

Business Associate ensures that any subcontractor who creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and safeguards substantially similar to those set forth in this BAA.

4) Minimum Necessary

Both parties shall adhere to the “minimum necessary” standard under HIPAA. Covered Entity will provide only the PHI necessary for Business Associate to perform the services.

5) Security Incidents & Breach Notification

Business Associate will report to Covered Entity any unauthorized use or disclosure of PHI of which it becomes aware, including breaches as defined by 45 CFR §164.402, without unreasonable delay and no later than ten (10) business days after confirmation. Notifications will include information reasonably available to assist Covered Entity with its obligations.

6) Individual Rights & Access Requests

To the extent required by law and practicable, Business Associate shall assist Covered Entity in responding to requests for access, amendment, accounting of disclosures, restrictions, and confidential communications relating to PHI.

7) Term & Termination; Return/Destruction of PHI

This BAA is effective for the duration of services involving PHI and terminates upon expiration or termination of the MSA. Upon termination, Business Associate will return or securely destroy PHI that it still maintains, if feasible. If return or destruction is infeasible (e.g., backup archives, legal holds), Business Associate will extend protections under this BAA and limit further uses to those that make return or destruction infeasible.

8) Miscellaneous

  • Precedence. In any conflict between this BAA and the MSA regarding PHI, this BAA controls.
  • Amendments. The parties will amend this BAA as needed to comply with changes in applicable law.
  • Governing Law. This BAA is governed by the laws of the State of New York, without regard to conflicts principles.
  • Notices. Legal notices may be sent to [email protected].

Last Updated: November 18, 2025 · This BAA forms part of MediChatApp’s HIPAA & SOC 2 Type II aligned compliance program.

Need a signed BAA?

We countersign BAAs for Covered Entities during implementation. Ask us for a copy with your legal name and address.
