DyZen Med Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into by and between DyZen Med (“Business Associate”) and the organization accepting this Agreement through the DyZen Med platform (“Covered Entity” or, where applicable, another “Business Associate”; in either case, “Customer” or “you”). This BAA is effective as of the date of acceptance recorded by DyZen Med in accordance with Section 16 (“Effective Date”).
This BAA supplements and is incorporated into the DyZen Med Terms of Service and any applicable Order Form or services agreement between the parties (collectively, the “Underlying Agreement”). To the extent of a conflict between this BAA and the Underlying Agreement with respect to Protected Health Information, this BAA controls.
1. Purpose
DyZen Med provides a physician-assist platform that processes, organizes, structures, and presents medical record information to support clinical review and medical-legal workflows. In connection with providing the Services, DyZen Med may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Customer. The purpose of this BAA is to set forth the parties’ obligations regarding PHI in compliance with HIPAA.
2. Definitions
Capitalized terms not otherwise defined in this BAA shall have the meanings assigned to them under HIPAA.
“Breach” shall have the meaning set forth in 45 C.F.R. § 164.402.
“Designated Record Set” shall have the meaning set forth in 45 C.F.R. § 164.501.
“Electronic Protected Health Information” or “ePHI” shall have the meaning set forth in 45 C.F.R. § 160.103.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the regulations promulgated thereunder, including 45 C.F.R. Parts 160 and 164.
“Individual” shall have the meaning set forth in 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
“Protected Health Information” or “PHI” shall have the meaning set forth in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Customer.
“Required by Law” shall have the meaning set forth in 45 C.F.R. § 164.103.
“Security Incident” shall have the meaning set forth in 45 C.F.R. § 164.304.
“Services” means the DyZen Med platform and related services provided to Customer under the Underlying Agreement.
“Subcontractor” shall have the meaning set forth in 45 C.F.R. § 160.103.
“Unsecured PHI” shall have the meaning set forth in 45 C.F.R. § 164.402.
3. Relationship of the Parties
Customer is the Covered Entity or Business Associate, as applicable, and DyZen Med is the Business Associate of Customer for purposes of HIPAA, to the extent DyZen Med creates, receives, maintains, or transmits PHI on Customer’s behalf in providing the Services.
If Customer is itself a Business Associate, Customer represents and warrants that it has obtained all permissions, authorizations, and contractual rights necessary to disclose PHI to DyZen Med and to bind DyZen Med to the obligations set forth herein.
4. Permitted Uses and Disclosures of PHI
Business Associate may use and disclose PHI only as permitted or required by this BAA, the Underlying Agreement, or as Required by Law.
Subject to the terms of this BAA, Business Associate may use and disclose PHI to:
- provide, operate, maintain, support, secure, and improve the Services for Customer;
- process, structure, summarize, organize, retrieve, display, and transmit medical record information as directed by Customer and its authorized users;
- create data outputs, summaries, work-product drafts, and related assistive materials requested through the Services for human review by Customer;
- perform internal administrative functions, quality assurance, troubleshooting, system maintenance, fraud prevention, abuse prevention, billing support, auditing, legal compliance, and security operations related to the Services;
- disclose PHI to Subcontractors as permitted under Section 8 of this BAA; and
- use or disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that any disclosure for such purposes is Required by Law or Business Associate obtains reasonable assurances from the recipient that:
  - the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the recipient; and
  - the recipient will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
Business Associate shall not:
- use or disclose PHI in a manner that would violate HIPAA if done by Customer, except as expressly permitted for Business Associate under HIPAA;
- sell PHI;
- use PHI for marketing except as expressly permitted by HIPAA and authorized by Customer;
- use PHI to train public, shared, or general-purpose AI models not dedicated to Customer’s permitted workflow; or
- de-identify PHI except as expressly authorized in writing by Customer or as otherwise permitted by HIPAA and the Underlying Agreement.
Business Associate shall make reasonable efforts to use, disclose, and request only the minimum necessary PHI to accomplish the intended purpose of the use, disclosure, or request, to the extent the minimum necessary standard applies.
5. Prohibited Uses and Functional Limits
The Services are assistive in nature. Business Associate does not provide medical advice, legal advice, diagnoses, causation determinations, impairment ratings, disability determinations, treatment recommendations, or clinical judgments through this BAA or by virtue of providing the Services.
Customer acknowledges and agrees that:
- all output generated through the Services must be reviewed by qualified human professionals;
- Customer retains sole responsibility for medical interpretation, legal conclusions, compliance decisions, and actions taken based on the Services; and
- Business Associate does not assume any duty of care to patients or third parties by processing PHI under this BAA.
6. Safeguards
Business Associate shall implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI and ePHI, including safeguards designed to prevent any use or disclosure of PHI other than as provided for by this BAA.
Without limiting the foregoing, Business Associate shall maintain safeguards appropriate to the nature of the Services, including as applicable:
- access controls designed to restrict access to PHI to authorized personnel, systems, and processes;
- authentication mechanisms and credential management controls;
- encryption of PHI in transit and at rest where applicable and feasible within the architecture of the Services;
- audit logging, monitoring, and security event review processes;
- workforce training and role-based access limitations;
- secure hosting and infrastructure practices using commercially reasonable cloud and platform controls;
- policies and procedures addressing incident response, data handling, and PHI protection; and
- measures reasonably designed to protect against anticipated threats or hazards to the security or integrity of ePHI and against unauthorized uses or disclosures.
7. Reporting of Improper Use, Disclosure, Security Incidents, and Breaches
Business Associate shall report to Customer, without unreasonable delay:
- any use or disclosure of PHI not permitted by this BAA of which Business Associate becomes aware;
- any Breach of Unsecured PHI, in no event later than thirty (30) calendar days after discovery by Business Associate; and
- any Security Incident of which Business Associate becomes aware involving Customer PHI, except that unsuccessful or immaterial incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of PHI, such as routine port scans, pings, failed login attempts, malware blocked by preventive controls, or other noise at the digital gate, may be reported on an aggregate basis or deemed reported by this Section.
To the extent known and available, any Breach notification shall include:
- a brief description of what happened, including the date of the Breach and the date of discovery, if known;
- the categories of PHI involved;
- the identities of affected Individuals, if known and reasonably ascertainable;
- the steps Business Associate has taken or plans to take to investigate, mitigate, and remediate the Breach; and
- any information reasonably requested by Customer to support Customer’s compliance with applicable breach notification obligations.
8. Subcontractors
Business Associate may use Subcontractors to perform functions, activities, or services on its behalf involving PHI, provided that Business Associate enters into a written agreement with each such Subcontractor that requires the Subcontractor to comply with restrictions and conditions on PHI that are at least as restrictive as those that apply to Business Associate under this BAA, to the extent required by HIPAA.
Business Associate remains responsible for the acts and omissions of its Subcontractors to the extent provided by HIPAA and applicable law.
Customer acknowledges that Business Associate may use infrastructure providers, cloud hosting providers, storage providers, communications providers, and AI processing providers in delivering the Services, and that such providers may be engaged as Subcontractors where PHI is involved.
9. Access to PHI
To the extent Business Associate maintains PHI in a Designated Record Set and Customer determines that access is required under 45 C.F.R. § 164.524, Business Associate shall, taking into account the nature of the Services, make PHI available to Customer or, at Customer’s written direction, to the Individual, in order to enable Customer to fulfill its obligations under HIPAA.
Business Associate’s obligation under this Section is limited to PHI maintained by Business Associate in a manner that is retrievable and reasonably capable of being provided through the Services or Business Associate’s standard support processes.
10. Amendment of PHI
To the extent Business Associate maintains PHI in a Designated Record Set and Customer determines that amendment is required under 45 C.F.R. § 164.526, Business Associate shall, upon written request by Customer, make reasonable efforts to incorporate amendments to PHI as directed by Customer, subject to the technical limitations of the Services and Business Associate’s retention, system integrity, security, and legal obligations.
11. Accounting of Disclosures
To the extent required by 45 C.F.R. § 164.528 and to the extent such information is available to Business Associate, Business Associate shall make available to Customer information regarding disclosures of PHI by Business Associate that would be required for Customer to provide an accounting of disclosures to an Individual.
Business Associate shall have no obligation to account for disclosures that are exempt from the accounting requirement under HIPAA.
12. Internal Practices, Books, and Records
To the extent required by 45 C.F.R. § 164.504(e)(2)(ii)(I), Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer’s or Business Associate’s compliance with HIPAA.
13. Customer Obligations
Customer shall:
- use the Services in compliance with HIPAA and all other applicable laws;
- disclose only PHI that Customer is legally permitted to disclose to Business Associate;
- obtain all required consents, authorizations, notices, and permissions related to PHI disclosed to Business Associate;
- ensure that its authorized users access and use the Services only as permitted;
- implement appropriate administrative, technical, and physical safeguards on its own systems and accounts;
- not request that Business Associate use or disclose PHI in any manner that would violate HIPAA if done by Customer, except where expressly permitted for Business Associate;
- remain solely responsible for the accuracy, quality, legality, and appropriateness of the PHI and other data uploaded to the Services; and
- remain solely responsible for all medical, legal, operational, and business decisions made based on the Services or output from the Services.
Customer shall promptly notify Business Associate of any restriction on the use or disclosure of PHI that may materially affect Business Associate’s performance of the Services, but only to the extent such restriction is legally binding on Business Associate and operationally feasible within the Services.
14. Term and Termination
This BAA shall commence on the Effective Date and shall remain in effect until the earlier of:
- termination or expiration of the Underlying Agreement; or
- termination of this BAA pursuant to this Section.
If either party knows of a material breach of this BAA by the other party, the non-breaching party may provide written notice describing the breach and an opportunity to cure within a reasonable period. If the breach is not cured within that period, the non-breaching party may terminate the Underlying Agreement and this BAA to the extent permitted by applicable law and contract.
If termination of this BAA is not feasible, the non-breaching party may report the breach to the Secretary of the U.S. Department of Health and Human Services to the extent required by HIPAA.
15. Effect of Termination; Return or Destruction of PHI
Upon termination of this BAA or the Underlying Agreement for any reason, Business Associate shall, if feasible and consistent with applicable law and Business Associate’s standard retention and backup practices, return or destroy PHI received from Customer or created, received, maintained, or transmitted by Business Associate on behalf of Customer.
If return or destruction is not feasible, Business Associate shall:
- extend the protections of this BAA to the retained PHI;
- limit further uses and disclosures of the retained PHI to those purposes that make return or destruction infeasible or that are otherwise Required by Law; and
- continue to protect such retained PHI for so long as it is retained.
Customer acknowledges that temporary residual copies of PHI may remain in routine backup systems, disaster recovery media, archival logs, or security monitoring records for a limited period consistent with Business Associate’s standard retention and deletion cycles, provided such retained PHI remains protected in accordance with this BAA.
16. Audit Trail and Acceptance
This BAA becomes binding when accepted through the DyZen Med platform by a person representing that they have authority to bind Customer.
Business Associate may record and maintain evidence of acceptance, including:
- organization identifier;
- user identifier;
- date and timestamp of acceptance;
- BAA version;
- acceptance status; and
- related metadata reasonably necessary to maintain an audit trail of assent.
Customer agrees that such electronic records shall be admissible to demonstrate acceptance of this BAA.
17. Limitation of Scope of Services
Nothing in this BAA expands the scope of the Services beyond what is described in the Underlying Agreement. Business Associate’s obligations under this BAA apply only to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Customer in connection with the Services.
This BAA does not require Business Associate to:
- provide functions not included in the Services;
- redesign its systems to support workflows outside the Services;
- retain PHI longer than required by applicable law, contract, or documented retention schedules;
- provide direct patient communications or notices, unless expressly agreed in writing; or
- assume Customer’s compliance responsibilities except as expressly stated in this BAA.
18. Liability
Each party shall be responsible for its own acts and omissions and those of its workforce, agents, and Subcontractors to the extent provided by applicable law.
Nothing in this BAA shall be construed to:
- create liability where none would otherwise exist under the Underlying Agreement or applicable law;
- waive any limitations of liability, disclaimers, or exclusions in the Underlying Agreement, except to the extent prohibited by law; or
- make Business Associate responsible for Customer’s compliance obligations, patient care, medical decisions, legal strategies, or use of outputs from the Services.
19. Regulatory References
Any reference in this BAA to a section of HIPAA, HITECH, or their implementing regulations means the section as in effect or as amended from time to time, and this BAA shall be interpreted to permit compliance with such amendments.
20. Miscellaneous
20.1 Entire Agreement
This BAA, together with the Underlying Agreement, constitutes the entire agreement between the parties with respect to PHI handled by Business Associate on behalf of Customer and supersedes prior discussions or agreements on that subject.
20.2 Amendment
Business Associate may update this BAA from time to time to reflect changes in law, regulation, business operations, Subcontractor structure, or service architecture. No updated version shall retroactively alter the version previously accepted by Customer for audit purposes. Continued use of the Services after notice of a new BAA version may require acceptance of the updated version where legally or operationally necessary.
20.3 Severability
If any provision of this BAA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
20.4 No Third-Party Beneficiaries
Nothing in this BAA is intended to create any rights in any third party, except as required by HIPAA or applicable law.
20.5 Survival
The obligations of Business Associate under Sections 7, 8, 11, 12, 15, 18, and any other provisions that by their nature should survive, shall survive termination of this BAA for so long as Business Associate retains PHI.
20.6 Authority
The individual accepting this BAA on behalf of Customer represents and warrants that they have full authority to bind Customer to this BAA.
21. Contact Information
Questions regarding this BAA may be directed to:
DyZen Med
info@dyzenmed.com