Template. This is a template Business Associate Agreement with blank signature and effective-date fields. It is provided for informational review only. To receive a fillable version tailored to your practice, please contact legal@maiamed.ai.

This Business Associate Agreement ("BAA" or "Agreement") is entered into as of ("Effective Date") by and between:

Covered Entity: ("Covered Entity" or "Practice"), a medical practice located at , and

Business Associate: MAIA Medical, Inc. ("Business Associate" or "MAIA"), a company organized under the laws of the State of Florida.

Collectively referred to as the "Parties."


Recitals

WHEREAS, the Covered Entity is a healthcare provider that is subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA"), and the regulations promulgated thereunder by the U.S. Department of Health and Human Services ("HHS"), including the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule") at 45 CFR Part 160 and Part 164, Subparts A and E, and the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") at 45 CFR Part 160 and Part 164, Subparts A and C, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act");

WHEREAS, the Business Associate provides administrative automation services to the Covered Entity through the MAIA platform, including prior authorization drafting and submission, medical coding, clinical documentation, and fax processing (the "Services"), as described in the Terms of Service between the Parties;

WHEREAS, in the course of providing the Services, the Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of the Covered Entity;

WHEREAS, the Parties wish to establish the terms and conditions under which the Business Associate will handle PHI in compliance with HIPAA, the HITECH Act, and applicable state law;

NOW, THEREFORE, in consideration of the mutual promises and obligations contained herein, the Parties agree as follows:


1. Definitions

Terms used in this Agreement that are defined in HIPAA, the HITECH Act, or their implementing regulations shall have the same meaning as set forth therein. In addition:

"Breach" has the meaning set forth in 45 CFR 164.402, and refers to the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.

"Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103.

"Protected Health Information" or "PHI" means individually identifiable health information, as defined in 45 CFR 160.103, that is created, received, maintained, or transmitted by the Business Associate on behalf of the Covered Entity in connection with the Services.

"Required by Law" has the meaning set forth in 45 CFR 164.103.

"Secretary" means the Secretary of the U.S. Department of Health and Human Services or the Secretary's designee.

"Security Incident" has the meaning set forth in 45 CFR 164.304.

"Subcontractor" means a person or entity to whom the Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI on behalf of the Business Associate.


2. Obligations of the Business Associate

2.1 Permitted Uses and Disclosures

The Business Associate shall use and disclose PHI only as necessary to perform the Services on behalf of the Covered Entity, as described in the Terms of Service, or as otherwise permitted or required by this Agreement or by law. Specifically, the Business Associate may use and disclose PHI to:

(a) Perform the administrative automation functions described in the Terms of Service, including prior authorization processing, medical coding, clinical documentation generation, and fax processing;

(b) Carry out the legal responsibilities of the Business Associate under this Agreement;

(c) Provide data aggregation services to the Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B), provided that such aggregation does not identify individual patients and is used solely for the Covered Entity's healthcare operations;

(d) Report violations of law to appropriate federal and state authorities, consistent with 45 CFR 164.502(j)(1).

2.2 Prohibited Uses and Disclosures

The Business Associate shall not:

(a) Use or disclose PHI other than as permitted or required by this Agreement or as Required by Law;

(b) Use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, except as expressly authorized under this Agreement;

(c) Use PHI for the Business Associate's own independent purposes, including but not limited to marketing, fundraising, sale of PHI, or research unrelated to the Services;

(d) Use PHI to train, fine-tune, improve, or develop machine learning models, artificial intelligence systems, algorithms, or any other technology, whether owned by the Business Associate or a third party;

(e) Sell PHI, as defined in 45 CFR 164.502(a)(5)(ii), without the express written authorization of the individual to whom the PHI relates;

(f) Disclose PHI to any Subcontractor unless the requirements of Section 2.5 are satisfied.

2.3 Safeguards

The Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including ePHI, in accordance with the Security Rule. These safeguards shall include, at a minimum:

(a) Encryption of ePHI in transit using TLS 1.3 or equivalent;

(b) Encryption of ePHI at rest using AES-256 or equivalent;

(c) Access controls that limit access to PHI to workforce members and Subcontractors who require access to perform the Services;

(d) Audit controls that record access to systems containing PHI;

(e) Integrity controls to protect PHI from improper alteration or destruction;

(f) Transmission security measures to guard against unauthorized access to PHI during electronic transmission;

(g) A workforce training program on HIPAA compliance and the handling of PHI.

2.4 Reporting

(a) Security Incidents. The Business Associate shall report to the Covered Entity any Security Incident of which it becomes aware. Reports of unsuccessful Security Incidents (such as pings, port scans, unsuccessful login attempts, or similar events) shall be provided upon the Covered Entity's written request in the form of summary reports at reasonable intervals agreed upon by the Parties, rather than on a per-incident basis.

(b) Breaches. The Business Associate shall report to the Covered Entity any Breach of Unsecured PHI without unreasonable delay, and in no event later than sixty (60) calendar days after the Business Associate discovers the Breach or, by exercising reasonable diligence, would have discovered the Breach, consistent with 45 CFR 164.410. The Business Associate shall use commercially reasonable efforts to notify the Covered Entity within thirty (30) days where feasible, to afford the Covered Entity sufficient time to meet its own notification obligations under 45 CFR 164.404. The timeline may be extended as permitted under 45 CFR 164.412 in the event of a law-enforcement delay. The report shall include, to the extent available:

(c) Impermissible Uses or Disclosures. The Business Associate shall report to the Covered Entity any use or disclosure of PHI not permitted or required by this Agreement of which the Business Associate becomes aware.

2.5 Subcontractors

The Business Associate shall ensure that any Subcontractor to whom it provides PHI agrees in writing to the same restrictions, conditions, and requirements that apply to the Business Associate under this Agreement with respect to such PHI. The Business Associate shall remain responsible for the acts and omissions of its Subcontractors to the extent required by HIPAA and the HITECH Act.

2.6 Access to PHI

The Business Associate shall, within fifteen (15) business days of a written request from the Covered Entity, make available to the Covered Entity (or, at the Covered Entity's direction, to an individual) any PHI in the Business Associate's possession that is necessary for the Covered Entity to respond to an individual's request for access under 45 CFR 164.524.

2.7 Amendment of PHI

The Business Associate shall, within fifteen (15) business days of a written request from the Covered Entity, make PHI available for amendment and incorporate any amendments to PHI as directed by the Covered Entity, in accordance with 45 CFR 164.526.

2.8 Accounting of Disclosures

The Business Associate shall maintain a log of disclosures of PHI made by the Business Associate as required for the Covered Entity to respond to an individual's request for an accounting of disclosures under 45 CFR 164.528. The Business Associate shall make this log available to the Covered Entity within fifteen (15) business days of a written request. The log shall cover at least the six (6) year period preceding the request, or such shorter period as the Covered Entity specifies in its request.

2.9 Government Access

The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining the Covered Entity's or the Business Associate's compliance with HIPAA, subject to applicable legal privileges.

2.10 Minimum Necessary Standard

In performing the Services, the Business Associate shall use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose, in accordance with the minimum necessary standard set forth in 45 CFR 164.502(b) and 164.514(d).


3. Obligations of the Covered Entity

3.1 Notices and Permissions

The Covered Entity shall:

(a) Notify the Business Associate in writing of any limitations in the Covered Entity's notice of privacy practices under 45 CFR 164.520, to the extent that such limitations may affect the Business Associate's use or disclosure of PHI;

(b) Notify the Business Associate in writing of any changes in, or revocation of, the authorization of an individual relating to the Business Associate's permitted use or disclosure of PHI;

(c) Notify the Business Associate in writing of any restrictions on the use or disclosure of PHI to which the Covered Entity has agreed under 45 CFR 164.522, to the extent that such restrictions may affect the Business Associate's performance of the Services.

3.2 Permissible Requests

The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would violate HIPAA, the HITECH Act, or applicable state law if done by the Covered Entity, except as expressly permitted for a Business Associate under HIPAA.

3.3 Authority and Access

The Covered Entity represents and warrants that:

(a) It has the authority to disclose PHI to the Business Associate for the purposes described in this Agreement;

(b) It has obtained all necessary consents and authorizations required under applicable law for the disclosure of PHI to the Business Associate and for the Business Associate's use of PHI as described in this Agreement;

(c) It will provide the Business Associate with access to its EHR system and other practice systems as necessary for the Business Associate to perform the Services, and that such access is authorized under the Covered Entity's agreements with the applicable EHR vendor and other third parties;

(d) It is responsible for the accuracy and completeness of PHI that it provides to the Business Associate or that the Business Associate accesses from the Covered Entity's systems in the course of performing the Services.

3.4 EHR System Responsibility

The Covered Entity acknowledges that the Services interact with the Covered Entity's EHR system through operating-system-level automation (simulated user input such as mouse movements, clicks, and keystrokes) running on the Covered Entity's local hardware, using credentials and access privileges provided by the Covered Entity. The Services operate the EHR in the same manner as a human user at the workstation, and therefore inherit whatever access the supplied credentials carry. The Covered Entity is responsible for:

(a) Ensuring that it has the right to permit the Business Associate to access its EHR system through operating-system-level automation;

(b) Maintaining appropriate access controls, audit logging, and security configurations on its EHR system;

(c) Ensuring that the credentials provided to the Business Associate for EHR access are appropriately scoped and do not provide broader access than necessary for the Services;

(d) Reviewing and approving all actions taken by the Services within the EHR system before such actions result in submissions to payers, updates to patient records, or other consequential outcomes.

3.5 Indemnification by Covered Entity

The Covered Entity shall indemnify, defend, and hold harmless the Business Associate and its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:

(a) The Covered Entity's failure to comply with its obligations under this Agreement, HIPAA, or applicable state law;

(b) The Covered Entity's failure to review, verify, and approve Service Outputs before acting on them, as required by the Terms of Service;

(c) Any claim arising from the Covered Entity's use of Service Outputs in billing, coding, prior authorization submissions, or patient records;

(d) Any claim that the Covered Entity's provision of EHR access to the Business Associate violates the Covered Entity's agreements with its EHR vendor;

(e) The Covered Entity's failure to obtain necessary patient consents or authorizations for the disclosure of PHI to the Business Associate;

(f) Any inaccuracy or incompleteness in the PHI provided by the Covered Entity or maintained in the Covered Entity's systems.


4. Term and Termination

4.1 Term

This Agreement shall become effective on the Effective Date and shall remain in effect for the duration of the Terms of Service between the Parties, unless earlier terminated as provided herein.

4.2 Termination for Cause

Either Party may terminate this Agreement if the other Party materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) calendar days after receiving written notice specifying the breach. If the breach is not susceptible to cure, the non-breaching Party may terminate this Agreement immediately upon written notice.

4.3 Termination for Convenience

Either Party may terminate this Agreement for any reason by providing sixty (60) days' written notice to the other Party.

4.4 Effect of Termination

Upon termination of this Agreement for any reason, the Business Associate shall:

(a) Cease all uses and disclosures of PHI;

(b) Return to the Covered Entity or destroy all PHI in the Business Associate's possession, including all copies in any form, within thirty (30) calendar days of termination. The Business Associate shall certify in writing to the Covered Entity that such return or destruction has been completed;

(c) If return or destruction of PHI is not feasible (for example, because PHI is embedded in backup systems that cannot be selectively purged), the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for as long as the Business Associate maintains such PHI;

(d) The obligations of the Business Associate under this Section 4.4 shall survive termination of this Agreement.

4.5 Effect on Services

Termination of this Agreement shall also terminate the Terms of Service between the Parties, to the extent the Services cannot be performed without the use or disclosure of PHI.


5. Liability and Limitations

5.1 Scope of Business Associate's Responsibility

The Business Associate's obligations under this Agreement relate solely to the safeguarding, use, and disclosure of PHI in connection with the Services. The Business Associate is not responsible for:

(a) The clinical accuracy or appropriateness of decisions made by the Covered Entity or its providers based on Service Outputs;

(b) Compliance failures attributable to the Covered Entity's own acts, omissions, or instructions;

(c) The security of the Covered Entity's own systems, networks, hardware, or EHR environment, except to the extent the Business Associate's Services directly caused a vulnerability;

(d) Errors in PHI that originate from the Covered Entity's records and are not introduced or caused by the Business Associate's processing.

5.2 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE BUSINESS ASSOCIATE'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE GREATER OF (A) THE TOTAL FEES PAID BY THE COVERED ENTITY TO THE BUSINESS ASSOCIATE DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) ONE HUNDRED THOUSAND U.S. DOLLARS ($100,000). THIS LIMITATION SHALL NOT APPLY TO LIABILITY ARISING FROM THE BUSINESS ASSOCIATE'S WILLFUL MISCONDUCT, GROSS NEGLIGENCE, FRAUD, OR KNOWING VIOLATION OF HIPAA OR APPLICABLE STATE PRIVACY LAW.

5.3 No Third-Party Beneficiaries

This Agreement is between the Covered Entity and the Business Associate. Nothing in this Agreement confers any rights or remedies upon any individual patient or other third party. Individuals seeking to exercise their rights under HIPAA must direct such requests to the Covered Entity.

5.4 Indemnification by Business Associate

The Business Associate shall indemnify, defend, and hold harmless the Covered Entity from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising directly from the Business Associate's material breach of this Agreement or its willful, knowing, or grossly negligent violation of HIPAA in the handling of PHI.


6. Regulatory Changes

If any provision of this Agreement is rendered invalid or unenforceable by a change in HIPAA, the HITECH Act, or their implementing regulations, the Parties shall negotiate in good faith to amend this Agreement to comply with the revised requirements while preserving the original intent of the Parties to the extent possible. If the Parties cannot agree on an amendment within sixty (60) days of the regulatory change taking effect, either Party may terminate this Agreement upon thirty (30) days' written notice.


7. Miscellaneous

7.1 Governing Law

This Agreement shall be governed by and construed in accordance with federal law, including HIPAA and the HITECH Act. To the extent that state law applies, this Agreement shall be governed by the laws of the State of Florida, without regard to its conflict of law provisions.

7.2 Entire Agreement

This Agreement, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, representations, and understandings relating to the handling of PHI between the Parties.

7.3 Amendments

This Agreement may not be amended except in writing signed by both Parties. Notwithstanding the foregoing, the Parties acknowledge that this Agreement may need to be amended from time to time to comply with changes in HIPAA, the HITECH Act, or their implementing regulations, and the Parties agree to cooperate in good faith to make such amendments as described in Section 6.

7.4 Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA and the HITECH Act.

7.5 Notices

All notices under this Agreement shall be in writing and shall be delivered by email with confirmation of receipt, or by certified mail, return receipt requested, to the following addresses:

To Business Associate:
MAIA Medical, Inc.
Email: legal@maiamed.ai

To Covered Entity:

Email:

7.6 Counterparts

This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed valid and binding.


Signatures

Covered Entity

Business Associate: MAIA Medical, Inc.