HIPAA Business Associate Agreement
Preamble
This HIPAA Business Associate Agreement (this “BAA”) is entered into between Mykare Technologies Inc., a Delaware corporation operating as Mykare AI (“Business Associate”), and the Customer identified in the underlying Service Contract or Master Services Agreement (“Covered Entity”). Business Associate and Covered Entity are each a “Party” and collectively the “Parties.”
This BAA is effective on the date Covered Entity first transmits Protected Health Information to Business Associate, or, if earlier, the effective date of the Service Contract or Master Services Agreement between the Parties (the “Underlying Agreement” and, together with this BAA, the “Agreement”).
Recitals
WHEREAS, Business Associate provides AI-powered healthcare automation services, including AI voice and text agents and the KareOS platform, to Covered Entity under the Underlying Agreement;
WHEREAS, in providing such services, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity;
WHEREAS, the Parties intend to comply with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, “HIPAA”); and
WHEREAS, the Parties wish to set forth their respective obligations in accordance with HIPAA;
NOW, THEREFORE, in consideration of the mutual promises set forth herein, the Parties agree as follows:
1. Definitions
Capitalized terms used but not defined in this BAA have the meanings given them in HIPAA. The following terms have the meanings indicated:
- “Breach” has the meaning given at 45 C.F.R. § 164.402.
- “Covered Entity” has the meaning given at 45 C.F.R. § 160.103 and refers to the Customer that is a party to this BAA.
- “Designated Record Set” has the meaning given at 45 C.F.R. § 164.501.
- “Electronic Protected Health Information” or “ePHI” has the meaning given at 45 C.F.R. § 160.103.
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164, including the Privacy Rule, the Security Rule, and the Breach Notification Rule.
- “Protected Health Information” or “PHI” has the meaning given at 45 C.F.R. § 160.103, limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
- “Security Incident” has the meaning given at 45 C.F.R. § 164.304.
- “Subcontractor” has the meaning given at 45 C.F.R. § 160.103.
- “Unsecured PHI” has the meaning given at 45 C.F.R. § 164.402.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate may use and disclose PHI only as necessary to perform the services set forth in the Underlying Agreement, as required by law, or as otherwise permitted under this BAA. Without limiting the foregoing, Business Associate may:
- Use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities.
- Disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed, and the recipient notifies Business Associate of any breaches of confidentiality.
- Provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- De-identify PHI in accordance with 45 C.F.R. § 164.514(b), provided that the resulting de-identified data is not PHI and may be used by Business Associate as permitted by law and the Underlying Agreement, including for product improvement, analytics, and benchmarking.
Business Associate shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except as expressly permitted by this BAA.
2.2 Safeguards
Business Associate shall implement and maintain administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity. Such safeguards include, at a minimum:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent) for ePHI.
- Role-based access controls, least-privilege provisioning, and multi-factor authentication for administrative access.
- Logging, monitoring, and intrusion detection.
- Regular vulnerability assessments and penetration testing.
- Workforce training, background checks, and confidentiality obligations.
- A documented written information security program aligned with the HIPAA Security Rule, the NIST 800-66 / NIST CSF frameworks, and SOC 2 controls.
2.3 Mitigation
Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this BAA.
2.4 Reporting of Unauthorized Uses, Disclosures, Security Incidents, and Breaches
Business Associate shall report to Covered Entity:
- Any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, without unreasonable delay and in any event within five (5) business days of discovery.
- Any Security Incident of which Business Associate becomes aware involving ePHI, without unreasonable delay and in any event within ten (10) business days of discovery. The Parties acknowledge and agree that this BAA constitutes notice of, and Covered Entity hereby consents to receive only consolidated periodic reporting of, unsuccessful Security Incidents that do not result in any unauthorized access, use, disclosure, modification, or destruction of ePHI (such as pings, port scans, attempts to access systems through default credentials, denial-of-service attempts that did not affect availability, and similar low-impact events).
- Any Breach of Unsecured PHI of which Business Associate becomes aware, without unreasonable delay and in any event within thirty (30) calendar days of discovery.
Breach notifications shall include, to the extent then known: the identification of each individual whose Unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach; a description of the nature of the Breach; the date of discovery; the steps Business Associate is taking to investigate and mitigate the Breach; and the steps individuals should take to protect themselves. Business Associate will reasonably cooperate with Covered Entity’s investigation and notification activities, at Business Associate’s expense to the extent the Breach is caused by Business Associate or its Subcontractors.
2.5 Subcontractors
In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI. A current list of Subcontractors is available at mykare.ai/trust-center.
2.6 Access by Individuals
Business Associate shall make PHI maintained by Business Associate in a Designated Record Set available to Covered Entity, or to an individual designated by Covered Entity, within fifteen (15) business days of a written request, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.
2.7 Amendment of PHI
Business Associate shall make available, and incorporate, amendments to PHI maintained by Business Associate in a Designated Record Set in accordance with 45 C.F.R. § 164.526, within thirty (30) business days of a written request from Covered Entity.
2.8 Accounting of Disclosures
Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and shall provide such documentation to Covered Entity within thirty (30) business days of a written request.
2.9 Access to Records
Business Associate shall make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the U.S. Secretary of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA, subject to Business Associate’s reasonable confidentiality obligations and at Business Associate’s sole discretion to redact unrelated proprietary information.
2.10 Minimum Necessary
Business Associate shall request, use, and disclose only the minimum amount of PHI reasonably necessary to accomplish the intended purpose of the request, use, or disclosure, in accordance with 45 C.F.R. § 164.502(b) and any minimum-necessary guidance issued by the Secretary.
3. Obligations of Covered Entity
Covered Entity shall:
- Provide Business Associate with the Notice of Privacy Practices of Covered Entity, including any changes thereto, that may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, an authorization or permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Obtain and maintain any consents, authorizations, and other permissions from individuals (including patients, prospective patients, and accompanying attendants) required under applicable law for Business Associate to perform the services, including consents for call recording in two-party-consent jurisdictions and consents required under the TCPA, state telemarketing and autodialer laws, biometric privacy laws, and the GDPR, as further detailed in the Underlying Agreement and Mykare AI’s Privacy Policy.
- Not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except where expressly permitted under this BAA for Business Associate’s management and administration or for data aggregation.
- Implement appropriate safeguards in its own systems to protect PHI before and after transmission to or from Business Associate.
4. Term and Termination
4.1 Term
This BAA shall be effective as described in the Preamble and shall continue in effect until the earlier of (a) the termination of the Underlying Agreement, or (b) termination of this BAA in accordance with this Section 4.
4.2 Termination for Breach
If Covered Entity determines that Business Associate has materially breached this BAA, Covered Entity shall provide Business Associate with written notice of such breach and a thirty (30) day cure period. If Business Associate does not cure the breach within the cure period, Covered Entity may terminate this BAA and the Underlying Agreement, in whole or in part, effective immediately upon written notice. If cure is not feasible, Covered Entity may terminate this BAA upon thirty (30) days’ written notice. Business Associate has equivalent termination rights with respect to any material breach by Covered Entity.
4.3 Effect of Termination
Upon termination of this BAA for any reason:
- Business Associate shall, within sixty (60) days, return or destroy all PHI received from, or created, maintained, or received on behalf of, Covered Entity that Business Associate (and any Subcontractors) still maintains in any form, and shall retain no copies of such PHI.
- If return or destruction is not feasible (for example, because PHI is contained in backups, archives, conversation analytics logs required for service continuity, de-identified data sets, or audit trails required by law), Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.
- Business Associate shall provide Covered Entity with written certification of return, destruction, or extension of protections within ninety (90) days of termination.
5. Indemnification
Business Associate shall indemnify, defend, and hold harmless Covered Entity and its directors, officers, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees and the costs of regulatory investigations and individual notifications) arising out of or related to a Breach of Unsecured PHI to the extent caused by the negligence or willful misconduct of Business Associate or its Subcontractors, subject to the limitations of liability set forth in the Underlying Agreement; provided that the carve-outs from the limitation of liability for breach of data protection laws caused by gross negligence or willful misconduct, as set out in the Underlying Agreement, shall apply.
Covered Entity shall indemnify, defend, and hold harmless Business Associate and its directors, officers, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to (a) Covered Entity’s breach of this BAA or HIPAA, (b) the absence of any required notice, authorization, or consent from individuals that was Covered Entity’s responsibility to obtain under Section 3 (including TCPA, call-recording, and biometric consents), or (c) Covered Entity’s instructions to Business Associate that, if followed, would cause Business Associate to violate HIPAA or applicable law.
6. Miscellaneous
6.1 Regulatory References
A reference in this BAA to a section in HIPAA means the section as in effect or as amended from time to time.
6.2 Amendment
The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the Parties to comply with the requirements of HIPAA or other applicable law.
6.3 Survival
The respective rights and obligations of Business Associate and Covered Entity under Sections 4.3 (Effect of Termination), 5 (Indemnification), and 6 (Miscellaneous), and any other provisions that by their nature should survive, shall survive the termination of this BAA.
6.4 Interpretation
Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA. The provisions of this BAA shall prevail over any conflicting provisions of the Underlying Agreement with respect to the handling of PHI.
6.5 No Third-Party Beneficiaries
Nothing in this BAA is intended to confer any rights, remedies, obligations, or liabilities upon any person or entity other than the Parties.
6.6 Notices
All notices required or permitted under this BAA shall be in writing and delivered as set out in the Underlying Agreement. Notices to Business Associate may also be sent by email to legal@mykare.ai.
6.7 Governing Law
This BAA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-laws principles, and by applicable U.S. federal law, including HIPAA.
6.8 Entire Agreement; Severability; Counterparts
This BAA, together with the Underlying Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements and understandings on the same subject. If any provision of this BAA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. This BAA may be executed in counterparts, including electronic counterparts via an E-Sign platform, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.
Signatures
This document is offered as the standard form of HIPAA Business Associate Agreement of Mykare Technologies Inc. Execution is by countersigned electronic signature via Mykare AI’s e-sign platform at the time of Customer onboarding. To request a signed copy of this BAA pre-populated with your organization’s details, please contact legal@mykare.ai.