Business Associate Agreement

Preamble

This Business Associate Agreement (“Agreement”) is entered into by and between:

• Covered Entity: The medical practice or healthcare organization subscribing to Aiging US services (“Covered Entity” or “You”)
• Business Associate: Aiging US LLC, a Delaware limited liability company, with principal offices at 10777 Caminto Alvarez, San Diego, CA 92126 (“Business Associate” or “We”)

This Agreement supplements and is incorporated into the Terms of Service between the parties and governs the handling of Protected Health Information (PHI).

1. Definitions

Terms used in this Agreement shall have the same meaning as defined in HIPAA and HITECH regulations (45 C.F.R. Parts 160 and 164). Key definitions include:

• “Protected Health Information” (PHI): Individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 C.F.R. § 160.103.
• “Electronic Protected Health Information” (ePHI): PHI that is transmitted or maintained in electronic media.
• “Breach”: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 C.F.R. § 164.402.
• “Security Incident”: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

2. Permitted Uses and Disclosures

2.1 Services

Business Associate may use or disclose PHI solely to perform functions, activities, or services specified in the Terms of Service on behalf of Covered Entity, provided such use or disclosure would not violate HIPAA if done by Covered Entity.

2.2 Business Associate’s Operations

Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided:

• The use is required by law; or
• Business Associate obtains reasonable assurances from any third party to whom it discloses PHI that the information will be held confidentially and used only for the purposes for which it was disclosed.

2.3 Minimum Necessary

Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.502(b).

3. Obligations of Business Associate

Business Associate agrees to:

• Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
• Implement safeguards to prevent unauthorized use or disclosure of PHI, including administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of ePHI.
• Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any Breach or Security Incident.
• Ensure subcontractors agree to the same restrictions and conditions that apply to Business Associate with respect to PHI.
• Make PHI available to Covered Entity or individuals as required to satisfy Covered Entity’s obligations under HIPAA’s access requirements.
• Make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity.
• Maintain and make available information required to provide an accounting of disclosures.
• Make practices and records available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.

4. Security Requirements

Business Associate shall implement and maintain security measures including:

4.1 Administrative Safeguards

• Designated security officer responsible for HIPAA compliance
• Workforce training on PHI handling and security
• Access management and authorization procedures
• Security incident response and reporting procedures
• Periodic risk assessments and security reviews

4.2 Physical Safeguards

• Facility access controls
• Workstation and device security
• Secure disposal of media containing PHI

4.3 Technical Safeguards

• Encryption of ePHI in transit and at rest
• Unique user identification and authentication
• Automatic session timeout
• Audit controls and activity logging
• Integrity controls to prevent improper alteration

5. Breach Notification

5.1 Discovery and Reporting

Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than 30 calendar days after discovery of the Breach. A Breach is considered discovered on the first day it is known or reasonably should have been known.

5.2 Content of Notice

Breach notifications shall include, to the extent known:

• Identification of each individual whose PHI was or is believed to have been accessed, acquired, or disclosed
• Description of what happened, including the date of the Breach and date of discovery
• Description of the types of PHI involved
• Steps individuals should take to protect themselves
• Steps Business Associate is taking to investigate, mitigate harm, and prevent future breaches

5.3 Cooperation

Business Associate shall cooperate with Covered Entity in investigating the Breach and meeting notification obligations under HIPAA.

6. Obligations of Covered Entity

Covered Entity agrees to:

• Notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate’s use or disclosure of PHI
• Notify Business Associate of any changes in, or revocation of, individual authorizations to use or disclose PHI
• Notify Business Associate of any restrictions on use or disclosure of PHI that Covered Entity has agreed to
• Not request Business Associate to use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity
• Obtain appropriate patient consents and authorizations as required under HIPAA

7. Term and Termination

7.1 Term

This Agreement shall be effective upon execution and shall remain in effect for the duration of the underlying Terms of Service, unless earlier terminated as provided herein.

7.2 Termination for Cause

Either party may terminate this Agreement if the other party materially breaches any provision and fails to cure the breach within 30 days of written notice. If cure is not possible, termination may be immediate.

7.3 Effect of Termination

Upon termination, Business Associate shall:

• Return or destroy all PHI received from or created on behalf of Covered Entity, if feasible
• If return or destruction is not feasible, extend the protections of this Agreement to retained PHI and limit further uses and disclosures
• Certify in writing the destruction or return of PHI, or the reasons why destruction or return is not feasible

7.4 Survival

The obligations of Business Associate under this Section 7 shall survive termination of this Agreement.

8. Miscellaneous

8.1 Regulatory References

Any reference to a regulatory provision means the provision as amended from time to time, including successor provisions.

8.2 Amendment

This Agreement may be amended only by written agreement signed by both parties. The parties agree to amend this Agreement as necessary to comply with changes in HIPAA regulations.

8.3 Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits both parties to comply with HIPAA.

8.4 No Third-Party Beneficiaries

This Agreement does not create any rights in third parties, including patients.

8.5 Governing Law

This Agreement shall be governed by federal law, including HIPAA and HITECH, and, to the extent not preempted, by the laws of the State of California.

9. Contact Information

For questions about this BAA or to request execution of this Agreement:

Aiging US LLC — HIPAA Compliance
10777 Caminto Alvarez
San Diego, CA 92126
Email: connect@aigingus.com
Phone: +1 (858) 864-0192