HIPAA Business Associate Agreement

1. Definitions

Terms used in this BAA (including "Protected Health Information," "PHI," "ePHI," "Breach," and "Security Incident") have the meanings given in HIPAA and its implementing regulations (45 CFR Parts 160 and 164), as amended from time to time.

2. Permitted Uses and Disclosures

Business Associate may use or disclose Protected Health Information (PHI) only:

• To provide the ReportQuill services (including report generation, data storage, intake processing, and AI-assisted writing support)
• For Business Associate's proper management and administration
• As required by law

3. Obligations of Business Associate

Business Associate agrees to:

• •Implement technical safeguards (including encryption in transit and at rest, audit logs, access controls, and transmission security) to protect ePHI.
• •Report any Breach of unsecured PHI to Covered Entity without unreasonable delay and no later than 60 days after discovery.
• •Require any subcontractors handling PHI to sign BAAs with equivalent protections.
• •Provide Covered Entity with access to PHI for individual rights requests (access, amendment, accounting of disclosures) as required by HIPAA.
• •Upon termination of services, return or destroy all PHI (or extend protections if return/destruction is infeasible).
• •Make internal practices, books, and records relating to PHI available to the Secretary of HHS for compliance investigations.

4. Obligations of Covered Entity

Covered Entity is responsible for:

• •Obtaining necessary patient authorizations and consents
• •Implementing administrative and physical safeguards
• •Proper configuration and use of the Services
• •Ensuring compliance with all HIPAA obligations not delegated to Business Associate

5. Term and Termination

• •This BAA is effective upon your acceptance and continues until terminated.
• •Either party may terminate for material breach (with 30 days to cure, if feasible).
• •Upon termination, Business Associate will return or destroy all PHI.

6. Miscellaneous

• •Governing Law: Delaware law, without regard to conflict of laws principles.
• •No Third-Party Beneficiaries: No agency, partnership, or joint venture is created, and there are no third-party beneficiaries to this BAA.
• •Amendments: This BAA may be amended as required for compliance with law or by mutual written agreement.
• •Digital Acceptance: Your continued use of ReportQuill after viewing this BAA, or your explicit electronic acceptance during onboarding, constitutes binding acceptance.
• •Limitation of Liability: Any liability arising under this BAA is subject to the limitation of liability and disclaimer of damages provisions in our Terms of Service.
• •No Assumption of Covered Entity Obligations: Business Associate is not responsible for Covered Entity's overall HIPAA compliance or any obligations not expressly delegated in this BAA.
• •Public Version: This BAA is available at https://reportquill.com/legal/baa.