This is an example for review. Your finalized Business Associate Agreement is executed by both parties during enrollment.
Example Business Associate Agreement (BAA)
This Business Associate Agreement (this “Agreement”) is entered into effective as of [Effective Date] by and between:
Covered Entity: [Legal Name of Healthcare Provider]
[Address of Healthcare Provider]
(Hereinafter, “Covered Entity”)
Business Associate: Catapult Business Innovations LLC
Philadelphia, PA
(Hereinafter, “Business Associate”)
WHEREAS, Covered Entity is a Covered Entity as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and their implementing regulations (collectively, “HIPAA Rules”);
WHEREAS, Covered Entity and Business Associate have entered into a separate agreement or understanding for services (the “Service Agreement”) under which Business Associate provides practice growth and patient communication solutions to Covered Entity;
WHEREAS, in connection with the services provided under the Service Agreement, Business Associate may create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of Covered Entity, making Business Associate a “Business Associate” as defined by the HIPAA Rules;
WHEREAS, the parties desire to establish the terms and conditions under which Business Associate will use and disclose PHI to comply with the HIPAA Rules.
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the parties agree as follows:
ARTICLE 1: DEFINITIONS
1.1. Terms used in this Agreement and not otherwise defined shall have the same meaning as those terms in the HIPAA Rules.
1.2. “Protected Health Information” (PHI): Shall have the meaning given to such term in 45 CFR § 160.103, including electronic PHI (ePHI).
1.3. “Covered Entity”: Shall have the meaning given to such term in 45 CFR § 160.103.
1.4. “Business Associate”: Shall have the meaning given to such term in 45 CFR § 160.103.
1.5. “Breach”: Shall have the meaning given to such term in 45 CFR § 164.402.
1.6. “Security Incident”: Shall have the meaning given to such term in 45 CFR § 164.304.
1.7. “Service Agreement”: The underlying agreement(s) between the Covered Entity and the Business Associate under which Business Associate provides services to Covered Entity.
ARTICLE 2: OBLIGATIONS OF BUSINESS ASSOCIATE
2.1. Permitted Uses and Disclosures of PHI.
Business Associate may use or disclose PHI only as necessary to perform the services set forth in the Service Agreement, as permitted or required by this Agreement, or as required by law.
Specific to Catapult services: Business Associate may use and disclose PHI to provide AI-powered patient communication and practice growth services to Covered Entity, including but not limited to:
Operating the AI Phone Receptionist to manage inbound and outbound patient calls for scheduling and inquiries.
Operating the Unified Messaging Agent to manage patient communications via SMS, Facebook, Instagram, and website chat.
Operating the On Site Voice Agent to provide accessible, voice-based website navigation and booking.
Managing patient contact information, appointments, and communications within the HIPAA-compliant CRM.
Facilitating patient review generation and managing AI-powered reputation management responses.
Managing marketing campaigns (SEO, Google or Microsoft Ads, Social Media Ads) that capture and transmit lead information to the secure CRM.
Business Associate may also use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided such uses are in accordance with 45 CFR § 164.504(e)(4).
2.2. Restrictions on Uses and Disclosures.
Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as required by law.
Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity.
2.3. Safeguards.
Business Associate shall implement appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, as required by 45 CFR Part 164, Subpart C.
2.4. Reporting of Security Incidents and Breaches.
Business Associate shall report to Covered Entity any Security Incident of which it becomes aware within 48 hours of discovery.
Business Associate shall report to Covered Entity any Breach of unsecured PHI as soon as reasonably practicable, but in no event later than 60 calendar days from discovery.
Such report shall include all information required by 45 CFR § 164.404.
2.5. Subcontractors.
Business Associate shall ensure that any of its subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate under this Agreement and the HIPAA Rules.
2.6. Access to PHI.
Business Associate shall make PHI available to Covered Entity to permit Covered Entity to meet its access obligations under 45 CFR § 164.524.
2.7. Amendment of PHI.
Business Associate shall make PHI available to Covered Entity for amendment and incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 CFR § 164.526.
2.8. Accounting of Disclosures.
Business Associate shall make available information required for Covered Entity to provide an accounting of disclosures in accordance with 45 CFR § 164.528.
2.9. Internal Practices and Records.
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
ARTICLE 3: OBLIGATIONS OF COVERED ENTITY
3.1. Permitted Disclosures.
Covered Entity shall notify Business Associate of any limitation in its notice of privacy practices under 45 CFR § 164.520, or any restriction to the use or disclosure of PHI that Covered Entity has agreed to, that may affect Business Associate’s use or disclosure of PHI.
3.2. Legal Authorizations.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
ARTICLE 4: TERM AND TERMINATION
4.1. Term.
This Agreement shall be effective as of the Effective Date and shall terminate when all PHI is destroyed or returned to Covered Entity, or, if such destruction or return is not feasible, is extended to ensure the continued protection of the PHI.
4.2. Termination for Cause.
Either party may terminate this Agreement if the other party materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) days after written notice thereof.
4.3. Effect of Termination.
Upon termination of this Agreement, Business Associate shall, if feasible, return or destroy all PHI.
If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures.
ARTICLE 5: MISCELLANEOUS
5.1. Governing Law.
This Agreement shall be governed by and construed in accordance with the laws of the State of Pennsylvania.
5.2. Amendment.
The parties agree to amend this Agreement from time to time as is necessary to comply with the HIPAA Rules.
5.3. Survival.
The respective rights and obligations of Business Associate under Section 4.3 shall survive the termination of this Agreement.
5.4. Entire Agreement.
This Agreement, in conjunction with the Service Agreement, constitutes the entire agreement between the parties.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date.
COVERED ENTITY: [Legal Name of Healthcare Provider]
By:
Name:
Title:
Date:
BUSINESS ASSOCIATE: Catapult Business Innovations LLC
By:
Name:
Title:
Date:
This page is for informational purposes. A finalized Business Associate Agreement will be executed by both parties upon enrollment in our services.
Want this in your own format? Bring your preferred BAA language to the call and we will review alignment during enrollment.