Business Associate Agreement
MySummitKeep LLC — Effective Date: April 1, 2026
This Business Associate Agreement (“BAA” or “Agreement”) is entered into by and between the entity or individual identified as the customer in the applicable MySummitKeep subscription agreement (“Covered Entity”) and MySummitKeep LLC, a Florida limited liability company (“Business Associate”), collectively referred to as the “Parties.”
This BAA supplements and is incorporated into the Terms of Service and/or Cloud Computing Service Agreement (the “Underlying Agreement”) between the Parties governing Business Associate’s provision of the MySummitKeep platform services.
1. Definitions
Capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them in the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, “HIPAA Rules”). Key definitions include:
- “Protected Health Information” or “PHI” means any information, whether oral or recorded in any form or medium, that (i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or past, present, or future payment for the provision of health care to an individual; and (ii) identifies the individual or could reasonably be used to identify the individual, as further defined under 45 CFR § 160.103.
- “Electronic Protected Health Information” or “ePHI” means PHI that is transmitted by or maintained in electronic media, as defined under 45 CFR § 160.103.
- “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined under 45 CFR § 164.402.
- “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined under 45 CFR § 164.304.
- “Designated Record Set” means a group of records maintained by or for a Covered Entity as defined under 45 CFR § 164.501.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as required by law. Business Associate may use or disclose PHI solely for the following purposes:
- To perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.
- For the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that any disclosure to a third party for these purposes is either required by law or made only after Business Associate obtains reasonable assurances from the third party that the PHI will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the third party will notify Business Associate of any instance of which it becomes aware in which the confidentiality of the PHI has been breached, as permitted by 45 CFR § 164.504(e)(4).
- To provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
- To de-identify PHI in accordance with 45 CFR § 164.514(a)–(c).
2.2 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by 45 CFR §§ 164.308, 164.310, and 164.312.
Health Data Encryption and Access Controls: MySummitKeep protects health-related data fields with the following layered controls:
- Health data fields are encrypted at rest at the application layer using AES-256, in addition to the storage-level encryption described below.
- All data is encrypted in transit using TLS 1.2 or higher.
- Azure SQL Transparent Data Encryption (TDE) encrypts the database files, transaction logs, and backups at the storage level, independently of the field-level encryption above.
- Access to health data requires role-based authorization; only users holding the Leader or Admin role may view or modify health records.
- Every access to health data is recorded in an audit log to support breach detection and compliance reporting.
These safeguards supplement, but do not replace, the obligations set forth in this BAA.
2.3 Subcontractors
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree, in a written agreement, to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to such PHI, in accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2).
2.4 Reporting
Business Associate shall report to Covered Entity any Breach of Unsecured PHI, as defined at 45 CFR § 164.402, without unreasonable delay and in no event later than thirty (30) calendar days after discovery. The report shall include, to the extent available:
- The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
- A description of the nature of the Breach, including the types of PHI involved;
- A description of what Business Associate has done or is doing to investigate, mitigate losses, and protect against further Breaches; and
- Contact information for individuals who can provide additional information.
Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. Reports of unsuccessful Security Incidents (such as pings, port scans, or unsuccessful login attempts) shall be provided upon Covered Entity’s written request and no more frequently than quarterly.
2.5 Access to PHI
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within fifteen (15) business days of receiving a written request from Covered Entity, make available to Covered Entity such PHI for purposes of satisfying Covered Entity’s obligations under 45 CFR § 164.524.
2.6 Amendment of PHI
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within fifteen (15) business days of receiving a written request from Covered Entity, make any amendments to PHI as directed by Covered Entity pursuant to 45 CFR § 164.526.
2.7 Accounting of Disclosures
Business Associate shall maintain and make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate shall make such information available within thirty (30) days of a written request.
2.8 Government Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Rules.
2.9 Minimum Necessary
Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR §§ 164.502(b) and 164.514(d).
3. Obligations of Covered Entity
Covered Entity shall:
- Notify Business Associate of any limitations in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restrictions may affect Business Associate’s use or disclosure of PHI.
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
4. Term and Termination
4.1 Term
This BAA shall be effective as of the Effective Date and shall remain in effect for the duration of the Underlying Agreement, unless sooner terminated as provided herein.
4.2 Termination for Cause
Either Party may terminate this BAA if it determines that the other Party has violated a material term of this BAA. The non-breaching Party shall provide the breaching Party with written notice of the breach and afford the breaching Party thirty (30) days to cure. If the breach is not cured within such period, the non-breaching Party may terminate this BAA and the Underlying Agreement.
4.3 Effect of Termination
Upon termination of this BAA, Business Associate shall, at the direction of Covered Entity, return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further use and disclosure to those purposes that make return or destruction infeasible.
5. Miscellaneous
5.1 Regulatory References
A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
5.2 Amendment
The Parties agree to take such action as is necessary to amend this BAA from time to time as necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
5.3 Survival
The respective rights and obligations of Business Associate under Section 4.3 of this BAA shall survive the termination of this BAA.
5.4 Interpretation
Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
5.5 Governing Law
This BAA shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict of laws principles, to the extent not preempted by federal law.