Business Associate Agreement

Required before handling any client PHI

HIPAA Compliance Requirement

A signed Business Associate Agreement (BAA) is required by federal law before any Protected Health Information (PHI) can be stored, processed, or transmitted through this platform. Do not upload medical records, treatment information, or other PHI until this agreement is executed.

HIPAA Business Associate Agreement

This Business Associate Agreement ("BAA") is entered into between the undersigned Covered Entity ("You" or "Covered Entity") and Angel Intelligence LLC ("Business Associate").

1. Definitions

Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164). "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.

2. Obligations of Business Associate

Business Associate agrees to:

  • Not use or disclose PHI other than as permitted or required by this BAA or as required by law
  • Use appropriate safeguards to prevent unauthorized use or disclosure of PHI, including implementing administrative, physical, and technical safeguards as required by the HIPAA Security Rule
  • Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Security Incident or Breach of Unsecured PHI
  • In accordance with 45 CFR § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions
  • Make available PHI in accordance with 45 CFR § 164.524 to satisfy Covered Entity's obligations regarding individual access rights
  • Make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 CFR § 164.526
  • Maintain and make available information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528
  • Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as necessary to:

  • Perform services on behalf of Covered Entity as specified in the Terms of Service
  • Provide data aggregation services relating to the health care operations of Covered Entity
  • Report violations of law to appropriate federal and state authorities
  • Perform its own management and administration or carry out its legal responsibilities, provided disclosures are required by law or Business Associate obtains reasonable assurances from recipients

4. Breach Notification

Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than 30 calendar days after discovery. The notification shall include: identification of each individual affected, a description of the PHI involved, the date of the breach and discovery, a description of what Business Associate is doing to mitigate harm, and contact procedures for affected individuals.

5. Term and Termination

This BAA shall be effective upon execution and shall terminate when all PHI is destroyed or returned to Covered Entity, or if not feasible, protections are extended to such information. Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the remaining PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

6. Security Standards

Business Associate implements the following safeguards:

  • 256-bit AES encryption for PHI at rest
  • TLS 1.3 encryption for PHI in transit
  • Role-based access controls with audit logging
  • Automatic session timeout and multi-factor authentication
  • Regular risk assessments and vulnerability testing
  • Workforce training on HIPAA requirements
  • Incident response and disaster recovery procedures
  • Physical safeguards for data center access (cloud infrastructure provider)

7. Miscellaneous

This BAA shall be governed by the laws of the State of Georgia. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits compliance with HIPAA. This BAA may not be modified except in writing signed by both parties. This BAA supersedes any prior agreements relating to the subject matter herein.