Business Associate Agreement

Effective upon account creation. By checking the BAA acceptance checkbox during signup, you are electronically signing this legally binding agreement.

Parties

This Business Associate Agreement ("BAA") is entered into between DenialIQ ("Business Associate") and the healthcare provider or practice creating an account ("Covered Entity"). This BAA is incorporated into and made part of the DenialIQ Terms of Service.

1. Definitions

As used in this BAA:

  • Protected Health Information (PHI) has the meaning given in 45 CFR § 160.103, and includes individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • Electronic PHI (ePHI) means PHI that is created, received, maintained, or transmitted in electronic form.
  • HIPAA means the Health Insurance Portability and Accountability Act of 1996, as amended, and all implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E), the HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C), and the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
  • HITECH means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
  • Breach and Unsecured PHI have the meanings given in 45 CFR § 164.402.
  • Services means the ERA file analysis, denial review, and appeal letter drafting services provided by Business Associate to Covered Entity through the DenialIQ platform.

2. Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as follows:

  • To perform the Services described herein and in the Terms of Service on behalf of Covered Entity.
  • For the proper management and administration of Business Associate's operations, provided such uses comply with HIPAA.
  • As required by law.
  • Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.
  • Business Associate shall not use PHI for marketing purposes, shall not sell PHI, and shall not use PHI to train any artificial intelligence model beyond what is necessary to provide the Services.

3. Safeguards

Business Associate agrees to:

  • Implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI in accordance with 45 CFR Part 164, Subpart C.
  • Encrypt all ePHI at rest using AES-256 or equivalent encryption.
  • Encrypt all ePHI in transit using TLS 1.2 or higher.
  • Implement access controls to limit access to PHI to authorized personnel only.
  • Conduct regular risk analyses of ePHI in accordance with 45 CFR § 164.308(a)(1)(ii)(A).
  • Maintain an audit log of access to ePHI as required by 45 CFR § 164.312(b).

4. Subcontractors

Business Associate shall enter into a written agreement with any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate, requiring the subcontractor to comply with the same restrictions and conditions as apply to Business Associate under this BAA. Current subcontractors that may process PHI include: Supabase Inc. (database infrastructure), Anthropic PBC (AI analysis services), and Amazon Web Services (cloud infrastructure). Business Associate will update this list as material changes occur.

5. Breach Notification

In the event of a Breach of Unsecured PHI, Business Associate shall:

  • Notify Covered Entity without unreasonable delay, and in no case later than 60 calendar days after discovery of the Breach. A Breach is treated as discovered as of the first day on which it is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate, as provided in 45 CFR § 164.410(a)(2).
  • Provide notification that includes, to the extent possible: the identification of each individual whose Unsecured PHI was or is reasonably believed to have been accessed, acquired, used, or disclosed; a brief description of what happened, including the date of the Breach and the date of its discovery, if known; the types of PHI involved; steps individuals should take to protect themselves; what Business Associate is doing to investigate the Breach, mitigate harm, and protect against further breaches; and contact information through which Covered Entity may ask questions or obtain additional information.
  • Cooperate fully with Covered Entity in notifying affected individuals as required under 45 CFR § 164.400 et seq.

6. Individual Rights

Business Associate agrees to:

  • Make PHI available to Covered Entity to fulfill individuals' rights of access under 45 CFR § 164.524.
  • Make PHI available for amendment and incorporate amendments to PHI as directed by Covered Entity pursuant to 45 CFR § 164.526.
  • Make available the information required to provide an accounting of disclosures as required by 45 CFR § 164.528.

7. Term and Termination

  • This BAA shall remain in effect for the duration of the Services agreement and shall terminate when the Services agreement terminates.
  • Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure such breach within 30 days of written notice.
  • Upon termination, Business Associate shall, at the direction of Covered Entity, either return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If return or destruction is infeasible, Business Associate shall extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

8. Retention and Deletion of PHI

ERA files and associated claim data are retained for a maximum of 2 years from the date of upload, after which they are permanently deleted. Covered Entity may request deletion of its data at any time by submitting a deletion request through its account settings or by contacting us through the website. Business Associate will confirm deletion in writing within 30 days of such request.

9. Miscellaneous

  • This BAA shall be governed by the laws of the State of Indiana.
  • This BAA is intended to comply with HIPAA, HITECH, and their implementing regulations as currently in effect and as amended. Any ambiguity shall be construed to permit compliance with HIPAA.
  • If any provision of this BAA is found to be unenforceable, the remaining provisions shall remain in full force and effect.
  • This BAA constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior agreements relating to PHI.

By checking the BAA acceptance checkbox during account creation, the individual creating the account confirms they are authorized to sign this agreement on behalf of the Covered Entity and agrees to be bound by its terms. This electronic acceptance constitutes a legally binding signature under applicable electronic signature laws.