Business Associate Agreement

Effective Date: May 7, 2026 (Updated). By completing registration and checking the agreement checkbox, you electronically execute this legally binding agreement.

Parties

This Business Associate Agreement ("BAA") is entered into between:

  • Business Associate: Bradley Scott, operating as DenialIQ ("Business Associate," "we," or "us"), a provider of ERA file analysis and appeal letter services.
  • Covered Entity: The healthcare provider or practice creating a DenialIQ account ("Covered Entity" or "you").

This BAA is incorporated into and made part of the DenialIQ Terms of Service. Capitalized terms not defined here have the meanings given in HIPAA and its implementing regulations.


1. Definitions

  • Protected Health Information (PHI) has the meaning given in 45 CFR § 160.103, and includes individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity in any form or medium.
  • Electronic PHI (ePHI) means PHI that is created, received, maintained, or transmitted in electronic form, as defined in 45 CFR § 160.103.
  • HIPAA means the Health Insurance Portability and Accountability Act of 1996, as amended by HITECH, and all implementing regulations including the Privacy Rule (45 CFR Parts 160 and 164, Subpart E) and the Security Rule (45 CFR Parts 160 and 164, Subparts A and C).
  • HITECH means the Health Information Technology for Economic and Clinical Health Act, enacted as part of ARRA (Pub. L. 111-5, 2009), as amended.
  • Breach has the meaning given in 45 CFR § 164.402 — the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule and that compromises its security or privacy.
  • Services means the ERA/835 file parsing, AI-assisted denial analysis, and appeal letter drafting services provided through the DenialIQ platform.
  • Subcontractor means any agent to whom Business Associate delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI on behalf of Business Associate.

2. Permitted Uses and Disclosures of PHI

Business Associate may use or disclose PHI only as follows:

  • To perform the Services on behalf of Covered Entity as described in the Terms of Service.
  • For the proper management and administration of Business Associate's own operations, provided that such uses or disclosures are permitted by law or that Business Associate obtains reasonable assurances that the information will be held confidentially.
  • To provide data aggregation services relating to the healthcare operations of Covered Entity, as permitted by 45 CFR § 164.504(e)(2)(i)(B).
  • As required by law.
  • Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if done directly by Covered Entity, except as permitted by 45 CFR § 164.504(e).
  • Business Associate shall not use PHI for marketing, shall not sell PHI, and shall not use PHI to train artificial intelligence models beyond what is minimally necessary to provide the Services.

3. Safeguards — Privacy Rule Obligations

Business Associate agrees to:

  • Use appropriate safeguards to prevent use or disclosure of PHI other than as permitted by this BAA or required by law.
  • Mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of this BAA of which Business Associate becomes aware.
  • Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including Breaches as specified in Section 6.
  • Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions and conditions that apply to Business Associate under this BAA, in accordance with 45 CFR § 164.504(e)(1)(ii).

4. Safeguards — Security Rule Obligations (ePHI)

In accordance with 45 CFR §§ 164.308, 164.310, 164.312, and 164.316, Business Associate agrees to:

  • Implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits on behalf of Covered Entity.
  • Encrypt all ePHI at rest using AES-256 or an equivalent encryption standard.
  • Encrypt all ePHI in transit using TLS 1.2 or higher.
  • Implement access controls to limit access to ePHI to authorized workforce members only, based on minimum necessary principles.
  • Implement audit controls that record and examine activity in information systems that contain or use ePHI (45 CFR § 164.312(b)).
  • Conduct periodic risk analyses to identify reasonably anticipated threats and vulnerabilities to ePHI (45 CFR § 164.308(a)(1)).
  • Implement policies and procedures to address security incidents, including identification, response, and documentation (45 CFR § 164.308(a)(6)).
  • Implement row-level security controls in its database infrastructure to enforce practice-level data isolation, ensuring no Covered Entity can access another Covered Entity's PHI.

5. Subcontractor Pass-Through Obligations

Business Associate shall enter into a written agreement with each Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate, requiring the Subcontractor to comply with the same restrictions, conditions, and requirements that apply to Business Associate under this BAA, as required by 45 CFR § 164.504(e)(1)(ii) and 45 CFR § 164.308(b). Current Subcontractors that may process PHI on behalf of Business Associate include: Amazon Web Services (AWS) (application hosting, RDS database, S3 file storage, and CloudTrail audit logging; BAA in effect) and Anthropic (AI analysis; BAA in effect). Business Associate will update this list as material changes occur and will not engage new Subcontractors that process PHI without first executing an appropriate written agreement.

6. Breach Notification Obligations

In the event of a Breach of Unsecured PHI, Business Associate shall:

  • Notify Covered Entity without unreasonable delay, and in no case later than 60 calendar days after discovery of the Breach (45 CFR § 164.410).
  • Provide a written breach notification that includes, to the extent possible and available at the time of notice: (a) a description of the Breach, including the date of the Breach and date of discovery; (b) the types of PHI involved (e.g., patient names, claim IDs, dates of service); (c) identification of each individual whose PHI was or is reasonably believed to have been affected; (d) a description of steps Business Associate is taking to investigate the Breach, mitigate harm, and prevent further Breaches; and (e) contact information for questions.
  • Supplement the initial notification with additional information as it becomes available.
  • Cooperate fully with Covered Entity in any notifications to affected individuals and to the Secretary of HHS as required by 45 CFR §§ 164.404–408.
  • Maintain documentation of all discovered Breaches and response actions for a minimum of 6 years.

7. Individual Rights — Covered Entity Access

To support Covered Entity's compliance with individual patient rights under HIPAA, Business Associate agrees to:

  • Make PHI in a Designated Record Set available to Covered Entity for inspection and copying to facilitate access requests under 45 CFR § 164.524.
  • Incorporate amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR § 164.526.
  • Maintain and make available an accounting of disclosures of PHI as required by 45 CFR § 164.528.
  • Make Business Associate's internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's compliance, as required by 45 CFR § 164.504(e)(2)(ii)(I).

8. Term and Termination

  • This BAA is effective upon Covered Entity's electronic acceptance during account creation and shall remain in effect for the duration of the Services agreement.
  • Either party may terminate this BAA if the other party materially breaches any provision and fails to cure such breach within 30 days of written notice specifying the breach.
  • Covered Entity may terminate this BAA immediately if Business Associate has breached a material term and cure is not possible.
  • In the event of material breach by Business Associate that cannot be cured, Business Associate authorizes Covered Entity to report the breach to the Secretary of HHS.
  • This BAA terminates automatically upon termination of the Terms of Service for any reason.

9. Return or Destruction of PHI on Termination

Upon termination of this BAA for any reason, Business Associate shall:

  • At the direction of Covered Entity, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity, and retain no copies in any form.
  • If return or destruction of any PHI is not feasible, Business Associate shall: (a) notify Covered Entity in writing of the reasons return or destruction is not feasible; (b) extend the protections of this BAA to such PHI; and (c) limit further use and disclosure of such PHI to those purposes that make return or destruction infeasible, for as long as Business Associate retains such PHI.

ERA files and associated claim data are retained for a maximum of 2 years from the date of upload, after which they are permanently and irreversibly deleted. Covered Entity may request earlier deletion at any time through account settings or by contacting us. Deletion will be confirmed within 30 days of a verified request. Audit logs are retained for 6 years as required by HIPAA.

10. Miscellaneous

  • Governing law: This BAA shall be governed by the laws of the State of Indiana.
  • HIPAA compliance construction: This BAA is intended to comply with HIPAA, HITECH, and all implementing regulations as currently in effect and as amended from time to time. Any ambiguity in this BAA shall be resolved in a manner that permits compliance with HIPAA.
  • Amendment: This BAA shall automatically amend to incorporate changes required by amendments to HIPAA and HITECH. The parties agree to negotiate in good faith any additional amendments necessary to comply with applicable law.
  • Severability: If any provision of this BAA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
  • Entire agreement: This BAA, together with the Terms of Service, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements relating to PHI.
  • No third-party beneficiaries: This BAA does not create any rights in any third party, including patients whose PHI is processed through the Services.

11. Founding Member Pricing

The first 5 customers who subscribe to DenialIQ are eligible for Founding Member Pricing at $79/month for life. This rate is locked for as long as the subscription remains active and is subject to the following terms:

  • Locked rate: The $79/month founding rate will not increase regardless of future changes to standard subscription pricing.
  • Non-transferable: Founding Member Pricing applies only to the original subscribing account and may not be transferred, assigned, or applied to any other account.
  • Forfeited on cancellation: Founding Member Pricing is permanently forfeited if the subscription is cancelled for any reason, including voluntary cancellation, non-payment, or account termination. Re-subscribing after cancellation will be billed at the then-current standard rate.
  • Available to the first 5 subscribing customers only. Not combinable with other promotional offers.

Electronic Signature

By completing registration and checking the BAA agreement checkbox during account creation, the individual creating the account: (1) confirms they have read and understand this Business Associate Agreement; (2) represents that they are authorized to execute this agreement on behalf of the Covered Entity; and (3) agrees that the Covered Entity is bound by the terms of this BAA. This electronic acceptance constitutes a legally binding signature pursuant to the Electronic Signatures in Global and National Commerce Act (E-Sign Act, 15 U.S.C. § 7001) and applicable state electronic signature laws.