Docuplete
HIPAA

Business Associate Agreement

This Business Associate Agreement ("BAA") supplements the Docuplete Terms of Service and governs Docuplete's handling of Protected Health Information on behalf of Covered Entities and Business Associates.

Effective: 1 January 2025 · Version 1.0

Contents

  1. Definitions
  2. BA Obligations
  3. Permitted Uses & Disclosures
  4. CE Obligations
  5. Subcontractors
  6. Breach Notification
  7. Individual Rights
  8. Security Safeguards
  9. Audit & Inspection
  10. Term & Termination
  11. Liability
  12. General Provisions
  13. Execution

Who needs a BAA? A BAA is required when a HIPAA Covered Entity or Business Associate uses Docuplete to process, store, or transmit Protected Health Information (PHI). Contact legal@docuplete.com to execute a BAA.

1. Definitions

Capitalised terms in this BAA have the meanings set out below or, where not defined here, the meanings given in 45 C.F.R. Parts 160 and 164 (the "HIPAA Rules").

  • "BA" / "Business Associate" means Docuplete, Inc., acting as a business associate of the Covered Entity.
  • "CE" / "Covered Entity" means the organisation that has executed this BAA with Docuplete.
  • "PHI" means Protected Health Information as defined in 45 C.F.R. § 160.103, limited to PHI BA creates, receives, maintains, or transmits on behalf of CE.
  • "Electronic PHI" / "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form.
  • "Breach" has the meaning given in 45 C.F.R. § 164.402.
  • "Security Incident" has the meaning given in 45 C.F.R. § 164.304.
  • "Services" means the document automation, e-signature, and related services provided by Docuplete under the Terms of Service.

2. Business Associate Obligations

BA agrees to:

  1. Not use or further disclose PHI other than as permitted or required by this BAA or as required by law.
  2. Use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
  3. Report to CE any use or disclosure of PHI not provided for by this BAA of which BA becomes aware, including any Breach of Unsecured PHI, in accordance with Section 6 of this BAA.
  4. Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of BA agree to the same restrictions, conditions, and requirements that apply to BA under this BAA.
  5. Make available PHI in a Designated Record Set to CE as necessary to satisfy CE's obligations under 45 C.F.R. § 164.524.
  6. Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by CE pursuant to 45 C.F.R. § 164.526.
  7. Maintain and make available the information required to provide an accounting of disclosures to CE as necessary to satisfy CE's obligations under 45 C.F.R. § 164.528.
  8. To the extent BA is to carry out one or more of CE's obligation(s) under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to CE in the performance of such obligation(s).
  9. Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures

BA may use or disclose PHI only:

  1. As necessary to perform the Services — including processing, storing, and generating documents on behalf of CE.
  2. For BA's proper management and administration — provided that disclosures are required by law, or BA obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or disclosed only as required by law or for the purpose for which it was disclosed.
  3. To provide Data Aggregation services relating to CE's health care operations, if explicitly agreed in the order form.
  4. As required by law.

BA shall not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by CE.

4. Covered Entity Obligations

CE agrees to:

  1. Notify BA of any limitation(s) in the Notice of Privacy Practices to the extent such limitation may affect BA's use or disclosure of PHI.
  2. Notify BA of any changes in, or revocation of, permission by an Individual to use or disclose PHI.
  3. Notify BA of any restriction to the use or disclosure of PHI that CE has agreed to in accordance with 45 C.F.R. § 164.522.
  4. Not request BA to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by CE.

5. Subcontractors and Sub-Business Associates

BA shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of BA enters into a written agreement with BA that imposes the same restrictions, conditions, and requirements with respect to PHI that apply to BA under this BAA.

Key sub-processors that may process PHI are listed in Docuplete's Sub-Processor List, available at docuplete.com/legal/dpa/.

6. Breach Notification

  1. Discovery. BA shall notify CE without unreasonable delay, and in no event later than 60 calendar days after discovery of a Breach of Unsecured PHI, as required by 45 C.F.R. § 164.410.
  2. Content of Notice. Such notice shall include, to the extent possible: (i) the identification of each individual whose PHI has been or is reasonably believed to have been affected; (ii) a brief description of what happened; (iii) the types of Unsecured PHI involved; (iv) steps individuals should take to protect themselves from potential harm; (v) a brief description of what BA is doing to investigate the Breach; and (vi) contact information for questions.
  3. Security Incidents. BA shall report to CE any Security Incident of which it becomes aware. Reporting of unsuccessful Security Incidents may be provided in summary form on a quarterly basis.

7. Individual Rights

  1. Access. BA shall make PHI available to CE (or, if directed by CE, to an Individual) to enable CE to fulfil its obligations under 45 C.F.R. § 164.524 within 30 days of a written request.
  2. Amendment. BA shall amend PHI maintained in a Designated Record Set as directed by CE pursuant to 45 C.F.R. § 164.526.
  3. Accounting of Disclosures. BA shall document disclosures of PHI and information related to such disclosures as required to permit CE to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528.

8. Security Safeguards

BA shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI in accordance with 45 C.F.R. §§ 164.308, 164.310, and 164.312. These include but are not limited to:

  • AES-256 encryption of PHI at rest and TLS 1.2+ in transit.
  • Per-account Data Encryption Keys (DEKs) wrapped by versioned master keys.
  • Access controls limited to personnel with a need-to-know basis.
  • Regular vulnerability assessments and penetration testing.
  • Background checks and HIPAA training for workforce members who handle PHI.
  • Incident response and disaster recovery procedures tested at least annually.

9. Audit and Inspection

BA shall make available to CE, upon reasonable written notice (no less than 10 business days), such books and records relating to BA's use or disclosure of PHI as are necessary to permit CE to verify BA's compliance with this BAA. CE may conduct such audits no more than once per calendar year, at CE's expense, unless a Breach or regulatory investigation requires additional audits.

10. Term and Termination

  1. Term. This BAA is effective as of the date both parties have executed it and shall remain in effect until all PHI received from CE, or created or received by BA on CE's behalf, is destroyed or returned to CE.
  2. Termination for Cause. Either party may terminate this BAA if the other party materially breaches a provision and fails to cure such breach within 30 days of written notice.
  3. Effect of Termination. Upon termination for any reason, BA shall, if feasible, return or destroy all PHI received from CE. If not feasible to return or destroy, BA shall continue to protect such PHI in accordance with this BAA and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

11. Liability

Each party's liability under this BAA shall be governed by the limitations and exclusions set out in the Docuplete Terms of Service, except to the extent prohibited by applicable law. Nothing in this BAA limits either party's liability to the extent required by HIPAA or applicable state law.

12. General Provisions

  1. Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules.
  2. Survival. BA's obligations regarding the protection of PHI shall survive the termination or expiration of this BAA.
  3. Interpretation. Any ambiguity in this BAA shall be resolved in favour of a meaning that permits CE to comply with the HIPAA Rules.
  4. Governing Law. This BAA is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles.
  5. Entire Agreement. This BAA, together with the Docuplete Terms of Service and any applicable order form, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, representations, and understandings.

13. Execution

To request a countersigned BAA, contact legal@docuplete.com. Docuplete executes BAAs with Covered Entities and Business Associates on qualifying plans. The parties may execute this BAA by electronic signature, which shall be deemed an original for all purposes.

Docuplete, Inc.

Authorised Signatory

Name & Title

Date

Covered Entity / Business Associate

Authorised Signatory

Name, Title & Organisation

Date
