Business Associate Agreement
Lyfe AI - HIPAA Compliance Agreement
Effective Date: [EFFECTIVE_DATE]
BAA ID: BAA-[AGREEMENT_ID]
Related MSA: MSA-[MSA_ID]
PARTIES
COVERED ENTITY: [PROVIDER_NAME]
("Covered Entity," "Provider," "you")
Address: [PROVIDER_ADDRESS]
NPI: [PROVIDER_NPI]
BUSINESS ASSOCIATE: LyfeVault LLC, d.b.a. Lyfe AI
("Business Associate," "Lyfe AI," "we," "us," "our")
Address: [LYFE_AI_ADDRESS]
HIPAA Privacy Officer: support@lyfeco.ai
HIPAA Security Officer: support@lyfeco.ai
Incident Response: [PHONE_NUMBER]
1. DEFINITIONS
Terms used but not defined in this Agreement shall have the meanings set forth in 45 CFR §§ 160.103 and 164.501.
1.1 Breach: Shall have the same meaning as the term "breach" in 45 CFR § 164.402.
1.2 Business Associate: Shall have the same meaning as the term "business associate" in 45 CFR § 160.103.
1.3 Covered Entity: Shall have the same meaning as the term "covered entity" in 45 CFR § 160.103.
1.4 Designated Record Set: Shall have the same meaning as the term "designated record set" in 45 CFR § 164.501.
1.5 Individual: Shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.6 Protected Health Information (PHI): Shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.7 Security Incident: Shall have the same meaning as the term "security incident" in 45 CFR § 164.304.
1.8 Subcontractor: Shall have the same meaning as the term "subcontractor" in 45 CFR § 160.103.
1.9 Unsecured Protected Health Information: Shall have the same meaning as the term "unsecured protected health information" in 45 CFR § 164.402.
2. PERMITTED USES AND DISCLOSURES OF PHI
2.1 General Use and Disclosure Provisions: Business Associate may only use or disclose PHI as permitted or required by this Agreement or as required by law. Business Associate may not use or disclose PHI in any manner that would constitute a violation of HIPAA if done by Covered Entity.
2.2 Specific Uses and Disclosures: Business Associate may use and disclose PHI for the following purposes:
a) Healthcare SaaS Services: To provide cloud-based healthcare technology services including:
• Multi-tenant SaaS platform operations
• AI/ML-powered document processing and clinical insights
• FHIR-compliant data interoperability
• Real-time secure communication and collaboration
• Automated care plan management and clinical workflows
• Population health analytics and quality reporting
• 24/7 platform monitoring, maintenance, and support
• Continuous platform updates and feature releases
b) Business Associate's Management and Administration: Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided such use is limited to de-identified information whenever possible.
c) Data Aggregation Services: Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
2.3 Prohibited Uses and Disclosures:
• Business Associate shall not use PHI for marketing purposes without written authorization
• Business Associate shall not sell PHI without written authorization
• Business Associate shall not use PHI for underwriting purposes
3. OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Healthcare Security Safeguards: Business Associate shall implement appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including:
• Technical Safeguards (45 CFR § 164.312):
AES-256 encryption at rest and TLS 1.3+ in transit
Strong authentication with multi-factor authentication
Role-based access controls
API security and rate limiting
Regular vulnerability scanning and patch management
• Cloud Infrastructure:
HIPAA-eligible cloud services (AWS/Azure/GCP)
Geographic redundancy with disaster recovery
Comprehensive audit logging
Real-time security monitoring
• Administrative Safeguards:
HIPAA training for all personnel
Regular security risk assessments
Incident response procedures
Business continuity planning
3.2 Minimum Necessary: Business Associate shall limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose of the use or disclosure.
3.3 Administrative Safeguards: Business Associate shall:
• Designate a Privacy Officer and Security Officer
• Implement workforce training on HIPAA requirements
• Establish access management procedures
• Conduct periodic security evaluations
• Maintain incident response procedures
• Implement contingency planning for emergencies
3.4 Physical Safeguards: Business Associate shall:
• Control physical access to facilities and workstations
• Implement workstation use restrictions
• Control access to electronic media containing PHI
• Maintain inventory of hardware and electronic media
3.5 Technical Safeguards: Business Associate shall:
• Control access to PHI through unique user identification
• Implement automatic logoff procedures
• Use encryption and decryption for PHI transmission
• Maintain audit logs of PHI access and modifications
• Implement data integrity controls
3.6 Breach Notification and Incident Response:
a) Rapid Response SLA: Business Associate shall notify Covered Entity within 4 hours of discovery of any confirmed breach, or within 24 hours of any suspected security incident involving PHI.
a1) Automated Detection: Business Associate employs 24/7 automated security monitoring with machine learning-based anomaly detection to identify potential breaches in real-time.
b) Investigation: Business Associate shall promptly investigate and document any suspected or actual breach.
c) Notification Content: Breach notification shall include:
• Description of the breach and PHI involved
• Identification of individuals whose PHI was breached
• Date of breach and date of discovery
• Description of corrective actions taken or planned
• Contact information for follow-up
d) Assistance: Business Associate shall provide reasonable assistance to Covered Entity in meeting Covered Entity's breach notification obligations under 45 CFR §§ 164.404 through 164.410.
4. PERMITTED REQUESTS BY COVERED ENTITY
4.1 Inspection: Covered Entity may inspect Business Associate's policies, procedures, and safeguards related to PHI protection with reasonable advance notice.
4.2 Restrictions: Upon request by Covered Entity, Business Associate shall restrict use or disclosure of PHI to comply with Individual's requests under 45 CFR § 164.522.
4.3 Amendment: Business Associate shall make any amendment to PHI in a designated record set as requested by Covered Entity under 45 CFR § 164.526.
4.4 Accounting: Business Associate shall provide information necessary for Covered Entity to respond to Individual requests for accounting of disclosures under 45 CFR § 164.528.
4.5 Access: Business Associate shall provide access to PHI in a designated record set to Covered Entity or Individual as requested under 45 CFR § 164.524.
5. OBLIGATIONS OF COVERED ENTITY
5.1 Permitted Disclosures: Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
5.2 Notice of Privacy Practices: Covered Entity shall notify Business Associate of any limitation in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.
5.3 Restrictions: Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI.
5.4 Patient Requests: Covered Entity shall notify Business Associate of any restriction on use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
6. SUBCONTRACTORS
6.1 Subcontractor Agreements: Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this Agreement.
6.2 Pre-Approved Healthcare Subcontractors:
• Cloud Infrastructure: AWS/Azure/GCP (HIPAA-eligible services only)
• AI/ML Services: OpenAI (with PHI de-identification), Google Cloud AI
• Communication: Twilio (HIPAA-compliant), SendGrid (encrypted email)
• Monitoring: Datadog, New Relic (with PHI masking)
• Authentication: Auth0, Okta (HIPAA-compliant)
• Updated list can be provided upon written request
• 30-day notice provided for any new subcontractor additions
6.3 Subcontractor Liability: Business Associate shall be liable for any breaches by its subcontractors as if such breaches were committed by Business Associate directly.
7. TERM AND TERMINATION
7.1 Term: This Agreement shall commence on the Effective Date and shall continue until termination of the Master Services Agreement or until all PHI is returned or destroyed.
7.2 Termination for Cause: Either party may immediately terminate this Agreement if the other party breaches a material term and fails to cure such breach within 10 days of written notice.
7.3 Effect of Termination: Upon termination of this Agreement:
a) Data Portability and Destruction: Business Associate shall:
• Provide PHI export in FHIR R4, CSV, or JSON formats within 5 business days
• Use NIST 800-88 compliant secure deletion methods
• Provide certificate of destruction within 30 days
• Maintain audit logs of destruction for 7 years
• Exception: PHI required for legal/regulatory compliance will be retained under continued protection
b) Retained PHI: If return or destruction is not feasible, Business Associate shall:
• Extend protections of this Agreement to retained PHI
• Limit further uses and disclosures to purposes that make return or destruction infeasible
• Not permit any other use or disclosure of retained PHI
c) Subcontractor PHI: Ensure that all subcontractors return or destroy all PHI in accordance with this section.
8. INDIVIDUAL RIGHTS
8.1 Access Rights: Business Associate acknowledges that Individuals have the right to access their PHI in designated record sets maintained by Business Associate.
8.2 Amendment Rights: Business Associate shall cooperate with Covered Entity in responding to Individual requests to amend PHI.
8.3 Accounting Rights: Business Associate shall maintain records necessary to provide accounting of disclosures as required by HIPAA.
8.4 Restriction Rights: Business Associate shall honor restrictions on PHI use and disclosure as agreed to by Covered Entity.
9. AUDIT AND COMPLIANCE
9.1 Compliance Monitoring:
• Regular Auditing: Internal HIPAA compliance audits with quarterly reports
• Security Assessments: Annual third-party security assessments
• Penetration Testing: Annual third-party penetration testing
• Risk Assessments: Annual HIPAA risk assessments
• Compliance Tracking: HIPAA compliance tracking and remediation
9.2 Regulatory Cooperation: Business Associate shall reasonably cooperate with any regulatory investigations or audits related to PHI handling.
9.3 Documentation: Business Associate shall maintain documentation of all required HIPAA policies, procedures, and training records.
9.4 Certification: Business Associate represents that it has implemented appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI.
10. MISCELLANEOUS
10.1 Regulatory References: References to regulatory sections in this Agreement include any successor regulations.
10.2 Amendment: This Agreement may only be amended in writing and signed by both parties.
10.3 Survival: The obligations of Business Associate under this Agreement shall survive termination of the Master Services Agreement.
10.4 Interpretation: Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA.
10.5 No Third-Party Beneficiaries: Nothing in this Agreement shall confer any rights upon any person other than the parties and their successors and assigns.
SIGNATURES
COVERED ENTITY - [PROVIDER_NAME]
Signature: _
Name: [PROVIDER_SIGNATORY_NAME]
Title: [PROVIDER_SIGNATORY_TITLE]
Date: _
BUSINESS ASSOCIATE - LyfeVault LLC, d.b.a. Lyfe AI
Signature: _
Name: [LYFE_AI_SIGNATORY_NAME]
Title: [LYFE_AI_SIGNATORY_TITLE]
Date: _