BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“BAA”) is entered into by and between Heal.me (“Business Associate”) and any healthcare provider or
practitioner using Heal.me’s services to manage Protected Health Information (PHI) (“Covered
Entity”). By using Heal.me’s practice management application, lightweight EHR, and marketing platform,
you agree to the terms of this BAA.
This BAA is incorporated into and is subject to the terms and conditions of Heal.me’s
Terms of Service, and governs the handling of PHI in compliance with the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for
Economic and Clinical Health Act (HITECH).
1. Definitions
- Business Associate: Heal.me, as defined under 45 C.F.R. § 160.103.
- Covered Entity: Healthcare providers and practitioners using Heal.me services.
- Protected Health Information (PHI): As defined in 45 C.F.R. § 160.103, any individually identifiable health information handled or maintained by the Business Associate on behalf of the Covered Entity.
- HIPAA Rules: Refers collectively to the Privacy, Security, Breach Notification, and Enforcement Rules under HIPAA.
2. Obligations of Business Associate
- Permitted Use and Disclosure: Heal.me shall only use and disclose PHI as necessary to provide services described in the Terms of Service, in accordance with HIPAA Rules, or as required by law.
- Safeguards: Heal.me shall implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, in compliance with the Security Rule (45 C.F.R. §§ 164.308, 164.310, and 164.312).
- Reporting: Heal.me shall report to the Covered Entity any unauthorized use or disclosure of PHI or breaches of unsecured PHI as required by the Breach Notification Rule (45 C.F.R. § 164.410).
- Subcontractors: Heal.me may disclose PHI to subcontractors for purposes of providing services. Heal.me shall ensure that its subcontractors agree to the same restrictions and conditions that apply to Heal.me under this BAA.
3. Covered Entity Obligations
- Compliance: Covered Entity agrees to notify Heal.me of any changes in the privacy practices that may affect the use or disclosure of PHI.
- Minimum Necessary: Covered Entity will only provide the minimum necessary PHI required for Heal.me to perform the agreed services.
- Authorization: Covered Entity will ensure that necessary patient authorizations are obtained before transmitting PHI to Heal.me, in compliance with the Privacy Rule.
4. Use of PHI for Marketing
Heal.me may use PHI to assist Covered Entities in marketing efforts, provided that the
Covered Entity has obtained proper patient authorization, in accordance with the HIPAA Privacy Rule. Any marketing
communications facilitated by Heal.me will comply with HIPAA’s minimum necessary standard.
5. Termination
- For Cause: Heal.me reserves the right to terminate this BAA if Covered Entity violates its obligations under this BAA. If termination is not feasible, Heal.me will report the violation to the Department of Health and Human Services (HHS).
- Effect of Termination: Upon termination of the BAA, Heal.me will, where feasible, return or destroy all PHI received from Covered Entity. If return or destruction is not feasible, Heal.me will continue to protect such PHI in accordance with this BAA.
6. Limitation of Liability
Except as expressly provided in this BAA, each Party’s liability for damages
shall be limited to direct damages and shall not include any indirect, consequential, special, or punitive
damages.
7. Governing Law
This BAA shall be governed by and construed in accordance with the laws of the State of
Texas, without regard to its conflict of law principles.
8. Amendments
Heal.me may modify this BAA from time to time. Any modifications will be effective upon
posting of the updated BAA on the Heal.me website, or as otherwise required by law to comply with changes to the
HIPAA Rules.
9. Miscellaneous
- Entire Agreement: This BAA, together with Heal.me’s Terms of Service, constitutes the entire agreement between the Parties with respect to the handling of PHI.
- Severability: If any provision of this BAA is determined to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
Effective Date: 07/01/2024
By continuing to use Heal.me’s services, Covered Entities agree to comply with
this Business Associate Agreement.