Business Associate Agreement

THIS BUSINESS ASSOCIATE AGREEMENT (this "BAA") is entered into by and between you (herein “Covered Entity”) and Headlamp Health, Inc. (herein “Business Associate”) upon your registration and initial access to the Services (as hereinafter defined) and acceptance of Business Associate’s online terms of service until you terminate your use of the Services as provided for in the Services Agreement (as hereinafter defined) and this BAA. Each party is referred to herein as a “Party” and, together, as the “Parties.”

R E C I T A L S:

WHEREAS, Business Associate operates a technology platform that allows health care providers and individuals to access ePHI maintained by Business Associate on the technology platform (“Technology Platform”).

WHEREAS, Covered Entity and Business Associate have entered into the Services Agreement under which Business Associate may create, receive, transmit and store Protected Health Information (as hereinafter defined) provided by or on behalf of Covered Entity to Business Associate; and

WHEREAS, in order to protect the confidentiality, privacy, and security of Protected Health Information and to comply with HIPAA (as hereinafter defined), the Parties are entering into this BAA.  

NOW, THEREFORE, in consideration of the promises and covenants set forth herein, Covered Entity and Business Associate hereby agree as follows:

I. DEFINITIONS 

“Breach” shall have the same meaning as the term “breach” in 45 C.F.R. §164.402, limited to breaches of PHI not rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under Section 13402(h) of Public Law 111-5.

"Electronic Protected Health Information" or “ePHI” means a subset of Protected Health Information that is maintained or transmitted in electronic media.

“HHS” means the United States Department of Health and Human Services.

“HIPAA” means, collectively, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and all regulations, guidance, and standards promulgated thereunder.

“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160, 162 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act that forms Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5), and all regulations, guidance, and standards promulgated thereunder.

"Individual" has the same meaning as the term “individual” in 45 C.F.R. §160.103, and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).

"Protected Health Information" or “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. Section 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity pursuant to this BAA.

“Secretary” means the Secretary of the U.S. Department of Health and Human Services.

“Security Breach” means any unauthorized, improper, or prohibited access to, or acquisition, use, disclosure, loss, or theft of, Protected Health Information that compromises the security, confidentiality, or integrity of any such information or that otherwise gives rise to an obligation under any data or security breach notification law of any applicable jurisdiction to notify the Individuals who are the subject of the information or to whom the information otherwise pertains.  

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

“Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and C.

“Services” means the provision of medical records and advanced AI tools to support personalized health insights and decision-making.

“Services Agreement” means Business Associate’s online Terms of Service agreed to by Covered Entity for the provision of the Services.

Other terms used but not defined herein shall have the meanings set forth in the HIPAA Rules.

II.  OBLIGATIONS OF BUSINESS ASSOCIATE  

2.1  Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.  

2.2  Business Associate shall comply with the provisions of the HIPAA Rules concerning minimum necessary uses, disclosures, and requests for PHI.  Except as expressly otherwise permitted by this BAA, when using or disclosing Protected Health Information, or when requesting or receiving Protected Health Information from Covered Entity, Business Associate shall limit the Protected Health Information, to the extent practicable, to the minimum Protected Health Information necessary to accomplish the intended purpose of the use, disclosure, or request.

2.3  Business Associate shall mitigate, to the extent practicable, any harmful effect that is or becomes known to Business Associate or Covered Entity of a use or disclosure of PHI by Business Associate or any of its employees, agents, or contractors in violation of the requirements of this BAA or in violation of the HIPAA Rules.

2.4  To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

2.5  Business Associate shall not use or disclose Protected Health Information in any manner that would constitute a violation of HIPAA if such use or disclosure was made by Covered Entity, except as provided in this BAA. 

2.6  In accordance with 45 C.F.R. §164.308(b)(2) and §164.502(e)(1)(ii), Business Associate agrees to enter into a written contract with subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate. Such contract shall require that the subcontractor agree to the same restrictions and conditions that apply to Business Associate with respect to PHI in this BAA.

2.7  Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining compliance with HIPAA.   

2.8  Business Associate will establish and maintain reasonable and appropriate administrative, physical, and technical safeguards, and comply with the Security Rule with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as such use or disclosure is permitted by this BAA.

2.9  Business Associate shall promptly notify Covered Entity of any Security Incident; provided that notice hereby is deemed provided to Covered Entity, and no further notice will be provided, for unsuccessful attempts at unauthorized access, use, disclosure, modification, or destruction, such as pings or other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.

2.10  To the extent permitted by HIPAA, Business Associate shall notify Covered Entity within five (5) business days of Business Associate’s receipt of any request or subpoena for Protected Health Information and allow Covered Entity the opportunity to challenge the request or otherwise seek appropriate protective action, cooperating fully with Covered Entity in any such actions except as prohibited by HIPAA.

2.11  Business Associate shall use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as permitted under this BAA.

2.12  Business Associate shall report to Covered Entity, in writing, any use or disclosure of Protected Health Information that is not permitted or required by this BAA or the HIPAA Rules of which Business Associate becomes aware, immediately upon becoming aware thereof (but, in any event, within five (5) business days after becoming aware thereof).  

2.13  Business Associate shall ensure that each agent, including a subcontractor, that transmits and stores Protected Health Information on behalf of Business Associate agrees in writing, prior to any disclosure, to the same restrictions and conditions that apply to Business Associate with respect to such information hereunder.  In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ or agents’ actions or omissions do not cause Business Associate to breach the terms of this BAA.

2.14  To the extent that Business Associate maintains Protected Health Information in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate shall provide access to the Individual's PHI in a Designated Record Set pursuant to 45 C.F.R. §164.524 within fifteen (15) days of a written request from Covered Entity or the Individual. Business Associate's response will be made to Covered Entity. If the request for access relates to PHI that is maintained electronically in a Designated Record Set in Business Associate’s control or custody, Business Associate shall provide an electronic copy in the form and format specified in the request if it is readily producible in such format. If the electronic copy is not readily producible in such format, Business Associate will work with Covered Entity to determine an alternative form and format that enables Covered Entity to meet its electronic access obligations under 45 C.F.R. §164.524.

2.15  To the extent that Business Associate maintains Protected Health Information in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate shall make Protected Health Information maintained by Business Associate in a Designated Record Set available to Covered Entity for the purpose of amendment and incorporate such amendments into Protected Health Information within the time and in such a manner specified by Covered Entity.

2.16  Upon receiving a written request from Covered Entity, Business Associate shall, as directed by, and in the time and manner reasonably designated by, Covered Entity, provide to Covered Entity the information relating to disclosures of Protected Health Information made by Business Associate, as applicable, in order for Covered Entity to provide an applicable Individual with an accounting of disclosures in accordance with 45 C.F.R. § 164.528.  To allow Covered Entity to comply with the requirements of 45 C.F.R. § 164.528, Business Associate shall maintain reasonable written or electronic records of any disclosures of Protected Health Information made by Business Associate (other than disclosures falling within the exceptions set forth in 45 C.F.R. § 164.528) for at least six (6) years after the date of the respective disclosures.  In the event an Individual requests an accounting of disclosures directly from Business Associate, Business Associate shall, within five (5) business days after receipt, forward such request, in writing, to Covered Entity.

III.  PERMITTED USES AND DISCLOSURES OF PHI

3.1  Business Associate may: (a) use Protected Health Information received by Business Associate in its performance under the Agreement for the proper management and administration of Business Associate and to fulfill its legal responsibilities; and (b) disclose Protected Health Information received by Business Associate in its performance under the Agreement to a third party for the purpose of the proper management and administration of Business Associate, and to fulfill any present or future legal responsibilities of Business Associate, if:  (i) the disclosure is Required by Law; or (ii) Business Associate has obtained from the third party to which the Protected Health Information is disclosed reasonable written assurances that such Protected Health Information shall be held confidentially and used and further disclosed only as Required by Law or for the purpose for which such Protected Health Information was disclosed to such third party, and such third party notifies Business Associate of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.

3.2  Covered Entity acknowledges and agrees that Business Associate will collect registration information directly from users of the Technology Platform, rather than by or on behalf of Covered Entity, such as telephone number and email address, that may be used by Business Associate for any purpose described in Business Associate’s online Privacy Policy.  Users may receive promotional notices about products, services, and clinical trials that may be of interest.  In some circumstances, users may choose to sign Authorizations allowing Business Associate to disclose Protected Health Information maintained by Business Associate on the Technology Platform to sponsors of clinical trials for purposes of determining eligibility for and enrolling in clinical trials. If requested or approved by users of the Technology Platform, Business Associate may continue its Service arrangement with such users upon termination of the Agreement and this BAA, in which case, Business Associate shall continue to apply the protections of HIPAA to any PHI that it continues to maintain on the Technology Platform.

3.3  Business Associate may use Protected Health Information to improve and develop its products and services.

3.4  Business Associate may use Protected Health Information for reviews preparatory to research as permitted by 45 C.F.R. § 164.512(i)(1)(ii).  In accordance with such regulation, Business Associate represents to Covered Entity that: (i) it will review Protected Health Information (“PHI”) solely to identify individuals who are eligible to participate in clinical research and for similar purposes preparatory to research; (ii) no PHI will be permanently removed from Covered Entity by Business Associate in the course of the review; and (iii) the PHI for which use, or access is sought is necessary for the research purposes. While Business Associate may securely encrypt, download and store PHI on its server and other devices temporarily, PHI will be securely and permanently deleted as soon as the PHI is no longer needed for its review preparatory to research.  

3.5  Business Associate may de-identify any and all Protected Health Information in accordance with the provisions of 45 C.F.R. § 164.514(a).  The parties acknowledge and agree that de-identified data does not constitute Protected Health Information, is not subject to the terms of this BAA, and may be used by Business Associate in any manner permitted by law and Business Associate’s online Privacy Policy.

3.6  Business Associate may use Protected Health Information to provide Data Aggregation Services relating to the health care operations of Covered Entity in accordance with the definition of Data Aggregation Services in 45 C.F.R. § 164.501.

IV.  BREACH NOTIFICATION

(a)  In the event of a Breach, Business Associate shall provide Covered Entity with the following information within ten (10) business days of the Breach: (i) a brief description of what happened, including the date of the Breach and the date of discovery of the Breach; (ii) a description of the types of PHI involved in the Breach; (iii) the identity of each individual whose PHI was, or is reasonably believed to have been, involved in the Breach; (iv) the steps Business Associate has taken or will take to mitigate any harmful effect of such use or disclosure; and (v) the corrective actions Business Associate has taken or will take to prevent future, similar unauthorized use, disclosure or Breach. If this information cannot be provided within the time period required under this Section 4(a), Business Associate shall supplement its original report with the missing information as soon as it is reasonably available, but in no event later than thirty (30) days from the date of its original report. Business Associate agrees to prepare one or more draft notices, which comply with the Covered Entity’s notification requirements under the Breach Notification Rule. Business Associate further agrees to send such notice(s) directly to Individuals affected by the Breach and to provide a copy of any such notice to Covered Entity no less than five (5) days before such notice is sent to the affected Individuals.

(b) After notifying Covered Entity of a HIPAA Breach or other Security Breach, Business Associate shall promptly:  (i) assist and cooperate with Covered Entity (and, as directed by Covered Entity, with law enforcement officials) in any investigation of the Breach, regardless of whether such investigation is conducted by Covered Entity, any State Attorney General or State Consumer Affairs Department (or their respective agents), HHS, law enforcement officials, or others; (ii) as directed by Covered Entity, mitigate, to the greatest extent practicable, any harmful effects of the Breach; (iii) assist and cooperate with Covered Entity, as directed by Covered Entity, in notifying affected Individuals of the Breach; and (iv) confer and discuss with Covered Entity any necessary or appropriate steps to be taken to prevent further breaches, and promptly implement any such steps that are mutually agreed upon by the parties or otherwise reasonably required.  

V.  ACCESS TO COVERED ENTITY’S ELECTRONIC MEDICAL RECORDS

In connection with providing the Services to Covered Entity and accessing Covered Entity’s electronic medical record, Business Associate shall:

(a) Use reasonable efforts to maintain the confidentiality of any user ID, password, or other access control device provided by the Covered Entity to the Business Associate and will not disclose such user ID, password, or other access control device to any third party, except as expressly authorized by the Services Agreement or by other written instructions provided by Covered Entity to Business Associate;

(b) Not attempt to access any data or systems which are not necessary for the Business Associate’s authorized purposes as set forth in the Services Agreement or in other written instructions provided by Covered Entity to Business Associate, and shall terminate access to such data or systems whenever Business Associate ceases to have a need to access such data or systems;

(c) Not tamper with, compromise, or attempt to circumvent or bypass any security pertaining to Covered Entity’s systems, electronic or otherwise (any of which may be referred to as a “Security Violation”), and, to that end, Business Associate assumes responsibility and liability for any access to data or systems arising out of or resulting in any Security Violation;

(d) Take reasonable precautions not to allow entry of any virus or any other contaminant codes, commands, or instructions that may be used to access, alter, delete, damage, or disable Covered Entity’s data, systems, or other software or property;

(e) Not install or download any unauthorized software;

(f) Maintain the confidentiality of any data and systems to which Business Associate has access and use such data and systems only as expressly authorized by the Services Agreement or in other written instructions provided by Covered Entity to Business Associate; 

(g) Notify Covered Entity immediately in the event that Business Associate suspects that its network connection or any data or systems to which Business Associate has access has been compromised, or in the event that Business Associate suspects or knows of a breach of any of the foregoing;

(h) Implement and maintain, throughout the term of the Agreement, reasonable and appropriate systems and security measures for the detection, prevention, and prompt reporting of HIPAA Breaches and Security Breaches; and

(i) Acknowledge that, by providing Business Associate access to Covered Entity’s data and systems, Covered Entity does not grant Business Associate any license or right, by implication or otherwise, to use such access for any purpose other than as expressly authorized by the Services Agreement and this BAA.

VI. TERM AND TERMINATION OF BUSINESS ASSOCIATE AGREEMENT

6.1 This BAA shall become effective upon Covered Entity’s registration and initial access to the Services and is effective until Covered Entity terminates the Services Agreement.

6.2 If Business Associate breaches this BAA, Covered Entity shall promptly provide written notice to Business Associate describing the breach.  If Business Associate does not cure the breach within a period of ten (10) days after receipt of such notice, Covered Entity shall have the right to terminate this BAA and the Services Agreement.  Either party may terminate this BAA on thirty (30) days’ written notice, for any or no reason, in the event the Services Agreement is terminated.

6.3 Upon termination or expiration of the Services Agreement, Business Associate shall, to the extent feasible, and subject to the provisions of Section 3.2, promptly return or destroy all Protected Health Information received from or created or received by Business Associate by or on behalf of Covered Entity that Business Associate still maintains in any form, retaining no copies thereof.  To the extent that such return or destruction is infeasible, the Individual requests that Business Associate continue to retain the Individual’s PHI on the Technology Platform, or Covered Entity does not otherwise request the return or destruction of such Protected Health Information, the protections of this BAA with respect to Protected Health Information shall be extended, and shall continue to apply, to any Protected Health Information retained by Business Associate (or its subcontractors) for so long as it is retained, and Business Associate shall limit any further uses and disclosures of such Protected Health Information to the purposes that make the return or destruction thereof infeasible.

VII. LIMITATION ON LIABILITY

UNDER NO CIRCUMSTANCE AND UNDER NO LEGAL THEORY, INCLUDING, BUT NOT LIMITED TO, TORT, CONTRACT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE, SHALL BUSINESS ASSOCIATE BE LIABLE TO COVERED ENTITY OR ANY OTHER PERSON (I) FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER (INCLUDING, WITHOUT LIMITATION, ANY LOST DATA, LOST PROFITS OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES) EVEN IF SUCH DAMAGES WERE REASONABLY FORESEEABLE OR BUSINESS ASSOCIATE WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, (II) FOR ANY AMOUNTS IN THE AGGREGATE IN EXCESS OF THE FEES PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE FOR THE THEN-CURRENT TERM (BUT, IF NO AMOUNTS HAVE BEEN PAID, SUCH CAP WILL BE US$100).

VIII.  MISCELLANEOUS

8.1  Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

8.2  Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as may be required for Covered Entity to comply with the requirements of the HIPAA Rules.   This BAA may only be amended in a writing signed by both Parties.

8.3  Interpretation. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the HIPAA Rules.

8.4  Governing Agreement. The terms and conditions of this BAA shall supersede all conflicting terms and conditions of all prior agreements, including the Services Agreement, with respect to the subject matter set forth herein.

8.5  Severability.  The invalidity or unenforceability of any provision of this BAA shall not affect the validity or enforceability of any other provision of this BAA, which shall remain in full force and effect.

8.6  Construction and Interpretation.  The section headings contained in this BAA are for reference purposes only and shall not in any way affect the meaning or interpretation of this BAA.

8.7  Notices.  All notices and communications required by this BAA shall be in writing to the other party in accordance with the notice information set forth in the Services Agreement.

8.8  Entire Agreement.  This BAA constitutes the entire agreement between the Parties with respect to its subject matter and constitutes and supersedes all prior agreements, representations and understandings of the Parties, written or oral, with regard to this same subject matter.

Learn more about Headlamp

Schedule time with our team or request a video walkthrough

Copyright © 2025 Headlamp Health, Inc.

Images designed by Freepik