Business Associate Agreement

This Business Associate Agreement (this “Agreement”) is made and entered into this ___ _______________ (the “Effective Date”), by and between ___________________, a/an ____________ ___________ (the “Covered Entity”), and PSYNTH, INC., a Delaware corporation (“Business Associate”) in connection with the Psynth, Inc. SaaS License Agreement, between the Covered Entity and Business Associate (the “Master Agreement”).  Each capitalized term in this Agreement shall have the meaning specified in the HIPAA Rules, unless otherwise defined in this Agreement.  “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164 (available at www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html). 

Uses and Disclosures of PHI

  1. Services.  Business Associate provides certain services pursuant to the terms of the Master Agreement (the “Services”) to Covered Entity and may use, create, receive, transmit or maintain protected health information (“PHI”) on behalf of Covered Entity in connection with provision of the Services.  
  2. General Prohibition and Limitations.  Business Associate shall neither use nor disclose PHI, nor copy, duplicate or otherwise reproduce any part of the PHI except as required to perform the Services, and in accordance with this Agreement or as required by law.  Except as otherwise provided in this Agreement or the Master Agreement, Business Associate may use or disclose PHI on behalf of Covered Entity or in connection with its performance of the Services, if that use or disclosure would not violate the HIPAA Rules if done by Covered Entity, or the minimum necessary policies and procedures of Covered Entity.  If any limitation, restriction, or prohibition contained in this Agreement upon Business Associate’s use or disclosure of PHI could reasonably be expected to result in Business Associate’s violation or breach of any professional obligation or ethical responsibility of Business Associate to Covered Entity, then that limitation, restriction, or prohibition shall be of no force or effect and shall be disregarded with respect to that use or disclosure.  
  3. Business Associate’s Use of PHI.  Business Associate may use PHI as necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. 
  4. Business Associate’s Disclosure of PHI.  Business Associate may disclose PHI as necessary for the proper management and administration of Business Associate if:
    1. the disclosure is required by law; or
    2. prior to the disclosure, Business Associate obtains reasonable assurances from the Person to whom Business Associate will disclose the PHI that the Person will: (i) hold the PHI in confidence and use or further disclose the PHI only as required by law or for the lawful purpose for which Business Associate disclosed it to the Person; and (ii) promptly notify Business Associate of each instance of which the Person becomes aware in which the confidentiality of the PHI is breached.
  5. Safeguards.  
    1. Privacy Safeguards.  Business Associate will develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of PHI to the extent required by the HIPAA Rules.  The safeguards will reasonably protect PHI from any intentional or unintentional use or disclosure in violation of the HIPAA Rules and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this Agreement.  To the extent the parties agree that the Business Associate will carry out directly one or more of Covered Entity’s obligations under the HIPAA Rules, Business Associate will directly comply with the requirements of such rules that apply to the Covered Entity.
    2. Compliance with Security Rules.  Business Associate will comply with the Security Rule and use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates, receives, maintains, or transmits on Covered Entity’s behalf.
  6. Subcontractors.  In each instance that Business Associate engages any other Person (including any agents, representatives, contractors and others but excluding a member of Business Associate’s Workforce) to assist Business Associate with respect to the Services who will have access to PHI, Business Associate shall enter into a written agreement with the Person requiring that Person to (a) appropriately safeguard PHI created, received, maintained, or transmitted on behalf of Business Associate; and (b) comply with the same restrictions and conditions imposed under this Agreement upon Business Associate with respect to PHI.
  7. Prohibition on Sale of PHI.  Business Associate shall not engage in any sale (as defined in the HIPAA Rules) of PHI.
  8. De-Identified PHI.  Business Associate may de-identify any PHI in accordance with 45 C.F.R. § 164.514(b).  Covered Entity acknowledges and agrees that de-identified information is not PHI, and that Business Associate may use such de-identified information for any lawful purpose.
  9. Use of Third-Party Companies.  Business Associate hereby discloses that it contracts with third-party companies, including Anthropic (Claude) and Google (Gemini), for certain artificial intelligence and large language model (“AI Models”) technologies used in connection with providing the Services.  Business Associate has entered into business associate agreements with such third-party providers that include the same or more stringent protections for PHI as outlined in this Agreement.  Such business associate agreements specifically prohibit the third-party companies from using PHI for training their AI Models.  Any de-identified data that may be used for improving Business Associate's proprietary technology will be de-identified in accordance with HIPAA standards as outlined in Section 1.8 of this Agreement.  Covered Entity may request documentation of these third-party business associate agreements and may opt out of having any of its data, even in de-identified form, used for Business Associate's technological improvements by providing written notice to Business Associate.

Breaches and Security Incidents

  1. Reporting.  
    1. Impermissible Use or Disclosure.  Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this Agreement no more than 30 days after Business Associate discovers such non-permitted use or disclosure.
    2. Breach of Unsecured PHI.  Business Associate will report to Covered Entity any potential Breach of Unsecured PHI no more than 30 days after discovery of such potential Breach.  Business Associate will treat a potential Breach as being discovered in accordance with 45 C.F.R. § 164.410.  Business Associate will make the report to Covered Entity’s privacy officer.  If a delay is requested by a law enforcement official in accordance with 45 C.F.R. § 164.412, Business Associate may delay notifying Covered Entity for the applicable time period.  Business Associate’s report will include at least the following, provided that absence of any information will not be cause for Business Associate to delay the report:
      1. The nature of the Breach, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of any Breach;
      2. The nature and extent of the PHI involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, or other information was involved) and the likelihood of re-identification;
      3. Who made the non-permitted use or disclosure and who received the non-permitted disclosure;
      4. Whether the PHI was actually acquired or viewed;
      5. The corrective or investigational action Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects, and to protect against any further Breaches; and
      6. Other information, including a written report and risk assessment under 45 C.F.R. § 164.402, as Covered Entity may reasonably request.
    3. Security Incidents.  Business Associate will report to Covered Entity any Security Incident involving PHI of which Business Associate becomes aware.  Business Associate will make this report quarterly, except if any such Security Incident resulted in a disclosure not permitted by this Agreement or Breach of Unsecured PHI, Business Associate will make the report in accordance with the provisions set forth above.
  2. Mitigation.  Business Associate shall mitigate, to the extent practicable, any harmful effect known to the Business Associate resulting from a use or disclosure of PHI in violation of this Agreement.
  3. Breach Notification to Third Parties.  To the extent requested by Covered Entity, Business Associate shall reasonably assist Covered Entity in preparing or sending breach notifications.

Access, Amendment, and Disclosure Accounting

    1. Access.  If Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within a reasonable time after Covered Entity’s written request, make it available to Covered Entity as necessary to satisfy the Covered Entity’s obligation to provide an individual the right to access PHI in 45 C.F.R. § 164.524.  
    2. Amendment.  If Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within a reasonable time after Covered Entity’s written request, amend the PHI or take other measures to the extent necessary for Covered Entity to satisfy its obligations to provide an individual the right to amend PHI under 45 C.F.R. § 164.526.
    3. Accounting of PHI Disclosures.  Business Associate will maintain a written record of each disclosure of PHI made by Business Associate to any other Person that would be required to be disclosed by Covered Entity in an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.  That record should include, if reasonably available, (a) the disclosure date, (b) the name and (if known) address of the Person to whom Business Associate made the disclosure, (c) a brief description of the PHI disclosed, and (d) a brief statement of the purpose of the disclosure that reasonably sets forth the basis for the disclosure (the “Disclosure Information”).  If, during the period covered by an accounting of disclosures, Business Associate made multiple disclosures to the same Person (including Covered Entity) for a single purpose or pursuant to an authorization, Business Associate may provide with respect to that accounting period (x) the Disclosure Information for the first of the repetitive disclosures, (y) the frequency, period or number of the repetitive disclosures and (z) the date of the last repetitive disclosure.  Business Associate will make this Disclosure Information available to Covered Entity within a reasonable time after Covered Entity’s written request to enable Covered Entity to timely respond to an individual’s request for an accounting of disclosures.
    4. Restriction Agreements and Confidential Communications.  Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices under 45 C.F.R. § 164.520, if such limitation may affect Business Associate’s use or disclosure of PHI.  Business Associate will comply with any notice from Covered Entity to (a) restrict use or disclosure of PHI pursuant to 45 C.F.R. § 164.522(a), or (b) provide for confidential communications of PHI pursuant to 45 C.F.R. § 164.522(b), provided that Covered Entity notifies Business Associate in writing of the restriction or confidential communications obligations that Business Associate must follow.  Covered Entity will promptly notify Business Associate in writing of the termination of any such restriction or confidential communications requirement and instruct Business Associate whether any PHI will remain subject to the terms of the restriction agreement.
    5. Department of Health and Human Services.  Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services (“DHHS”) for purposes of determining compliance with federal law during the term of the Agreement and for a period of five years after termination of the Agreement.  Business Associate shall submit such compliance reports as may be required by DHHS, cooperate with the Secretary of DHHS in any investigation or compliance review, and permit access by the Secretary of DHHS during normal business hours to its facilities, books and records and other information pertinent to HIPAA compliance.  By complying with this provision, neither party shall be deemed to have waived any attorney-client, accountant-client or other privilege.

Term and Termination

    1. Term.  This Agreement shall be effective on the Effective Date and shall terminate automatically upon termination of the Master Agreement.  This Agreement replaces and supersedes any previous HIPAA business associate agreement between the parties with respect to the Services.
    2. Termination.  If Covered Entity determines that Business Associate has breached any material provision of this Agreement, Covered Entity shall promptly notify Business Associate in writing of the breach and provide that Business Associate shall have 30 days after its receipt of the notice to cure the breach.  If Business Associate does not cure the breach within that 30-day period, Covered Entity may terminate the Master Agreement.  Any such termination will be effective immediately or at such date specified by Covered Entity or Business Associate in the written notice.
    3. Obligations upon Termination; Return or Destruction.  Upon termination of the Services and to the extent permitted by applicable law and consistent with its ethical and professional obligations, Business Associate will return the PHI in its possession or under its reasonable control to Covered Entity, or destroy or permanently delete the PHI, regardless of the form or medium (including in any electronic medium under Business Associate’s custody or control) in which the PHI is maintained by Business Associate.  Business Associate will complete such return, destruction, or deletion as promptly as reasonably possible.  Business Associate will identify all PHI that cannot feasibly be returned to Covered Entity, or destroyed or deleted, and will limit its further use or disclosure of that PHI to those purposes that make its return, destruction or deletion infeasible.  Business Associate will inform Covered Entity in writing that such return, destruction, or deletion has been completed and identify any PHI for which return, destruction or deletion is infeasible.  This provision shall apply to PHI that is in the possession of any Subcontractors of Business Associate.  Further, Business Associate shall require any such Subcontractor to certify to Business Associate that it has returned to Business Associate or destroyed all such information which could be returned or destroyed.  Business Associate will complete these obligations as promptly as possible.  The respective rights and obligations of Business Associate under this Section shall survive the termination of this Agreement.
    4. Continuing Obligations.  Business Associate’s obligation to protect the privacy and safeguard the security of PHI as specified in the Agreement will be continuous and survive termination of this Agreement.

General Provisions

    1. Master Agreement.  This Agreement is hereby incorporated into the Master Agreement as an addendum to the Master Agreement.  In the event of any inconsistency between the provisions of this Agreement and the Master Agreement, the provisions of this Agreement will prevail, unless the applicable terms of the Master Agreement would be more protective of PHI.
    2. Notices.  Any notices required or permitted hereunder shall be deemed to be duly given if in writing and delivered personally, sent by the United States certified or registered mail, postpaid, sent by email, or sent via fax to the addresses and numbers set forth below the signatures of the parties, or such addresses or numbers as may be specified in writing by the parties.
    3. Change in Regulations; Amendment to Agreement.  Upon the effective date of any final regulation or amendment to the HIPAA Rules that conflicts with any term or condition of this Agreement or which imposes any requirement, condition or obligation upon Business Associate or Covered Entity not imposed by this Agreement, then Covered Entity and Business Associate shall exercise their respective utmost good faith and commercially reasonable efforts to amend this Agreement to incorporate the applicable terms and conditions of that regulation or amendment such that this Agreement contractually imposes those terms and conditions upon the parties as applicable.  Each regulatory reference in this Agreement means, as applicable, the regulatory section as then in effect or as amended.
    4. Interpretation.  Any ambiguity in this Agreement shall be resolved in favor of a meaning that results in Covered Entity complying with the HIPAA Rules.
    5. Binding Effect.  This Agreement shall be binding upon and inure to the benefit of the parties hereto, and their respective successors and assigns.
    6. Counterparts.  This Agreement may be executed in any number of counterparts, which taken together shall constitute one and the same instrument and each of which shall be considered an original for all purposes. 
    7. Invalidity.  In the event any provision of this Agreement is determined to be invalid or unenforceable, then the remainder of this Agreement shall not be affected thereby.
    8. Governing Law.  This Agreement shall be governed by and construed in accordance with the laws of the State of Oklahoma applicable to contracts made and performed entirely therein.
    9. Waivers.  No party's rights under this Agreement will be deemed waived except by a writing signed by such party.
    10. Entire Agreement.  This Agreement constitutes the entire understanding and agreement of the parties with respect to its subject matter, and may not be altered or modified except by an instrument in writing signed by the parties.

    [SIGNATURE(S) TO FOLLOW]

    IN WITNESS WHEREOF and intending to be legally bound hereby, Covered Entity and Business Associate have each caused this Agreement to be executed by a duly authorized officer as of the day and year first above written.

    BUSINESS ASSOCIATE:

    PSYNTH, INC.

    By: _______________________

    Name: Stephen Stearman

    Title: CEO

    Address:

    301 E. Archer St. 

    Tulsa OK 74120

    Email:  Stephen@psynth.ai

    COVERED ENTITY:

    [__________________]

    By: ________________________

    Name:

    Address:

    Email: _____________________