Business Associate Agreement (HIPAA)
Bracketed placeholders (e.g., [Customer Legal Name], [Effective Date]) must be completed before execution.
This Business Associate Agreement ("BAA") supplements and is made part of the agreement (the "Master Agreement" — see Terms of Service or the executed order form) between [Customer Legal Name], a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("Covered Entity"), and 5CEOs, Inc. ("Business Associate" or "5CEOs"). This BAA is required by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule (collectively, the "HIPAA Rules") and is intended to satisfy the contract requirements of 45 CFR §164.504(e) and §164.314(a).
Effective Date: [Effective Date — typically the date of the last signature below, or the Master Agreement effective date, whichever is later].
Definitions
Capitalized terms not defined in this BAA have the meaning given in the HIPAA Rules. The following are restated here for clarity:
- PHI means Protected Health Information, as defined at 45 CFR §160.103, limited to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
- Electronic PHI or ePHI means PHI that is transmitted by or maintained in electronic media (45 CFR §160.103).
- Required by Law has the meaning given at 45 CFR §164.103.
- Security Incident has the meaning given at 45 CFR §164.304.
- Subcontractor means a person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of Business Associate's workforce.
- Service means the CircaOS Service described in the Master Agreement and at cogos.5ceos.com.
1. Permitted Uses and Disclosures of PHI
Business Associate may use and disclose PHI only as follows:
- To provide the Service: Business Associate may use and disclose PHI only as necessary to perform the services set forth in the Master Agreement and described at cogos.5ceos.com, and as Covered Entity instructs in its use of the Service.
- Business Associate's own management and administration: Business Associate may use PHI for the proper management and administration of Business Associate or to carry out Business Associate's legal responsibilities, provided that any disclosure is Required by Law or the recipient agrees in writing (i) to hold the PHI confidentially and (ii) to notify Business Associate of any breach.
- Data aggregation: Business Associate may aggregate PHI received from Covered Entity for the data aggregation services relating to the health care operations of Covered Entity, as permitted by 45 CFR §164.504(e)(2)(i)(B).
- De-identification: Business Associate may de-identify PHI in accordance with 45 CFR §164.514(a)-(c), and the resulting de-identified information is no longer PHI.
Business Associate will not use or further disclose PHI other than as permitted or required by this BAA or as Required by Law.
2. Safeguards for PHI
Business Associate will use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 CFR Part 164 (the HIPAA Security Rule) with respect to ePHI, to prevent use or disclosure of PHI other than as provided by this BAA. The safeguards correspond to the measures described in DPA §4 and the verifiable claims at SECURITY.md §3, including:
- Access control (45 CFR §164.312(a)(1)) — workforce access to PHI is granted on a need-to-know basis; administrative endpoints are gated by a separate X-Admin-Key; customer API keys are stored as SHA-256 hashes.
- Audit controls (45 CFR §164.312(b)) — every API request emits an audit-log entry (timestamp, tenant identifier, request ID, status); the log is append-only.
- Integrity (45 CFR §164.312(c)(1)) — response bodies are signed with an HMAC-SHA256 keyed by a per-tenant secret; Covered Entity can verify the integrity of any response.
- Transmission security (45 CFR §164.312(e)(1)) — all connections use TLS 1.2 or higher; the inference engine has internal-only ingress.
- Person or entity authentication (45 CFR §164.312(d)) — API keys are individually issued and revocable; admin keys are separate from customer keys.
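Two of the safeguards listed above are ones a Covered Entity's own engineers can check from their side: API keys held only as SHA-256 hashes (so a copy of the key store does not yield usable keys) and response bodies signed with HMAC-SHA256 under a per-tenant secret. The Python below is an added illustration of how those two mechanisms fit together; it is not 5CEOs' code or the CircaOS implementation, and the in-memory key store, the function names, and the hex-encoded signature format are assumptions made for the example.

```python
"""Illustration of two Section 2 safeguards (added example, not CircaOS code):
- API keys are stored only as SHA-256 hashes and looked up by hash.
- Response bodies carry an HMAC-SHA256 signature keyed by a per-tenant secret,
  which the receiving party verifies with a constant-time comparison.
The dict-based store and the hex signature format are assumptions for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def hash_api_key(api_key: str) -> str:
    """Return the SHA-256 hex digest under which a key is stored; the raw key is never kept."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_api_key(store: Dict[str, str], tenant_id: str) -> str:
    """Mint a random key for a tenant, persist only its hash, hand the raw key back once."""
    api_key = secrets.token_urlsafe(32)
    store[hash_api_key(api_key)] = tenant_id
    return api_key


def authenticate(store: Dict[str, str], presented_key: str) -> Optional[str]:
    """Resolve a presented key to its tenant, or None if unknown or revoked."""
    return store.get(hash_api_key(presented_key))


def revoke_api_key(store: Dict[str, str], presented_key: str) -> bool:
    """Revoke a single key (the mitigation step named in Section 3). Other keys are unaffected."""
    return store.pop(hash_api_key(presented_key), None) is not None


def sign_response(tenant_secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact response bytes, keyed by the tenant's secret."""
    return hmac.new(tenant_secret, body, hashlib.sha256).hexdigest()


def verify_response(tenant_secret: bytes, body: bytes, signature: str) -> bool:
    """Recompute the tag over the received bytes and compare in constant time.
    Verify BEFORE parsing the body so tampered content is never interpreted."""
    expected = sign_response(tenant_secret, body)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Run the two mechanisms end to end and return the observable outcomes."""
    store: Dict[str, str] = {}
    tenant_secret = secrets.token_bytes(32)  # constructed per-tenant secret

    key = issue_api_key(store, "tenant-clinic-a")
    raw_key_in_store = key in store or key in store.values()  # should be False

    body = b'{"patient_ref":"REDACTED","status":"ok"}'  # constructed response body
    sig = sign_response(tenant_secret, body)
    tampered = body.replace(b'"ok"', b'"altered"')

    return {
        "tenant": authenticate(store, key),
        "unknown_key_tenant": authenticate(store, "not-a-real-key"),
        "raw_key_in_store": raw_key_in_store,
        "genuine_verifies": verify_response(tenant_secret, body, sig),
        "tampered_verifies": verify_response(tenant_secret, tampered, sig),
        "wrong_secret_verifies": verify_response(b"other-tenant-secret", body, sig),
        "revoked": revoke_api_key(store, key),
        "tenant_after_revoke": authenticate(store, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The points worth carrying into a real deployment: the signature is computed over the raw bytes, so the verifier must check it before deserializing the body; `hmac.compare_digest` is used rather than `==` so that verification time does not depend on how many leading bytes match; and because only SHA-256 digests of API keys are stored, revocation is a single deletion and a leaked store does not expose usable credentials.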
3. Mitigation
Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this BAA. This includes immediate API-key revocation, restoration of integrity from audit logs, and coordination with Covered Entity on data-subject remediation.
4. Reporting Uses and Disclosures Not Provided for by the BAA
Business Associate will report to Covered Entity:
- Any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR §164.410, without unreasonable delay and in no event later than seventy-two (72) hours after discovery;
- Any Security Incident (45 CFR §164.314(a)(2)(i)(C)) of which it becomes aware. The parties acknowledge that unsuccessful Security Incidents (e.g., pings, port scans, denied login attempts) occur frequently and that reporting of these is satisfied by this paragraph as a single ongoing notice; Business Associate will provide specific notice of successful Security Incidents.
The report will include, to the extent known: the identification of each individual whose PHI was or is reasonably believed to have been accessed, acquired, used, or disclosed; the nature of the unauthorized use or disclosure; the corrective action taken; and the steps Covered Entity may take in response. Covered Entity's designated breach contact is: [Covered Entity Privacy Officer — Name, Title, Email, Phone].
5. Subcontractors
In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), Business Associate will require any Subcontractor to whom it provides PHI to enter into a written agreement that imposes on the Subcontractor the same restrictions and conditions that apply to Business Associate under this BAA. The current list of Subcontractors that may receive PHI is maintained at cogos.5ceos.com/sub-processors.
6. Access to PHI by Individuals (45 CFR §164.524)
Within fifteen (15) business days of a written request from Covered Entity, Business Associate will provide access to PHI in a Designated Record Set to enable Covered Entity to meet its obligations under 45 CFR §164.524. If an individual requests access directly to Business Associate, Business Associate will forward the request to Covered Entity without independently responding.
7. Amendment of PHI (45 CFR §164.526)
Within fifteen (15) business days of a written request from Covered Entity, Business Associate will make any amendment to PHI in a Designated Record Set that Covered Entity directs or agrees to, to enable Covered Entity to meet its obligations under 45 CFR §164.526.
8. Accounting of Disclosures (45 CFR §164.528)
Business Associate will document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures under 45 CFR §164.528. Within thirty (30) business days of a written request from Covered Entity, Business Associate will provide an accounting of disclosures from the preceding six (6) years.
9. HHS Access
Business Associate will make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from Covered Entity, available to the Secretary of the U.S. Department of Health and Human Services ("HHS") for purposes of determining Covered Entity's compliance with the HIPAA Rules. Business Associate will promptly notify Covered Entity of any such request, unless prohibited by law.
10. Compliance with Covered Entity's Obligations
To the extent Business Associate is required to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, Business Associate will comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation. Business Associate is not, by virtue of this BAA, performing any function of Covered Entity not specifically delegated in the Master Agreement.
11. Term and Termination
- Term. This BAA is effective on the Effective Date and continues for the term of the Master Agreement.
- Termination for cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity will provide a reasonable opportunity to cure (not less than thirty (30) days). If Business Associate does not cure, Covered Entity may terminate the Master Agreement, this BAA, or both. If termination is not feasible, Covered Entity will report the violation to the Secretary of HHS.
- Return or destruction of PHI at termination. Upon termination of this BAA for any reason, Business Associate will return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. This applies to PHI in the possession of Business Associate's Subcontractors. If return or destruction is not feasible, the protections of this BAA will extend to such PHI and further use or disclosure will be limited to those purposes that make return or destruction infeasible. Destruction will be carried out in a manner consistent with 45 CFR §164.310(d)(2) and HHS guidance. A certificate of destruction will be provided to Covered Entity on request.
12. Indemnification
Indemnification obligations of the parties with respect to breaches of this BAA are governed by the Master Agreement. Nothing in this BAA expands either party's indemnification obligations beyond what the Master Agreement provides, except to the extent applicable law requires otherwise.
13. Miscellaneous
- Regulatory amendments. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the parties to comply with the HIPAA Rules as they may be amended.
- Interpretation. Any ambiguity in this BAA will be resolved to permit the parties to comply with the HIPAA Rules.
- No third-party beneficiaries. Nothing in this BAA confers any rights upon any person other than the parties and their respective successors and permitted assigns.
- Order of precedence. In the event of a conflict between this BAA and the Master Agreement with respect to PHI, this BAA controls. In the event of a conflict between this BAA and the HIPAA Rules, the HIPAA Rules control.
14. Signatures
The parties have caused this BAA to be executed by their authorized representatives as of the Effective Date.
By: ________________________________________
Name: [Authorized Signer]
Title: [Title]
Date: ____________
By: ________________________________________
Name: [5CEOs Authorized Signer]
Title: [Title]
Date: ____________