BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA") is entered into between you (the "Covered Entity") and ChiroApp (the "Business Associate") pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
1. Definitions. "Protected Health Information" or "PHI" shall have the same meaning as the term defined in 45 CFR § 160.103.
2. Obligations of Business Associate. Business Associate agrees to: (a) not use or disclose PHI other than as permitted by this Agreement or as required by law; (b) use appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI; (c) report to Covered Entity any use or disclosure of PHI not provided for by this Agreement; (d) ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions; (e) make available PHI as required under 45 CFR § 164.524; (f) make PHI available for amendment as required under 45 CFR § 164.526; (g) maintain and make available information required to provide an accounting of disclosures as required under 45 CFR § 164.528.
3. Permitted Uses and Disclosures. Business Associate may use or disclose PHI solely: (a) to perform functions, activities, or services as described in the service agreement; (b) for the proper management and administration of Business Associate; (c) as required by law.
4. Breach Notification. Business Associate shall report to Covered Entity any Breach of Unsecured PHI within 30 days of discovery.
5. Term, Termination, and Data Retention. This BAA shall remain in effect for the duration of the Covered Entity's active ChiroApp subscription. (a) Data Export. Prior to cancellation of the subscription, the Covered Entity is solely responsible for exporting and downloading any records, data, or PHI stored within ChiroApp. ChiroApp provides data export tools for this purpose. (b) Post-Cancellation Retention. Upon cancellation or expiration of the subscription, ChiroApp shall retain the Covered Entity's account and all associated data, including PHI, for a period of thirty (30) calendar days following the effective date of cancellation (the "Retention Period"). During the Retention Period, the Covered Entity may reactivate the subscription to regain access to their data. (c) Automatic Deletion. Upon expiration of the Retention Period, ChiroApp shall automatically and permanently delete the Covered Entity's account and all associated data, including all PHI, from its systems. This deletion is irreversible. (d) Destruction of PHI. Following deletion, Business Associate shall have no further obligation to retain or make available any PHI previously maintained on behalf of the Covered Entity. The obligations of this BAA shall survive termination to the extent necessary to address any Breach discovered during the Retention Period.