Last updated: January 2025

1. Purpose and Scope

This Business Associate Agreement ("BAA") is entered into between TXLLabs ("Business Associate") and the Covered Entity ("Covered Entity") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").

This BAA governs the use and disclosure of Protected Health Information ("PHI") by TXLLabs when providing software services, data hosting, and related services to Covered Entities.

2. Definitions

For purposes of this BAA, the following terms shall have the meanings set forth below:

  • Business Associate: TXLLabs, which performs functions or activities on behalf of the Covered Entity that involve the use or disclosure of PHI.
  • Covered Entity: The healthcare provider, health plan, or healthcare clearinghouse that is a party to this BAA.
  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.
  • Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule.

3. Permitted Uses and Disclosures

TXLLabs may use or disclose PHI only as permitted or required by this BAA or as required by law. TXLLabs agrees to:

  • Use PHI solely for the purpose of providing services to the Covered Entity as specified in the underlying service agreement
  • Disclose PHI only as necessary to perform its obligations under the service agreement or as required by law
  • Not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by the Covered Entity
  • Implement appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in this BAA

4. Safeguards and Security

TXLLabs shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI. These safeguards include:

  • Access controls to ensure only authorized personnel can access PHI
  • Encryption of PHI in transit and at rest
  • Regular security assessments and vulnerability testing
  • Employee training on HIPAA compliance and data security
  • Incident response procedures for potential security breaches
  • Audit logs and monitoring systems to track access to PHI

5. Reporting of Breaches

TXLLabs shall report to the Covered Entity any Breach of Unsecured PHI without unreasonable delay, and in no case later than 60 days after discovery of the Breach. The report shall include:

  • The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach
  • A brief description of what happened, including the date of the Breach and the date of discovery
  • A description of the types of Unsecured PHI that were involved in the Breach
  • Steps taken to investigate, mitigate, and prevent future Breaches

6. Subcontractors

TXLLabs shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of TXLLabs agree to the same restrictions and conditions that apply to TXLLabs under this BAA. TXLLabs shall be responsible for the compliance of its subcontractors with the terms of this BAA.

7. Access to PHI

In accordance with 45 CFR § 164.524, TXLLabs shall provide access to PHI in a Designated Record Set to the Covered Entity or, as directed by the Covered Entity, to an Individual, within 30 days of a request. If TXLLabs maintains PHI in an Electronic Health Record, access shall be provided in the electronic form and format requested by the Covered Entity.

8. Amendment of PHI

In accordance with 45 CFR § 164.526, TXLLabs shall make any amendment to PHI in a Designated Record Set that the Covered Entity directs or agrees to, within 60 days of the request. TXLLabs shall incorporate any amendments to PHI in accordance with this section.

9. Accounting of Disclosures

TXLLabs shall document and make available to the Covered Entity, upon request, an accounting of disclosures of PHI made by TXLLabs in the six years prior to the date of the request. This accounting shall include:

  • The date of the disclosure
  • The name and address of the entity or person who received the PHI
  • A brief description of the PHI disclosed
  • A brief statement of the purpose of the disclosure

10. Return or Destruction of PHI

Upon termination of this BAA, TXLLabs shall return or destroy all PHI received from, or created or received by TXLLabs on behalf of, the Covered Entity. If return or destruction is not feasible, TXLLabs shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

11. Compliance with HIPAA Rules

TXLLabs agrees to comply with the applicable requirements of the HIPAA Security Rule (45 CFR Parts 160 and 164, Subparts A and C) and the HIPAA Privacy Rule (45 CFR Parts 160 and 164, Subparts A and E) to the extent that such provisions apply to Business Associates.

12. HITRUST Certification

TXLLabs maintains HITRUST CSF certification, demonstrating our commitment to comprehensive information security management. Our HITRUST certification validates that we have implemented appropriate administrative, physical, and technical safeguards to protect PHI in accordance with industry best practices.

13. Audit Rights

The Covered Entity shall have the right to audit TXLLabs' compliance with this BAA. TXLLabs shall make available to the Covered Entity, or its authorized representatives, its internal practices, books, and records relating to the use and disclosure of PHI for purposes of enabling the Covered Entity to determine TXLLabs' compliance with this BAA.

14. Term and Termination

This BAA shall remain in effect until terminated. Either party may terminate this BAA if the other party has breached a material term of this BAA and the breach is not cured within 30 days of written notice. Upon termination, TXLLabs shall return or destroy all PHI as provided in Section 10.

15. Miscellaneous

This BAA shall be interpreted in a manner consistent with HIPAA and the HITECH Act. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Covered Entity to comply with HIPAA and the HITECH Act. This BAA may not be amended except in writing signed by both parties.

By using TXLLabs services, you acknowledge that you have read, understood, and agree to be bound by this Business Associate Agreement.

Questions About Our BAA?

If you have questions about our Business Associate Agreement or need to execute a BAA for your organization, please contact us.
