Business Associate Agreement (BAA)

1. Definitions

For purposes of this Business Associate Agreement ("BAA"), the following terms shall have the meanings set forth below, in addition to the definitions provided in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 CFR Parts 160 and 164.

"Protected Health Information" or "PHI" means individually identifiable health information that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, as defined in 45 CFR 160.103.

"Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103.

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304.

"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR 164.402, subject to the exclusions set forth therein.

"Business Associate" means MisFit Innovations LLC, d/b/a Praxo.

"Covered Entity" means the Subscriber that has entered into a services agreement with Business Associate and is a covered entity as defined under HIPAA.

2. Obligations of Business Associate

Permitted Uses and Disclosures. Business Associate shall use and disclose PHI only as permitted or required by this BAA, the underlying services agreement (Terms of Service), or as required by law. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the HIPAA Privacy Rule if done by Covered Entity, except as specifically permitted herein.

Safeguards. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). These safeguards shall include, at a minimum: encryption of ePHI in transit and at rest, role-based access controls, audit logging of all access to PHI, workforce training on HIPAA requirements, and regular risk assessments.

Minimum Necessary Principle. Business Associate shall limit its use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose, in accordance with 45 CFR 164.502(b) and 164.514(d).

Subcontractors. Business Associate shall enter into written agreements with each subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate, ensuring that the subcontractor agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA. Business Associate's current subcontractors that may access PHI include: Supabase (database hosting and storage), Stripe (payment processing for billing data that may include PHI), Twilio (SMS communications that may contain PHI), email service providers (email delivery of communications that may contain PHI), and Anthropic (AI processing of clinical data; note: Anthropic processes data in real-time via API and does not store or train on data sent through their API).

Access to PHI. Business Associate shall make PHI available to Covered Entity or, as directed by Covered Entity, to an individual, within thirty (30) days of receiving a written request, to satisfy Covered Entity's obligations under 45 CFR 164.524.

Amendment of PHI. Business Associate shall make PHI available for amendment and shall incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 CFR 164.526.

Accounting of Disclosures. Business Associate shall make available the information required to provide an accounting of disclosures, as required by 45 CFR 164.528. Business Associate maintains comprehensive audit logs that record all access to and disclosures of PHI, which shall serve as the basis for any accounting of disclosures.

Government Access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining compliance with HIPAA, in accordance with 45 CFR 164.504(e)(2)(ii)(I).

3. Breach Notification

Business Associate shall notify Covered Entity without unreasonable delay, and in no event later than sixty (60) calendar days after the discovery of a Breach of Unsecured PHI. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.

The notification shall include, to the extent available: the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach; a brief description of the nature of the Breach, including the date of the Breach and the date of discovery; a description of the types of Unsecured PHI that were involved in the Breach; any steps individuals should take to protect themselves from potential harm resulting from the Breach; a description of what Business Associate is doing to investigate the Breach, mitigate harm to individuals, and protect against further Breaches; and contact information for Business Associate.

Security Incidents. Business Associate shall report to Covered Entity any Security Incident that results in the unauthorized access, use, disclosure, modification, or destruction of PHI. Business Associate shall not be required to report unsuccessful or routine attempts at unauthorized access, such as automated port scans, failed login attempts, denial-of-service attacks, or other routine security events that do not result in actual unauthorized access to PHI.

4. Obligations of Covered Entity

Covered Entity shall: (a) obtain all necessary consents, authorizations, and permissions from individuals as required by HIPAA and applicable law before providing PHI to Business Associate; (b) notify Business Associate of any limitations in Covered Entity's notice of privacy practices to the extent that such limitations may affect Business Associate's use or disclosure of PHI; (c) notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI; and (d) not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

5. Term and Termination

This BAA shall become effective upon electronic acceptance by Covered Entity through the Platform and shall continue in effect for the duration of the services agreement between the parties, including any data retention period following termination of services.

Either party may terminate this BAA if the other party materially breaches any provision of this BAA and the breach is not cured within thirty (30) calendar days after written notice of the breach is provided to the breaching party.

Upon termination of this BAA, Business Associate shall, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible. Business Associate shall retain PHI for a minimum of seven (7) years after termination in accordance with applicable healthcare record retention requirements.

6. Miscellaneous

Regulatory References. Any reference in this BAA to a section of HIPAA, the HITECH Act, or their implementing regulations shall mean the section as in effect or as amended from time to time, and for which compliance is required.

Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA, the HITECH Act, and their implementing regulations.

Conflict. In the event of any conflict between the provisions of this BAA and the Terms of Service or any other agreement between the parties, the provisions of this BAA shall control with respect to the use, disclosure, and protection of PHI.

Amendment. Business Associate may amend this BAA with thirty (30) days prior written notice to Covered Entity to ensure compliance with changes in HIPAA, the HITECH Act, or their implementing regulations. Covered Entity's continued use of the Services after the effective date of any amendment constitutes acceptance of the amended BAA.

No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities.

Indemnification. Each party shall indemnify, defend, and hold harmless the other party from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from the indemnifying party's breach of its obligations under this BAA.