Business Associate Agreement (BAA)
Last Updated: January 29, 2026
Agreement Overview
This Business Associate Agreement ("BAA") is entered into between Scarlet Plus ("Business Associate") and healthcare providers or covered entities ("Covered Entity") who engage our services. This BAA supplements our Terms of Service and Service Agreements to ensure HIPAA compliance.
1. Definitions
Unless otherwise specified, all capitalized terms used in this BAA have the meanings given to them in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, and its implementing regulations, including the Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) and the Security Rule (45 CFR Part 160 and Part 164, Subparts A and C).
- Protected Health Information (PHI): Information that relates to the past, present, or future physical or mental health of an individual and identifies the individual or could be used to identify the individual.
- Electronic PHI (ePHI): PHI that is transmitted by or maintained in electronic media.
- Business Associate: Scarlet Plus, which performs services for or on behalf of Covered Entity that involve the use or disclosure of PHI.
- Covered Entity: The healthcare provider, practice, or organization that is subject to HIPAA compliance requirements.
2. Permitted Uses and Disclosures of PHI
2.1 Services to Covered Entity
Business Associate may use and disclose PHI only as necessary to perform the services outlined in the Service Agreement, including but not limited to:
- Website development, hosting, and maintenance
- Search engine optimization (SEO) and digital marketing analytics
- Pay-per-click advertising campaign management
- Patient intake form processing and automation
- AI-powered medical documentation and transcription services
- Marketing automation and patient communication systems
- HIPAA compliance management and monitoring
2.2 Minimum Necessary Standard
Business Associate shall make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
2.3 De-Identified Data
Business Associate may use PHI to create de-identified data or aggregate data for internal analytics and service improvement purposes, provided that such data meets the de-identification requirements of 45 CFR § 164.514 (safe harbor or expert determination method).
2.4 Security Rule Compliance
To the extent Business Associate creates, receives, maintains, or transmits ePHI on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C).
2.5 No PHI to Advertising/Third-Party Analytics
Business Associate shall not disclose PHI to advertising networks, remarketing platforms, or third-party analytics platforms (including but not limited to Google Ads, Meta/Facebook Ads, Google Analytics, or similar services) except as expressly authorized in writing by Covered Entity, and only to the extent Covered Entity represents such disclosure is permissible under HIPAA and any other applicable law.
Business Associate will configure digital marketing and analytics tooling to prevent PHI transmission, including but not limited to: (a) excluding PHI from URL parameters, query strings, and event tracking; (b) disabling sensitive data logging on patient-facing systems; (c) avoiding session replay tools on patient portals; and (d) implementing proper consent mechanisms where required. Any marketing automation or patient communications performed by Business Associate are conducted solely on behalf of Covered Entity, not for Business Associate's own marketing purposes.
3. Obligations of Business Associate
3.1 Non-Use and Non-Disclosure
Business Associate agrees to not use or further disclose PHI other than as permitted or required by this BAA, the Service Agreement, or as required by law.
3.2 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards consistent with NIST-aligned security practices to prevent use or disclosure of PHI other than as provided for by this BAA. Where Business Associate controls the technical environment, safeguards include:
- Encryption: ePHI is encrypted at rest using industry-standard encryption (AES-256 or equivalent) and in transit using TLS 1.2 or higher, where technically feasible and applicable
- Access Controls: Role-based access controls (RBAC) limiting PHI access to authorized personnel only
- Audit Logging: Logging of PHI access, modifications, and disclosures as applicable to services provided
- Secure Infrastructure: Cloud hosting with HIPAA-eligible service providers with whom Business Associate maintains executed BAAs (including AWS and Azure where applicable)
- Network Security: Firewalls, intrusion detection/prevention systems, and regular security monitoring where Business Associate controls the network environment
- Workstation Security: Encrypted devices, automatic screen locks, and secure disposal protocols for Business Associate workforce devices
- Data Backup: Encrypted backups and disaster recovery procedures as applicable to services provided
3.3 Workforce Training
Business Associate shall ensure that all workforce members who have access to PHI receive appropriate HIPAA training and are bound by confidentiality obligations regarding PHI.
3.4 Subcontractors
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI. All subcontractors shall execute BAAs before accessing PHI.
Current HIPAA-compliant subcontractors include:
- Amazon Web Services (AWS) - Cloud infrastructure with executed BAA
- Microsoft Azure - Cloud infrastructure with executed BAA
- Cloudflare - CDN and security services with executed BAA
- Twilio - Communication services with executed BAA
3.5 Breach Notification
Business Associate shall notify Covered Entity of any Breach of Unsecured PHI (as defined under 45 CFR § 164.402) without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach, as required by HIPAA. Business Associate will target notification within 24 hours of confirming a Breach. The notification shall include, to the extent known at the time of notification:
- A description of what occurred, including the date of the Breach and the date of discovery (if known)
- The identification of the types of PHI involved in the Breach (e.g., name, SSN, medical record number)
- The number of individuals affected or a good faith estimate
- A brief description of steps individuals should take to protect themselves from potential harm
- What Business Associate is doing to investigate the Breach, mitigate harm, and prevent future occurrences
- Contact information for individuals to ask questions or learn additional information
Business Associate shall provide updates to Covered Entity as additional information becomes available. For purposes of this section, "discovery" means the first day on which the Breach is known or reasonably should have been known to Business Associate.
3.6 Individual Rights
Business Associate shall, within 10 business days of a request from Covered Entity:
- Make available PHI for inspection and copying to enable Covered Entity to fulfill individual access requests
- Make available PHI for amendment and incorporate any amendments to PHI
- Provide an accounting of disclosures of PHI as required under HIPAA
- Make internal practices, books, and records relating to PHI available to HHS for compliance reviews
3.7 Data Retention and Destruction
Upon termination of the Service Agreement, Business Associate shall:
- Return or destroy all PHI received from or created on behalf of Covered Entity, if feasible
- Retain no copies of PHI, except as required by law
- If return or destruction is not feasible, continue to extend protections to PHI and limit further uses and disclosures
- Provide written certification of destruction or return within 30 days of termination
4. Obligations of Covered Entity
4.1 Notice of Privacy Practices
Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices and notify Business Associate of any changes to such notice that affect Business Associate's use or disclosure of PHI.
4.2 Restrictions and Permissions
Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
4.3 Permissible Requests
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
5. Term and Termination
5.1 Term
This BAA shall become effective on the date of execution and shall remain in effect until all PHI is returned or destroyed; where return or destruction is not feasible, the obligations with respect to PHI extend beyond termination of the Service Agreement.
5.2 Termination for Breach
Either party may terminate this BAA and the underlying Service Agreement upon 30 days' written notice to the other party if the other party breaches a material term of this BAA and fails to cure such breach within the notice period. If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of this BAA, Covered Entity shall take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, Covered Entity shall terminate this BAA and the Service Agreement if feasible.
If Covered Entity determines that termination is not feasible, Covered Entity may report the violation to the Secretary of the U.S. Department of Health and Human Services as permitted under 45 CFR § 164.504(e)(1)(ii).
5.3 Effect of Termination
Upon termination of this BAA, Business Associate shall return or destroy all PHI as specified in Section 3.7. The obligations of Business Associate under Sections 3.5 (Breach Notification), 3.7 (Data Retention and Destruction), and 6 (Liability and Indemnification) shall survive termination of this BAA.
6. Liability and Indemnification
6.1 Limitation of Liability
Except as provided in Section 6.2 (Indemnification), and except in cases of gross negligence, willful misconduct, breach of confidentiality obligations, or security incidents involving PHI, Business Associate's liability for any breach of this BAA shall be limited to direct damages only. Business Associate shall not be liable for any indirect, incidental, consequential, or punitive damages arising from the performance of services under this BAA, except to the extent such limitation is prohibited by applicable law.
Note: The limitation of liability set forth in this Section 6.1 does not apply to Business Associate's indemnification obligations under Section 6.2 below.
6.2 Indemnification
Business Associate shall indemnify, defend, and hold harmless Covered Entity, its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from: (a) Business Associate's material breach of this BAA; (b) Business Associate's violation of HIPAA or other applicable laws; (c) Business Associate's unauthorized use or disclosure of PHI; or (d) negligent or wrongful acts or omissions by Business Associate or its workforce members, except to the extent such claims are directly caused by Covered Entity's actions, omissions, or breach of this BAA.
7. Miscellaneous
7.1 Amendment
The parties agree to amend this BAA to the extent necessary to comply with changes in HIPAA or other applicable laws and regulations. Such amendments shall be effective upon mutual written agreement.
7.2 Survival
The obligations of Business Associate under Sections 3.5 (Breach Notification), 3.7 (Data Retention and Destruction), and 6 (Liability and Indemnification) shall survive termination of this BAA.
7.3 Interpretation
Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA.
7.4 Governing Law
This BAA shall be governed by and construed in accordance with the laws of the State of Georgia, without regard to its conflict of laws provisions.
7.5 Entire Agreement
This BAA, together with the Service Agreement and Terms of Service, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings.
Security Program & Compliance Practices
Scarlet Plus maintains a comprehensive security program aligned with industry best practices:
- HIPAA Compliance: Security program designed to comply with HIPAA Privacy, Security, and Breach Notification Rules
- Security Framework: Security controls aligned to NIST Cybersecurity Framework and SOC 2 Trust Service Criteria
- Cloud Provider BAAs: Executed Business Associate Agreements with HIPAA-eligible cloud infrastructure providers (including AWS and Azure where applicable)
- Security Assessments: Regular security assessments including vulnerability scanning and security reviews
- Workforce Training: Mandatory HIPAA and security awareness training for all workforce members with PHI access
- Incident Response: Documented incident response procedures with regular testing and updates
- Continuous Monitoring: Ongoing security monitoring and logging where Business Associate controls the technical environment
8. Execution and Acceptance
8.1 Effective Date
This BAA becomes effective upon execution by authorized representatives of both parties or upon Covered Entity's acceptance through electronic means (including clickwrap acceptance during service onboarding). Business Associate shall maintain records of BAA acceptance including date, time, and identifying information of the accepting party.
8.2 Incorporation by Reference
This BAA is incorporated by reference into all Service Agreements between Business Associate and Covered Entity where Business Associate may create, receive, maintain, or transmit PHI. By engaging Business Associate's services and providing access to PHI, Covered Entity acknowledges and agrees to the terms of this BAA.
8.3 Signed Counterparts
For Covered Entities requiring a fully executed BAA with original or electronic signatures, please contact our Privacy Officer. Business Associate will execute and return signed BAAs within 10 business days of request.
Contact Information
For questions regarding this BAA or to report a security incident:
Privacy Officer:
Email: privacy@scarlet.plus
Compliance Email: legal@scarlet.plus
Security Incident Reporting: Available via email and secure reporting portal
Target Response Time: Within 1 business day for BAA-related inquiries
Company Information:
Scarlet Plus LLC
United States
Signature Block (Optional)
BUSINESS ASSOCIATE:
Scarlet Plus LLC
Signature: _______________________________
Name (Print): _______________________________
Title: _______________________________
Date: _______________________________
COVERED ENTITY:
_______________________________
Signature: _______________________________
Name (Print): _______________________________
Title: _______________________________
Date: _______________________________
This signature block is optional for electronic acceptance. Covered Entities who prefer traditional execution may request a Word or PDF version for signature. For clickwrap/electronic acceptance, Business Associate maintains audit logs of acceptance, including timestamp and IP address, as permitted under the ESIGN Act.