Business Associate Agreement

This Business Associate Agreement governs how Vitality Medical Marketing Group handles Protected Health Information on behalf of healthcare clients, in compliance with HIPAA, HITECH, and 45 CFR Parts 160 and 164.

Agency: Efferent Media, Inc. d/b/a Vitality Medical Marketing Group
Address: 145 East Sunrise Highway, Suite 2, Lindenhurst, NY 11757
Phone: 631-919-0009

This Business Associate Agreement (“BAA”) is entered into by and between Efferent Media, Inc. d/b/a Vitality Medical Marketing Group (“Business Associate,” “Agency,” or “Vitality”) and the applicable covered entity client (“Covered Entity” or “Client”) and is incorporated by reference into the applicable Master Services Agreement (“MSA”), Order Form, Statement of Work, subscription agreement, or other agreement between the parties.

This BAA becomes effective as of the effective date of the applicable services agreement between the parties.

1. Purpose

The purpose of this BAA is to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and related regulations codified at 45 CFR Parts 160 and 164.

To the extent Business Associate creates, receives, maintains, transmits, stores, or accesses Protected Health Information (“PHI”) on behalf of Covered Entity in connection with the Services, the parties agree to comply with the terms of this BAA.

2. Definitions

Capitalized terms not otherwise defined herein shall have the meanings assigned under HIPAA and HITECH, including but not limited to:

  • Protected Health Information (“PHI”)
  • Breach
  • Security Incident
  • Business Associate
  • Covered Entity
  • Unsecured PHI
  • Use
  • Disclosure

3. Permitted Uses and Disclosures

Business Associate may use and disclose PHI solely:

  • to perform the Services described in the applicable agreement, including operation and support of the RootLogic platform (CRM, automations, reporting), call tracking and recording where enabled, SMS, voice, email and messaging automations initiated by Client, and analytics, reporting, troubleshooting, and optimization;
  • to operate, maintain, support, and improve the Services;
  • for management and administration purposes;
  • to carry out legal responsibilities;
  • as otherwise permitted or required by HIPAA.

Business Associate shall not use or disclose PHI in a manner that would violate HIPAA if performed directly by Covered Entity, except as otherwise permitted by law.

4. Minimum Necessary Standard

Business Associate shall make commercially reasonable efforts to limit access to PHI to the minimum necessary information required to perform the Services.

Covered Entity acknowledges that certain Services, including the RootLogic platform, call tracking, text messaging, lead management, consultation workflows, reporting systems, and automated follow-up systems, may require limited operational access to identifiable patient information.

5. Safeguards

Business Associate shall implement commercially reasonable administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of PHI, including where applicable:

  • encryption in transit and at rest;
  • role-based access restrictions;
  • password protection policies;
  • multi-factor authentication;
  • workforce confidentiality obligations;
  • audit logging;
  • device access restrictions;
  • secure backup procedures;
  • workforce training and access management procedures.

Business Associate does not warrant or guarantee that any system, software, platform, or communication method is completely immune from cyberattack, unauthorized access, or security incidents.

6. Workforce Members, Contractors, and Subprocessors

Business Associate may utilize employees, contractors, subcontractors, consultants, support personnel, hosting providers, communication providers, software vendors, AI-assisted technologies, transcription providers, analytics providers, and cloud infrastructure providers in connection with the Services.

Certain authorized workforce members or subcontractors may be located outside the United States, subject to confidentiality and security obligations consistent with this BAA.

Business Associate shall require workforce members and applicable subcontractors with PHI access to maintain reasonable confidentiality and security obligations consistent with applicable HIPAA requirements.

7. Third-Party Platforms, Tracking Technologies, and Advertising Services

Covered Entity acknowledges that certain Services may involve integration with or utilization of third-party advertising, analytics, tracking, communication, or marketing platforms, including but not limited to:

  • Google;
  • Meta/Facebook;
  • Microsoft/Bing;
  • TikTok;
  • LinkedIn;
  • call tracking providers;
  • analytics providers;
  • CRM integrations;
  • automation systems;
  • and related technologies.

Covered Entity understands and acknowledges that certain third-party advertising or analytics platforms may not offer HIPAA-specific contractual protections or Business Associate Agreements.

Covered Entity expressly authorizes Business Associate to implement tracking technologies, advertising technologies, audience-building technologies, conversion tracking, remarketing systems, and campaign optimization tools as directed or approved by Covered Entity. Covered Entity directs and approves all pixel, tag, and tracking technology placements on patient-facing pages.

Covered Entity remains solely responsible for:

  • determining whether deployment of such technologies complies with applicable law, including HHS guidance on tracking technologies;
  • obtaining any necessary patient consents or authorizations;
  • approving implementation of tracking technologies;
  • reviewing and approving advertising campaigns;
  • and ensuring compliance with applicable privacy, consumer protection, and healthcare marketing laws.

Business Associate does not warrant or guarantee that any third-party advertising or analytics platform is HIPAA compliant.

8. Call Recordings, SMS, and Communications

Covered Entity acknowledges that Services may include:

  • call tracking;
  • call recordings;
  • SMS messaging;
  • voicemail systems;
  • automated communications;
  • consultation workflows;
  • and communication automation systems.

Covered Entity is solely responsible for:

  • obtaining any legally required call recording consents or disclosures;
  • ensuring compliance with federal and state wiretap laws;
  • ensuring compliance with TCPA and related communication laws;
  • obtaining any required patient communication consents;
  • and determining the appropriateness of communications sent through the Services.

Business Associate provides communication systems solely as operational tools and does not provide legal compliance advice regarding communication laws.

9. AI-Assisted Tools and Transcription Services

Business Associate may utilize AI-assisted technologies, automation systems, analytics tools, or transcription providers in connection with the Services.

Business Associate shall use commercially reasonable efforts to minimize unnecessary exposure of PHI when utilizing such technologies.

Covered Entity acknowledges that certain AI or automation providers may not offer HIPAA-specific contractual protections unless expressly stated in writing.

10. Breach Notification

Business Associate shall notify Covered Entity without unreasonable delay following discovery of a Breach of Unsecured PHI and in no event later than thirty (30) calendar days after discovery.

Such notification shall include, to the extent reasonably available:

  • the nature of the Breach;
  • the categories of PHI involved;
  • corrective actions taken;
  • mitigation efforts;
  • and additional information reasonably necessary for Covered Entity’s compliance obligations.

11. Security Incidents

Business Associate shall report known material Security Incidents involving unauthorized access to PHI.

The parties acknowledge that unsuccessful security incidents occur routinely and shall not constitute reportable incidents unless resulting in unauthorized access, acquisition, use, or disclosure of PHI.

Examples of such unsuccessful incidents include:

  • port scans;
  • pings;
  • failed login attempts;
  • malware attempts blocked by security systems;
  • denial-of-service attacks;
  • and similar routine network activity.

12. Client Responsibilities

Covered Entity remains solely responsible for:

  • HIPAA compliance obligations applicable to Covered Entity;
  • lawful disclosure of PHI;
  • Notice of Privacy Practices obligations;
  • patient authorizations and consents;
  • advertising compliance;
  • call recording disclosures;
  • SMS communication compliance;
  • TCPA compliance;
  • state privacy law compliance;
  • staff training, access permissions, and internal HIPAA compliance;
  • what PHI is entered into the RootLogic platform or transmitted through messaging;
  • and approval of all marketing, automation, tracking, and communication activities.

Covered Entity acknowledges that Business Associate does not provide legal advice regarding healthcare compliance, advertising compliance, or regulatory obligations unless expressly agreed in writing.

13. Access, Export, Return, and Destruction of PHI

During the term of the Services, Covered Entity may export or retrieve Client data using available system tools or through commercially reasonable assistance requests.

Upon termination of the applicable Services Agreement, Business Associate shall use commercially reasonable efforts to provide Covered Entity with an opportunity to export Client data prior to permanent deletion where feasible.

Business Associate may retain archival or backup copies as required by law, backup procedures, audit obligations, security procedures, or legitimate business continuity requirements, subject to continued protection under this BAA.

To the extent required by HIPAA, Business Associate will assist Covered Entity with responding to requests for access to PHI, amendments of PHI, and accounting of disclosures. Such assistance may be subject to reasonable fees if it requires work outside standard Services.

14. Suspension of Services

Business Associate reserves the right to suspend Services for nonpayment or material breach of the applicable Services Agreement.

Such suspension may include restriction of:

  • RootLogic platform functionality;
  • campaign management;
  • automations;
  • forms;
  • landing pages;
  • communication systems;
  • or related Services.

Where commercially reasonable, Business Associate shall provide Covered Entity with an opportunity to retrieve or export Client data prior to permanent termination of access.

15. Limitation of Liability

To the fullest extent permitted by law, Business Associate shall not be liable for:

  • acts or omissions of Covered Entity;
  • Client-approved tracking technologies;
  • third-party platform actions or outages;
  • advertising platform policy changes;
  • cyberattacks that occur despite commercially reasonable safeguards;
  • improper Client configuration or use of the Services;
  • or Covered Entity’s failure to comply with applicable laws.

16. Indemnification

Covered Entity agrees to indemnify and hold harmless Business Associate from claims, damages, losses, and expenses arising out of:

  • Covered Entity’s failure to comply with HIPAA or other applicable laws;
  • Covered Entity’s misuse of the RootLogic platform, messaging systems, or call tracking;
  • actions, permissions, or patient communications of Covered Entity’s staff;
  • tracking technologies approved or directed by Covered Entity;
  • and advertising or marketing activities approved by Covered Entity.

This indemnification does not apply to breaches caused by Business Associate’s material violation of this BAA.

17. Term and Termination

This BAA shall remain in effect for so long as Business Associate maintains PHI on behalf of Covered Entity.

Either party may terminate this BAA upon material breach by the other party if such breach is not cured within thirty (30) days following written notice.

Upon termination, Business Associate will, where feasible, return or destroy PHI, except where retention is required by law or by backup procedures, or is otherwise permitted under Section 13.

18. Governing Law

This BAA is governed by the laws of the State of New York, without regard to conflict-of-law principles.

19. Entire Agreement

This BAA is incorporated into and governed by the applicable MSA and related agreements between the parties.

In the event of conflict between this BAA and the MSA, this BAA shall govern solely with respect to HIPAA-related obligations.

20. No Legal Advice

Business Associate does not provide legal, regulatory, or HIPAA compliance advice unless expressly agreed in writing. Covered Entity is encouraged to consult independent legal counsel regarding compliance obligations.

Version: 2026-05-13