How this works: By activating a CaseFlow subscription and using features that process PHI, you (the Covered Entity) agree to the terms of this BAA with Polsia, Inc. (Business Associate). No separate signature is required for standard subscriptions. For custom BAA execution or enterprise agreements, email caseflow@polsia.app.

HIPAA Business Associate Agreement

Between Polsia, Inc. (Business Associate) and the Subscribing Medical Practice (Covered Entity)

Business Associate: Polsia, Inc., operating as CaseFlow, a Delaware corporation
Contact: caseflow@polsia.app

Covered Entity: The subscribing medical practice or healthcare organization whose authorized representative agreed to CaseFlow's Terms of Service.

Effective Date: The date the Covered Entity's CaseFlow subscription becomes active.

Recitals

Business Associate provides technology services to Covered Entity that involve the creation, receipt, maintenance, or transmission of Protected Health Information (PHI). The parties intend this Agreement to satisfy the requirements of the HIPAA Privacy Rule (45 CFR Part 164) and the HITECH Act amendments thereto.

1. Definitions

Terms used but not defined in this Agreement shall have the meanings ascribed to them in the HIPAA Rules (45 CFR Parts 160 and 164), including:

  • PHI — Protected Health Information as defined in 45 CFR § 160.103
  • ePHI — Electronic Protected Health Information
  • HIPAA Rules — The Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164
  • Breach — As defined in 45 CFR § 164.402
  • Security Incident — As defined in 45 CFR § 164.304

2. Obligations of Business Associate

Business Associate agrees to:

  • Use or disclose PHI only as permitted or required by this Agreement or as required by law
  • Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Rule) with respect to ePHI, to prevent use or disclosure of PHI other than as provided in this Agreement
  • Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR § 164.410, and any Security Incidents of which it becomes aware
  • In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information
  • To the extent Business Associate has PHI in a Designated Record Set, make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524
  • Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526
  • Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528
  • To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations
  • Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules

3. Permitted Uses and Disclosures by Business Associate

Business Associate may use or disclose PHI only as follows:

  • Service Performance: To perform the services described in the CaseFlow Terms of Service, including AI-powered document processing, referral intake, and pre-authorization workflows
  • Management and Administration: For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate
  • Data Aggregation: To provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B)
  • Required by Law: As required by applicable law

Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except as permitted in this Section.

4. Obligations of Covered Entity

Covered Entity agrees to:

  • Notify Business Associate of any limitation(s) in the Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI
  • Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent such changes may affect Business Associate's permitted or required uses or disclosures
  • Notify Business Associate of any restriction on use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522
  • Not request that Business Associate use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity

5. Breach Notification

Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach. Notice shall include, to the extent possible:

  • The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
  • A brief description of what happened, including the date of the Breach and the date of discovery
  • A description of the types of PHI involved
  • Steps individuals should take to protect themselves from potential harm
  • A brief description of what Business Associate is doing to investigate, mitigate harm, and protect against future breaches

6. Subcontractors and AI Service Providers

Business Associate uses the following categories of subprocessors that may process PHI on its behalf to perform the CaseFlow service:

  • AI Model Providers (e.g., Anthropic): For document classification and data extraction. These providers are bound by data processing agreements that prohibit use of customer data for AI model training and require HIPAA-compliant data handling.
  • Cloud Infrastructure (Render, Neon): For hosting and database services under SOC 2 compliant environments.
  • Fax Service Providers: For secure fax ingestion where applicable.

Business Associate will ensure each subcontractor is bound by terms that provide equivalent protections for PHI as this Agreement.

7. Term and Termination

Term: This Agreement is effective as of the date the Covered Entity activates a CaseFlow subscription and shall terminate when the subscription is cancelled or the underlying service agreement is terminated.

Termination for Cause: Either party may terminate this Agreement if the other party has breached a material term and has not cured the breach within 30 days of written notice.

Effect of Termination: Upon termination, Business Associate shall, at the direction of Covered Entity, destroy or return all PHI received from, or created or received on behalf of, Covered Entity. Business Associate shall retain no copies of PHI. To the extent return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

8. Miscellaneous

Amendment: The parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of HIPAA Rules and any other applicable law.

Interpretation: Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with HIPAA Rules.

No Third-Party Beneficiaries: Nothing in this Agreement shall confer any rights or remedies upon any person other than the parties and their respective successors and assigns.

Entire Agreement: This Agreement, together with the CaseFlow Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding Business Associate's obligations with respect to PHI.

Business Associate

Polsia, Inc. (operating as CaseFlow)

Authorized Signature
Printed Name & Title
Date

Covered Entity

Subscribing Medical Practice

Authorized Signature
Practice Name & Authorized Representative
Date

Need a countersigned BAA for your records? Email us and we'll execute a signed copy within 1 business day.
