Business Associate Agreement
Template Version 2.0 · Last Updated: May 30, 2026
1. Purpose
This Business Associate Agreement ("BAA") is entered into between Mino MD ("Covered Entity") and the undersigned Business Associate ("BA") to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HITECH Act, and all applicable regulations at 45 CFR Parts 160 and 164.
2. Definitions
- Protected Health Information (PHI): Any individually identifiable health information transmitted or maintained by BA on behalf of Covered Entity.
- Electronic PHI (ePHI): PHI in electronic form, including prescription records, intake forms, health metrics, and messaging content.
- Security Incident: Any attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI.
- Breach: Unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy.
3. Obligations of Business Associate
- Implement administrative, physical, and technical safeguards per 45 CFR 164.308, 164.310, and 164.312
- Encrypt all ePHI at rest (AES-256) and in transit (TLS 1.3)
- Maintain comprehensive audit logs of all PHI access per 45 CFR 164.312(b)
- Report any Security Incident or Breach to Covered Entity within 24 hours of discovery
- Ensure all workforce members with access to PHI receive HIPAA training annually
- Not use or disclose PHI except as permitted by this Agreement or as required by law
- Make PHI available to individuals for access and amendment per 45 CFR 164.524 and 164.526
- Maintain PHI for a minimum of 6 years from the date of its creation or last effective date
- Return or destroy all PHI upon termination of the Agreement
4. Permitted Uses and Disclosures
BA may use or disclose PHI only as necessary to:
- Perform services outlined in the underlying service agreement
- Manage and administer BA's business operations
- Provide data aggregation services relating to healthcare operations
- Report violations of law to appropriate authorities
5. Subcontractors
BA shall require any subcontractor that creates, receives, maintains, or transmits PHI on behalf of BA to agree in writing to the same restrictions and conditions imposed on BA under this Agreement. This includes but is not limited to:
- Vercel Inc. — Application hosting and edge compute (BAA required)
- Neon Inc. — PostgreSQL database hosting (BAA required)
- OpenAI / AI providers — AI assistant services (no PHI transmitted to AI models)
6. Breach Notification
BA shall notify Covered Entity of any Breach of unsecured PHI within 24 hours of discovery. Notification shall include: identification of affected individuals, the nature of the PHI involved, recommended steps for mitigation, and a description of remedial actions taken. Covered Entity is responsible for notifying affected individuals and the Secretary of HHS as required by 45 CFR 164.404–164.408.
7. Term and Termination
This Agreement shall remain in effect for the duration of the underlying service agreement. Either party may terminate for cause if the other party materially breaches any provision and fails to cure within 30 days of written notice. Upon termination, BA shall return or destroy all PHI in its possession within 60 days.
8. Governing Law
This Agreement shall be governed by and construed in accordance with applicable federal law, including HIPAA and the HITECH Act, and the laws of the State of California.