HIPAA Business Associate Agreement (BAA)

Comprehensive HIPAA compliance framework for protected health information

Last Modified on May 18, 2018

Owner & Contact

Owner/Operator: Spyface Tech Company, LLC (d/b/a "ClinicBooking")

Registered Office: 30 N Gould St Ste N, Sheridan, WY 82801, USA

Corporate Contact: hello@spyface.com

Support: care@clinicbooking.com

This Business Associate Agreement ("BAA") forms part of, and is incorporated by reference into, any master agreement, platform agreement, or order between a Covered Entity (or its Business Associate) and ClinicBooking. Where this BAA conflicts with any other agreement between the parties regarding Protected Health Information ("PHI"), this BAA controls to the extent of the conflict.

1. Parties & Relationship

This BAA is between the "Covered Entity" (or a Business Associate acting on behalf of a Covered Entity) and Spyface Tech Company, LLC (d/b/a "ClinicBooking"), a "Business Associate" under 45 C.F.R. §160.103, solely to the extent ClinicBooking creates, receives, maintains, or transmits PHI on behalf of the Covered Entity in providing agreed services (the "Services").

2. Definitions

Capitalized terms not defined here have the meanings in HIPAA, HITECH, and their implementing regulations (45 C.F.R. Parts 160 & 164).

  • PHI: Protected Health Information (including ePHI) as defined by 45 C.F.R. §160.103.
  • Breach: As defined by 45 C.F.R. §164.402.
  • Security Incident: As defined by 45 C.F.R. §164.304.
  • Unsecured PHI: PHI not secured by a technology or methodology specified by HHS guidance under §13402(h)(2) of HITECH.

3. Permitted Uses & Disclosures

  • ClinicBooking may use and disclose PHI solely to perform the Services for or on behalf of Covered Entity as described in the underlying agreement and this BAA.
  • ClinicBooking may use PHI for its proper management and administration or to carry out its legal responsibilities, and may disclose PHI for those purposes only if the disclosure is (i) required by law; or (ii) made to a person from whom ClinicBooking has obtained reasonable assurances that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed, and who agrees to notify ClinicBooking of any instance in which the confidentiality of the PHI has been breached.
  • ClinicBooking may use PHI to de-identify data consistent with 45 C.F.R. §164.514(a)-(c).
  • ClinicBooking may use PHI to create limited data sets under 45 C.F.R. §164.514(e) and enter data use agreements where applicable.

4. Prohibited Uses & Disclosures

  • No sale of PHI and no marketing communications in violation of 45 C.F.R. §164.502(a)(5) and §164.508(a)(3).
  • No use or disclosure in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.
  • No combination of PHI across customers except as permitted (e.g., de-identified analytics) and never for profiling of data subjects.

5. Minimum Necessary

ClinicBooking will request, use, disclose, and retain only the minimum necessary PHI to accomplish the intended purpose as required by 45 C.F.R. §164.502(b).

6. Safeguards (Administrative/Physical/Technical)

ClinicBooking will implement and maintain the safeguards required by 45 C.F.R. §§164.308, 164.310, and 164.312. Illustrative controls by safeguard domain:

  • Administrative: Risk analysis; policies & procedures; role-based access; workforce training; vendor risk management; sanctions policy.
  • Physical: Data center standards; facility access controls; device/media disposal; screen privacy; visitor logs.
  • Technical: Access controls (MFA); audit logs; unique user IDs; encryption in transit (TLS 1.2+) and at rest (AES-256); integrity controls; endpoint hardening.

7. Incident & Breach Notification

  • Security Incidents: ClinicBooking will report to Covered Entity any successful Security Incident involving PHI of which ClinicBooking becomes aware, without unreasonable delay after the incident is confirmed and in no case later than five (5) business days after confirmation. Routine, unsuccessful events (e.g., port scans, pings, blocked malware) are deemed reported by this paragraph and will not be reported individually.
  • Breaches of Unsecured PHI: ClinicBooking will notify Covered Entity without unreasonable delay and no later than ten (10) business days after discovery, providing the information reasonably required by 45 C.F.R. §164.404(c) as it becomes available.
  • Covered Entity is responsible for end-user notifications unless otherwise agreed in writing.

8. Subcontractors & Agents

ClinicBooking will ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on ClinicBooking's behalf agrees in writing to obligations no less stringent than those applicable to ClinicBooking under this BAA (45 C.F.R. §164.502(e)(1)). A current list of subprocessors used for PHI-relevant functions will be made available upon request under appropriate confidentiality.

9. Access, Amendment & Accounting

  • Access: To the extent ClinicBooking maintains PHI in a Designated Record Set, ClinicBooking will make PHI available to Covered Entity (or to the Individual as directed by Covered Entity) consistent with 45 C.F.R. §164.524.
  • Amendment: ClinicBooking will incorporate amendments to PHI as directed by Covered Entity pursuant to 45 C.F.R. §164.526.
  • Accounting: ClinicBooking will document and provide an accounting of disclosures of PHI as required by 45 C.F.R. §164.528.

10. HHS/Regulatory Access

ClinicBooking will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by ClinicBooking on behalf of, Covered Entity available to the Secretary of HHS for purposes of determining Covered Entity's compliance with HIPAA (45 C.F.R. §164.504(e)(2)(ii)(I)).

11. Mitigation, Training & Sanctions

  • ClinicBooking will mitigate, to the extent practicable, any harmful effect known to ClinicBooking of a use or disclosure of PHI in violation of this BAA.
  • ClinicBooking maintains workforce training appropriate to job function and sanctions for violations of HIPAA policies.

12. De-Identification & Data Aggregation

  • ClinicBooking may de-identify PHI in accordance with 45 C.F.R. §164.514(a)-(c). De-identified data is not PHI and may be used for analytics, product improvement, and industry insights.
  • ClinicBooking may provide data aggregation services relating to the health care operations of Covered Entity (45 C.F.R. §164.501), if applicable.

13. Term, Termination & Return/Destruction

  • Term: This BAA is effective as of the effective date of the underlying Services and remains in effect until all PHI is returned to Covered Entity or destroyed.
  • Termination for Cause: Covered Entity may terminate if ClinicBooking has materially breached this BAA and fails to cure within a commercially reasonable period after written notice. If cure is infeasible, Covered Entity must terminate the Services involving PHI to the extent feasible.
  • Return/Destruction: Upon termination, ClinicBooking will, if feasible, return or destroy PHI. If return or destruction is infeasible (e.g., backups, legal holds), ClinicBooking will extend the protections hereunder and limit further uses/disclosures to those purposes that make return or destruction infeasible.

14. Insurance, Indemnity & Limitation

  • Insurance: ClinicBooking will maintain commercially reasonable cyber/privacy liability coverage.
  • Indemnity: Each party will indemnify the other from third-party claims to the extent arising from that party's material breach of this BAA or violation of HIPAA, except to the extent caused by the other party.
  • Limitation: Any limitation of liability in the underlying agreement applies to claims under this BAA, except that limitations shall not apply to a party's willful misconduct or obligations to the Secretary of HHS.

15. No Agency; Independent Contractor

ClinicBooking is an independent contractor. Nothing creates an agency, partnership, or joint venture. ClinicBooking does not practice medicine or provide medical services.

16. Notices

All notices under this BAA must be in writing and sent to the contacts below (or as otherwise updated by written notice):

  • ClinicBooking (Business Associate): Spyface Tech Company, LLC (d/b/a "ClinicBooking"), 30 N Gould St Ste N, Sheridan, WY 82801, USA. Corporate: hello@spyface.com. Support: care@clinicbooking.com.
  • Covered Entity: As specified in the applicable order, MSA/SaaS agreement, or by written designation from Covered Entity.

17. Miscellaneous

  • Preemption: If any provision of this BAA is inconsistent with HIPAA, HIPAA controls. State law applies only to the extent not preempted by HIPAA.
  • Severability: If any provision is held invalid, the remainder remains in effect.
  • Assignment: Neither party may assign this BAA without the other's consent, except to a successor in interest in a merger, acquisition, or sale of substantially all assets.
  • Entire Agreement: This BAA and the underlying agreement constitute the entire understanding regarding PHI handling under the Services.
  • Governing Law: Except to the extent preempted by HIPAA, this BAA is governed by the laws of the State of Wyoming.
  • Counterparts; Electronic Signatures: This BAA may be executed in counterparts and by electronic signature.

18. Contact & Support

Questions about this BAA? Contact Corporate at hello@spyface.com.
Customer support for platform features: care@clinicbooking.com.

19. Related Policies

20. Signature & Acceptance

If the parties have executed a separate paper or e-signature BAA, that signed document governs and supersedes this online form. Otherwise, this BAA is deemed accepted when the Covered Entity (or its Business Associate) (i) executes an order, MSA, or equivalent instrument referencing HIPAA/PHI services with ClinicBooking, or (ii) otherwise instructs ClinicBooking to process PHI under the Services.