This Business Associate Agreement ("BAA") is entered into by and between Isha Health, Inc. ("Business Associate") and the entity agreeing to these terms ("Covered Entity"). This BAA is incorporated into and made part of the Moco Platform Terms of Use.
1. Purpose
This BAA is intended to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and related regulations governing the use and disclosure of Protected Health Information ("PHI").
2. Definitions
**PHI:** Individually identifiable health information transmitted or maintained in any form.**Breach:** Unauthorized acquisition, access, use, or disclosure of PHI that compromises security or privacy.**De-identified Data:** Data that has been stripped of identifying information per HIPAA standards.**Minimum Necessary:** Limiting PHI access to the least amount required to perform duties.3. Obligations of Business Associate
**Permitted Uses and Disclosures:** Business Associate may use or disclose PHI only as required to provide services under the Terms of Use, as required by law, or as permitted under this BAA.**Safeguards:** Business Associate will implement administrative, physical, and technical safeguards to prevent unauthorized access to PHI.**Subcontractors:** Business Associate will ensure that any subcontractors handling PHI agree to the same restrictions and conditions.**Reporting:** Business Associate will promptly report any unauthorized use or disclosure of PHI to Covered Entity.**Access and Amendment:** Business Associate will provide access to PHI and accommodate amendment requests as required by HIPAA.**Accounting of Disclosures:** Business Associate will document disclosures of PHI and provide such information to Covered Entity upon request.4. Obligations of Covered Entity
**Compliance:** Covered Entity will comply with HIPAA, HITECH, and all applicable regulations.**Limitations on Disclosure:** Covered Entity will not request Business Associate to use or disclose PHI in a manner not permitted under HIPAA.**Permissions and Authorizations:** Covered Entity is responsible for obtaining necessary authorizations from individuals for any PHI disclosures required beyond standard operations.5. Breach Notification
In the event of a breach of unsecured PHI, Business Associate will notify Covered Entity without unreasonable delay and in no event later than ten (10) days after discovery. The notification will include:
The nature of the breach.The type of PHI involved.Any steps individuals should take to protect themselves.The actions Business Associate is taking to mitigate harm and prevent future breaches.6. Term and Termination
**Term:** This BAA remains in effect for as long as Business Associate provides services involving PHI.**Termination:** Either party may terminate this BAA for cause if the other party materially breaches any provision and fails to cure within thirty (30) days of notice.**Effect of Termination:** Upon termination, Business Associate will return or securely destroy all PHI. If returning or destroying PHI is not feasible, Business Associate will extend protections to retained PHI.7. Miscellaneous
**No Third-Party Beneficiaries:** This BAA is solely between the parties and does not create rights for any third parties.**Governing Law:** This BAA is governed by the laws of the State of California.**Amendments:** This BAA may be amended as required to comply with changes in HIPAA, HITECH, or other applicable regulations.**Survival:** Obligations concerning PHI security and confidentiality survive termination of this BAA.For any questions regarding this BAA, contact us at info@isha.health.
