Between Gnosis Concepts Inc. (Business Associate) and the Customer practice (Covered Entity)
This Business Associate Agreement (“Agreement”) is entered into between Gnosis Concepts Inc.
(“Business Associate”), operator of the PsychNote AI / NMPsychNote platform (the “Service”), and the healthcare
practice that accepts this Agreement (“Covered Entity”). It governs the Business Associate’s creation, receipt,
maintenance, and transmission of Protected Health Information (“PHI”) on behalf of the Covered Entity, and
satisfies the requirements of 45 CFR §164.504(e). This Agreement is effective on the date the Covered Entity
accepts it electronically.
1. Definitions
Terms used but not otherwise defined have the meanings given in the HIPAA Rules (45 CFR Parts 160 and 164).
“PHI” means Protected Health Information, limited to information the Business Associate creates, receives,
maintains, or transmits for or on behalf of the Covered Entity. “HIPAA Rules” means the Privacy, Security, Breach
Notification, and Enforcement Rules.
2. Permitted Uses and Disclosures
The Business Associate may use or disclose PHI only as necessary to perform the services provided through the
Service, as permitted or required by this Agreement, or as required by law. Specifically, the Business Associate may:
- Use and disclose PHI to provide the documentation, transcription, storage, and related functions of the Service to the Covered Entity.
- Use PHI for the proper management and administration of the Business Associate and to carry out its legal responsibilities.
- Disclose PHI for such management and administration where disclosure is required by law, or where the Business Associate obtains reasonable assurances from the recipient that the information will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will notify the Business Associate of any instance of which it becomes aware in which the confidentiality of the information has been breached.
- De-identify PHI in accordance with 45 CFR §164.514(a)-(c), where applicable.
The Business Associate will not use or disclose PHI in any manner that would violate the HIPAA Rules if done by
the Covered Entity, except as expressly permitted above. The Business Associate will limit its uses, disclosures,
and requests of PHI to the minimum necessary to accomplish the intended purpose.
3. Obligations of the Business Associate
The Business Associate agrees to:
- Not use or disclose PHI other than as permitted by this Agreement or required by law.
- Use appropriate administrative, physical, and technical safeguards, and comply with the HIPAA Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided by this Agreement. The Business Associate maintains safeguards including encryption of PHI in transit and at rest, tenant-level access isolation, role-based access controls, automatic session locking, and append-only audit logging of PHI access.
- Report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR §164.410, without unreasonable delay and no later than sixty (60) calendar days after discovery.
- In accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to the Business Associate. The Business Associate has entered into written business associate agreements with its subcontractors that handle PHI.
- Make PHI available to the Covered Entity as necessary to satisfy the Covered Entity’s obligations to provide individuals access to their PHI under 45 CFR §164.524.
- Make PHI available for amendment and incorporate amendments as directed by the Covered Entity, consistent with 45 CFR §164.526.
- Maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy the Covered Entity’s obligations under 45 CFR §164.528.
- To the extent the Business Associate carries out any of the Covered Entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the Covered Entity in performing those obligations.
- Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
4. Obligations of the Covered Entity
The Covered Entity agrees to:
- Notify the Business Associate of any limitations in its notice of privacy practices, and of any changes in, or revocation of, an individual’s permission to use or disclose PHI, to the extent such changes affect the Business Associate’s use or disclosure of PHI.
- Obtain any consents or authorizations that may be required for the Business Associate to provide the Service, including patient consent to AI-assisted documentation where applicable.
- Not request the Business Associate to use or disclose PHI in any manner that would not be permitted under the HIPAA Rules if done by the Covered Entity.
5. Term and Termination
This Agreement is effective upon the Covered Entity’s electronic acceptance and continues until terminated.
Either party may terminate for material breach if the breaching party fails to cure within thirty (30) days of
written notice. Upon termination, the Business Associate will, where feasible, return or destroy all PHI received
from, or created or received on behalf of, the Covered Entity, and retain no copies. Where return or destruction
is not feasible, the Business Associate will extend the protections of this Agreement to such PHI and limit
further uses and disclosures to those purposes that make return or destruction infeasible. Provisions concerning
the handling of PHI survive termination.
6. Miscellaneous
This Agreement will be interpreted to permit compliance with the HIPAA Rules; in the event of a conflict, the
HIPAA Rules control. The parties agree to amend this Agreement as necessary to comply with changes to the HIPAA
Rules. Nothing in this Agreement is intended to confer any rights on any third party. This Agreement constitutes
the entire agreement between the parties concerning the handling of PHI and supersedes prior understandings on
that subject.
7. Electronic Acceptance
By checking the acceptance box and typing their name as an electronic signature during sign-up, the individual
accepting on behalf of the Covered Entity represents that they are authorized to bind the Covered Entity to this
Agreement. The Business Associate records the signer’s name, title, email, the version of this Agreement, and the
date and time of acceptance as evidence of execution. Electronic acceptance has the same legal effect as a
handwritten signature.
Business Associate
Gnosis Concepts Inc. — HIPAA Security Officer: Adekoye Sanni