Hint Health BAA
LAST UPDATED: April 1, 2023
You and the company, institution or other entity (“Healthcare Entity”) employing, contracting or retaining you, or on whose behalf you are using the Hint Health Service described below (collectively, you and such Healthcare Entity, “you”, the “Covered Entity”) agree to be bound by and become a party to this Hint Health Business Associate Agreement (this "Agreement") with Hint Health Inc (“we”, “us”, “Hint Health”, “Business Associate”). You represent, warrant and agree that you are authorized to enter into this Agreement on behalf of yourself and the Healthcare Entity and to bind yourself and the Healthcare Entity to the terms and conditions herein.
This Agreement is being entered into in connection with your use of our online service for direct-pay, medical care providers, which may include, without limitation, billing, membership management, reminder notifications and/or related functionality (the “Hint Health Service”) under the terms and conditions of that certain Hint Health Terms of Service Agreement or related order form (collectively, “TOS Agreement”) entered into between you and us. This Agreement, together with the TOS Agreement, as supplemented by this Agreement, (a) is intended by the parties as a final, complete and exclusive expression of the terms of our agreement regarding the subject matter hereof; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.
Health Entity is a covered entity as such term is defined under HIPAA and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of PHI.
By providing services pursuant to the TOS Agreement and receiving PHI for or on your behalf, Hint Health shall become a business associate, as such term is defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of PHI that we receive from or on your behalf.
The parties hereby agree as follows:
1. Definitions
1.1 Business Associate: “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean us.
1.2 Covered Entity: “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean you.
1.3 HIPAA: “HIPAA” shall mean collectively, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, each as amended.
1.4 “Protected Health Information” or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, or transmitted by us for or on your behalf, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care.
The following terms used in this Agreement shall have the same meaning as those terms in HIPAA: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Our Obligations and Activities
We agree to:
- 2.1 Not use or disclose PHI other than as permitted or required by this Agreement, the TOS Agreement, or as required by law;
- 2.2 Not use or disclose PHI in any manner that violates applicable federal and state laws;
- 2.3 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement or the TOS Agreement;
- 2.4 Within ten (10) business days, report to you any use or disclosure of PHI not provided for by the Agreement of which we become aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any successful Security Incident of which we become aware. The parties acknowledge that unsuccessful Security Incidents that occur within the normal course of business shall not be reported pursuant to this Agreement. Such unsuccessful Security Incidents include, but are not limited to, port scans or “pings,” and unsuccessful log-on attempts, broadcast attacks on our firewall, denials of service or any combination thereof if such incidents are detected and neutralized by our anti-virus and other defensive software and not allowed past our firewall;
3. Permitted Uses and Disclosures by Business Associate
We shall only use or disclose PHI as necessary to perform the services set forth in the TOS Agreement between the parties, and as outlined in this Agreement.
- 3.1 We may use or disclose PHI as required by law.
- 3.2 We agree to use and disclose the minimum necessary PHI for its specific purposes.
- 3.3 We shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by you, except for the specific uses and disclosures set forth below.
4. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
4.1 You agree to notify us of any limitations in your notice of privacy practices under 45 CFR 164.520, to the extent that such limitations may affect our use or disclosure of PHI.
4.2 You agree to notify us of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect our use or disclosure of PHI.
6. Term and Termination
6.1 Term: The Term of this Agreement shall be effective as of the date that the parties first exchanged PHI, and shall continue in perpetuity until either party terminates the agreement.
8. Miscellaneous
8.1 Amendment: If any of the regulations promulgated under HIPAA are amended or interpreted in a manner that renders this Agreement inconsistent therewith, the parties shall amend this Agreement to the extent necessary to comply with such amendments or interpretations.
8.2 Interpretation: Any ambiguity in this Agreement shall be resolved to permit the parties to comply with HIPAA.
8.3 Conflicting Terms: In the event that any terms of this Agreement conflict with any terms of the TOS Agreement, the terms of this Agreement shall govern and control.
8.4 Severability: The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.