Business Associate Agreement
This Business Associate Agreement ("BAA") is entered into between you (the "Covered Entity") and ProsthoAI ("Business Associate") and governs the handling of Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and all implementing regulations including 45 C.F.R. Parts 160 and 164.
1. Definitions
Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Rules. "PHI" means Protected Health Information limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
2. Permitted Uses and Disclosures
- Business Associate may use and disclose PHI only as necessary to perform the services set forth in the underlying Service Agreement (the ProsthoAI clinical decision-support platform).
- Business Associate may use PHI for its proper management and administration, and to carry out its legal responsibilities.
- Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity.
3. Safeguards
Business Associate shall implement administrative, physical, and technical safeguards consistent with 45 C.F.R. §164.312 to ensure the confidentiality, integrity, and availability of PHI. These safeguards include, at minimum:
- Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
- Append-only audit logging of every read, write, export, and access event on patient data and clinical artifacts
- Role-based access controls; clinician records are isolated per authenticated user
- Routine access review and revocation; minimum-necessary access by design
4. Reporting of Use or Disclosure Not Provided For
Business Associate shall report to Covered Entity, without unreasonable delay and in no event later than ten (10) business days after discovery, any use or disclosure of PHI not provided for by this BAA, including breaches of unsecured PHI as required by 45 C.F.R. §164.410.
5. Subcontractors
In accordance with 45 C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate.
6. Access, Amendment, and Accounting
- Business Associate shall make PHI available to Covered Entity as necessary to satisfy obligations under 45 C.F.R. §164.524.
- Business Associate shall make amendments to PHI available pursuant to 45 C.F.R. §164.526.
- Business Associate shall make available the information required to provide an accounting of disclosures as required by 45 C.F.R. §164.528. ProsthoAI's audit-log system supports this requirement.
7. Term and Termination
This BAA shall be effective as of the date you accept it via the signup flow and shall remain in effect until terminated by either party. Upon termination, Business Associate shall return or destroy all PHI received from or created on behalf of Covered Entity, except where return or destruction is infeasible as permitted under 45 C.F.R. §164.504(e)(2)(ii)(J).
8. Limitations on Clinical Use
ProsthoAI provides clinical decision support only. ProsthoAI is not a substitute for the independent professional judgment of a licensed clinician. The treating clinician retains sole responsibility for all diagnostic and treatment decisions. AI-generated content must be reviewed by the clinician before being relied upon for patient care.
9. Governing Law
This BAA shall be governed by and construed in accordance with the laws of the State of Florida and applicable federal law. Acceptance of this BAA is recorded with a timestamp, IP address, and version identifier on the user's account record.
Patent Pending · US Application 64/062,147. Designed by Dr. Ronik Seecharan DMD, Prosthodontist, Boca Raton, Florida.