Business Associate Agreement
Between Cymbiose AI and User
Effective Date:
This Business Associate Agreement ("BAA") is entered into by and between Cymbiose AI, a Delaware corporation ("Cymbiose"), and the user, a HIPAA Covered Entity ("Customer").
Recitals
- Cymbiose may access Protected Health Information (PHI) to provide services to or on behalf of the Customer.
- Both parties are committed to complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and its implementing regulations (the "HIPAA Rules").
Definitions
- Business Associate: Cymbiose AI, acting as a Business Associate under HIPAA.
- Covered Entity: A healthcare provider or organization subject to HIPAA.
- Protected Health Information (PHI): Any individually identifiable health information.
- HIPAA Rules: The Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
Obligations of Cymbiose AI
Cymbiose AI shall:
- Not use or disclose PHI except as permitted or required by this BAA or as required by law.
- Implement appropriate safeguards to protect the confidentiality, integrity, and availability of PHI.
- Report to the Customer any unauthorized use or disclosure of PHI, including breaches of unsecured PHI and security incidents.
- Ensure that any subcontractors or agents handling PHI agree to the same restrictions and conditions as Cymbiose AI.
- Make PHI available to the Customer as needed to fulfill its obligations under HIPAA.
- Amend PHI as directed by the Customer.
- Provide an accounting of disclosures to the Customer.
- Comply with HIPAA requirements when carrying out any of the Customer's obligations.
- Comply with the HIPAA Security Rule regarding electronic PHI (ePHI).
Permitted Uses and Disclosures by Cymbiose AI
- Cymbiose may use or disclose PHI only as necessary to perform the services outlined in the Service Agreement and in accordance with this BAA.
- Cymbiose may use or disclose PHI only as required by law.
- Cymbiose will make uses, disclosures, and requests for PHI consistent with the Customer's minimum necessary policies and procedures.
- Cymbiose may not use or disclose PHI in a manner that would violate HIPAA if done by the Covered Entity.
- Cymbiose may use de-identified data to improve its services, but only with the Customer's written consent, which can be revoked at any time.
- Cymbiose will not receive direct or indirect remuneration in exchange for PHI under any circumstances.
Obligations of the Customer
- The Customer shall comply with its obligations under HIPAA.
- The Customer shall notify Cymbiose AI of any limitations in its Notice of Privacy Practices, changes in individual permissions, or restrictions on the use or disclosure of PHI that may affect Cymbiose AI's handling of PHI.
Safeguards, Reporting, Mitigation, and Enforcement
- Cymbiose shall implement administrative, physical, and technical safeguards to protect PHI.
- Cymbiose shall ensure that its agents and subcontractors agree to the same restrictions and conditions regarding PHI.
- Cymbiose shall report any unauthorized use or disclosure of PHI or security incidents to the Customer as soon as practicable.
- Cymbiose shall have procedures in place to mitigate any harmful effects of a breach.
- Cymbiose shall apply appropriate sanctions against any employee, subcontractor, or agent who violates this BAA or HIPAA.
Term and Termination
- This BAA is effective as of the Agreement Effective Date and terminates upon termination of the Service Agreement.
- Upon termination, Cymbiose shall return or destroy all PHI, unless required by law to retain it.
Miscellaneous
- This BAA is governed by Delaware law.
- Any ambiguity shall be interpreted to permit compliance with HIPAA.
- This BAA constitutes the entire agreement between the parties.