Business Associate Agreement

Last Updated: May 13, 2025

This Business Associate Agreement (“Agreement”) is entered into by and between the Covered Entity (“you,” “your,” or “Covered Entity”) and CareNotes L.L.C. (“CareNotes,” “we,” “us,” or “Business Associate”) and is effective as of the date you accept our Terms of Service. This Agreement governs the handling of Protected Health Information (“PHI”) in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations.

1. Definitions

  • Business Associate: CareNotes L.L.C., which performs functions or activities involving PHI on behalf of the Covered Entity.
  • Covered Entity: The healthcare provider using CareNotes who is subject to HIPAA regulations.
  • PHI (Protected Health Information): Individually identifiable health information maintained or transmitted in any form.
  • All other capitalized terms not otherwise defined herein have the meanings set forth in HIPAA.

2. Permitted Uses & Disclosures

CareNotes may use or disclose PHI:

  • To provide services as described in our Terms of Service;
  • For our internal operations related to performance, security, and compliance;
  • As required by law or regulation;
  • To de-identify PHI in accordance with 45 CFR § 164.514(b).

CareNotes will not use or disclose PHI in a manner inconsistent with HIPAA or the terms of this Agreement.

3. Safeguards

CareNotes shall:

  • Implement appropriate administrative, physical, and technical safeguards as required under 45 CFR §§ 164.308, 164.310, and 164.312;
  • Maintain policies to protect the confidentiality, integrity, and availability of ePHI;
  • Apply encryption and access controls to protect PHI stored in our systems.

4. Breach Notification

CareNotes will:

  • Report to the Covered Entity any use or disclosure of PHI not permitted under this Agreement;
  • Notify the Covered Entity of a breach of unsecured PHI without unreasonable delay and in no event later than 60 calendar days after discovery;
  • Include in such notice the identity of affected individuals and other information required under 45 CFR § 164.410.

5. Subcontractors & Agents

CareNotes will:

  • Ensure that any subcontractor who creates, receives, maintains, or transmits PHI on behalf of CareNotes agrees in writing to comply with the same restrictions and conditions set forth in this Agreement;
  • Maintain records of such arrangements upon request by the Covered Entity.

6. Individual Rights

CareNotes will assist the Covered Entity in fulfilling its HIPAA obligations by:

  • Providing access to PHI within 30 days of a request by the Covered Entity (45 CFR § 164.524);
  • Making PHI available for amendment as required (45 CFR § 164.526);
  • Providing an accounting of disclosures if requested (45 CFR § 164.528).

7. Return or Destruction of PHI

Upon termination of the Covered Entity’s use of CareNotes, CareNotes shall:

  • Return or securely destroy all PHI received from or created on behalf of the Covered Entity, if feasible; or
  • If return or destruction is not feasible, continue to safeguard the PHI and limit further uses and disclosures.

8. Term & Termination

This Agreement remains in effect:

  • For as long as CareNotes retains PHI received from the Covered Entity; or
  • Until terminated by either party for material breach, upon 30 days’ written notice with an opportunity to cure.

9. No Warranty

CareNotes provides the platform and services “as-is” and makes no warranties or guarantees except as required by law.

10. Governing Law

This Agreement shall be governed by the laws of the United States and applicable federal HIPAA regulations, without regard to conflict-of-law principles.

11. Incorporation into Terms of Service

This BAA is incorporated by reference into the CareNotes Terms of Service, which governs your use of the platform. By accepting the Terms of Service, you agree to be bound by the terms of this Business Associate Agreement.

12. Contact Information

If you have questions about this Agreement or PHI practices, please reach us at:
Email: info@cnotes.ai