Business Associate Agreement

HIPAA BAA Template

BUSINESS ASSOCIATE AGREEMENT

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

1. Definitions

"Business Associate" refers to Layera. "Covered Entity" refers to the healthcare organization using the Platform. "Protected Health Information" (PHI) has the meaning set forth in 45 CFR 160.103. All other capitalized terms have the meanings assigned to them under HIPAA.

2. Obligations of Business Associate

Business Associate shall:

  • Not use or disclose PHI other than as permitted by this Agreement or as required by law
  • Implement administrative, physical, and technical safeguards to protect ePHI per 45 CFR 164.308, 164.310, and 164.312
  • Report any Security Incident or Breach of unsecured PHI to Covered Entity within 5 business days of discovery
  • Ensure any subcontractors agree to the same restrictions and conditions that apply to Business Associate
  • Make available PHI to Covered Entity to satisfy obligations under 45 CFR 164.524 (individual access rights)
  • Maintain audit logs of all PHI access for a minimum of 6 years
  • Use AES-256 encryption for PHI at rest and TLS 1.2+ for PHI in transit
  • Implement automatic session termination after 15 minutes of inactivity

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI solely for the purpose of performing compliance management services as described in the service agreement, and as required by law. Business Associate shall not use PHI for marketing, research, or any purpose not directly related to the services provided.

4. Term and Termination

This Agreement shall remain in effect for the duration of the service relationship. Upon termination, Business Associate shall return or destroy all PHI within 60 days and certify destruction in writing. If return or destruction is infeasible, protections shall be extended to the PHI and uses limited to those purposes making return or destruction infeasible.

5. Breach Notification

Business Associate shall notify Covered Entity of any Breach of unsecured PHI within 5 business days of discovery. Notification shall include: identification of individuals affected, a description of the types of information involved, recommended steps individuals should take, a description of what Business Associate is doing to investigate and mitigate the breach, and contact procedures.

6. Miscellaneous

This Agreement shall be governed by federal HIPAA regulations and applicable state law. In the event of conflict between this Agreement and the service agreement, the terms of this Agreement shall prevail with respect to PHI. The Parties agree that any ambiguity shall be resolved in favor of a meaning that complies with HIPAA.

BUSINESS ASSOCIATE (Layera)

Signature: _________________________
Name: _________________________
Title: _________________________
Date: _________________________

COVERED ENTITY

Signature: _________________________
Name: _________________________
Title: _________________________
Date: _________________________