BUSINESS ASSOCIATE AGREEMENT (BAA)

Effective Date: March 17, 2026

Business Associate:

InvisaClaim LLC, a Florida limited liability company

1200 N Federal Hwy, Suite 300

Boca Raton, FL 33432

(collectively, the “Parties”).

Recitals

WHEREAS, Covered Entity is a “Covered Entity” as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), and the regulations promulgated thereunder (collectively, the “HIPAA Rules”);

WHEREAS, Business Associate provides AI-powered healthcare revenue cycle management services (including denial analysis, appeal generation, claims workflow automation, predictive analytics, and related tools) to Covered Entity pursuant to one or more separate agreements (the “Underlying Agreement(s)”);

WHEREAS, in performing these services, Business Associate will create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity;

WHEREAS, the Parties intend for this BAA to satisfy the business associate contract requirements of 45 CFR §§ 164.502(e) and 164.504(e) and to protect the privacy and security of PHI in accordance with the HIPAA Rules;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties agree as follows:

1. Definitions

All capitalized terms not otherwise defined have the meanings given in the HIPAA Rules (45 CFR Parts 160 and 164). Additional definitions:

“Services” means the AI-powered revenue cycle automation platform described in the Underlying Agreement(s).

“Subcontractor” includes any agent, vendor, or third party (including cloud/AI infrastructure providers) that creates, receives, maintains, or transmits PHI on behalf of Business Associate.

“De-Identified Data” means information that meets the de-identification standards in 45 CFR § 164.514(b).

“Electronic PHI” or “ePHI” has the meaning in 45 CFR § 160.103.

2. Scope and Permitted Uses and Disclosures of PHI

  • 2.1 Business Associate may use and disclose PHI solely to perform the Services for Covered Entity, including AI processing for denial analysis, appeal generation, workflow automation, and analytics.

  • 2.2 Business Associate may use PHI for its proper management, administration, and legal responsibilities, provided any disclosure is required by law or the recipient provides written assurances of confidentiality equivalent to this BAA.

  • 2.3 Business Associate may use De-Identified Data (derived from PHI) for its internal purposes, including training, refining, and improving its AI models and Services. Business Associate shall not use identifiable PHI for model training, public AI development, marketing, or any purpose not expressly permitted herein.

  • 2.4 Business Associate shall limit all uses and disclosures to the minimum necessary amount of PHI (or a limited data set where practicable) and shall apply data minimization principles.

  • 2.5 Business Associate shall not sell PHI, use PHI for marketing, or disclose PHI in violation of the HIPAA Rules or this BAA.

3. Obligations of Business Associate

Business Associate agrees to:

  • 3.1 Safeguards

Implement and maintain administrative, physical, and technical safeguards (including encryption at rest and in transit, access controls, audit logging, multi-factor authentication, and vulnerability management) that meet or exceed the HIPAA Security Rule (45 CFR Part 164, Subpart C) and any applicable 2026 updates. Business Associate shall conduct regular risk analyses and attest annually to Covered Entity (upon request) that required technical safeguards are in place.

  • 3.2 Reporting

Report to Covered Entity without unreasonable delay and no later than five (5) business days after discovery: (a) any use or disclosure of PHI not permitted by this BAA; (b) any Security Incident; or (c) any Breach of Unsecured PHI. Reports shall include the nature, date, affected individuals (to the extent known), and mitigation steps.

  • 3.3 Subcontractors

Ensure every Subcontractor that may access PHI enters into a written BAA containing terms no less protective than this BAA. Business Associate remains fully liable for acts or omissions of its Subcontractors. A current list of material Subcontractors (e.g., AWS, Azure, or AI model providers) is available upon request.

  • 3.4 Individual Rights

  • Access: Make PHI in a Designated Record Set available to Covered Entity or the Individual within ten (10) business days of request.

  • Amendment: Incorporate any amendments to PHI as directed by Covered Entity within ten (10) business days.

  • Accounting of Disclosures: Maintain and provide information for an accounting of disclosures within ten (10) business days.

  • Breach Notification Assistance: Cooperate with Covered Entity to provide individual notices if required.

  • 3.5 Minimum Necessary & Data Aggregation

Use or disclose only the minimum necessary PHI; Business Associate may perform data aggregation for Health Care Operations if requested.

  • 3.6 Books and Records

Make its internal practices, books, and records relating to PHI available to Covered Entity or the Secretary of HHS upon request for compliance purposes.

  • 3.7 No Unauthorized Uses

Not use or disclose PHI in any manner that would violate the Privacy Rule if done by Covered Entity.

4. Obligations of Covered Entity

  • 4.1 Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI that may affect Business Associate’s performance.

  • 4.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate the HIPAA Rules.

  • 4.3 Covered Entity represents that it has obtained all necessary authorizations or consents for the PHI provided to Business Associate.

5. Term and Termination

5.1 Term: This BAA commences on the Effective Date and continues until the Underlying Agreement(s) terminate, unless earlier terminated.

5.2 Termination:

  • Either Party may terminate immediately upon written notice if the other Party materially breaches and fails to cure within thirty (30) days.

  • Covered Entity may terminate if Business Associate violates any material term of this BAA.

5.3 Post-Termination Obligations

Upon termination or expiration for any reason:

  • Covered Entity shall have thirty (30) days to export all PHI via the Services.

  • Business Associate shall retain PHI for a maximum of thirty (30) days solely to permit export and support transition.

  • After thirty (30) days, Business Associate shall permanently delete or destroy all PHI (including backups) and certify destruction in writing. If return or destruction is not feasible, Business Associate shall continue to protect the PHI and not use or disclose it except as required by law.

  • All obligations under this BAA survive termination with respect to any retained PHI until destruction is complete.

6. Breach Notification and Mitigation

Business Associate shall mitigate, to the extent practicable, any harmful effects of any unauthorized use or disclosure. Business Associate shall assist Covered Entity with any required notifications to individuals, HHS, or the media at Covered Entity’s direction and expense (except where the Breach is caused solely by Business Associate’s negligence or willful misconduct).

7. Security Rule Compliance (2026 Standards)

Business Associate shall comply with all mandatory technical, administrative, and physical safeguards under the HIPAA Security Rule, including any 2026 updates regarding standardized cybersecurity controls. Business Associate shall provide Covered Entity, upon reasonable request, written verification of compliance with these safeguards.

8. Insurance

Business Associate shall maintain, at its own expense, cyber liability and privacy breach insurance with limits of at least $5,000,000 per occurrence and $10,000,000 annual aggregate. Certificates of insurance shall be provided upon request.

9. Indemnification

Business Associate shall indemnify, defend, and hold harmless Covered Entity, its officers, directors, employees, and agents from any claims, liabilities, damages, costs (including reasonable attorneys’ fees), or penalties arising from Business Associate’s breach of this BAA, violation of the HIPAA Rules, or negligent acts/omissions related to PHI (to the extent permitted by law and subject to the liability limitations in the Underlying Agreement(s)).

10. Miscellaneous

  • 10.1 Governing Law: This BAA is governed by the laws of the State of Florida. Disputes shall be resolved through binding arbitration in Boca Raton, Florida, under AAA Commercial Rules, consistent with the Underlying Agreement(s).

  • 10.2 Entire Agreement: This BAA, together with the Underlying Agreement(s) and any executed amendments, constitutes the entire agreement regarding PHI.

  • 10.3 Amendment: This BAA may be amended only in writing signed by both Parties or as required to comply with changes in the HIPAA Rules.

  • 10.4 Severability: Invalid provisions shall be severed; the remainder remains enforceable.

  • 10.5 Survival: Sections 3, 5.3, 6, 8, 9, and 10 survive termination.

  • 10.6 No Third-Party Beneficiaries: This BAA is solely for the benefit of the Parties.

  • 10.7 Notices: All notices shall be in writing and sent to the addresses above (or as updated in writing).