Business Associate Agreement

Last Updated: November 26, 2025

This Business Associate Agreement ("BAA") is entered into between Medical Appeals AI LLC ("Business Associate") and the customer executing this agreement ("Covered Entity") and is incorporated into the MedAppeals Terms of Service ("Agreement").

If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control.

1. Definitions

Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.

  • “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
  • "Business Associate" shall have the same meaning as the term "business associate" in 45 CFR § 160.103 of HIPAA, and in this BAA, refers to Medical Appeals AI LLC.
  • “Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103 of HIPAA, and in this BAA, refers to the Customer.
  • “HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
  • “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information.
  • “Protected Health Information” (“PHI”) shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of HIPAA, provided that it is limited to such PHI that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity through the use of the Services.
  • “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information.
  • "Services" means the MedAppeals platform and any related services provided by Business Associate to Covered Entity under the Agreement, which includes but is not limited to document uploading, AI-powered analysis of medical documents, and generation of medical appeal letters.

2. Permitted Uses and Disclosures of Protected Health Information

a. Performance of the Agreement. Except as otherwise limited in this BAA, Business Associate may Use and Disclose PHI for, or on behalf of, Covered Entity as specified in the Agreement, primarily for the purpose of providing the Services; provided that any such Use or Disclosure would not violate HIPAA if done by Covered Entity.

b. Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Business Associate may Use and Disclose PHI for the proper management and administration of Business Associate and/or to carry out its legal responsibilities, provided that any Disclosure may occur only if: (1) Required by Law; or (2) Business Associate obtains written reasonable assurances from the person to whom the PHI is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed, and the person notifies Business Associate of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.

3. Responsibilities of the Parties

a. Business Associate’s Responsibilities. Business Associate agrees to the following:

  1. Limitations on Use and Disclosure. Business Associate shall not Use and/or Disclose PHI other than as permitted or required by the Agreement and/or this BAA or as otherwise Required by Law. Business Associate shall not use PHI for any advertising, marketing, or other commercial purpose not authorized by the Agreement. Business Associate shall not violate the HIPAA prohibition on the sale of PHI.
  2. Safeguards. Business Associate shall use reasonable and appropriate safeguards to prevent the Use and Disclosure of PHI other than as permitted by this BAA and shall comply with the applicable requirements of the HIPAA Security Rule.
  3. Reporting. Business Associate shall report to Covered Entity: (1) any Use and/or Disclosure of PHI that is not permitted by this BAA of which Business Associate becomes aware; (2) any Security Incident of which it becomes aware; and/or (3) any Breach of Unsecured PHI that Business Associate may discover, in accordance with 45 CFR § 164.410. Notification of a Breach will be made without unreasonable delay, but in no event more than seventy-two (72) hours after discovery.
  4. Subcontractors. Business Associate shall require its Subcontractors who create, receive, maintain, or transmit PHI on its behalf to agree in writing to the same or more stringent restrictions and conditions that apply to Business Associate with respect to such PHI.
  5. Disclosure to the Secretary. Business Associate shall make available its internal practices, records, and books relating to the Use and/or Disclosure of PHI to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA.
  6. Access, Amendment, and Accounting. Business Associate shall make PHI available to Covered Entity as necessary for Covered Entity to meet its obligations to provide access, amendment, and an accounting of disclosures in accordance with 45 CFR §§ 164.524, 164.526, and 164.528, respectively.

b. Covered Entity’s Responsibilities.

  1. No Impermissible Requests. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
  2. Safeguards. Covered Entity is responsible for implementing appropriate privacy and security safeguards within its own systems, applications, and software, including managing user access credentials and ensuring PHI is not included in inappropriate data fields when using the Services.

4. Term and Termination

a. Term. This BAA shall continue in effect until the expiration or termination of the Agreement.

b. Termination for Breach. Upon written notice, either Party may terminate the Agreement and this BAA if the other Party is in material breach of any obligation in this BAA. The breaching party may be provided a thirty (30) day period to cure the material breach.

c. Return or Destruction of PHI. Upon termination of this BAA, Business Associate shall return or destroy all PHI in its possession, if feasible. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit any further Use or Disclosure.

5. Miscellaneous

a. Interpretation. The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA.

b. No Third-Party Beneficiaries. Nothing in this BAA is intended to confer any rights, remedies, or obligations upon any person other than the Parties and their respective successors or assigns.

c. Amendments. This BAA may not be modified or amended except in a writing signed by authorized representatives of the Parties.

© 2025 MedAppeals LLC. All rights reserved.