This Business Associate Agreement ("Agreement") is entered into between BookLine AI, LLC ("Business Associate") and the Covered Entity identified in the Order Form or signature block below ("Covered Entity"), and supplements the BookLine AI Terms of Service. Capitalized terms not defined herein have the meanings assigned in the HIPAA Rules at 45 CFR Parts 160 and 164.
1. Definitions
For purposes of this Agreement:
- "Breach" has the meaning assigned in 45 CFR § 164.402.
- "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
- "Individual" means the person who is the subject of Protected Health Information.
- "Protected Health Information" or "PHI" has the meaning assigned in 45 CFR § 160.103, limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
- "Required by Law" has the meaning assigned in 45 CFR § 164.103.
- "Subcontractor" has the meaning assigned in 45 CFR § 160.103.
- "Services" means the AI voice answering, transcription, scheduling integration, recording storage, and related services provided by BookLine AI under the Terms of Service.
2. Permitted Uses and Disclosures of PHI
(a) Business Associate may use and disclose PHI only as necessary to perform the Services for Covered Entity and as permitted or required by this Agreement and the HIPAA Rules.
(b) Business Associate may use PHI for the proper management and administration of Business Associate's own business, and to carry out its legal responsibilities, provided that any disclosures are Required by Law or made pursuant to written assurances from the recipient that the PHI will be held confidentially.
(c) Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
(d) Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted by Section 2(b).
(e) Business Associate shall not use PHI to train artificial-intelligence or machine-learning models without express written authorization from Covered Entity.
(f) Business Associate shall not sell PHI or use it for marketing purposes.
3. Obligations of Business Associate
Business Associate agrees to:
- Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided by this Agreement;
- Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of unsecured PHI as required by 45 CFR § 164.410, without unreasonable delay and no later than sixty (60) calendar days after discovery;
- Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate;
- Make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524, within thirty (30) calendar days of a written request;
- Make any amendment(s) to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR § 164.526;
- Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules;
- Maintain and make available the information required to provide an accounting of disclosures pursuant to 45 CFR § 164.528, for the six (6) years preceding the request;
- To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
4. Obligations of Covered Entity
- Covered Entity shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI;
- Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose PHI;
- Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522;
- Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except where Business Associate will use or disclose PHI for Data Aggregation or management and administration of Business Associate as permitted by Section 2;
- Covered Entity shall enable HIPAA compliance mode in the BookLine AI portal for its business account before transmitting PHI to Business Associate, and shall configure access controls (role assignments, 2FA) consistent with its Privacy Policy.
5. Breach Notification
Upon discovery of a Breach of unsecured PHI, Business Associate shall, without unreasonable delay and no later than sixty (60) calendar days after discovery, notify Covered Entity. Such notice shall include, to the extent possible:
- The identification of each Individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
- A brief description of what happened, the date of the Breach, and the date of discovery;
- A description of the types of unsecured PHI involved;
- Any steps Individuals should take to protect themselves from potential harm;
- A brief description of what Business Associate is doing to investigate the Breach, mitigate harm, and prevent further Breaches.
6. Term and Termination
(a) Term. This Agreement is effective on the date last signed below and continues until terminated as set forth herein.
(b) Termination for Cause. Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall provide a thirty (30) day cure period. If the breach is not cured, Covered Entity may terminate this Agreement and the Services.
(c) Effect of Termination. Upon termination, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity, within ninety (90) days. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
7. Subcontractors and Downstream BAAs
Business Associate uses the following categories of Subcontractors with access to PHI, each bound by a downstream Business Associate Agreement:
- Voice AI processing — Vapi, Inc.
- Telecommunications — Telnyx LLC
- Object storage — Cloudflare, Inc. (R2)
- Email transactional delivery — Resend, Inc. (PHI-bearing emails restricted to portal-link only)
- Cloud hosting — Underlying infrastructure providers operating SOC 2 Type II facilities
Updated subcontractor lists are maintained at booklineai.com/hipaa and Covered Entity will be notified at least thirty (30) days prior to material additions.
8. Miscellaneous
- Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
- Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Survival. The obligations of Business Associate under Section 6(c) shall survive the termination of this Agreement.
- Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
- No Third-Party Beneficiaries. Nothing in this Agreement creates rights in any third party.
- Conflict. In the event of any conflict between this Agreement and any other agreement between the parties, the terms of this Agreement shall control with respect to matters governed by the HIPAA Rules.
Signature Block
Covered Entity
Practice / Business Name
Authorized Signer Name & Title
Signature & Date
Business Associate — BookLine AI, LLC
Authorized Signer Name & Title
Signature & Date
Legal disclaimer. This template reflects BookLine AI's standard BAA terms and is provided for review purposes only. Execution requires a countersigned copy returned by BookLine AI. Your legal counsel should review before signing; we accommodate reasonable redlines. This document is not legal advice.