Business Associate Agreement

1. Definitions

Terms used in this BAA shall have the meanings set forth in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HITECH Act, and their implementing regulations, including:

• "Protected Health Information" (PHI) means individually identifiable health information transmitted or maintained in any form or medium.
• "Electronic Protected Health Information" (ePHI) means PHI transmitted or maintained in electronic media.
• "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI.
• "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule.

2. Obligations of Business Associate

The Business Associate agrees to:

• Not use or disclose PHI other than as permitted or required by this BAA or as required by law
• Implement appropriate administrative, physical, and technical safeguards to protect ePHI
• Report to the Covered Entity any use or disclosure of PHI not provided for by this BAA, including any Security Incident or Breach
• Ensure that any subcontractors who create, receive, maintain, or transmit PHI agree to substantially similar restrictions and conditions
• Make PHI available to the Covered Entity to satisfy its obligations under the HIPAA Privacy Rule
• Make its internal practices and records available for audit purposes
• Return or destroy all PHI upon termination of the agreement, where feasible

3. Permitted Uses and Disclosures

The Business Associate may use or disclose PHI only:

• As necessary to perform functions, activities, or services as specified in the main service agreement
• For the proper management and administration of the Business Associate
• To carry out legal responsibilities of the Business Associate
• To provide data aggregation services relating to the healthcare operations of the Covered Entity

4. Security Controls

Trulit implements the following safeguards to protect ePHI:

4.1 Access Controls

• Role-based access control (RBAC) with owner, admin, member, and tester roles
• Multi-factor authentication (MFA) via authenticator applications
• Automatic session timeout after a period of inactivity
• Unique user identification for all platform users

4.2 Audit Controls

• Comprehensive audit logging of user actions, data access, and system events
• Configurable audit log retention policies
• Audit logs include user identity, timestamp, action type, and affected resources

4.3 Transmission Security

• All data encrypted in transit using TLS
• Data at rest encrypted by our cloud infrastructure provider
• Secure encrypted database connections

4.4 Data Integrity

• Row-level security policies for project-level data isolation
• Automated database backups
• Input validation and sanitization

5. Breach Notification

In the event of a Breach of unsecured PHI, the Business Associate shall notify the Covered Entity without unreasonable delay and no later than 60 days after discovery of the Breach. The notification shall include:

• Identification of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed
• A description of the nature of the Breach
• The date of discovery and date of the Breach
• A description of the types of unsecured PHI involved
• Steps individuals should take to protect themselves
• What the Business Associate is doing to investigate, mitigate, and prevent future occurrences

6. Term and Termination

This BAA shall be effective for the duration of the main service agreement. Upon termination, the Business Associate shall return or destroy all PHI received from or created on behalf of the Covered Entity within 90 days. If return or destruction is not feasible, protections under this BAA shall extend to any retained PHI.

7. Minimum Necessary Standard

The Business Associate agrees to use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with the Minimum Necessary Rule under HIPAA.

8. Contact

To request a signed BAA or for questions about HIPAA compliance, contact us at compliance@trulit.com.