Business Associate Agreement

Kindhabitlabs Inc.

Effective as of the date of Covered Entity’s acceptance

This Business Associate Agreement (“Agreement”) is entered into by and between Kindhabitlabs Inc., a Utah corporation (“Business Associate”), and the healthcare provider, health plan, or other covered entity that accepts this Agreement by clicking “Agree” or otherwise indicating acceptance through the Roomi platform (“Covered Entity”).

This Agreement supplements and is incorporated into the Master Services Agreement between Business Associate and Covered Entity (the “Underlying Services Agreement”). By accepting the Underlying Services Agreement, Covered Entity also accepts the terms of this Business Associate Agreement.

Article 1: Definitions

1.1 General Definitions. Terms used but not otherwise defined in this Agreement shall have the meanings ascribed to them in 45 CFR Parts 160 and 164 (the “HIPAA Regulations”).

1.2 Specific Definitions.

(a) “Business Associate” means Kindhabitlabs Inc., a Utah corporation, which provides facility management software services through the Roomi application.

(b) “Covered Entity” means the healthcare provider, health plan, or other entity subject to the HIPAA Privacy, Security, and Breach Notification Rules that accepts this Agreement through the Roomi platform.

(c) “Protected Health Information” or “PHI” means individually identifiable health information that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, in any form or medium (electronic, paper, or oral), as defined in 45 CFR §160.103.

(d) “Electronic Protected Health Information” or “ePHI” means PHI that is created, received, maintained, or transmitted in electronic form, as defined in 45 CFR §160.103.

(e) “Services” means the facility management services provided by Business Associate to Covered Entity through the Roomi application, including but not limited to: resident management, daily check-ins, curfew tracking, staff communications, reporting, and related administrative functions.

(f) “Underlying Services Agreement” means the Master Services Agreement between Business Associate and Covered Entity that governs the provision of the Services. This Agreement supplements and is incorporated into the Underlying Services Agreement.

Article 2: Permitted and Required Uses and Disclosures

2.1 Permitted Uses and Disclosures by Business Associate.

(a) General Use and Disclosure Provisions. Business Associate may use or disclose PHI only as permitted or required by this Agreement, as required by law, or as otherwise authorized in writing by Covered Entity. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the HIPAA Regulations if so used or disclosed by Covered Entity.

(b) Specific Permitted Uses and Disclosures. Business Associate may use and disclose PHI as follows:

  • (i) To Perform Services. Business Associate may use and disclose PHI to perform the Services for or on behalf of Covered Entity as specified in the Underlying Services Agreement, provided such use or disclosure would not violate the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) if done by Covered Entity.

  • (ii) For Business Associate’s Management and Administration. Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided that such use is necessary for Business Associate’s proper management and administration, and Business Associate has policies and procedures in place to protect the PHI.

  • (iii) For Data Aggregation Services. Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B), including aggregating and analyzing PHI to provide reports, analytics, and benchmarking data to Covered Entity.

  • (iv) For De-Identification. Business Associate may use PHI to create de-identified information in accordance with 45 CFR §164.514(a)-(c), provided that Business Associate does not use or disclose the code or other means of record identification for any other purpose and does not disclose such mechanism, except as necessary for re-identification by Business Associate.

(c) Disclosure to Third Parties. Business Associate may disclose PHI for Business Associate’s proper management and administration or to carry out its legal responsibilities, provided that:

  • The disclosure is required by law; or

  • Business Associate obtains reasonable assurances from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to such person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.

2.2 Prohibition on Unauthorized Use or Disclosure. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law. Specifically, Business Associate shall not:

  • (a) Use or disclose PHI for marketing purposes, as defined in 45 CFR §164.501, unless Business Associate obtains an authorization that complies with 45 CFR §164.508;

  • (b) Disclose PHI to a health plan for payment or health care operations purposes if the individual has requested such restriction and has paid out of pocket in full for the health care item or service, as required by 45 CFR §164.522(a)(1)(vi);

  • (c) Sell PHI, as defined in 45 CFR §164.502(a)(5)(ii), unless specifically authorized in writing by Covered Entity and the individual pursuant to 45 CFR §164.508; or

  • (d) Use or disclose genetic information for underwriting purposes, as prohibited by 45 CFR §164.502(a)(5)(i).

Article 3: Obligations of Business Associate

3.1 Safeguards. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. Business Associate shall comply with Subpart C of 45 CFR Part 164 (the Security Rule) with respect to ePHI to prevent use or disclosure of such information other than as provided for by this Agreement.

3.2 Minimum Necessary. Business Associate shall make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR §164.502(b) and §164.514(d), except when disclosure is: (a) for treatment purposes; (b) to the individual; or (c) pursuant to an authorization.

3.3 Reporting.

(a) Security Incidents. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, and any Security Incident of which Business Associate becomes aware. Such reports shall be made without unreasonable delay and in no case later than ten (10) calendar days after discovery. For purposes of this Section, the parties acknowledge that this provision constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents, such as pings, port scans, unsuccessful log-on attempts, denials of service, and interception of encrypted information, for which no additional notice to Covered Entity shall be required.

(b) Breaches of Unsecured PHI. Business Associate shall report to Covered Entity any Breach of Unsecured PHI, as defined in 45 CFR §164.402, of which Business Associate becomes aware. Such report shall be made without unreasonable delay and in no case later than ten (10) calendar days after discovery. Business Associate’s report shall include, to the extent available:

  • Identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;

  • A brief description of what happened, including the date of the Breach and the date of discovery;

  • A description of the types of Unsecured PHI involved in the Breach (e.g., full name, Social Security number, date of birth, address, account number);

  • Any steps individuals should take to protect themselves from potential harm;

  • A brief description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against future breaches; and

  • Contact information for individuals to ask questions or obtain additional information.

Business Associate shall cooperate with Covered Entity in Covered Entity’s investigation of the Breach and any resulting notifications to individuals, the Secretary of Health and Human Services, or the media, as required by 45 CFR §164.404-§164.408.

3.4 Subcontractors and Agents. Business Associate shall ensure that any subcontractors or agents to whom it provides PHI received from, or created or received by Business Associate on behalf of, Covered Entity agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI, in accordance with 45 CFR §164.504(e)(2) and §164.308(b). Business Associate shall implement and maintain sanctions against subcontractors and agents that violate such restrictions and conditions and shall mitigate the effects of any such violation. Business Associate shall ensure subcontractors comply with the applicable requirements of 45 CFR Part 164, Subpart C (the Security Rule) with respect to ePHI.

3.5 Access to PHI. Business Associate shall make available to Covered Entity or, as directed by Covered Entity, to an individual, PHI in a Designated Record Set maintained by Business Associate, to the extent necessary to satisfy Covered Entity’s obligations under 45 CFR §164.524 (right of access). Business Associate shall provide such access within ten (10) business days of receipt of a request from Covered Entity or as otherwise required to enable Covered Entity to meet its obligations under the HIPAA Regulations.

3.6 Amendment of PHI. Business Associate shall make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set maintained by Business Associate, to the extent necessary to satisfy Covered Entity’s obligations under 45 CFR §164.526 (right to amend). Business Associate shall make such amendment within ten (10) business days of receipt of a request from Covered Entity or as otherwise required to enable Covered Entity to meet its obligations under the HIPAA Regulations.

3.7 Accounting of Disclosures. Business Associate shall document and make available to Covered Entity or, as directed by Covered Entity, to an individual, information required to provide an accounting of disclosures, to the extent necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528 (accounting of disclosures). Business Associate shall provide such information within ten (10) business days of receipt of a request from Covered Entity or as otherwise required to enable Covered Entity to meet its obligations under the HIPAA Regulations.

(a) Disclosures Subject to Accounting. Business Associate shall document the following information for each disclosure:

  • Date of disclosure;

  • Name and address of the entity or person who received the PHI (if known);

  • Brief description of the PHI disclosed; and

  • Brief statement of the purpose of the disclosure.

(b) Retention Period. Business Associate shall retain the information required for accounting of disclosures for six (6) years from the date of the disclosure or the date the Agreement terminates, whichever is later.

3.8 Compliance with HIPAA. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164 (the Privacy Rule), Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.

3.9 Books and Records; Audits. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Regulations. Business Associate shall also make such information available to Covered Entity upon reasonable request, with at least ten (10) business days’ notice, to enable Covered Entity to determine Business Associate’s compliance with this Agreement. Such access shall be provided during Business Associate’s normal business hours at Business Associate’s facilities, or through secure electronic means.

3.10 Policies and Procedures; Workforce Training. Business Associate shall maintain and comply with written policies and procedures governing the use, disclosure, and security of PHI, and shall provide regular training to its workforce members who have access to PHI.

3.11 Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement or the HIPAA Regulations.

Article 4: Obligations of Covered Entity

4.1 Permitted Uses and Disclosures. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if done by Covered Entity, except as provided in Section 2.1(b) and (c) (Business Associate’s own management and administration).

4.2 Notice of Privacy Practices. Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices and shall notify Business Associate of any changes or restrictions to which Covered Entity has agreed pursuant to 45 CFR §164.522, to the extent that such changes or restrictions may affect Business Associate’s use or disclosure of PHI.

4.3 Authorization and Consent. Covered Entity shall obtain any authorizations, consents, or permissions that may be required by the HIPAA Regulations prior to furnishing PHI to Business Associate for Business Associate’s use or disclosure.

4.4 Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if done by Covered Entity.

Article 5: Term and Termination

5.1 Term. The term of this Agreement shall be effective as of the date of Covered Entity’s acceptance (the “Effective Date”) and shall continue in full force and effect until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy such PHI, the protections of this Agreement are extended to such information, in accordance with Section 5.3.

5.2 Termination for Cause.

(a) Breach by Business Associate. Covered Entity may terminate this Agreement and the Underlying Services Agreement upon thirty (30) days’ written notice to Business Associate if Covered Entity determines that Business Associate has breached a material term of this Agreement and Business Associate has not cured the breach or ended the violation within the thirty (30) day notice period.

(b) Breach by Covered Entity. Business Associate may terminate this Agreement and the Underlying Services Agreement upon thirty (30) days’ written notice to Covered Entity if Business Associate determines that Covered Entity has breached a material term of this Agreement and Covered Entity has not cured the breach within the thirty (30) day notice period.

(c) Immediate Termination. Either party may terminate this Agreement immediately upon written notice if:

  • The other party has committed a material, uncurable breach of this Agreement;

  • The other party becomes subject to a bankruptcy proceeding;

  • The other party’s license or certification to operate (if applicable) is revoked or suspended; or

  • Required by law or by the Secretary of Health and Human Services.

5.3 Effect of Termination; Return or Destruction of PHI.

(a) Return or Destruction. Upon termination of this Agreement for any reason, Business Associate shall:

  • Return to Covered Entity, or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form;

  • Retain no copies of such PHI; and

  • Require any subcontractors or agents to whom Business Associate has disclosed PHI to return or destroy all PHI in accordance with this Section.

(b) Timeline. Business Associate shall return or destroy PHI within ninety (90) days of termination of this Agreement unless a shorter period is required by law or requested by Covered Entity.

(c) Deletion from Production Systems. Business Associate shall delete all PHI from production databases and operational systems in accordance with this Section.

(d) Infeasibility of Return or Destruction. If Business Associate determines that return or destruction of PHI is infeasible, Business Associate shall:

  • Notify Covered Entity in writing of the conditions that make return or destruction infeasible;

  • Extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible; and

  • Return or destroy such PHI when return or destruction becomes feasible.

(e) Archival Retention and Disaster Recovery Systems. Business Associate maintains secure, encrypted archival storage of clinical PHI (including check-ins, journals, assessments, and related documentation) separate from its production systems and disaster recovery backups. Upon termination of this Agreement:

  • (i) Business Associate shall make all PHI available for export for ninety (90) days following termination. Upon expiration of the ninety (90) day export period, Business Associate shall remove all PHI from production databases and active operational systems;

  • (ii) Notwithstanding subsection (i), Business Associate shall retain clinical PHI in secure, encrypted archival storage for a period of seven (7) years following the date of last clinical activity, in order to support Covered Entity’s audit, investigation, and legal proceeding needs, and to assist Covered Entity in meeting its own recordkeeping obligations under 45 CFR Part 164 and applicable state law. The parties agree this archival retention is necessary because immediate destruction of PHI would be infeasible given Covered Entity’s ongoing recordkeeping and legal obligations, and accordingly the protections of this Agreement shall extend to such archived PHI in accordance with Section 5.3(d);

  • (iii) Archived PHI retained under this subsection remains logically segregated, encrypted at rest and in transit, and accessible only to authorized personnel. Business Associate will access or restore archived PHI only: (a) at Covered Entity’s written request to support an audit, investigation, or legal proceeding; (b) as required by law; or (c) as necessary for Business Associate’s own legal defense in a matter arising from the Services;

  • (iv) Separately, Business Associate maintains encrypted disaster recovery backups of ePHI on a rolling daily/weekly/monthly schedule with a retention period of seven (7) years for business continuity purposes. Business Associate will not restore or access ePHI from disaster recovery backups except for disaster recovery purposes or as required by law;

  • (v) All archived PHI and backup media will be securely destroyed upon expiration of the applicable seven (7) year retention period.

Covered Entity acknowledges and agrees to this archival and backup retention practice by accepting this Agreement.

5.4 Survival. The obligations of Business Associate under Section 5.3 and the obligations of confidentiality under this Agreement shall survive the termination of this Agreement.

Article 6: Indemnification and Liability

6.1 Indemnification by Business Associate. Business Associate shall indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, agents, and affiliates from and against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of or resulting from:

  • (a) Any breach by Business Associate of this Agreement;

  • (b) Any use or disclosure of PHI by Business Associate, its subcontractors, or agents in violation of this Agreement or the HIPAA Regulations;

  • (c) Any Security Incident or Breach of Unsecured PHI caused by Business Associate, its subcontractors, or agents; or

  • (d) Any failure by Business Associate to comply with the HIPAA Regulations or applicable state privacy laws.

6.2 Limitation of Liability. Except for Business Associate’s obligations under Section 6.1 (Indemnification), and except for breaches of confidentiality, violations of the HIPAA Regulations, or willful misconduct or gross negligence, neither party’s liability under this Agreement shall exceed the fees paid by Covered Entity to Business Associate under the Underlying Services Agreement in the twelve (12) months preceding the claim.

6.3 Regulatory Penalties. Each party shall be responsible for any civil or criminal penalties assessed against it individually by the Secretary of Health and Human Services or other governmental authority for violations of the HIPAA Regulations. Business Associate acknowledges that it may be subject to civil and criminal penalties under HIPAA for violations of the HIPAA Regulations, including penalties as adjusted annually by the Secretary of Health and Human Services.

Article 7: General Provisions

7.1 Regulatory Changes. The parties acknowledge that the HIPAA Regulations may be amended from time to time and agree that this Agreement shall be amended as necessary to comply with any such changes. Business Associate shall notify Covered Entity within thirty (30) days if it becomes aware of any changes to the HIPAA Regulations that require amendments to this Agreement. The parties agree to negotiate in good faith to incorporate such amendments.

7.2 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Regulations. This Agreement shall be interpreted in a manner consistent with the HIPAA Regulations and applicable guidance issued by the Secretary of Health and Human Services.

7.3 No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

7.4 Relationship of the Parties. The parties are independent contractors. Nothing in this Agreement shall be construed to create a partnership, joint venture, agency, or employment relationship between the parties. Neither party has the authority to bind the other party or to assume or create any obligation on behalf of the other party.

7.5 Notices. All notices required or permitted under this Agreement shall be in writing and shall be deemed given when sent by confirmed electronic mail.

Notices to Covered Entity shall be sent to the email address associated with Covered Entity’s Roomi account.

Notices to Business Associate shall be sent to:

Kindhabitlabs Inc. Attn: Legal Department 7533 S Center View Ct Ste 210, West Jordan, UT 84084 Email: legal@kindhabitlabs.com

7.6 Amendments. Kindhabitlabs may update or modify this Agreement at any time by posting a revised version on its website or within the Roomi platform and providing Covered Entity with at least thirty (30) days’ written notice (via email or in-app notification) before the changes take effect. Covered Entity’s continued use of the Roomi platform after the effective date of any modification constitutes acceptance of the updated terms. If Covered Entity does not agree to the modified terms, Covered Entity may terminate this Agreement in accordance with Section 5.2 before the changes take effect. Notwithstanding the foregoing, amendments required by changes to the HIPAA Regulations shall take effect as required by law regardless of notice period.

7.7 Waiver. The waiver by either party of any breach or violation of any provision of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or other provision hereof.

7.8 Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable.

7.9 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Utah, without regard to its conflict of laws principles. However, the parties acknowledge that the HIPAA Regulations are federal law and shall supersede any conflicting state law provisions.

7.10 Entire Agreement. This Agreement, together with the Underlying Services Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, whether written or oral, relating to such subject matter. In the event of any conflict between the terms of this Agreement and the Underlying Services Agreement, the terms of this Agreement shall control with respect to the use and disclosure of PHI.

7.11 Electronic Acceptance. By clicking “Agree” or otherwise indicating acceptance through the Roomi platform, Covered Entity acknowledges that: (a) the individual accepting has the authority to bind the Covered Entity organization; (b) Covered Entity has read, understood, and agrees to be bound by this Agreement; and (c) this electronic acceptance constitutes a legally binding agreement with the same force and effect as a handwritten signature.