DeskPilot
HIPAA Compliance — Version 1.0

Business Associate Agreement

Effective Date: May 3, 2026  ·  Required before activating healthcare features

This Business Associate Agreement ("BAA") is entered into between Desk Pilot Technologies, Inc. ("Business Associate" or "DeskPilot") and the covered entity identified below ("Covered Entity"), collectively referred to as the "Parties." This BAA supplements and is incorporated into the DeskPilot Terms of Service.

1. Definitions

Unless otherwise defined in this BAA, all capitalized terms have the meanings set forth in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA"), including the HITECH Act amendments and the HIPAA Omnibus Rule (45 CFR Parts 160 and 164).

  • "PHI" means Protected Health Information as defined under HIPAA.
  • "Services" means the AI receptionist, call management, appointment scheduling, and related services provided by DeskPilot.
  • "Breach" has the meaning set forth in 45 CFR §164.402.

2. Permitted Uses and Disclosures of PHI

DeskPilot may use and disclose PHI received from, or created on behalf of, Covered Entity only as follows:

  1. To perform the Services specified in the DeskPilot Terms of Service, including call answering, appointment booking, and patient communication.
  2. As required by law, including in response to valid legal process.
  3. For DeskPilot's proper management and administration, provided that any such disclosure is required by law or DeskPilot obtains reasonable assurances that the PHI will be held confidentially.
  4. To report violations of law to appropriate federal and state authorities.

DeskPilot shall not use or disclose PHI for any purpose other than those listed above without prior written authorization from Covered Entity.

3. Safeguards

DeskPilot agrees to implement appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI (ePHI), as required by 45 CFR Part 164, Subpart C. Specifically:

  • All call recordings and transcripts containing PHI are encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access to PHI is logged in an append-only audit trail per 45 CFR §164.312(b).
  • PHI access is limited to authorized personnel on a need-to-know basis.
  • Audit logs are retained for a minimum of 6 years.
  • Workforce members with access to PHI receive HIPAA training.

4. Subcontractors

DeskPilot shall ensure that any subcontractor or agent to whom DeskPilot provides PHI agrees to the same restrictions and conditions that apply to DeskPilot under this BAA by entering into a written agreement before disclosing PHI to such subcontractor.

5. Reporting Obligations

Security Incidents: DeskPilot shall report to Covered Entity any Security Incident of which it becomes aware, without unreasonable delay.

Breach Notification: DeskPilot shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach. The notification will include: (a) identification of each individual affected; (b) description of the PHI involved; (c) description of what occurred; (d) steps DeskPilot is taking to mitigate harm and protect against further breach.

6. Individual Rights

DeskPilot agrees to:

  • Provide access to PHI to Covered Entity or the applicable Individual as directed, in the time and manner designated by Covered Entity, to enable Covered Entity to fulfill its obligations under 45 CFR §164.524.
  • Amend PHI or a record about an Individual at the direction of Covered Entity.
  • Document disclosures of PHI and provide such documentation to Covered Entity as needed for accounting of disclosures under 45 CFR §164.528.

7. Covered Entity's Obligations

Covered Entity agrees to:

  • Provide DeskPilot with a copy of its Notice of Privacy Practices in effect.
  • Notify DeskPilot of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by.
  • Not request that DeskPilot use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
  • Obtain any necessary authorizations from patients before disclosing PHI to DeskPilot.

8. Term and Termination

This BAA is effective upon electronic acceptance and shall continue until the DeskPilot Services agreement is terminated or until either party terminates this BAA with 30 days' written notice.

Termination for Cause: Either party may immediately terminate this BAA if it determines that the other party has materially breached the BAA and such breach has not been cured within 30 days of written notice.

Effect of Termination: Upon termination, DeskPilot shall return or destroy all PHI it maintains on behalf of Covered Entity, if feasible. If return or destruction is not feasible, DeskPilot will extend the protections of this BAA indefinitely and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

9. Miscellaneous

This BAA is governed by the laws of the State of Delaware, without regard to its conflict of law principles. Any provision of this BAA that is inconsistent with HIPAA shall be amended to comply with HIPAA. This BAA constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, or agreements relating thereto.

DeskPilot reserves the right to update this BAA when required by changes in law or business practices. Material updates will be communicated via email and will require re-acceptance before continued use of healthcare features.

Sign This Agreement

By completing and submitting this form, you are entering into a legally binding Business Associate Agreement with DeskPilot on behalf of your organization.

Your acceptance is timestamped, recorded with your IP address, and stored securely. BAA Version 1.0 · Effective May 3, 2026