Business Associate Agreement

This Business Associate Agreement ("Agreement") is entered into by and between the healthcare practice or entity creating an account on the DenialFixer platform ("Covered Entity") and DenialFixer, LLC, a Tennessee limited liability company ("Business Associate"), collectively referred to as the "Parties."

WHEREAS, Covered Entity is a healthcare provider subject to the Administrative Simplification provisions of HIPAA and the HITECH Act; and

WHEREAS, Business Associate provides medical claim denial analysis, appeal letter generation, and appeal submission services that require access to Protected Health Information; and

WHEREAS, the Parties intend to comply with the requirements of HIPAA, the HITECH Act, and all applicable regulations promulgated thereunder, including but not limited to 45 CFR Parts 160 and 164;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Definitions

Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164). The following definitions apply to this Agreement:

• "Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the Protected Health Information, as defined in 45 CFR § 164.402.
• "Business Associate" means DenialFixer, LLC, which creates, receives, maintains, or transmits Protected Health Information on behalf of the Covered Entity in connection with the Services described herein.
• "Covered Entity" means the healthcare practice, provider, or entity that enters into this Agreement by creating a DenialFixer account and that is subject to HIPAA as a covered entity under 45 CFR § 160.103.
• "Designated Record Set" means a group of records maintained by or for a covered entity as defined in 45 CFR § 164.501.
• "Electronic Protected Health Information" ("ePHI") means Protected Health Information that is transmitted or maintained in electronic media, as defined in 45 CFR § 160.103.
• "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended by the HITECH Act.
• "Individual" means the person who is the subject of Protected Health Information, and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
• "Protected Health Information" ("PHI") means individually identifiable health information as defined in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
• "Required by Law" has the meaning given in 45 CFR § 164.103.
• "Secretary" means the Secretary of the United States Department of Health and Human Services ("HHS") or the Secretary's designee.
• "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.
• "Services" means the medical claim denial analysis, appeal letter generation, appeal submission, ERA/835 file processing, and related denial management services provided by Business Associate to Covered Entity through the DenialFixer platform.
• "Subcontractor" means a person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.
• "Unsecured PHI" means Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under 42 USC § 17932(h)(2).

2. Scope of PHI Use and Disclosure

Business Associate shall access, create, receive, maintain, and transmit PHI solely in connection with the following permitted purposes:

• Parsing and analyzing ERA/835 remittance files to identify denied claims
• Categorizing claim denials by CARC/RARC codes and determining appealability
• Generating appeal letters that reference claim details, diagnosis codes, procedure codes, and clinical justification
• Submitting appeals to payers via electronic transmission, fax, or mail on behalf of Covered Entity
• Tracking appeal outcomes and reconciling recovered payments
• Storing supporting clinical documentation uploaded by Covered Entity for inclusion with appeals
• Producing reports and analytics regarding denial patterns, recovery rates, and financial impact
• Proper management and administration of Business Associate's operations, provided that such uses and disclosures are permitted under the HIPAA Privacy Rule
• Carrying out Business Associate's legal responsibilities

3. Obligations of Business Associate

Business Associate agrees to the following obligations:

3.1 Limits on Use and Disclosure

• Not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
• Not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except as provided in Sections 2 and 3 of this Agreement.
• Apply the minimum necessary standard to any use, disclosure, or request for PHI, limiting access to the minimum amount of PHI necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and § 164.514(d).

3.2 Safeguards

• Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in accordance with 45 CFR §§ 164.308, 164.310, and 164.312.
• Implement policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule.

3.3 Reporting

• Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including breaches of Unsecured PHI as required by 45 CFR § 164.410.
• Report to Covered Entity any Security Incident of which Business Associate becomes aware. Business Associate shall provide a summary report of unsuccessful security incidents (e.g., pings on a firewall, unsuccessful login attempts) on a quarterly basis upon request.

3.4 Subcontractors and Agents

• Ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate under this Agreement, in accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2).
• Maintain a current list of Subcontractors with access to PHI and make such list available to Covered Entity upon request. As of the effective date, Business Associate's Subcontractors with potential access to PHI include: Amazon Web Services (cloud infrastructure and storage), Anthropic (AI-powered appeal letter generation), Phaxio (HIPAA-compliant fax transmission), and Render (application hosting). Business Associate maintains BAAs with each Subcontractor that handles PHI.

3.5 Access to PHI

• Make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the requirements of 45 CFR § 164.524. Business Associate shall respond to such requests within fifteen (15) business days.
• Make PHI available for amendment and incorporate any amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR § 164.526.

3.6 Accounting of Disclosures

Make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate shall maintain records of disclosures of PHI and information related to such disclosures for a period of six (6) years from the date of the disclosure.

3.7 Government Access

Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules, in accordance with 45 CFR § 164.504(e)(2)(ii)(I).

3.8 Mitigation

To the extent practicable, mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

4. Security Measures

Business Associate implements the following safeguards to protect PHI in accordance with the HIPAA Security Rule:

4.1 Technical Safeguards

• All ePHI is encrypted at rest using AES-256 encryption (45 CFR § 164.312(a)(2)(iv))
• All data in transit is protected with TLS 1.2 or higher (45 CFR § 164.312(e)(1))
• Patient identifiers are cryptographically hashed (SHA-256) and never stored in cleartext
• Unique user identification and authentication for all system access (45 CFR § 164.312(d))
• Automatic session timeout after a period of inactivity
• Audit controls that record and examine activity in systems containing ePHI (45 CFR § 164.312(b))
• Emergency access procedures for ePHI in the event of an emergency (45 CFR § 164.312(a)(2)(ii))

4.2 Administrative Safeguards

• Designated Security Officer responsible for HIPAA security compliance
• Workforce training on HIPAA privacy and security requirements
• Access management procedures ensuring minimum necessary access on a role-based basis
• Documented security incident response and reporting procedures
• Regular risk assessments conducted at least annually using methodologies consistent with NIST SP 800-30
• Sanction policy for workforce members who violate security policies

4.3 Physical Safeguards

• Infrastructure hosted on HIPAA-eligible cloud platforms (AWS) with signed Business Associate Agreements
• No PHI stored on local devices, workstations, or removable media
• Secure disposal of electronic media containing PHI prior to re-use or disposal

4.4 AI Processing Safeguards

• PHI transmitted to AI services (Anthropic Claude API) for appeal letter generation is processed under a BAA with the AI service provider
• AI service providers are contractually prohibited from using PHI for model training or any purpose other than generating the requested output
• PHI submitted to AI services is limited to the minimum necessary for appeal generation: claim identifiers, procedure codes, diagnosis codes, denial reason codes, and dates of service
• No raw patient names, Social Security numbers, or full addresses are transmitted to AI services

5. Obligations of Covered Entity

• Covered Entity shall notify Business Associate of any limitations in the Covered Entity's notice of privacy practices under 45 CFR § 164.520, to the extent that such limitations may affect Business Associate's use or disclosure of PHI.
• Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
• Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
• Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
• Covered Entity warrants that it has obtained any necessary authorizations, consents, and permissions required under applicable law for the disclosure of PHI to Business Associate for the purposes described in this Agreement.
• Covered Entity is solely responsible for the accuracy, completeness, and appropriateness of any clinical documentation uploaded to the platform for inclusion with appeals.

6. Breach Notification

6.1 Discovery and Notification

Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than thirty (30) calendar days after discovery of the Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.

6.2 Content of Notification

Business Associate's notification to Covered Entity shall include, to the extent reasonably available:

• Identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach
• A brief description of what happened, including the date of the Breach and the date of its discovery
• A description of the types of Unsecured PHI that were involved in the Breach (e.g., claim numbers, dates of service, diagnosis codes, procedure codes)
• Any steps Individuals should take to protect themselves from potential harm resulting from the Breach
• A description of what Business Associate is doing to investigate the Breach, mitigate harm to Individuals, and protect against further Breaches
• Contact procedures for Individuals to ask questions, including a toll-free telephone number, email address, website, or postal address

6.3 Responsibilities

Business Associate shall cooperate with Covered Entity in the investigation and remediation of any Breach. Covered Entity shall be responsible for providing notifications to affected Individuals, the Secretary, and the media (if applicable) as required under 45 CFR §§ 164.404, 164.406, and 164.408. Business Associate shall bear the reasonable costs of notification and mitigation to the extent the Breach was caused by Business Associate's failure to comply with its obligations under this Agreement.

7. Term and Termination

7.1 Term

This Agreement shall be effective as of the date Covered Entity creates a DenialFixer account and accepts this Agreement, and shall remain in effect until the earlier of: (a) termination of the Services; (b) termination by either Party as provided herein; or (c) all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

7.2 Termination for Cause

Either Party may terminate this Agreement if the other Party materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) calendar days after receiving written notice of the breach. If cure is not reasonably possible, the non-breaching Party may terminate this Agreement immediately upon written notice.

7.3 Effect of Termination

• Upon termination of this Agreement, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within thirty (30) calendar days. This includes PHI in the possession of Subcontractors of Business Associate.
• If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for as long as Business Associate maintains such PHI.
• Business Associate shall certify in writing to Covered Entity that all PHI has been returned or destroyed, or that return or destruction is not feasible and the reasons therefor.
• Termination of this Agreement shall not relieve Business Associate of its obligation to report any Breach discovered after termination.

8. De-Identification and Aggregation

• Business Associate may use PHI to create de-identified health information in accordance with 45 CFR § 164.514(a)-(c). De-identified information is not subject to the terms of this Agreement.
• Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B), limited to aggregate denial rate statistics, recovery analytics, and payer performance benchmarking that does not identify any Individual.

9. Indemnification

Business Associate shall indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to any Breach of Unsecured PHI or any violation of this Agreement caused by Business Associate or its Subcontractors, agents, or workforce members. This indemnification obligation shall survive the termination of this Agreement.

10. Limitation of Liability

EXCEPT FOR OBLIGATIONS ARISING UNDER SECTION 9 (INDEMNIFICATION) AND SECTION 6 (BREACH NOTIFICATION), NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR WHETHER EITHER PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTHING IN THIS SECTION SHALL LIMIT LIABILITY FOR WILLFUL MISCONDUCT OR GROSS NEGLIGENCE.

11. Miscellaneous

11.1 Regulatory References

Any reference in this Agreement to a section of the HIPAA Rules means the section as in effect or as amended. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

11.2 Amendments

This Agreement may be amended only in a writing signed by both Parties or, with respect to amendments required by changes in applicable law, by Business Associate posting an updated Agreement and providing Covered Entity with thirty (30) days' written notice via email. Continued use of the Services after the effective date of any such amendment shall constitute acceptance of the amended Agreement.

11.3 Survival

The respective rights and obligations of Business Associate under Sections 3.5, 3.6, 6, 7.3, 9, and 10 of this Agreement shall survive the termination of this Agreement.

11.4 Interpretation

Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. In the event of a conflict between the terms of this Agreement and the HIPAA Rules, the HIPAA Rules shall prevail.

11.5 Governing Law

This Agreement shall be governed by and construed in accordance with federal law, including HIPAA and the HITECH Act. To the extent federal law does not preempt, this Agreement shall be governed by the laws of the State of Tennessee without regard to its conflict of laws principles.

11.6 Entire Agreement

This Agreement, together with the DenialFixer Terms of Service, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous oral or written agreements, representations, or understandings relating to the protection of PHI.

11.7 No Third-Party Beneficiaries

Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors and permitted assigns any rights, remedies, obligations, or liabilities whatsoever. Individuals whose PHI is subject to this Agreement are not third-party beneficiaries.

11.8 Waiver

No failure or delay by either Party in exercising any right under this Agreement shall constitute a waiver of that right. No waiver shall be effective unless made in writing.

11.9 Severability

If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent.

11.10 Notices

All notices required or permitted under this Agreement shall be in writing and shall be delivered to the Privacy Officer at the address below, or via email with confirmation of receipt.

12. Contact Information