Introduction & Effective Date
Purpose
This Business Associate Agreement ("BAA") is entered into between Leady Inc. ("Business Associate") and you or your organization ("Covered Entity") as required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations ("HIPAA Rules").
Effective Date
This BAA becomes effective upon your acceptance of these terms or your first use of Leady's services that involve Protected Health Information ("PHI").
HIPAA Compliance
Leady is committed to maintaining HIPAA compliance and protecting the privacy and security of PHI in accordance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
Definitions
Protected Health Information (PHI)
Individually identifiable health information transmitted or maintained in any form or medium, including: names, dates (birth, admission, discharge, death), phone numbers, geographic identifiers, medical record numbers, health plan beneficiary numbers, device identifiers, and any other unique identifying number or code.
Business Associate
Leady Inc., a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a Covered Entity that involve the use or disclosure of PHI.
Covered Entity
You, the dental practice or dental support organization that is a covered entity under HIPAA and has engaged Leady to provide services involving PHI.
Electronic Protected Health Information (ePHI)
PHI that is transmitted electronically or maintained in electronic media.
Permitted Uses & Disclosures
Authorized Uses
Leady may use and disclose PHI only as permitted or required by the Covered Entity, or as required by law. Permitted uses include: (a) providing AI voice agent services, (b) scheduling appointments, (c) managing patient communications, and (d) maintaining service quality.
Minimum Necessary Standard
Leady shall not use or disclose more PHI than is necessary to accomplish the intended purpose of the use or disclosure, consistent with the minimum necessary standard under HIPAA.
No Prohibited Uses
Leady shall not use or disclose PHI for: (a) marketing purposes, (b) sale of PHI, (c) employment-related decisions, or (d) any purpose other than those specified in this Agreement without prior written authorization.
Agent Subcontractors
Leady may engage subcontractors to perform services on behalf of the Covered Entity. All subcontractors are bound by equivalent obligations to protect PHI.
Safeguards & Security
Administrative Safeguards
Leady maintains policies and procedures for: (a) security management process, (b) assigned security responsibility, (c) workforce security, (d) information access management, (e) security awareness and training, (f) security incident procedures, and (g) contingency planning.
Physical Safeguards
Leady maintains: (a) facility access controls, (b) workstation use and security policies, (c) device and media controls, and (d) physical access restrictions to data centers.
Technical Safeguards
Leady implements: (a) access controls (unique user IDs, authentication, encryption), (b) audit controls, (c) integrity controls, (d) transmission security, and (e) workstation security.
Encryption
All ePHI is encrypted in transit using TLS 1.3 or higher and at rest using AES-256 encryption or equivalent.
Access Controls
Access to PHI is limited to authorized personnel who require access for their job functions. All access is logged and reviewed regularly.
Breach Notification
Notification Requirements
In the event of a breach of unsecured PHI, Leady shall notify the Covered Entity without unreasonable delay and no later than 60 days after discovery of the breach.
Notification Contents
Breach notifications shall include: (a) description of the breach, (b) types of PHI involved, (c) steps individuals should take to protect themselves, (d) what Leady is doing to investigate and mitigate the breach, and (e) contact information for questions.
Law Enforcement Delay
If a law enforcement official determines that notification would impede a criminal investigation, notification may be delayed as requested by the official.
Smaller Breaches
Breaches affecting fewer than 500 individuals may be reported within 60 days of the end of the calendar year in which the breach occurred.
Termination & Disposal
Termination Triggers
This BAA may be terminated by: (a) mutual agreement of both parties, (b) breach of this BAA if not cured within 30 days of notice, or (c) termination of the underlying service agreement.
Obligations Post-Termination
Upon termination, Leady shall: (a) return or destroy all PHI received from the Covered Entity, (b) retain only that PHI required by law, and (c) continue to protect retained PHI in accordance with this BAA.
Document Retention
Leady may retain PHI: (a) for as long as required by law (typically 6 years from creation), (b) as needed for litigation, or (c) as otherwise agreed by the Covered Entity.
Liability & Indemnification
Breach Liability
Leady agrees to report any breach of PHI to the Covered Entity and to comply with all applicable breach notification requirements under HIPAA and state law.
Indemnification
Leady agrees to indemnify and hold harmless the Covered Entity from any claims, damages, or penalties resulting from Leady's breach of this BAA or unauthorized use or disclosure of PHI.
Limitation
Leady's liability under this BAA shall not exceed the amount of fees paid by the Covered Entity to Leady in the 12 months preceding the claim.
Questions About This BAA?
If you have questions about Leady's HIPAA compliance, this BAA, or our data protection practices, please contact our compliance team: