Business Associate Agreement

CareLX provides a HIPAA-compliant Business Associate Agreement (BAA) to every agency that processes Protected Health Information through our platform.

Last updated: March 1, 2026

CareLX provides a signed BAA to all agencies at no additional cost.

This Business Associate Agreement ("Agreement") is entered into between the home health agency using the CareLX platform ("Covered Entity") and Loffa Interactive Group, operating as CareLX ("Business Associate"), and supplements the Terms of Service governing use of the CareLX platform.

1. Definitions

"Business Associate" refers to CareLX (Loffa Interactive Group), which creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity in connection with providing the CareLX platform services.

"Covered Entity" refers to the home health agency that uses the CareLX platform and is subject to HIPAA regulations.

"Protected Health Information" (PHI) means individually identifiable health information transmitted or maintained in any form or medium, as defined under 45 CFR §160.103.

"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined under 45 CFR §164.402.

2. Obligations of Business Associate

CareLX shall not use or disclose PHI other than as permitted or required by this Agreement, the underlying service agreement, or as required by law.

CareLX shall implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, consistent with the requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C).

CareLX shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any Breach of Unsecured PHI as defined in 45 CFR §164.402.

CareLX shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of CareLX agree to the same restrictions and conditions that apply to CareLX under this Agreement.

CareLX shall make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an individual, in order to meet the requirements of 45 CFR §164.524.

CareLX shall make PHI available for amendment and incorporate amendments to PHI as directed by Covered Entity pursuant to 45 CFR §164.526.

3. Permitted Uses and Disclosures

CareLX may use or disclose PHI solely for the purpose of performing services for the Covered Entity as specified in the service agreement, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by the Covered Entity.

CareLX may use PHI for the proper management and administration of CareLX or to carry out its legal responsibilities, provided that any disclosure is required by law or CareLX obtains reasonable assurances that the information will be held confidentially.

CareLX may de-identify PHI in accordance with 45 CFR §164.514(a)-(c) and may use de-identified information for analytics, product improvement, and aggregate reporting that does not identify individual patients.

4. Breach Notification

CareLX shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay, and in no case later than 30 calendar days after discovery of the Breach.

The notification shall include: (a) the nature of the PHI involved; (b) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; (c) the date of the Breach and date of discovery; (d) a description of what CareLX is doing to investigate, mitigate, and prevent future breaches.

CareLX shall cooperate with Covered Entity in meeting its notification obligations under 45 CFR §§164.404-408.

5. Security Safeguards

CareLX implements and maintains the following security measures to protect PHI:

Encryption: All PHI is encrypted at rest using AES-256-GCM encryption and in transit using TLS 1.2+.

Access Controls: Role-based access controls (RBAC) restrict access to PHI to authorized personnel. Multi-factor authentication is available for all user accounts.

Audit Controls: All access to PHI is logged in an immutable audit trail, including user identity, timestamp, action performed, and data accessed.

Database Isolation: Each Covered Entity's data is stored in a separate, dedicated database, providing complete logical isolation from other tenants.

Infrastructure: CareLX is hosted on Microsoft Azure with SOC 2 Type II certified data centers. Regular vulnerability assessments and penetration testing are conducted.

6. Term and Termination

This Agreement shall be effective as of the date the Covered Entity first uses the CareLX platform and shall remain in effect until the underlying service agreement is terminated or all PHI is returned or destroyed.

Upon termination, CareLX shall return or destroy all PHI received from Covered Entity, or created or received by CareLX on behalf of Covered Entity. If return or destruction is not feasible, CareLX shall extend the protections of this Agreement to the retained PHI.

CareLX shall retain PHI only as required by law or as necessary to comply with healthcare record retention requirements, and shall continue to protect such PHI in accordance with this Agreement.

7. Miscellaneous

This Agreement shall be interpreted consistently with HIPAA, the HITECH Act, and applicable regulations. Any ambiguity shall be resolved in favor of a meaning that permits compliance with HIPAA.

The obligations of CareLX under this Agreement shall survive termination to the extent necessary to protect PHI.

This Agreement may not be assigned by either party without the written consent of the other party.

8. Contact

To request a signed BAA or ask questions about our Business Associate obligations:

Email: compliance@carelx.com

CareLX by Loffa Interactive Group