Business Associate Agreement

Effective Date: March 22, 2026

Table of Contents
  1. Preamble and Recitals
  2. Definitions
  3. Covered Services
  4. Obligations of Business Associate
  5. Permitted Uses and Disclosures
  6. Obligations of Covered Entity
  7. Security Standards
  8. Breach Notification
  9. Term and Termination
  10. Miscellaneous

1. PREAMBLE AND RECITALS

This Business Associate Agreement ("BAA") is entered into by and between the Customer ("Covered Entity") and ESCHEDULEIT INC., a Florida limited liability company ("Business Associate" or "eScheduleIt"), and is incorporated by reference into the Terms of Service (the "Terms of Service" or "TOS").

WHEREAS, Business Associate provides healthcare scheduling and related services to Covered Entity through the eScheduleIt platform (the "Services") that may involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996, as amended;

WHEREAS, the parties intend to comply with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law 111-5 (the "HITECH Act"), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, "HIPAA");

WHEREAS, Business Associate is a "business associate" of Covered Entity as that term is defined under HIPAA at 45 CFR §160.103, and the parties desire to enter into this BAA to set forth the terms and conditions pursuant to which PHI will be handled by Business Associate in the course of providing the Services;

WHEREAS, this BAA is incorporated by reference into the Terms of Service available at Terms of Service (available at https://landing.eschedule.it/terms.html). By accepting the Terms of Service, Covered Entity agrees to the terms of this BAA without the need for separate execution, in accordance with 45 CFR §164.504(e) and the Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. §7001 et seq.). The parties acknowledge that the requirements of 45 CFR §164.504(e) are satisfied by the incorporation of this BAA into the Terms of Service and Covered Entity's manifestation of assent thereto;

NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

2. DEFINITIONS

All capitalized terms used but not otherwise defined in this BAA shall have the meanings ascribed to such terms under HIPAA, including the Privacy Rule at 45 CFR Part 164, Subpart E, the Security Rule at 45 CFR Part 164, Subpart C, and the Breach Notification Rule at 45 CFR Part 164, Subpart D, as each may be amended from time to time. The following terms shall have the meanings set forth below:

"Breach" shall have the meaning given to such term in 45 CFR §164.402, and shall include the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of such PHI, subject to the exclusions set forth in 45 CFR §164.402(1).

"Business Associate" shall have the meaning given to such term in 45 CFR §160.103, and for purposes of this BAA shall refer to ESCHEDULEIT INC.

"Covered Entity" shall have the meaning given to such term in 45 CFR §160.103, and for purposes of this BAA shall refer to the Customer that has accepted the Terms of Service and is subject to HIPAA as a health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a transaction covered by HIPAA.

"Designated Record Set" shall have the meaning given to such term in 45 CFR §164.501, and shall include a group of records maintained by or for a Covered Entity that comprises the medical records and billing records about Individuals maintained by or for a covered health care provider, the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or records used, in whole or in part, by or for the Covered Entity to make decisions about Individuals.

"Electronic Protected Health Information" or "ePHI" shall have the meaning given to such term in 45 CFR §160.103, and shall mean PHI that is transmitted by or maintained in electronic media.

"Individual" shall have the meaning given to such term in 45 CFR §160.103, and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).

"Protected Health Information" or "PHI" shall have the meaning given to such term in 45 CFR §160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity pursuant to this BAA and the Terms of Service.

"Required by Law" shall have the meaning given to such term in 45 CFR §164.103, and shall include a mandate contained in law that compels an entity to make a use or disclosure of PHI that is enforceable in a court of law.

"Secretary" shall mean the Secretary of the United States Department of Health and Human Services ("HHS") or the Secretary's designee.

"Security Incident" shall have the meaning given to such term in 45 CFR §164.304, and shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

"Subcontractor" shall have the meaning given to such term in 45 CFR §160.103, and shall mean a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.

"Unsecured Protected Health Information" shall have the meaning given to such term in 45 CFR §164.402, and shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under Section 13402(h)(2) of the HITECH Act.

3. COVERED SERVICES

This BAA applies to the following eScheduleIt Services that may involve the creation, receipt, maintenance, or transmission of PHI on behalf of Covered Entity (collectively, the "Covered Services"):

(a) Appointment Scheduling and Management. The creation, modification, cancellation, and management of patient appointments, including associated patient demographic and contact information.

(b) AI-Powered Scheduling Assistant (Chat). The artificial intelligence-powered chat interface that may process patient names, appointment details, and other scheduling-related information that constitutes PHI.

(c) The Scheduler — Voice (AI Phone Agent). The Scheduler's artificial intelligence-powered telephone capability that conducts automated calls for appointment scheduling, confirmation, and reminders, which may involve the verbal transmission of PHI.

(d) The Scheduler — SMS (AI SMS Agent). The Scheduler's artificial intelligence-powered text messaging capability that sends and receives scheduling-related messages that may contain PHI.

(e) The Scheduler — Transcription. The transcription and processing of voice communications that may contain PHI, including recordings of calls handled by the Scheduler.

(f) Reporting and Analytics. The generation of reports and analytics derived from scheduling data that may contain or be derived from PHI.

(g) Resource and Availability Management. The management of provider schedules, resource allocation, and availability information that may be associated with PHI.

(h) Calendar Synchronization. The synchronization of scheduling data with third-party calendar services (including Google Calendar integration) that may involve the transmission of PHI.

(i) Any Other Platform Features. Any other features, functionalities, or services of the eScheduleIt platform that involve the creation, receipt, maintenance, or transmission of PHI on behalf of Covered Entity, whether existing as of the effective date of this BAA or introduced thereafter.

The specific categories of PHI that may be processed through the Covered Services include, but are not limited to: patient names, telephone numbers, email addresses, dates of birth, appointment dates and times, provider names, appointment types, and other scheduling-related information. Business Associate's processing of PHI through the Covered Services is further described in the Privacy Policy and the AI Policy.

4. OBLIGATIONS OF BUSINESS ASSOCIATE

Business Associate agrees to the following obligations with respect to PHI received from, or created or maintained on behalf of, Covered Entity:

(a) Use and Disclosure Limitations. Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the Terms of Service, or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the requirements of Subpart E of 45 CFR Part 164 if done by Covered Entity, except as otherwise permitted under Section 5 of this BAA.

(b) Safeguards. Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with 45 CFR Part 164, Subpart C (the Security Rule). Business Associate shall comply with the applicable requirements of the Security Rule, including but not limited to the standards, implementation specifications, and requirements set forth in 45 CFR §§164.308, 164.310, 164.312, 164.314, and 164.316, as further detailed in Section 7 of this BAA.

(c) Reporting of Unauthorized Uses or Disclosures. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Breach of Unsecured PHI as required by 45 CFR §164.410 and as further detailed in Section 8 of this BAA.

(d) Subcontractors. In accordance with 45 CFR §164.502(e)(1)(ii) and 45 CFR §164.308(b)(2), Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to such PHI, by entering into a written agreement with each such Subcontractor that contains terms no less protective than the terms of this BAA. Business Associate shall remain responsible for the acts and omissions of its Subcontractors to the same extent as if such acts or omissions were performed by Business Associate. As of the effective date of this BAA, Business Associate's Subcontractors that may process PHI in the course of providing the Covered Services include:

  • Microsoft Azure — Cloud infrastructure and hosting services (US East region)
  • Twilio — Voice calling and SMS messaging services
  • OpenAI — Artificial intelligence and language model services

Business Associate shall maintain an up-to-date list of Subcontractors that process PHI and shall make such list available to Covered Entity upon reasonable request. Business Associate shall notify Covered Entity of any material changes to its Subcontractors that process PHI.

(e) Access to PHI. Business Associate shall make available PHI in a Designated Record Set to Covered Entity, or, as directed by Covered Entity, to an Individual, in order to meet the requirements of 45 CFR §164.524. Business Associate shall respond to any such request within thirty (30) days of receipt of the request. If Business Associate maintains PHI in a Designated Record Set electronically, Business Associate shall, upon request, provide such information in an electronic format designated by the requesting party, in accordance with 45 CFR §164.524(c)(2)(ii).

(f) Amendment of PHI. Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR §164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR §164.526. Business Associate shall complete any such amendment within thirty (30) days of receipt of Covered Entity's direction.

(g) Accounting of Disclosures. Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR §164.528. Business Associate shall respond to any such request within sixty (60) days of receipt. At a minimum, Business Associate shall provide to Covered Entity the following information for each disclosure that is subject to the accounting requirement: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or, in lieu of such statement, a copy of a written request for a disclosure pursuant to 45 CFR §164.502(a)(2)(ii) or §164.512, if any.

(h) Government Access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's and Business Associate's compliance with HIPAA. Business Associate shall respond to any such request from the Secretary within the timeframe required by applicable law.

(i) Minimum Necessary Standard. Business Associate shall, in accordance with 45 CFR §164.502(b) and 45 CFR §164.514(d), limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, except where the minimum necessary standard does not apply as specified in 45 CFR §164.502(b)(2).

(j) Mitigation. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.

5. PERMITTED USES AND DISCLOSURES

Except as otherwise limited in this BAA, Business Associate may use or disclose PHI as follows:

(a) Performance of Services. Business Associate may use or disclose PHI as necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Terms of Service and as described in Section 3 of this BAA, provided that such use or disclosure would not violate Subpart E of 45 CFR Part 164 if done by Covered Entity, or the minimum necessary policies and procedures of Covered Entity, to the extent that Business Associate has been informed of such policies and procedures in accordance with Section 6 of this BAA.

(b) Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that: (i) the disclosure is Required by Law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(c) Data Aggregation. Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). For the avoidance of doubt, any Data Aggregation activities shall utilize only de-identified data in accordance with 45 CFR §164.514, unless Covered Entity has expressly authorized the use of identifiable PHI for such purposes.

(d) De-Identification. Business Associate may use PHI to de-identify the information in accordance with the requirements of 45 CFR §164.514(a)-(c), using either the expert determination method set forth in 45 CFR §164.514(b)(1) or the safe harbor method set forth in 45 CFR §164.514(b)(2).

(e) Required by Law. Business Associate may use or disclose PHI as Required by Law, provided that the use or disclosure complies with and is limited to the relevant requirements of such law. Business Associate shall promptly notify Covered Entity of any such Required by Law disclosure, unless such notification is prohibited by law.

6. OBLIGATIONS OF COVERED ENTITY

Covered Entity agrees to the following obligations:

(a) Notice of Privacy Practices. Covered Entity shall inform Business Associate of any limitation(s) in Covered Entity's notice of privacy practices adopted in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

(b) Changes in Authorization. Covered Entity shall inform Business Associate of any changes in, or revocation of, the authorization by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

(c) Restrictions on Use or Disclosure. Covered Entity shall inform Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

(d) Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, except as expressly permitted under Section 5(b) and Section 5(c) of this BAA for the proper management, administration, and legal responsibilities of Business Associate.

(e) Consent and Authorization. Covered Entity shall obtain any consent, authorization, or other legal permission required under applicable federal, state, or local law prior to furnishing PHI to Business Associate through the Covered Services. Covered Entity represents and warrants that it has obtained, or will obtain, all necessary consents and authorizations from Individuals as required by HIPAA and applicable law to permit Business Associate's use and disclosure of PHI as contemplated by this BAA and the Terms of Service.

(f) Minimum Necessary Information. Covered Entity shall make reasonable efforts to limit the PHI provided to Business Associate to the minimum necessary to accomplish the purpose of the disclosure, in accordance with 45 CFR §164.502(b).

7. SECURITY STANDARDS

Business Associate shall comply with the applicable requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C), including but not limited to the following standards and implementation specifications:

(a) Access Controls (45 CFR §164.312(a)). Business Associate shall implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in 45 CFR §164.308(a)(4). Such controls shall include: (i) unique user identification, assigning a unique name and/or number for identifying and tracking user identity; (ii) emergency access procedures, establishing and implementing as needed procedures for obtaining necessary ePHI during an emergency; (iii) automatic logoff, implementing electronic procedures that terminate an electronic session after a predetermined time of inactivity; and (iv) encryption and decryption, implementing a mechanism to encrypt and decrypt ePHI.

(b) Audit Controls (45 CFR §164.312(b)). Business Associate shall implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Business Associate shall maintain audit logs of system activity, including user access, authentication events, and data modifications, for a minimum period consistent with applicable law and regulatory requirements.

(c) Integrity Controls (45 CFR §164.312(c)). Business Associate shall implement policies and procedures to protect ePHI from improper alteration or destruction. Business Associate shall implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner, including the use of integrity verification measures and secure backup procedures.

(d) Transmission Security (45 CFR §164.312(e)). Business Associate shall implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. All ePHI transmitted by Business Associate shall be encrypted in transit using Transport Layer Security (TLS) version 1.2 or higher, or an equivalent or superior encryption standard. Business Associate shall implement integrity controls to ensure that ePHI is not improperly modified without detection during transmission.

(e) Encryption at Rest. All ePHI stored by Business Associate shall be encrypted at rest using the Advanced Encryption Standard (AES) with a key length of 256 bits (AES-256) or an equivalent or superior encryption standard. Encryption keys shall be managed in accordance with industry best practices, including the use of hardware security modules or equivalent key management systems where appropriate.

(f) Workforce Security (45 CFR §164.308(a)(3)). Business Associate shall implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI as provided under the access controls in paragraph (a) above, and to prevent those workforce members who do not have access under such access controls from obtaining access to ePHI. All members of Business Associate's workforce who have access to PHI shall complete training on HIPAA privacy and security requirements prior to being granted access to PHI, and shall receive refresher training at least annually thereafter.

(g) Risk Analysis (45 CFR §164.308(a)(1)). Business Associate shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Business Associate. Such risk assessments shall be performed no less frequently than annually and upon any material change to Business Associate's information systems or security posture. Business Associate shall implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule.

(h) Contingency Plan (45 CFR §164.308(a)(7)). Business Associate shall establish and implement policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI, including data backup, disaster recovery, and emergency mode operation procedures.

(i) Hosting and Data Residency. As of the effective date of this BAA, all ePHI processed by Business Associate through the Covered Services is hosted on Microsoft Azure infrastructure located in the United States (US East region). Business Associate shall not transfer ePHI outside the United States without the prior written consent of Covered Entity.

8. BREACH NOTIFICATION

(a) Discovery and Reporting. Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay, and in no event later than thirty (30) calendar days after discovery of the Breach, in accordance with 45 CFR §164.410. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate, or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is a workforce member or agent of Business Associate, as set forth in 45 CFR §164.410(a)(2).

(b) Content of Notification. The Breach notification provided by Business Associate to Covered Entity shall include, to the extent reasonably available at the time of notification:

  • (i) The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach;
  • (ii) A brief description of what happened, including the date of the Breach, the date of discovery of the Breach, and the nature of the unauthorized access, use, disclosure, or acquisition;
  • (iii) A description of the types of Unsecured PHI that were involved in the Breach, including whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved;
  • (iv) Any steps Business Associate recommends that affected Individuals take to protect themselves from potential harm resulting from the Breach;
  • (v) A description of what Business Associate is doing to investigate the Breach, mitigate losses and harm to affected Individuals, and protect against any further Breaches.

If Business Associate is not able to provide all of the information specified above at the time of the initial notification, Business Associate shall provide such information promptly as it becomes available, without unreasonable delay.

(c) Covered Entity Responsibility. Covered Entity acknowledges and agrees that it is responsible for providing notification to affected Individuals in accordance with 45 CFR §164.404, to the media in accordance with 45 CFR §164.406 (where applicable), and to the Secretary in accordance with 45 CFR §164.408. Business Associate shall provide such cooperation and assistance to Covered Entity as is reasonably necessary for Covered Entity to fulfill its notification obligations.

(d) Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware that results in the unauthorized access, use, disclosure, modification, or destruction of ePHI. The parties acknowledge and agree that unsuccessful Security Incidents — including but not limited to pings on a firewall, port scans, unsuccessful log-on attempts, denial-of-service attacks, and other network-level attacks that do not result in unauthorized access, use, or disclosure of PHI — occur routinely in the ordinary course of operating internet-connected information systems and need not be individually reported. Business Associate shall provide Covered Entity with periodic summary reports of such unsuccessful Security Incidents upon Covered Entity's reasonable written request, at a frequency not to exceed quarterly.

(e) Cooperation. Business Associate shall cooperate with Covered Entity in investigating any Breach or Security Incident and shall provide reasonable assistance to Covered Entity in its compliance with its breach notification obligations under 45 CFR Part 164, Subpart D. Such cooperation shall include, but not be limited to, making relevant personnel available for consultation, preserving evidence related to the Breach or Security Incident, and assisting in the preparation of required notifications.

(f) Law Enforcement Delay. If Business Associate is advised by a law enforcement official that notification of a Breach would impede a criminal investigation or cause damage to national security, Business Associate shall delay notification to Covered Entity for the applicable period specified in 45 CFR §164.412 and shall promptly notify Covered Entity upon expiration of such delay period.

9. TERM AND TERMINATION

(a) Term. This BAA shall become effective upon Covered Entity's acceptance of the Terms of Service and shall remain in effect for the duration of the Terms of Service, unless earlier terminated as provided in this Section 9.

(b) Termination for Cause. Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure such breach within thirty (30) calendar days after receiving written notice of such breach from the non-breaching party. If cure is not reasonably possible, the non-breaching party may immediately terminate this BAA upon written notice to the breaching party, consistent with the provisions of 45 CFR §164.504(e)(2)(iii).

(c) Automatic Termination. This BAA shall automatically terminate, without further action by either party, upon the termination or expiration of the Terms of Service for any reason.

(d) Effect of Termination — Return or Destruction of PHI.

  • (i) Upon termination of this BAA for any reason, Business Associate shall, at the direction of Covered Entity, return or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI. The obligation to return or destroy PHI shall apply to PHI that is in the possession of Subcontractors of Business Associate. Business Associate shall ensure that its Subcontractors return or destroy PHI in accordance with this provision.
  • (ii) Notwithstanding the foregoing, if Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity a written notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this BAA to such PHI and shall limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate shall not use or disclose such PHI for any other purpose.
  • (iii) If Covered Entity does not provide direction regarding the return or destruction of PHI within sixty (60) days of the termination of this BAA, Business Associate shall destroy such PHI in accordance with the standards set forth in NIST Special Publication 800-88, Guidelines for Media Sanitization, or an equivalent standard.

(e) Survival. The obligations of Business Associate under this Section 9(d) (Return or Destruction of PHI), Section 7 (Security Standards), and Section 8 (Breach Notification) shall survive the termination or expiration of this BAA for so long as Business Associate or any Subcontractor of Business Associate retains any PHI.

10. MISCELLANEOUS

(a) Regulatory References. Any reference in this BAA to a section of HIPAA, the HITECH Act, or their implementing regulations shall mean such section as in effect or as amended from time to time, and for which compliance is required. Any reference to a regulatory provision that is renumbered or replaced shall be deemed to refer to the successor provision.

(b) Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of HIPAA, the HITECH Act, and any other applicable law. eScheduleIt may update this BAA by posting the revised version on the Site. For material changes, eScheduleIt shall provide at least thirty (30) days' prior notice in accordance with the notice provisions set forth in the Terms of Service. Continued use of the Covered Services following the effective date of any such amendment constitutes Covered Entity's acceptance of the amended BAA.

(c) Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA, the HITECH Act, and their implementing regulations. In the event of any conflict between this BAA and the Terms of Service with respect to the handling of PHI, the terms of this BAA shall control. To the extent that any provision of this BAA is more restrictive than a corresponding provision of the Terms of Service, the more restrictive provision shall govern with respect to PHI.

(d) No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties hereto, and their respective successors and permitted assigns, any rights, remedies, obligations, or liabilities whatsoever. This BAA is not intended to and does not create any rights in any Individual whose PHI is used or disclosed pursuant to this BAA.

(e) Entire Agreement. This BAA, together with the Terms of Service, the Privacy Policy, and the AI Policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to the subject matter of this BAA.

(f) Governing Law. This BAA shall be governed by and construed in accordance with applicable federal law, including HIPAA and the HITECH Act. To the extent not preempted by federal law, the laws of the State of Florida shall govern this BAA, without regard to its conflict of law principles. Notwithstanding the foregoing, to the extent that a provision of applicable state law provides greater protection of PHI than HIPAA, such state law shall be given effect to the extent consistent with 45 CFR §160.203.

(g) Indemnification. Each party shall indemnify, defend, and hold harmless the other party and its officers, directors, employees, agents, successors, and assigns from and against any and all claims, losses, damages, liabilities, penalties, fines, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or relating to the indemnifying party's breach of any of its obligations under this BAA. This indemnification obligation shall survive the termination or expiration of this BAA.

(h) Notices. All notices required or permitted under this BAA shall be provided in accordance with the notice provisions set forth in the Terms of Service. Breach notifications and other time-sensitive notices shall also be sent to the email address associated with Covered Entity's account and to privacy@eschedule.it for notices directed to Business Associate.

(i) Severability. If any provision of this BAA is held to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions of this BAA shall remain in full force and effect. The parties agree that any invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable, while preserving the parties' original intent.

(j) Waiver. The failure of either party to enforce any provision of this BAA shall not constitute a waiver of that party's right to enforce such provision or any other provision of this BAA at any future time. No waiver of any provision of this BAA shall be effective unless made in writing and signed by the waiving party.

Last Updated: March 22, 2026

Related Documents