
Business Associate Agreement

This Agreement governs the handling of Protected Health Information between your organization and CriteriaIQ, LLC in connection with your use of CriteriaIQ RCM.

Effective upon account creation · Last updated April 2026

This Business Associate Agreement ("Agreement") is entered into between you, the subscribing organization ("Covered Entity"), and CriteriaIQ, LLC ("Business Associate"), effective as of the date on which Covered Entity creates an account on the CriteriaIQ RCM platform ("Effective Date"). Together, the parties are referred to as "the Parties."

WHEREAS, Covered Entity wishes to use the CriteriaIQ RCM platform, and in doing so may create, receive, maintain, or transmit Protected Health Information; and

WHEREAS, the Parties intend to protect the privacy and security of PHI in compliance with HIPAA, HITECH, and all applicable regulations;

NOW THEREFORE, the Parties agree as follows:

Section I Definitions

The following terms have the same meaning as in the HIPAA Rules (45 CFR Parts 160 and 164):

  • Breach — Acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule (45 CFR Part 164, Subpart E) that compromises the security or privacy of the PHI. Under 45 CFR § 164.402, such an impermissible use or disclosure is presumed to be a Breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.
  • Business Associate — CriteriaIQ, LLC, providing revenue cycle management, utilization review, and clinical documentation support services.
  • Covered Entity — The subscribing organization that is a covered entity under HIPAA (e.g., a behavioral health billing company, treatment facility, or provider organization).
  • Designated Record Set — A group of records maintained by or for Covered Entity used to make decisions about individuals.
  • Discovery — The first day on which a Breach is known, or reasonably should have been known, to Business Associate.
  • HIPAA Rules — The Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
  • Protected Health Information (PHI) — Individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • Security Incident — The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system.
  • Subcontractor — A person or entity that acts as a Business Associate on behalf of Business Associate.
  • Unsecured PHI — PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified by the Secretary of HHS in guidance (in practice, encryption consistent with that guidance, or destruction).

Section II Obligations of CriteriaIQ

a. Permitted Uses and Disclosures

CriteriaIQ will use or disclose PHI only as necessary to provide the CriteriaIQ RCM services, as otherwise permitted by this Agreement, or as required by law. CriteriaIQ will not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by Covered Entity.

b. Safeguards

CriteriaIQ will implement and maintain appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, and will comply with all applicable requirements of the HIPAA Security Rule (45 CFR Part 164, Subparts A and C).

c. AI Processing — No PHI Retention

Important Disclosure: CriteriaIQ's AI-powered analysis functions process PHI strictly in-memory during active analysis sessions. No patient data is persisted to, stored in, or used to train any AI model, including the Anthropic Claude API. PHI is transmitted to the analysis endpoint, processed, and the response is returned — no PHI is retained by any AI subprocessor beyond the duration of the API call.

d. Breach Notification

CriteriaIQ will notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay, and in no event more than thirty (30) calendar days following Discovery. This period is shorter than the sixty (60) calendar days permitted to a business associate under 45 CFR § 164.410(b). Notification will include, to the extent available:

  • The identity of each individual whose PHI was or is reasonably believed to have been involved
  • A brief description of what happened, including the date of the Breach and the date of Discovery
  • A description of the types of PHI involved
  • Steps individuals should take to protect themselves from potential harm
  • What CriteriaIQ is doing to investigate, mitigate, and prevent recurrence

Note: Unsuccessful Security Incidents (attempted unauthorized access that does not succeed), which occur routinely in any internet-connected system, do not require individual notification unless they result in a confirmed Breach.

e. Subcontractors

CriteriaIQ will ensure, in accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), that any Subcontractors that create, receive, maintain, or transmit PHI on its behalf agree in writing to the same restrictions and requirements that apply to CriteriaIQ under this Agreement, including compliance with the HIPAA Security Rule.

f. Access and Amendment

Within five (5) business days of a written request from Covered Entity, CriteriaIQ will make PHI available as necessary to fulfill Covered Entity's obligations under 45 CFR §§ 164.524 and 164.526. If an individual requests access or amendment directly from CriteriaIQ, CriteriaIQ will notify Covered Entity within five (5) business days.

g. Accounting of Disclosures

CriteriaIQ will maintain a record of PHI disclosures and make it available to Covered Entity within five (5) business days of request, per 45 CFR § 164.528.

h. Books and Records

CriteriaIQ will make its internal practices, books, and records relating to PHI available to the Secretary of HHS for purposes of determining Covered Entity's compliance with HIPAA, per 45 CFR § 160.310.

i. Minimum Necessary

CriteriaIQ will make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of each use, disclosure, or request.

j. Data Ownership

CriteriaIQ acknowledges that Covered Entity is the sole owner of all PHI created, received, maintained, or transmitted by CriteriaIQ on behalf of Covered Entity. CriteriaIQ acquires no rights in such PHI.

k. Mitigation

CriteriaIQ will mitigate, to the extent practicable, any harmful effect resulting from a use or disclosure of PHI in violation of this Agreement.

Section III Obligations of Covered Entity

  • Notice of Privacy Practices. Covered Entity will provide CriteriaIQ with its Notice of Privacy Practices upon request and notify CriteriaIQ of any changes that may affect CriteriaIQ's permitted uses or disclosures of PHI.
  • Revocation of Authorization. Covered Entity will notify CriteriaIQ of any revocation of individual authorization to use or disclose PHI to the extent such revocation may affect CriteriaIQ's activities.
  • Restrictions. Covered Entity will notify CriteriaIQ of any agreed-upon restrictions on use or disclosure of PHI under 45 CFR § 164.522, to the extent such restrictions may affect CriteriaIQ's activities.
  • Permissible Requests. Covered Entity will not request CriteriaIQ to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
  • User Compliance. Covered Entity is responsible for ensuring that its authorized users comply with applicable HIPAA requirements when using CriteriaIQ RCM.
  • Accurate Data. Covered Entity is responsible for the accuracy and completeness of PHI submitted to CriteriaIQ RCM for processing.

Section IV Term and Termination

a. Term

This Agreement is effective as of the date Covered Entity creates a CriteriaIQ RCM account and remains in effect for the duration of Covered Entity's active subscription.

b. Termination for Cause

Either Party may terminate this Agreement upon written notice if the other Party materially breaches any provision and fails to cure such breach within thirty (30) days. Covered Entity may terminate immediately if CriteriaIQ breaches a material term and cure is not possible.

c. Effect of Termination

Upon termination, CriteriaIQ will within thirty (30) days:

  • Return to Covered Entity all PHI maintained on its behalf, if feasible; or
  • Securely destroy all PHI and provide written certification of destruction; or
  • If neither is feasible, extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

Standard policy: CriteriaIQ provides for secure deletion of all tenant PHI within 30 days of subscription termination. Covered Entity may request expedited deletion by contacting compliance@criteriaiq.com.

Section V Indemnification & Liability

a. Mutual Indemnification

Each Party agrees to indemnify, defend, and hold harmless the other Party and its officers, directors, employees, and agents from third-party claims, penalties, fines, costs, liabilities, or damages — including reasonable attorneys' fees — arising from that Party's breach of this Agreement or violation of applicable HIPAA rules.

b. Liability Cap

CriteriaIQ's total indemnification liability shall not exceed the total fees paid by Covered Entity during the six (6) month period immediately preceding the date the claim accrued.

c. Exclusion of Consequential Damages

In no event shall either Party be liable to the other for lost profits, lost revenue, or any indirect, incidental, consequential, punitive, or special damages, to the maximum extent permitted by applicable law.

Section VI Miscellaneous

  • Interpretation. Any ambiguity shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA, HITECH, and the HIPAA Rules.
  • Governing Law. This Agreement is governed by applicable federal law and the laws of the state in which Covered Entity is domiciled.
  • Notices. All notices to CriteriaIQ shall be sent to compliance@criteriaiq.com. Notices to Covered Entity shall be sent to the administrative email on file.
  • Modification. This Agreement may only be modified in writing by authorized representatives of both Parties. CriteriaIQ will provide 30 days' advance notice of any material changes.
  • Severability. If any provision is found unenforceable, the remaining provisions continue in full force and effect.
  • Entire Agreement. This Agreement, together with the CriteriaIQ Terms of Service, constitutes the entire agreement between the Parties with respect to PHI handling.
  • No Agency. Nothing in this Agreement creates an agency relationship between the Parties.
  • Change in Law. If HIPAA or applicable laws are amended in a material way, the Parties agree to negotiate in good faith to amend this Agreement accordingly.

Execution Electronic Signature

By creating a CriteriaIQ RCM account and checking the BAA acceptance box during account creation or login, Covered Entity acknowledges that it has read, understands, and agrees to be bound by this Agreement. The individual accepting represents and warrants that they have legal authority to bind Covered Entity.

This electronic acceptance constitutes a valid and binding signature under the Electronic Signatures in Global and National Commerce Act (E-SIGN Act). Acceptance timestamp and IP address are recorded in CriteriaIQ's audit log for compliance purposes.

Parties to this Agreement

Acceptance is recorded electronically at the time of account creation or login, including timestamp and IP address for HIPAA audit purposes.

Business Associate

CriteriaIQ, LLC
Behavioral Health Revenue Cycle Platform
support@criteriaiq.com
compliance@criteriaiq.com

Authorized Representative

Covered Entity

Your Organization
As identified in your CriteriaIQ RCM account
Accepted electronically upon account creation
Timestamp recorded in audit log

Authorized Representative (Electronic)