Business Associate Agreement (BAA)

1. Purpose and Scope

This Business Associate Agreement ("BAA") governs OnLark's role as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) when providing services to Covered Entities (healthcare providers) and other Business Associates.

OnLark, LLC ("Business Associate" or "OnLark") provides a technology platform that facilitates speech therapy services by licensed speech-language pathologists ("Covered Entity" or "Provider"). In the course of providing these services, OnLark creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of Covered Entities.

2. Definitions

Terms not otherwise defined in this BAA have the meanings assigned to them in the HIPAA Privacy Rule (45 CFR Part 160 and Part 164):

• Business Associate: OnLark, LLC
• Covered Entity: Licensed SLPs and healthcare organizations using the OnLark platform
• Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium
• Required by Law: A mandate contained in law that compels use or disclosure of PHI
• Secretary: Secretary of the Department of Health and Human Services (HHS)
• Breach: Unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information

3. Permitted Uses and Disclosures of PHI

3.1 Services to Covered Entity

Business Associate may use and disclose PHI only as necessary to perform the following services on behalf of Covered Entity:

• Facilitating telehealth video sessions between patients and providers
• Storing and managing clinical documentation and treatment notes
• Processing insurance eligibility verification (EDI 270/271 transactions)
• Submitting insurance claims on behalf of providers (EDI 837P transactions)
• Providing scheduling, calendar management, and appointment reminders
• Secure messaging between patients and providers
• AI-assisted clinical documentation and transcription services
• Payment processing and billing support
• Platform maintenance, security monitoring, and technical support

3.2 Business Associate's Own Management and Administration

Business Associate may use PHI for its own proper management and administration, provided:

• Such use is necessary for Business Associate's operations
• Disclosure is required by law, or
• Business Associate obtains reasonable assurances from the recipient that the information will remain confidential and be used only as required by law

3.3 Data Aggregation Services

Business Associate may aggregate PHI to provide de-identified analytics and reporting services that improve platform quality, provided all data is de-identified in accordance with HIPAA standards (45 CFR § 164.514).

4. Obligations of Business Associate

4.1 Prohibited Uses and Disclosures

Business Associate shall not:

• Use or disclose PHI except as permitted by this BAA or required by law
• Use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity
• Sell PHI or receive remuneration in exchange for PHI without authorization
• Use or disclose PHI for marketing purposes without authorization

4.2 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to:

• Prevent use or disclosure of PHI other than as provided by this BAA
• Comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C)
• Ensure encryption of PHI at rest (AES-256) and in transit (TLS 1.3)
• Implement access controls and authentication mechanisms
• Maintain audit logs of all PHI access and modifications
• Conduct annual security risk assessments

4.3 Breach Notification

Business Associate shall report any Breach of unsecured PHI to Covered Entity within 48 hours of discovery. The notification shall include:

• Identification of each individual whose PHI was or is reasonably believed to have been breached
• Description of the breach, including date of discovery and date of breach (if known)
• Types of PHI involved
• Steps individuals should take to protect themselves
• Remedial actions taken or planned by Business Associate
• Contact information for questions

4.4 Subcontractors and Agents

Business Associate shall ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate through this BAA. Business Associate shall enter into a written BAA with each subcontractor.

Current HIPAA-Compliant Subcontractors:

• Amazon Web Services (AWS) - Cloud hosting and database storage
• Stedi - EDI transaction processing
• Daily.co - HIPAA-compliant video telehealth
• AssemblyAI - Medical transcription services
• Stripe - Payment processing (PCI-DSS compliant)

4.5 Access to PHI

Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or individual (at Covered Entity's direction) within 30 days of request, in the form and format requested if readily producible, or in a readable hard copy or electronic format as agreed by Covered Entity and Business Associate.

4.6 Amendment of PHI

Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity within 30 days of notification.

4.7 Accounting of Disclosures

Business Associate shall document all disclosures of PHI and provide an accounting of disclosures to Covered Entity or individual (at Covered Entity's direction) within 60 days of request, covering the six years prior to the request (or such shorter period as agreed).

4.8 Availability of Books and Records

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with HIPAA.

4.9 Minimum Necessary

Business Associate shall limit use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, except where disclosure is to the individual or pursuant to an authorization.

5. Obligations of Covered Entity

Covered Entity shall:

• Provide Business Associate with the Notice of Privacy Practices and any changes thereto
• Provide Business Associate with any changes in, or revocation of, patient authorizations that may affect Business Associate's permitted uses or disclosures
• Notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed
• Not request Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity

6. Term and Termination

6.1 Term

This BAA shall be effective as of the date Covered Entity begins using the OnLark platform and shall terminate when all PHI provided by Covered Entity is destroyed or returned to Covered Entity, or if infeasible, protections are extended to such information.

6.2 Termination for Breach

Either party may terminate this BAA if the other party breaches a material term and fails to cure the breach within 30 days of written notice.

6.3 Effect of Termination

Upon termination, Business Associate shall:

• Return or destroy all PHI received from or created on behalf of Covered Entity, if feasible
• Retain no copies of PHI
• If return or destruction is infeasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make return or destruction infeasible

Note: Business Associate may retain PHI as required by law (e.g., 7-year medical records retention) or for legitimate business purposes (audit defense, legal compliance), subject to continued HIPAA safeguards.

7. Indemnification

Business Associate shall indemnify and hold harmless Covered Entity from any claims, damages, or penalties arising from Business Associate's breach of this BAA or violation of HIPAA, except to the extent caused by Covered Entity's actions or omissions.

8. Regulatory Changes

The parties agree to negotiate in good faith to amend this BAA to comply with changes in HIPAA regulations or other applicable privacy laws.

9. Miscellaneous

9.1 Governing Law

This BAA shall be governed by the laws of the State of California.

9.2 Amendment

This BAA may be amended only by written agreement signed by both parties.

9.3 Survival

The obligations of Business Associate under this BAA with respect to PHI shall survive the termination of this BAA and any underlying service agreement.

9.4 Interpretation

Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA.

10. Contact Information

For BAA execution, compliance questions, or breach reporting:
HIPAA Compliance Officer: legal@onlark.com
Privacy Officer: privacy@onlark.com
Address: OnLark, LLC, New York, NY
Breach Hotline: legal@onlark.com (monitored 24/7)