Business Associate Agreement

Last updated: March 18, 2026

This Business Associate Agreement (“Agreement”) is entered into by and between:

Covered Entity: _________________________________________ (“Covered Entity”)

Business Associate: Net Solutions Interactive, a California corporation doing business as “CensusGreeter” (“Business Associate”)

Effective Date: _________________________________________

Recitals

WHEREAS, Covered Entity is a HIPAA Covered Entity that operates one or more senior care facilities (which may include assisted living, memory care, skilled nursing, or continuing care retirement communities);

WHEREAS, Business Associate provides an AI-powered virtual receptionist service (“Services”) that processes inbound telephone calls on behalf of Covered Entity;

WHEREAS, in the course of providing the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity;

WHEREAS, the parties wish to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and the regulations promulgated thereunder at 45 CFR Parts 160 and 164 (collectively, the “HIPAA Rules”), as well as the California Confidentiality of Medical Information Act (California Civil Code §56–56.37, “CMIA”);

NOW, THEREFORE, in consideration of the mutual promises contained herein and the exchange of information pursuant to this Agreement, the parties agree as follows:

1. Definitions

The following terms used in this Agreement have the meanings set forth below. Capitalized terms not otherwise defined in this Agreement have the same meaning as those terms in the HIPAA Rules (45 CFR §160.103 and §164.501).

• Breach means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of such information, as defined at 45 CFR §164.402.
• Data Aggregation means the combining of Protected Health Information by Business Associate with the protected health information received from or on behalf of another covered entity to permit data analyses, as defined at 45 CFR §164.501.
• Designated Record Set means a group of records maintained by or for a Covered Entity that constitutes the records used to make decisions about individuals, as defined at 45 CFR §164.501.
• Disclosure means the release, transfer, provision of access to, or divulging in any manner of Protected Health Information outside the entity holding the information, as defined at 45 CFR §160.103.
• Health Care Operations has the meaning given at 45 CFR §164.501.
• Individual means the person who is the subject of Protected Health Information, and includes a person who qualifies as a personal representative under 45 CFR §164.502(g).
• Minimum Necessary means the standard requiring that uses, disclosures, and requests for Protected Health Information be limited to the minimum necessary to accomplish the intended purpose, as set forth at 45 CFR §164.502(b).
• Notice of Privacy Practices means the notice required by 45 CFR §164.520.
• Protected Health Information (“PHI”) means individually identifiable health information transmitted or maintained in any form or medium, as defined at 45 CFR §160.103. Where this Agreement references PHI, it includes electronic protected health information (“ePHI”).
• Required By Law has the meaning given at 45 CFR §164.103.
• Secretary means the Secretary of the United States Department of Health and Human Services or any designee.
• Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined at 45 CFR §164.304.
• Subcontractor means a person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of Business Associate.
• Unsecured Protected Health Information means Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary, as defined at 45 CFR §164.402.
• Use means the sharing, employment, application, utilization, examination, or analysis of Protected Health Information within an entity that maintains such information, as defined at 45 CFR §160.103.
• California Medical Information means individually identifiable information, in electronic or physical form, regarding a patient’s medical history, mental or physical condition, or treatment, as defined at California Civil Code §56.05(j). Where CMIA imposes stricter protections than HIPAA, Business Associate shall apply the stricter standard.
• Services means the AI-powered virtual receptionist services provided by Business Associate to Covered Entity under the parties’ underlying service agreement.

2. Obligations of Business Associate

Business Associate agrees to the following obligations, consistent with the requirements of 45 CFR §164.504(e)(2)(ii):

2.1 Use and Disclosure Restrictions

Business Associate shall not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law. (45 CFR §164.504(e)(2)(ii)(A))

2.2 Safeguards

Business Associate shall use appropriate safeguards and comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C, including §§164.308, 164.310, 164.312, and 164.316) with respect to electronic Protected Health Information, to prevent any use or disclosure of PHI other than as provided by this Agreement. (45 CFR §164.504(e)(2)(ii)(B))

2.3 Reporting of Unauthorized Uses, Disclosures, and Security Incidents

Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which Business Associate becomes aware, including any Security Incident of which Business Associate becomes aware. (45 CFR §164.504(e)(2)(ii)(C))

2.4 Breach Notification

Business Associate shall report to Covered Entity any Breach of Unsecured Protected Health Information in accordance with the requirements set forth in Section 7 of this Agreement and 45 CFR §164.410.

2.5 Subcontractors

In accordance with 45 CFR §164.502(e)(1)(ii), Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.

2.6 Access to PHI

Business Associate shall make available Protected Health Information in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.524 (individual right of access), within fifteen (15) business days of receiving a written request from Covered Entity.

2.7 Amendment of PHI

Business Associate shall make Protected Health Information available for amendment and shall incorporate any amendments to Protected Health Information in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR §164.526, within thirty (30) calendar days of receiving a written request from Covered Entity.

2.8 Accounting of Disclosures

Business Associate shall maintain an accounting of disclosures of Protected Health Information and make such accounting available to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528. Business Associate shall maintain records of such disclosures for a period of six (6) years from the date of the disclosure.

2.9 Compliance with Security Rule

Business Associate shall comply with the requirements of the HIPAA Security Rule that are applicable to business associates as required by the HITECH Act (42 U.S.C. §17931).

2.10 Availability of Records to HHS

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity’s and Business Associate’s compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures

3.1 Services

Business Associate may use or disclose Protected Health Information solely to perform the Services described in the parties’ underlying service agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.

3.2 Management and Administration

Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, as permitted by 45 CFR §164.504(e)(2)(i)(A).

3.3 Disclosure for Management and Administration

Business Associate may disclose Protected Health Information for the purposes described in Section 3.2 if the disclosure is Required By Law, or if Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as Required By Law or for the purposes for which it was disclosed, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.4 Data Aggregation

Business Associate may use Protected Health Information to provide Data Aggregation services relating to the Health Care Operations of Covered Entity, as permitted by 45 CFR §164.504(e)(2)(i)(B).

3.5 Minimum Necessary Standard

Business Associate shall apply the Minimum Necessary standard to all uses, disclosures, and requests for Protected Health Information. Business Associate shall limit its use and access to Protected Health Information to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request.

4. Protected Health Information Scope

In the course of providing the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity. The specific categories of PHI handled are described in the parties’ underlying service agreement.

5. Subcontractors

5.1 Subcontractor Agreements

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information, in accordance with 45 CFR §164.502(e)(1)(ii).

5.2 Current Subcontractors

A schedule of current Subcontractors is provided to Covered Entity upon execution of this Agreement.

5.3 Changes to Subcontractors

Business Associate maintains a current list of Subcontractors that access Protected Health Information, available to Covered Entity upon request.

6. Security Safeguards

6.1 Security Rule Compliance

Business Associate shall implement administrative safeguards (45 CFR §164.308), physical safeguards (45 CFR §164.310), technical safeguards (45 CFR §164.312), and policies, procedures, and documentation requirements (45 CFR §164.316) as required by the HITECH Act (42 U.S.C. §17931) to protect the confidentiality, integrity, and availability of electronic Protected Health Information.

6.2 Safeguard Standards

Without limiting the generality of Section 6.1, Business Associate shall maintain appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of electronic Protected Health Information in accordance with 45 CFR §§164.308, 164.310, 164.312, and 164.316. Specific safeguard details are provided to Covered Entity upon execution of this Agreement.

6.3 Risk Assessments

Business Associate shall conduct periodic risk assessments of its systems and processes that create, receive, maintain, or transmit electronic Protected Health Information, and shall implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

7. Breach Notification

7.1 Notification Obligation

Business Associate shall notify Covered Entity of any Breach of Unsecured Protected Health Information without unreasonable delay and in no case later than sixty (60) calendar days from the date of discovery of the Breach, in accordance with 45 CFR §164.410 and 42 U.S.C. §17932.

7.2 Discovery

A Breach shall be treated as discovered by Business Associate as of the first day on which the Breach is known or, by exercising reasonable diligence, would have been known to Business Associate, including any employee, officer, or agent of Business Associate (other than the individual committing the Breach), as set forth at 45 CFR §164.410(a)(2).

7.3 Content of Notification

Business Associate’s notification to Covered Entity shall include, to the extent available:

• The identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
• A description of the nature of the Breach, including the types of Unsecured PHI involved;
• The date of the Breach and the date of discovery, if known;
• A description of what Business Associate is doing to investigate the Breach, mitigate harm, and prevent future occurrences; and
• Any other information Covered Entity needs to fulfill its notification obligations under 45 CFR §164.404(c).

7.4 Law Enforcement Delay

If a law enforcement official states that notification to Covered Entity would impede a criminal investigation or cause damage to national security, Business Associate shall delay notification in accordance with 45 CFR §164.412.

7.5 Mitigation

Business Associate shall take reasonable steps to mitigate any harmful effects of the Breach that are known to Business Associate and shall cooperate with Covered Entity’s breach investigation and response efforts.

8. Individual Rights

8.1 Right of Access

Business Associate shall make Protected Health Information maintained in a Designated Record Set available to Covered Entity within fifteen (15) business days of a written request, in order to enable Covered Entity to fulfill its obligations under 45 CFR §164.524 (individual right of access to PHI).

8.2 Right of Amendment

Business Associate shall make Protected Health Information maintained in a Designated Record Set available to Covered Entity for amendment, and shall incorporate any amendments directed by Covered Entity, within thirty (30) calendar days of a written request, in order to enable Covered Entity to fulfill its obligations under 45 CFR §164.526.

8.3 Accounting of Disclosures

Business Associate shall maintain records of disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR §164.528. Business Associate shall make such information available to Covered Entity within thirty (30) calendar days of a written request. Business Associate shall retain such records for a period of six (6) years from the date of the disclosure.

9. AI-Specific Provisions

9.1 No Model Training on Customer Data

Business Associate and its Subcontractors shall not use Protected Health Information or any customer data to train, fine-tune, improve, or benchmark artificial intelligence or machine learning models. Customer data is processed solely to deliver the contracted Services.

9.2 No Voiceprint Biometrics

The AI receptionist does not create, store, or process voiceprint biometric data. Voice audio is processed solely as speech-to-text in real time and is not used for speaker identification, voice authentication, or biometric profiling.

9.3 Transient Processing

Business Associate processes PHI transiently and does not persistently store PHI in AI systems beyond what is necessary to perform the contracted Services.

10. Senior Care Population Provisions

10.1 Authorized Representatives

Protected Health Information may be disclosed to legally authorized personal representatives (including holders of power of attorney, legal guardians, healthcare proxies, and conservators) as designated by Covered Entity, consistent with 45 CFR §164.502(g). Covered Entity is responsible for verifying representative authority and communicating authorized representative designations to Business Associate.

10.2 Disclosures Required by Law

Nothing in this Agreement shall be construed to prohibit or impede any disclosure that is Required By Law, including mandatory reporting obligations under applicable state law. Such disclosures are permitted under 45 CFR §164.512(a) and do not constitute a Breach of this Agreement.

11. California CMIA Compliance

11.1 Applicability

This Agreement shall comply with the California Confidentiality of Medical Information Act (California Civil Code §56–56.37) in addition to HIPAA. Where CMIA imposes requirements that are stricter than those imposed by the HIPAA Rules, the stricter CMIA requirements shall apply.

11.2 Broader Definition of Medical Information

The parties acknowledge that CMIA defines “medical information” (California Civil Code §56.05(j)) more broadly than HIPAA defines “Protected Health Information.” Business Associate shall protect California Medical Information to the stricter standard where applicable.

11.3 Remedies and Penalties

Business Associate acknowledges that unauthorized disclosure of medical information under CMIA may give rise to a private right of action for compensatory damages, punitive damages, and attorney’s fees (California Civil Code §56.35), as well as administrative penalties (California Civil Code §56.36).

11.4 Provider of Health Care Classification

Business Associate acknowledges that as a software vendor that maintains medical information, it may be classified as a “provider of health care” under California Civil Code §56.06 and is subject to the same confidentiality standards and penalties applicable to providers of health care.

12. Data Retention and Destruction

12.1 Return or Destruction

Upon termination of this Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within thirty (30) calendar days of termination. This provision applies to PHI that is in the possession of Business Associate and its Subcontractors.

12.2 Backup and Disaster Recovery Copies

Backup and disaster recovery copies of Protected Health Information shall be purged within ninety (90) calendar days of termination of this Agreement.

12.3 Infeasibility of Return or Destruction

If Business Associate determines that the return or destruction of Protected Health Information is not feasible (for example, because PHI must be retained to comply with a legal obligation), Business Associate shall extend all protections of this Agreement to the retained PHI indefinitely and shall limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible.

12.4 Certification

Upon request by Covered Entity, Business Associate shall provide written certification that all Protected Health Information has been returned or destroyed in accordance with this Section.

13. Obligations of Covered Entity

13.1 Notice of Privacy Practices

Covered Entity shall notify Business Associate of any limitations in the Covered Entity’s Notice of Privacy Practices (45 CFR §164.520) that may affect Business Associate’s use or disclosure of Protected Health Information.

13.2 Changes to Authorizations

Covered Entity shall notify Business Associate of any changes in, or revocation of, the authorization of an Individual regarding the use or disclosure of Protected Health Information, to the extent that such changes affect Business Associate’s permitted uses or disclosures.

13.3 Restrictions on Use or Disclosure

Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restrictions affect Business Associate’s permitted uses or disclosures.

13.4 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

14. Term, Termination, and Survival

14.1 Term

This Agreement shall become effective on the Effective Date and shall remain in effect for the duration of the parties’ underlying service agreement, unless earlier terminated in accordance with this Section.

14.2 Termination for Material Breach

Either party may terminate this Agreement upon thirty (30) days’ written notice to the other party if the other party has materially breached any provision of this Agreement and has failed to cure such breach within the thirty (30) day notice period.

14.3 Automatic Termination

This Agreement shall automatically terminate if Business Associate fails to cure a material breach within the cure period specified in Section 14.2.

14.4 Survival

The obligations of Business Associate under Sections 2 (Obligations of Business Associate), 7 (Breach Notification), 8 (Individual Rights), 11 (California CMIA Compliance), and 12 (Data Retention and Destruction) shall survive the termination of this Agreement to the extent necessary to carry out the purposes of those provisions.

15. General Provisions

15.1 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflicts of law principles, except to the extent preempted by federal law (including HIPAA and the HITECH Act).

15.2 Venue

Any legal action or proceeding arising under or related to this Agreement shall be brought in the state or federal courts located in the State of California, and the parties hereby consent to the personal jurisdiction and venue of such courts.

15.3 Severability

If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.4 Entire Agreement

This Agreement, together with the underlying service agreement and any exhibits attached hereto, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and negotiations, whether written or oral, relating to such subject matter.

15.5 Amendments

This Agreement may not be modified or amended except by a written instrument signed by both parties. The parties agree to amend this Agreement as necessary to comply with changes to the HIPAA Rules or other applicable law.

15.6 Electronic Acceptance

This Agreement may be executed by electronic signature or click-through acceptance, which shall have the same legal effect, validity, and enforceability as an original handwritten signature, in accordance with the California Uniform Electronic Transactions Act (California Civil Code §1633.1–1633.17) and the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. §7001).

15.7 Regulatory Changes

The parties shall amend this Agreement as necessary to comply with changes to the HIPAA Rules, the HITECH Act, or the CMIA. If any provision of this Agreement conflicts with applicable law, the applicable law shall control.

15.8 Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the HIPAA Rules.

16. Signatures

IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the Effective Date.

This Agreement may be executed by electronic signature or click-through acceptance, which shall have the same legal effect as an original signature.

Exhibit A — Subcontractor Schedule

The Subcontractor Schedule, listing all Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate, is provided to Covered Entity upon execution of this Agreement. Business Associate shall update the schedule as Subcontractors are added or removed and shall notify Covered Entity of any changes in accordance with Section 5.3.