Business Associate Agreement
This Business Associate Agreement ("BAA" or "Agreement") is entered into by and between the dental practice identified below ("Covered Entity") and NexV Inc., a subsidiary of iSimplifyMe ("Business Associate" or "NexV").
Effective as of: ___________
This Agreement supplements and is made a part of the NexV Terms of Service and governs the use and disclosure of Protected Health Information ("PHI") as required by the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
1. Definitions
Capitalized terms used in this Agreement and not otherwise defined shall have the meanings assigned to them under HIPAA and the HITECH Act. The following terms have the meanings set forth below:
- Business Associate means NexV Inc., which creates, receives, maintains, or transmits Protected Health Information on behalf of the Covered Entity in connection with the NexV platform and services.
- Covered Entity means the dental practice or healthcare provider that has entered into a subscription agreement with NexV and is subject to HIPAA.
- Protected Health Information (PHI) means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR 160.103.
- Electronic Protected Health Information (ePHI) means PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103.
- Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR 164.402.
- Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS in guidance, as defined in 45 CFR 164.402.
- Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304.
2. Obligations of Business Associate
NexV, as Business Associate, agrees to the following obligations:
2.1 Use and Disclosure Restrictions
Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the underlying service agreement, or as required by law. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by the Covered Entity.
2.2 Appropriate Safeguards
Business Associate shall comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C) with respect to ePHI and shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI. These safeguards include but are not limited to:
- AES-256 encryption of all ePHI at rest using AWS KMS with automatic key rotation.
- TLS 1.3 encryption for all ePHI in transit.
- Role-based access controls with least-privilege enforcement.
- Multi-factor authentication for all staff accounts accessing PHI.
- Immutable audit logging of all PHI access via AWS CloudTrail, retained for 7 years.
- Annual third-party penetration testing with verified remediation.
2.3 Security Incident and Breach Reporting
Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. In the event of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the Breach.
Notification shall include, to the extent available: the nature of the PHI involved, identification of individuals affected, a description of what Business Associate is doing to investigate and mitigate the Breach, and contact information for further inquiries.
2.4 Subcontractors
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement. Business Associate shall enter into a written agreement with each such subcontractor that complies with 45 CFR 164.504(e).
2.5 Access to PHI
Business Associate shall make PHI maintained in a Designated Record Set available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524 (individual right of access). Business Associate shall respond to such requests within fifteen (15) business days.
2.6 Amendment of PHI
Business Associate shall make PHI maintained in a Designated Record Set available to Covered Entity for amendment and shall incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 CFR 164.526.
2.7 Accounting of Disclosures
Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528. Business Associate shall maintain records of such disclosures for a period of six (6) years.
2.8 Availability to HHS
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services ("HHS") for purposes of determining Covered Entity's and Business Associate's compliance with HIPAA.
2.9 Return or Destruction of PHI
Upon termination of this Agreement, Business Associate shall, at the direction of Covered Entity, return or destroy all PHI received from Covered Entity or created or received on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
3. Obligations of Covered Entity
Covered Entity agrees to the following obligations:
3.1 Restrictions on PHI Use
Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restrictions may affect Business Associate's use or disclosure of PHI.
3.2 Changes to Consent or Authorization
Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
3.3 Prohibited Requests
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by the Covered Entity, except as expressly permitted under this Agreement.
4. Permitted Uses and Disclosures
4.1 Services
Business Associate may use and disclose PHI as necessary to perform its obligations under the NexV Terms of Service, including but not limited to: hosting and operating the NexV platform, processing clinical data, generating AI-assisted clinical notes and imaging analyses, managing scheduling and billing operations, and providing customer support.
4.2 Administration and Management
Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that any disclosure for such purposes is required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or disclosed only as required by law or for the purposes for which it was disclosed.
4.3 De-Identification
Business Associate may de-identify PHI in accordance with 45 CFR 164.514(a)-(c). Information that has been de-identified in accordance with those provisions is not PHI and is no longer subject to this Agreement. Business Associate may use de-identified data for research, analytics, and improvement of its products and services.
4.4 Minimum Necessary
Business Associate shall apply the minimum necessary standard when using, disclosing, or requesting PHI, using only the minimum amount of PHI reasonably necessary to accomplish the intended purpose.
5. Term and Termination
5.1 Term
This Agreement shall be effective as of the date first written above and shall remain in effect for the duration of the NexV subscription agreement between the parties, unless earlier terminated as provided herein.
5.2 Termination for Cause
Either party may terminate this Agreement if it determines that the other party has violated a material term of this Agreement. The non-violating party shall provide written notice of the violation and allow the violating party thirty (30) days to cure it. If the violation is not cured within such period, the non-violating party may terminate this Agreement.
5.3 Effect of Termination
Upon termination, Business Associate shall comply with Section 2.9 regarding the return or destruction of PHI. The obligations of Business Associate under this Agreement shall survive termination to the extent necessary to protect PHI.
6. Breach Notification
6.1 Discovery and Notification
Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than sixty (60) calendar days after the discovery of the Breach. A Breach is considered discovered on the first day on which the Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.
6.2 Content of Notification
Breach notifications shall include, to the extent reasonably available:
- Identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach.
- A description of the nature of the Breach, including the types of unsecured PHI involved.
- A description of what Business Associate is doing to investigate the Breach, mitigate harm to individuals, and protect against further Breaches.
- Contact procedures for individuals to ask questions or obtain additional information, including a toll-free telephone number, email address, or postal address.
6.3 Cooperation
Business Associate shall cooperate with Covered Entity in investigating and responding to any Breach. Business Associate shall provide such additional information as Covered Entity may reasonably request to enable Covered Entity to comply with its notification obligations under 45 CFR 164.404 through 164.408.
7. Miscellaneous
7.1 Amendment
This Agreement may be amended only by a written instrument signed by both parties. The parties agree to negotiate in good faith any amendment to this Agreement necessary to comply with changes to HIPAA, the HITECH Act, or their implementing regulations.
7.2 Survival
The obligations of Business Associate under Sections 2.2, 2.3, 2.7, 2.8, and 2.9 shall survive the termination or expiration of this Agreement.
7.3 Interpretation
Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA and the HITECH Act. In the event of a conflict between this Agreement and the NexV Terms of Service, this Agreement shall control with respect to the use and disclosure of PHI.
7.4 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to conflict of law principles, except where preempted by HIPAA or the HITECH Act.
7.5 Entire Agreement
This Agreement, together with the NexV Terms of Service, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties.
7.6 Notices
All notices under this Agreement shall be in writing and sent to the addresses set forth below, or to such other address as either party may designate by written notice to the other. Notices to Business Associate may also be sent by email to privacy@nexv.ai.
8. Signatures
IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the date first written above.
COVERED ENTITY
Practice Name: ___________________________
Signature: ___________________________
Printed Name: ___________________________
Title: ___________________________
Date: ___________________________
BUSINESS ASSOCIATE
NexV Inc. (a subsidiary of iSimplifyMe)
Signature: ___________________________
Printed Name: ___________________________
Title: ___________________________
Date: ___________________________