Business Associate Agreement

1. Definitions

"Business Associate" means SendMeDocs LLC, operator of the SendMeDocs platform.

"Covered Entity" means the organization that has entered into a subscription agreement with Business Associate for the use of the SendMeDocs service and is subject to HIPAA.

"Protected Health Information" (PHI) means individually identifiable health information transmitted or maintained in any form or medium, as defined by 45 CFR 160.103.

"Service" means the SendMeDocs document collection platform, including the dashboard, upload portal, API, and associated features.

"Underlying Agreement" means the Terms of Service and any subscription agreement between the parties governing use of the Service.

2. Obligations of Business Associate

1. Permitted uses and disclosures. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
2. Safeguards. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C).
3. Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, and any Security Incident or Breach of Unsecured PHI, without unreasonable delay and no later than sixty (60) days after discovery.
4. Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this Agreement.
5. Access to PHI. Business Associate shall make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524 (individual access rights).
6. Amendment of PHI. Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 CFR 164.526.
7. Accounting of disclosures. Business Associate shall make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528.
8. HHS access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.
9. Minimum necessary. Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR 164.502(b).

3. Permitted Uses and Disclosures

1. Business Associate may use or disclose PHI as necessary to perform its obligations under the Underlying Agreement, including storing, transmitting, and making PHI available to authorized users of Covered Entity's account.
2. Business Associate may use or disclose PHI as required by law.
3. Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided that any disclosure for such purpose is required by law or Business Associate obtains reasonable assurances that the information will be held confidentially.

4. Obligations of Covered Entity

1. Covered Entity shall obtain any necessary consents, authorizations, or other permissions from individuals before submitting PHI to the Service.
2. Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent such restrictions may affect Business Associate's performance under this Agreement.
3. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

5. Term and Termination

1. Term. This Agreement takes effect upon Covered Entity's electronic acceptance through the Service and remains in effect for the duration of the Underlying Agreement. By accepting this Agreement through the Service, Covered Entity acknowledges that electronic acceptance constitutes a valid and binding execution of this Agreement, equivalent to a handwritten signature, and that Business Associate's publication of these terms constitutes its execution.
2. Termination for cause. Either party may terminate this Agreement if the other party materially breaches this Agreement and fails to cure the breach within thirty (30) days of receiving written notice.
3. Effect of termination. Upon termination, Business Associate shall return or destroy all PHI in its possession, if feasible. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the remaining PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible. The Service's automatic file deletion policy ensures that PHI stored as uploaded documents is destroyed within the plan's retention window without requiring manual action.

6. Miscellaneous

1. Regulatory references. Any reference to a section of HIPAA or its implementing regulations means the section as in effect or as amended.
2. Amendment. Business Associate may update this Agreement by publishing a revised version through the Service. Material changes require Covered Entity to re-accept the updated Agreement through the Service before continued use. Covered Entity's electronic acceptance of an updated version constitutes agreement to the amended terms.
3. Survival. The obligations of Business Associate under Section 5.3 shall survive the termination of this Agreement.
4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit compliance with HIPAA.