MediScan AI Business Associate Agreement


MediScan AI, Inc.
4014 21st Ave SW
Seattle, WA 98106
Delaware Corporation

Collectively referred to herein as the "Parties".

RECITALS

WHEREAS, Covered Entity is a covered entity as defined by the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and provides healthcare services and maintains Protected Health Information ("PHI") as defined by HIPAA; and

WHEREAS, MediScan AI, Inc. is a Delaware Corporation that provides medical records summaries technology utilizing various technologies, including large language model ("LLM") technology providers, optical character recognition ("OCR") technology, email systems, and file storage systems;

WHEREAS, the Parties desire to disclose and use PHI in accordance with the terms and conditions of this Agreement and in compliance with HIPAA;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

Definitions

(a) The following terms used in this agreement shall have the meaning given to such terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Healthcare Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

(b) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended, including the regulations promulgated thereunder.

(c) "PHI" means Protected Health Information as defined by HIPAA.

(d) "Business Associate" shall have the meaning given to such term in 45 C.F.R. § 160.103.

(e) "Covered Entity" shall have the meaning given to such term in 45 C.F.R. § 160.103.

(f) "HIPAA Rules" shall have the meaning given to such term in 45 C.F.R. Part 160 and Part 164.

Privacy Standards

The Parties agree to comply with the privacy standards adopted by the US Department of Health and Human Services (HHS), as they may be amended from time to time. These standards include but are not limited to:

Obligations of MediScan AI, Inc.

(a) MediScan AI, Inc. shall only use or disclose PHI received from Covered Entity for the purposes of providing medical records summary services as requested by Covered Entity.

(b) MediScan AI, Inc. agrees to implement and maintain appropriate safeguards to prevent the unauthorized use or disclosure of PHI in accordance with HIPAA.

(c) MediScan AI, Inc. shall not use or disclose PHI in any manner that would constitute a violation of HIPAA.

(d) MediScan AI, Inc. shall promptly report to Covered Entity any unauthorized use or disclosure of PHI.

(e) MediScan AI, Inc. agrees to ensure that any subcontractors or agents to whom it provides PHI agree to the same restrictions and conditions that apply to MediScan AI, Inc. with respect to such information.

Obligations of Covered Entity

a. Covered Entity shall only disclose PHI to MediScan AI, Inc. as necessary for MediScan AI, Inc. to perform its obligations under this Agreement.

b. Covered Entity shall obtain any necessary authorizations or consents from individuals for the use and disclosure of their PHI to MediScan AI, Inc.

c. Covered Entity shall notify MediScan AI, Inc. of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect MediScan AI, Inc.'s use or disclosure of PHI.

d. Covered Entity shall promptly report to MediScan AI, Inc. any breaches of unsecured PHI.

Permitted Uses and Disclosures

a. MediScan AI, Inc. may use PHI for the proper management and administration of MediScan AI, Inc. or to carry out the legal responsibilities of MediScan AI, Inc.

b. MediScan AI, Inc. may disclose PHI for the proper management and administration of MediScan AI, Inc., provided that disclosures are Required By Law or MediScan AI, Inc. obtains reasonable assurances from the recipient to protect the confidentiality of the PHI.

Security Measures

a. MediScan AI, Inc. shall maintain appropriate administrative, physical, and technical safeguards for protecting the confidentiality, integrity, and availability of the PHI as required by HIPAA.

b. MediScan AI, Inc. shall perform regular risk assessments and implement measures to mitigate any identified risks to the security of PHI.

User Access and Authentication

a. MediScan AI, Inc. shall implement access controls and authentication mechanisms to ensure that only authorized users have access to PHI.

b. MediScan AI, Inc. shall maintain a system of unique user identification, emergency access procedures, automatic logoff, and encryption and decryption of PHI as appropriate.

Use of PHI in Reports

a. MediScan AI, Inc. may use PHI provided by Covered Entity to create medical records summaries and reports for authorized users, including doctors and their administrative staff.

b. The reports generated by MediScan AI, Inc. may include PHI, but only to the extent necessary for the intended purpose of the report.

Sharing of Reports

a. MediScan AI, Inc. may provide a "share feature" in its application that allows authorized users to send the reports generated by the system to approved parties via email.

b. Covered Entity acknowledges that it is its responsibility to ensure that any information transmitted via email using MediScan AI, Inc.'s system is sent to appropriate covered parties and vendors.

c. MediScan AI, Inc. shall ensure that any PHI shared through this feature is encrypted and securely transmitted to the designated recipient.

Disclosure to Agents and Subcontractors

If MediScan AI, Inc. discloses PHI received from the Covered Entity to agents, subcontractors, or any third party, MediScan AI, Inc. shall require such agents or subcontractors to agree to the same restrictions and conditions as apply to MediScan AI, Inc. under this Agreement.

Breach and Security Incident

a. In the event of a breach or security incident involving PHI, MediScan AI, Inc. shall promptly investigate and take appropriate measures to mitigate the breach or incident.

b. MediScan AI, Inc. shall report any breaches of unsecured PHI to Covered Entity within 30 days of discovery of the breach. The report shall include, at a minimum, the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the breach.

c. MediScan AI, Inc. shall assist Covered Entity in complying with its obligations under the HIPAA Breach Notification Rule, including providing necessary information for Covered Entity to complete its breach notification requirements.

Additional Business Associates

MediScan AI, Inc. maintains Business Associate Agreements with its AI and LLM technology providers, OCR technology providers, email system providers, and file storage system providers, ensuring that all parties handling PHI are compliant with HIPAA regulations.

Term and Termination

a. This Agreement shall become effective on the Effective Date and shall continue in effect until all PHI provided by Covered Entity to MediScan AI, Inc. is destroyed or returned to Covered Entity, or upon termination of this Agreement by either Party in accordance with this Section.

b. Either Party may terminate this Agreement upon written notice within 15 days to the other Party if the terminating Party determines that the other Party has breached a material term of this Agreement.

c. Upon termination of this Agreement, MediScan AI, Inc. shall return or destroy all PHI received from Covered Entity that MediScan AI, Inc. still maintains in any form, and MediScan AI, Inc. shall retain no copies of such PHI.

Miscellaneous

a. Indemnification. Business Associate's Indemnification: The Business Associate, incorporated in the State of Delaware, agrees to indemnify, defend, and hold harmless the Covered Entity, its officers, directors, employees, and agents (collectively, the "Covered Entity Parties") from and against any and all claims, losses, liabilities, damages, fines, penalties, costs, and expenses (including reasonable attorney fees) ("Claims") arising out of or related to the Business Associate's breach of this Agreement, violation of applicable laws or regulations, or negligent acts or omissions.

Covered Entity's Notification: In the event that the Covered Entity becomes aware of any potential Claims for which the Business Associate may be responsible under this indemnification provision, the Covered Entity shall promptly notify the Business Associate in writing.

Business Associate's Defense and Settlement: The Business Associate shall have the right to assume the defense of any such Claim at its own expense, with counsel reasonably acceptable to the Covered Entity. The Covered Entity may participate in the defense of such Claim at its own expense.

Settlement and Consent: The Business Associate shall not enter into any settlement of a Claim without the Covered Entity's prior written consent, which consent shall not be unreasonably withheld, delayed, or conditioned.

Limitation: Notwithstanding anything to the contrary, the Business Associate's indemnification obligations under this section shall be subject to any limitation on liability set forth in this Agreement.

b. Amendment. Any amendment to this Agreement must be in writing and signed by both Parties.

c. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware.

d. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with HIPAA.

e. No Third-Party Beneficiaries. This Agreement is for the benefit of the Parties hereto and is not intended to confer third-party beneficiary rights upon any other person or entity.

f. Entire Agreement. This Agreement constitutes the entire agreement between the Parties concerning the subject matter hereof and supersedes all prior agreements and understandings, both written and oral, between the Parties with respect to the subject matter hereof.