ToothReferral

Toothreferral.com LLC

Business Associate Agreement

Effective Date: May 30, 2026
Corporate Address: 13220 Strickland Rd, STE 166, Raleigh, NC 27613
Primary Contact: Info@toothreferral.com
Parties: Toothreferral.com LLC ("Business Associate") & Onboarding Practice ("Covered Entity")

This Business Associate Agreement ("BAA") is entered into by and between Toothreferral.com LLC, with a principal place of business at 13220 Strickland Rd, STE 166, Raleigh, NC 27613 ("Business Associate"), and the entity or individual registering for and utilizing the Toothreferral platform ("Covered Entity").

Recitals

  • Covered Entity is a "covered entity" as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations (45 C.F.R. Parts 160 and 164).
  • Business Associate provides a digital dental referral network and communication platform ("Services") to Covered Entity, which involves the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI") and Electronic Protected Health Information ("ePHI").
  • The parties intend to comply with the requirements of HIPAA, the Health Information Technology for Economic and Clinical Health ("HITECH") Act, and the HIPAA Omnibus Rule.

1. Definitions

Capitalized terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Rules (45 C.F.R. §§ 160.103, 164.402, and 164.501).

  • "Breach" shall have the same meaning as given to such term in 45 C.F.R. § 164.402.
  • "Protected Health Information" ("PHI") and "Electronic Protected Health Information" ("ePHI") shall have the same meaning as defined in 45 C.F.R. § 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

2. Obligations of Business Associate

Business Associate agrees to:

  • Permitted Uses and Disclosures: Not use or disclose PHI other than as permitted or required by this BAA, the primary Terms of Service ("Underlying Agreement"), or as Required By Law.
  • Appropriate Safeguards: Use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, complying with Subpart C of 45 C.F.R. Part 164 (the HIPAA Security Rule).
  • Subcontractors and Downstream Compliance: Ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and opportunities that apply to Business Associate with respect to such PHI via a written agreement.

3. Scope of Data Collection

  • Minimum Necessary Standard: Business Associate shall limit its collection, intake, and transmission of PHI to the "Minimum Necessary" data required to facilitate the dental referral network, clinical scheduling, secure messaging, and associated administrative platform features, in compliance with 45 C.F.R. § 164.502(b).
  • Authorized Intake: Data collection is restricted to information provided directly by Covered Entity personnel, or by patients explicitly interacting with Covered Entity's authorized digital referral forms.

4. Technical Infrastructure & Integrations

The parties acknowledge and agree that Business Associate maintains an integrated software architecture to secure and process PHI, governed by the following parameters:

  • Data Storage (AWS Virginia): All core application data and database records containing PHI are securely hosted and maintained within Amazon Web Services (AWS) in the US East (N. Virginia) Region. Business Associate maintains an active BAA with AWS covering all HIPAA-eligible services utilized.
  • Document Retention (DocuSign): Any electronic signatures, legal envelopes, or referral consent documentation processed via DocuSign integration are stored within dedicated, encrypted storage volumes inside the AWS environment.
  • Edge Security (Cloudflare): Business Associate utilizes Cloudflare for network-level edge protection, including Web Application Firewall (WAF), Distributed Denial of Service (DDoS) mitigation, and SSL/TLS encryption in transit. Cloudflare is strictly utilized as a conduit and does not persistently store PHI.
  • Application Programming Interfaces (Google API): Direct connections to Google APIs (e.g., calendar sync, address validation, email routing) are performed via secure, authenticated tokens. No PHI is processed or transmitted through Google APIs unless Covered Entity explicitly authorizes specific data fields necessary for the application feature.

5. Reporting Security Incidents and Breaches

  • Notice to Covered Entity: Business Associate shall notify Covered Entity in writing following the discovery of any Breach of Unsecured PHI or a successful Security Incident without unreasonable delay, and in no event later than ten (10) business days after discovery. Communications regarding breaches will be managed via the primary technical contact or via Info@toothreferral.com.
  • Content of Notice: To the extent known, the notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed, alongside a brief description of the incident.
  • Mitigation: Business Associate agrees to mitigate, to the extent practicable, any harmful effect known to Business Associate resulting from an unauthorized use or disclosure of PHI.
  • Unsuccessful Incidents: The parties agree that this section constitutes ongoing notice of routine, unsuccessful security incidents that do not result in unauthorized access, such as firewall pings, port scans, or unsuccessful log-on attempts, and no further notification to Covered Entity is required for these events.

6. Individual Rights Obligations

  • Access to PHI: To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such information available to Covered Entity within fifteen (15) business days of a written request, enabling Covered Entity to respond to an Individual's request for access under 45 C.F.R. § 164.524.
  • Amendment of PHI: Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 C.F.R. § 164.526.
  • Accounting of Disclosures: Business Associate shall document and maintain records of disclosures of PHI as necessary for Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528.

7. Data Termination, Return, or Destruction

  • Data Disposition upon Termination: Upon termination or expiration of the Underlying Agreement for any reason, Business Associate shall, at the option of Covered Entity, return or securely destroy all PHI received from, or created, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • Infeasibility of Return or Destruction: If the parties mutually agree that returning or destroying the PHI is completely infeasible (e.g., PHI embedded deep within historical, encrypted AWS data backups or required under state dental medical record retention regulations), Business Associate shall extend the protections of this BAA to such remaining PHI. Business Associate shall strictly limit any further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for as long as Business Associate maintains the PHI.
  • Verification: If requested by Covered Entity, Business Associate will provide written attestation certifying the secure deletion or destruction of active production databases holding Covered Entity's PHI. Requests for data destruction validation can be directed to Info@toothreferral.com.

8. Strict Prohibition on the Sale or Reselling of Data

Prohibition of Sale: In accordance with 45 C.F.R. § 164.502(a)(5)(ii) and the HITECH Act, Business Associate is strictly prohibited from selling, reselling, renting, or leasing PHI, or otherwise receiving direct or indirect financial remuneration in exchange for any patient data or PHI processed on the Toothreferral platform.

Marketing Restrictions: Business Associate shall not use or disclose PHI for marketing or commercial monetization purposes. Data collected via the platform remains the strict property of the Covered Entity and/or the patient, and under no circumstances will any patient information be packaged, aggregated, or disclosed to third-party brokers, advertisers, or commercial entities.

9. Term and Termination

  • Term: This BAA shall become effective upon Covered Entity's acceptance of Toothreferral's Terms of Service and registration on the platform, and shall remain in effect until the Underlying Agreement is terminated or expires.
  • Termination for Cause: Upon either party's knowledge of a material breach of this BAA by the other party, the non-breaching party shall provide the breaching party thirty (30) days to cure the breach. If the breach is not cured within such time, the non-breaching party may immediately terminate the Underlying Agreement and this BAA.

10. Miscellaneous

  • Regulatory References: A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
  • Amendment: The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity or Business Associate to comply with the requirements of HIPAA and the HITECH Act.
  • Survival: The respective rights and obligations of Business Associate under Section 7 ("Data Termination, Return, or Destruction") and Section 8 ("Strict Prohibition on the Sale or Reselling of Data") of this BAA shall survive the termination of this Agreement.
  • Notices and Communications: Any formal inquiry, notice of audit, or regulatory correspondence regarding this BAA must be sent to the physical corporate address listed above or delivered via email to Info@toothreferral.com.
  • Electronic Acceptance: By checking the box, clicking "I Agree," or otherwise completing the registration flow to utilize Toothreferral, Covered Entity acknowledges, accepts, and executes this BAA as a legally binding addendum to the platform's Terms of Service.