Business Associate Agreement
Last updated: March 25, 2026
To execute this BAA electronically, contact us at [email protected] or complete the BAA acceptance during your practice onboarding.
This Business Associate Agreement ("BAA") is entered into between the dental practice or entity subscribing to the AIDentalClaims platform ("Covered Entity" or "CE") and Dental Claims AI, Inc. ("Business Associate" or "BA"), collectively referred to as the "Parties." This BAA is incorporated into and made part of the underlying Service Agreement between the Parties and is executed pursuant to the requirements of 45 CFR 164.504(e).
1. Definitions
Terms used but not otherwise defined in this BAA shall have the same meaning as those terms under the HIPAA Rules (45 CFR Parts 160 and 164). The following definitions apply to this Agreement:
- Business Associate ("BA") — Dental Claims AI, Inc., which creates, receives, maintains, or transmits Protected Health Information on behalf of the Covered Entity in connection with claims intelligence, narrative generation, and denial prediction services.
- Covered Entity ("CE") — The dental practice, group, or organization that subscribes to the AIDentalClaims platform and is subject to the HIPAA Rules.
- Protected Health Information ("PHI") — Individually identifiable health information transmitted or maintained in any form or medium, as defined under 45 CFR 160.103, including electronic PHI (ePHI).
- Breach — The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR 164.402.
- Security Incident — The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304.
2. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as necessary to perform services on behalf of Covered Entity as specified in the Service Agreement, or as required by law. Permitted uses include, but are not limited to:
- Claims Processing — Analyzing dental claim data to identify errors, optimize coding accuracy, and improve reimbursement outcomes.
- Narrative Generation — Producing clinical narratives and supporting documentation to accompany insurance claims submissions.
- Denial Prediction — Applying predictive analytics to assess claim denial risk and recommend preventive measures before submission.
Business Associate may de-identify PHI in accordance with 45 CFR 164.514(b) for the purposes of improving service quality, provided that de-identified data cannot be re-identified.
3. Prohibition on Unauthorized Use or Disclosure
Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as required by law. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by the Covered Entity, except as expressly permitted herein for data aggregation and management activities.
4. Appropriate Safeguards
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in accordance with 45 CFR Part 164, Subpart C. These safeguards include:
- Encryption at Rest — All ePHI is encrypted using AES-256 encryption at rest across all storage systems.
- Encryption in Transit — All data transmissions containing ePHI are protected using TLS 1.3 with enforced HSTS policies.
- Multi-Factor Authentication (MFA) — MFA is mandatory for all user accounts accessing PHI, including administrative and operational personnel.
- Audit Logging — Comprehensive audit logs are maintained for all access to, creation of, modification of, and deletion of PHI, with logs retained for a minimum of six (6) years.
- Access Controls — Role-based access controls (RBAC) enforce the minimum necessary standard, with practice-level data isolation ensuring that each Covered Entity's PHI is logically segregated.
5. Breach Reporting
Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no event later than sixty (60) calendar days after discovery of the Breach. The breach notification shall include:
- The date of the Breach and the date of discovery of the Breach.
- A description of the nature and extent of the PHI involved, including the types of identifiers and the number of individuals affected.
- The identification of any individual(s) whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed.
- A description of the mitigation steps taken or to be taken by Business Associate to mitigate harmful effects and prevent future occurrences.
- Contact information for individuals at Business Associate who can provide additional information regarding the Breach.
Business Associate shall also report any Security Incident of which it becomes aware, including unsuccessful attempts to access ePHI where required by applicable law.
6. Subcontractor Obligations
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate under this BAA. Business Associate maintains executed BAAs with the following subprocessors:
- Amazon Web Services (AWS) — Infrastructure and hosting services. AWS operates under a fully executed BAA and provides HIPAA-eligible services for all data storage and processing.
- Anthropic — AI processing services. Anthropic processes only de-identified data that does not constitute PHI under HIPAA. No PHI is transmitted to Anthropic systems. De-identification is performed in accordance with the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)).
Business Associate shall maintain an up-to-date list of subprocessors and shall notify Covered Entity of any material changes to subprocessors.
7. Access to PHI
Business Associate shall make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524. Business Associate shall respond to any such request within fifteen (15) business days. If Business Associate receives a request for access to PHI directly from an individual, Business Associate shall forward the request to Covered Entity within five (5) business days.
8. Amendment of PHI
Business Associate shall make PHI available for amendment and shall incorporate any amendments to PHI in a Designated Record Set as directed by Covered Entity, in accordance with 45 CFR 164.526. Business Associate shall complete such amendments within fifteen (15) business days of receiving direction from Covered Entity.
9. Accounting of Disclosures
Business Associate shall document and make available the information required for Covered Entity to provide an accounting of disclosures in accordance with 45 CFR 164.528. Business Associate shall maintain such information for a period of six (6) years from the date of disclosure. The accounting shall include:
- The date of each disclosure.
- The name and address (if known) of the entity or person who received the PHI.
- A brief description of the PHI disclosed and the purpose of the disclosure.
10. Access by the Secretary of HHS
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's and Business Associate's compliance with the HIPAA Rules.
11. Minimum Necessary Standard
Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in compliance with 45 CFR 164.502(b) and 45 CFR 164.514(d). Business Associate shall implement policies and procedures to limit access to PHI to those workforce members who require such access to perform their job functions.
12. Termination and PHI Disposition
Either Party may terminate this BAA if it determines that the other Party has violated a material term of this Agreement. Upon termination of this BAA or the underlying Service Agreement, Business Associate shall:
- Return or destroy all PHI received from, or created or received on behalf of, Covered Entity within thirty (30) calendar days of termination. This includes PHI in the possession of subcontractors.
- If return or destruction is not feasible, extend the protections of this BAA to the remaining PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
- Certify in writing to Covered Entity that all PHI has been returned or destroyed, or that return or destruction is not feasible, within the thirty (30) day period.
13. Term and Survival
This BAA shall become effective on the date the Covered Entity executes the BAA (the "Effective Date") and shall remain in effect for the duration of the underlying Service Agreement. The obligations of Business Associate under Sections 4 (Appropriate Safeguards), 5 (Breach Reporting), 9 (Accounting of Disclosures), and 12 (Termination and PHI Disposition) shall survive termination of this BAA.
14. General Provisions
- Regulatory References. Any reference in this BAA to a section of the HIPAA Rules shall mean the section as in effect or as amended.
- Amendment. The Parties agree to take such action as is necessary to amend this BAA to comply with the requirements of HIPAA and its implementing regulations as they may be amended from time to time.
- Interpretation. Any ambiguity in this BAA shall be resolved to permit the Parties to comply with the HIPAA Rules.
- No Third-Party Beneficiaries. Nothing expressed or implied in this BAA is intended to confer any rights upon any person other than the Parties and their respective successors and assigns.
For questions about this Business Associate Agreement, contact [email protected].