Universal Services Agreement · v2.0.0

HIPAA Business Associate Agreement

This is Section 3 of Psy180's Universal Services Agreement — the operative BAA between Psy180 (Business Associate) and your clinic (Covered Entity). Click-wrap signed during signup, captured as an immutable PHI-S3 snapshot.

3. HIPAA Business Associate Agreement

Psy180's BAA with covered entities — 45 CFR §§164.308(b), 164.502(e), 164.504(e).

This Section binds (i) clinics ("Covered Entities"), (ii) therapists in their capacity as workforce members of a covered entity or as solo-practitioner covered entities, and (iii) Akris LLC d/b/a Psy180 ("Business Associate"). This Section does not bind clients (whose obligations are covered by Section 4 — Notice of Privacy Practices Acknowledgment).

(a) Permitted Uses and Disclosures by Business Associate. Psy180 may use and disclose PHI only as necessary to (i) provide platform services to the Covered Entity (clinical documentation, telehealth session management, consent management, scheduling); (ii) host PHI on HIPAA-compliant infrastructure that meets all AWS BAA standards; (iii) generate aggregate de-identified analytics consistent with 45 CFR §164.514; (iv) carry out its legal obligations, including disclosures to the Secretary of HHS under 45 CFR §164.502(j)(2); (v) carry out the data-aggregation services described in 45 CFR §164.504(e)(2)(i)(B) on behalf of the Covered Entity. Psy180 will not sell PHI or use PHI for marketing without separate written authorisation under 45 CFR §164.508.

(b) Safeguards. Psy180 will implement and maintain administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C), NIST SP 800-53 / SP 800-66, and Massachusetts 201 CMR 17.00 (Written Information Security Program — incorporated regardless of client residence as the floor security standard). Psy180 operates on HIPAA-compliant infrastructure that meets all AWS BAA standards, including: AES-256 encryption at rest with customer-managed keys, TLS 1.2+ in transit, private network isolation, least-privilege access controls, multi-factor authentication for administrative access, and immutable seven-year audit logging.

(c) Subcontractors. Psy180 will ensure that each subcontractor that creates, receives, maintains, or transmits PHI on behalf of Psy180 agrees in writing to restrictions and conditions at least as stringent as those in this Section (45 CFR §164.504(e)(2)(ii)(D)).

(d) Breach Notification — 30-Day Floor. Psy180 will notify the Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than thirty (30) calendar days after discovery. This 30-day floor is stricter than HIPAA's 60-day default and aligns with the strictest applicable state regimes (Florida FIPA §501.171; Colorado §6-1-716; Washington RCW 19.255.010 as amended 2023; Massachusetts Chapter 93H §3). Notification will include the description, date of breach and discovery, types of PHI involved, mitigation steps, and recommended individual protective steps to the extent then known. The Covered Entity remains responsible for individual notifications under 45 CFR §164.404 and HHS Secretary notifications under 45 CFR §164.408.

(e) Access, Amendment, Accounting. Psy180 will make PHI available to the Covered Entity to satisfy individual requests under 45 CFR §§164.524 (access), 164.526 (amendment), and 164.528 (accounting of disclosures). Psy180 will make its internal practices, books, and records relating to PHI handling available to the Secretary of HHS for compliance audits under 45 CFR §164.504(e)(2)(ii)(H).

(f) Minimum Necessary. Psy180 will request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose (45 CFR §164.502(b)).

(g) Termination and Return of PHI. Upon termination of the Covered Entity's platform subscription, Psy180 will, at the Covered Entity's direction, return or securely destroy all PHI in its possession that is feasible to return or destroy. PHI that is not feasible to return or destroy (e.g. as part of immutable audit logs required for HIPAA compliance) will continue to be protected under this Section for as long as Psy180 retains it.

(h) Provider HIPAA Acknowledgment (Workforce-Member Obligations). [Binds therapists.] If you are a therapist signing as a workforce member of a covered entity (or as a solo-practitioner covered entity), you acknowledge: (i) your independent obligations under the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule; (ii) the minimum-necessary standard; (iii) your duty to maintain the confidentiality of your platform credentials and to enable multi-factor authentication; (iv) your duty to report any actual or suspected Breach of PHI to Psy180 and your clinic's Privacy Officer immediately upon discovery; (v) your obligation to complete HIPAA Privacy and Security training appropriate to your role within thirty (30) days and annually thereafter; (vi) the federal civil penalties (45 CFR §160.404 — up to USD 1.9 M per violation category per year) and criminal penalties (42 U.S.C. §1320d-6 — up to USD 250,000 and 10 years imprisonment for wilful misuse) for HIPAA violations; (vii) the additional obligations imposed by the state(s) in which you hold an active licence.

(i) Mutual Indemnification. Each party will indemnify, defend, and hold harmless the other party and its officers, members, employees, and agents from and against third-party claims, losses, damages, and reasonable attorneys' fees arising from the indemnifying party's (1) material breach of this Agreement, (2) negligent or wrongful acts or omissions in handling PHI, or (3) violation of HIPAA or other applicable law. Each party's aggregate indemnification obligation under this clause is capped at the total fees paid (or, on the Covered Entity's side, payable) to Akris LLC d/b/a Psy180 during the twelve (12) months preceding the event giving rise to the claim. The cap does not apply to a party's gross negligence, willful misconduct, or breach of confidentiality obligations under HIPAA, which are uncapped.

(j) Limitation of Liability. EXCEPT FOR THE UNCAPPED CARVE-OUTS IN SUB-CLAUSE (i) ABOVE, NEITHER PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL EXCEED THE GREATER OF (1) FIFTY THOUSAND U.S. DOLLARS (USD $50,000) OR (2) THE TOTAL FEES PAID OR PAYABLE TO AKRIS LLC D/B/A PSY180 DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. IN NO EVENT WILL EITHER PARTY BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS OR REVENUE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTHING IN THIS SUB-CLAUSE LIMITS EITHER PARTY'S OBLIGATIONS UNDER HIPAA OR ITS DUTY TO COMPLY WITH APPLICABLE LAW.

(k) Dispute Resolution; Venue. Any dispute arising out of or relating to this Agreement that the parties cannot resolve through good-faith negotiation within thirty (30) days will be finally resolved by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, with the arbitration seated in King County, Washington. Judgment on the award may be entered in any court of competent jurisdiction. Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in the state or federal courts located in King County, Washington for (1) violations of HIPAA, (2) misuse or unauthorized disclosure of PHI, or (3) infringement of intellectual property rights. The parties waive any right to a jury trial.