Business Associate Agreement
Effective date: April 22, 2026 · Last updated: April 22, 2026
This Business Associate Agreement (“BAA”) governs the use, disclosure, and protection of Protected Health Information (“PHI”) when processed through the Thalax platform. It is required for all subscribing law firms that transmit PHI through the Service. This BAA supplements and is incorporated into the Terms of Service.
- 1. Definitions
- 2. Scope & Applicability
- 3. Obligations of Business Associate
- 4. Permitted Uses & Disclosures
- 5. Prohibited Uses & Disclosures
- 6. Safeguards
- 7. Subcontractors & Agents
- 8. Breach Notification
- 9. Access to PHI
- 10. Amendment of PHI
- 11. Accounting of Disclosures
- 12. HHS Access
- 13. Obligations of Covered Entity
- 14. Term & Termination
- 15. Return or Destruction of PHI
- 16. Limitation of Liability
- 17. Indemnification
- 18. Miscellaneous
1. Definitions
Capitalized terms not otherwise defined herein have the meanings set forth in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”), as amended from time to time.
- “Business Associate” means Thalax, Inc.
- “Covered Entity” means the subscribing law firm or other entity that is a Covered Entity or Business Associate under HIPAA and has executed this BAA.
- “Protected Health Information” or “PHI” means individually identifiable health information as defined in 45 C.F.R. § 160.103, including electronic PHI (“ePHI”), that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity through the Service.
- “Breach” has the meaning set forth in 45 C.F.R. § 164.402.
- “Security Incident” has the meaning set forth in 45 C.F.R. § 164.304.
- “Service” means the Thalax platform as described in the Terms of Service.
- “Underlying Agreement” means the Terms of Service between Business Associate and Covered Entity.
2. Scope & Applicability
This BAA applies to all PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the Service. This BAA supplements the Underlying Agreement. In the event of a conflict between this BAA and the Underlying Agreement with respect to PHI, this BAA controls.
This BAA becomes effective when Covered Entity: (a) subscribes to the Service and transmits PHI; or (b) electronically accepts this BAA through the Service; or (c) executes this BAA in writing. The BAA remains in effect for the duration of the Underlying Agreement and for as long as Business Associate retains PHI.
3. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this BAA, the Underlying Agreement, or as Required by Law (as defined in 45 C.F.R. § 164.103).
- Use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 (the Security Rule), to prevent use or disclosure of PHI other than as provided for by this BAA.
- Comply with the requirements of the HIPAA Rules applicable to Business Associates, including but not limited to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316.
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Breach of Unsecured PHI and any Security Incident.
- Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI in violation of this BAA.
- Maintain and make available documentation required by the HIPAA Rules for a period of six (6) years from the date of creation or the date when it was last in effect, whichever is later.
4. Permitted Uses & Disclosures
Business Associate may use or disclose PHI solely for the following purposes:
- Service delivery: to perform functions, activities, and services for or on behalf of Covered Entity as specified in the Underlying Agreement, including case management, medical records processing, document generation, AI-assisted analysis, communications, billing, and deadline tracking.
- Proper management & administration: for Business Associate’s proper management and administration or to carry out its legal responsibilities, provided that: (a) the disclosure is Required by Law; or (b) Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
- De-identification: Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c). De-identified data is no longer PHI and is not subject to this BAA.
- As Required by Law: to the extent required by applicable federal, state, or local law.
5. Prohibited Uses & Disclosures
Business Associate shall not:
- Use or disclose PHI for marketing purposes (as defined in 45 C.F.R. § 164.501) without prior written authorization from the individual.
- Sell PHI (as defined in 45 C.F.R. § 164.502(a)(5)(ii)) under any circumstances.
- Use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted in Section 4.
- Use PHI for underwriting purposes.
- Use PHI to train third-party artificial intelligence or machine learning models.
6. Safeguards
Business Associate implements and maintains the following safeguards for ePHI, which satisfy the requirements of the HIPAA Security Rule:
a. Administrative safeguards
- Designated security officer responsible for HIPAA compliance.
- Workforce training on HIPAA obligations and PHI handling.
- Documented policies and procedures for PHI access, use, and disclosure.
- Periodic risk assessments and risk management programs.
- Sanctions policy for workforce members who violate HIPAA policies.
- Business continuity and contingency planning.
b. Physical safeguards
- All ePHI is hosted in SOC 2 Type II-certified data centers (AWS us-east-1 via Supabase).
- Physical access to data center facilities is controlled by the infrastructure provider (AWS) with 24/7 monitoring, biometric access, and environmental controls.
- Thalax does not maintain on-premises servers. All infrastructure is cloud-hosted.
c. Technical safeguards
- TLS 1.2+ encryption for all ePHI in transit.
- AES-256 encryption at rest for all database storage.
- SSN fields encrypted via pgcrypto - never stored in plaintext.
- OAuth tokens and API credentials encrypted with AES-256-GCM.
- Row-Level Security (RLS) enforced at the database level for complete firm-to-firm data isolation.
- Multi-factor authentication required for all users.
- Unique user identification and automatic session timeout.
- Least-privilege access controls for all Thalax personnel.
- Audit logging for all access to ePHI, including read, create, update, and delete operations.
- Automated daily encrypted backups with geographic redundancy.
- Intrusion detection, IP-based rate limiting, and DDoS mitigation.
- Dependency vulnerability scanning and automated security patching.
7. Subcontractors & Agents
Business Associate shall ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2).
The following subcontractors may process PHI in connection with the Service:
| Subcontractor | Purpose | PHI Exposure |
|---|---|---|
| Supabase | Database, authentication, file storage | All ePHI (encrypted at rest) |
| Anthropic (Claude API) | AI document parsing, demand letter generation | Case excerpts containing PHI (not used for model training) |
| Twilio | SMS and fax communications | Phone numbers, message content that may contain PHI |
| Stream | Video/audio calls, call recording | Call content that may contain PHI |
| Deepgram | Speech-to-text transcription | Audio containing PHI (real-time processing, not retained) |
| BoldSign | Electronic signatures | Documents containing PHI (medical authorizations, retainers) |
| Notarize | Remote online notarization | Documents and signer identity (medical authorizations, releases) |
| Resend | Transactional email | Email content that may reference PHI |
| Stripe | Payment processing | Billing data only (no clinical PHI) |
Business Associate will provide Covered Entity at least 14 days’ advance written notice before engaging a new subcontractor that will process PHI. Covered Entity may object in writing within that period. If the parties cannot resolve the objection, Covered Entity may terminate this BAA and the Underlying Agreement.
8. Breach Notification
Business Associate shall report to Covered Entity any Breach of Unsecured PHI (as defined in 45 C.F.R. § 164.402) without unreasonable delay and in no event later than sixty (60) calendar days after discovery of the Breach. Discovery occurs on the first day on which the Breach is known to Business Associate or, by exercising reasonable diligence, would have been known.
The Breach notification shall include, to the extent available:
- Identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed.
- A description of the nature of the Breach, including the types of Unsecured PHI involved.
- A description of what Business Associate has done or is doing to investigate the Breach, mitigate harm, and protect against further Breaches.
- Contact information for individuals who can answer questions about the Breach.
Business Associate shall also report to Covered Entity any Security Incident of which it becomes aware. Reports of unsuccessful Security Incidents (e.g., unsuccessful log-in attempts, pings, port scans) may be provided in summary or aggregate form upon request.
Covered Entity remains responsible for providing notification to affected individuals, the Secretary of Health and Human Services (HHS), and media outlets as required by 45 C.F.R. §§ 164.404–164.408. Business Associate shall cooperate with and assist Covered Entity in meeting these obligations.
9. Access to PHI
Business Associate shall, within fifteen (15) business days of a request, make available to Covered Entity (or, at Covered Entity’s direction, to an individual) PHI in a Designated Record Set, in accordance with 45 C.F.R. § 164.524. Business Associate shall provide PHI in the electronic form and format requested, if readily producible, or in a mutually agreed-upon alternative format (JSON, CSV, or PDF).
10. Amendment of PHI
Business Associate shall, within fifteen (15) business days of receiving a request from Covered Entity, make amendments to PHI in a Designated Record Set in accordance with 45 C.F.R. § 164.526.
11. Accounting of Disclosures
Business Associate shall maintain an accounting of disclosures of PHI as required by 45 C.F.R. § 164.528 and shall make such accounting available to Covered Entity within thirty (30) days of a request. The accounting shall cover at least the six (6) years prior to the date of the request (or such shorter period as specified by Covered Entity).
The accounting shall include: (a) the date of each disclosure; (b) the name and address of the recipient; (c) a description of the PHI disclosed; and (d) the purpose of the disclosure or a copy of the request for disclosure.
12. HHS Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules, in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(H).
13. Obligations of Covered Entity
Covered Entity agrees to:
- Provide PHI to Business Associate only as permitted by HIPAA and applicable law.
- Notify Business Associate of any limitations in its notice of privacy practices (45 C.F.R. § 164.520) that affect Business Associate’s permitted uses or disclosures.
- Notify Business Associate of any changes in or revocation of authorization by an individual to use or disclose PHI, to the extent such changes affect Business Associate’s permitted uses.
- Notify Business Associate of any restriction on the use or disclosure of PHI agreed to by Covered Entity under 45 C.F.R. § 164.522, to the extent it affects Business Associate.
- Not request Business Associate to use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity.
- Obtain all necessary authorizations, consents, and permissions from individuals before transmitting their PHI to Business Associate.
- Maintain appropriate insurance coverage, including cyber liability and professional liability insurance.
14. Term & Termination
Term. This BAA is effective as of the date Covered Entity first transmits PHI through the Service (or the date of electronic or written acceptance, if earlier) and continues until the Underlying Agreement terminates and all PHI is returned or destroyed.
Termination for cause. Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure such breach within thirty (30) days of receiving written notice. If cure is not feasible, the non-breaching party may terminate immediately.
Automatic termination. This BAA automatically terminates upon termination of the Underlying Agreement.
Effect of termination. Upon termination, Business Associate shall comply with Section 15 (Return or Destruction of PHI). The obligations of Business Associate under Sections 3, 5, 6, 8, 11, 12, 15, 16, 17, and 18 survive termination.
15. Return or Destruction of PHI
Upon termination of this BAA, Business Associate shall, at Covered Entity’s election:
- Return all PHI to Covered Entity in a mutually agreed-upon electronic format (JSON, CSV, or encrypted archive) within thirty (30) days of termination; or
- Destroy all PHI, including all copies, backups, and archived versions, and certify such destruction in writing within sixty (60) days of termination.
If return or destruction is not feasible (e.g., because PHI is embedded in backup systems that cannot be selectively purged), Business Associate shall: (a) extend the protections of this BAA to such retained PHI; (b) limit further uses and disclosures to the purposes that make return or destruction infeasible; and (c) destroy retained PHI when feasible (e.g., upon backup rotation). In no event shall PHI be retained longer than required by applicable law or regulation.
16. Limitation of Liability
THE LIMITATION OF LIABILITY PROVISIONS SET FORTH IN THE UNDERLYING AGREEMENT (TERMS OF SERVICE, SECTION 13) APPLY TO THIS BAA. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BUSINESS ASSOCIATE’S TOTAL AGGREGATE LIABILITY UNDER THIS BAA SHALL NOT EXCEED THE TOTAL FEES PAID BY COVERED ENTITY IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
NOTWITHSTANDING THE FOREGOING, NOTHING IN THIS BAA LIMITS EITHER PARTY’S LIABILITY FOR: (A) WILLFUL MISCONDUCT OR GROSS NEGLIGENCE; (B) BREACH OF CONFIDENTIALITY OBLIGATIONS WITH RESPECT TO PHI CAUSED BY A PARTY’S INTENTIONAL OR RECKLESS CONDUCT; OR (C) INDEMNIFICATION OBLIGATIONS UNDER SECTION 17.
17. Indemnification
Each party (the “Indemnifying Party”) shall indemnify, defend, and hold harmless the other party and its officers, directors, employees, and agents from and against any third-party claims, losses, damages, fines, penalties, costs, and expenses (including reasonable attorneys’ fees) arising from the Indemnifying Party’s breach of this BAA or violation of the HIPAA Rules.
Additional Covered Entity indemnification. Covered Entity shall additionally indemnify Business Associate from claims arising from: (a) Covered Entity’s failure to obtain required patient authorizations or consents; (b) Covered Entity’s instructions to Business Associate that violate HIPAA; or (c) Covered Entity’s breach of obligations under Section 13 of this BAA.
18. Miscellaneous
Regulatory amendments. The parties agree to negotiate in good faith any amendment to this BAA that may be required by changes to the HIPAA Rules or other applicable law. If the parties cannot agree on an amendment within sixty (60) days, either party may terminate this BAA upon thirty (30) days’ written notice.
Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the parties to comply with the HIPAA Rules.
No third-party beneficiaries. Nothing in this BAA confers any rights on any third party, including any individual whose PHI is processed under this BAA. Individuals must exercise their HIPAA rights through Covered Entity.
Governing law. This BAA is governed by the laws of the State of Florida, USA, to the extent not preempted by HIPAA or other federal law.
Severability. If any provision is held invalid, the remaining provisions remain in effect. The invalid provision shall be modified to the minimum extent necessary to be enforceable.
Entire BAA. This BAA, together with the Underlying Agreement, constitutes the complete agreement between the parties with respect to PHI and supersedes all prior BAA agreements between them.
Notices. All notices under this BAA shall be sent to:
- Business Associate: [email protected]
- Covered Entity: the email address on file for the subscribing firm’s account.
To execute this BAA or request a countersigned copy, contact [email protected].
Thalax, Inc.
United States