Business Associate Agreement
Effective Date: Upon execution by authorized representatives.
Last Updated: May 2026
This Business Associate Agreement (“Agreement”) is entered into between the healthcare provider organization (“Covered Entity”) subscribing to the Psychiartist platform and Auralytics Technologies (“Business Associate”), collectively referred to as the “Parties.”
1. Definitions
Terms used but not defined in this Agreement shall have the same meaning as those terms in 45 CFR §§ 160.103 and 164.501.
- Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.
- Electronic Protected Health Information (ePHI): PHI that is created, received, maintained, or transmitted in electronic form.
- Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.
- Covered Entity: The healthcare provider organization subscribing to the Psychiartist platform.
- Business Associate: Auralytics Technologies, the operator of the Psychiartist platform.
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
- Use PHI only for the purpose of performing services as described in the underlying service agreement (platform access, data processing, technical support).
- Not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
2.2 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards as required by 45 CFR § 164.308, § 164.310, and § 164.312 to protect ePHI, including but not limited to:
- Encryption at Rest: All ePHI is encrypted using AES-256-GCM encryption with unique initialization vectors per record.
- Encryption in Transit: All data transmitted between client devices and servers uses TLS 1.2 or higher with enforced HTTPS.
- Access Controls: Role-based access control (RBAC) ensuring minimum necessary access. Automatic logoff after configurable inactivity period (default: 15 minutes).
- Audit Controls: Comprehensive audit logging of all PHI access, modifications, and disclosures with 6-year retention.
- Integrity Controls: Mechanisms to authenticate ePHI and protect against improper alteration or destruction.
- Transmission Security: Encryption and integrity controls for all electronic transmissions of ePHI.
2.3 Subcontractors
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate under this Agreement.
2.4 Reporting
Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any Security Incident as defined in 45 CFR § 164.304.
3. Breach Notification
In the event of a Breach of Unsecured PHI, Business Associate shall:
- Notify Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach.
- Include in the notification: (a) identification of each individual whose PHI has been or is reasonably believed to have been affected; (b) a description of what happened; (c) the types of PHI involved; (d) steps individuals should take to protect themselves; (e) what Business Associate is doing to investigate, mitigate harm, and prevent future breaches.
- Cooperate with Covered Entity in meeting its obligations under 45 CFR § 164.404 through § 164.408.
4. Term and Termination
4.1 Term
This Agreement shall be effective as of the date the Covered Entity subscribes to the Psychiartist platform and shall remain in effect until the earlier of: (a) termination of the underlying service agreement; or (b) termination of this Agreement by either Party.
4.2 Termination for Cause
Either Party may terminate this Agreement upon 30 days' written notice to the other Party if the other Party materially breaches any provision of this Agreement and fails to cure such breach within the 30-day notice period.
4.3 Effect of Termination
Upon termination, Business Associate shall, at the direction of Covered Entity, return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
5. Obligations of Covered Entity
- Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.
- Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
- Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164.
6. Amendment
The Parties agree to take such action as is necessary to amend this Agreement from time to time as necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
7. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the United States of America, including but not limited to HIPAA, the HITECH Act, and applicable state laws.
Ready to Sign?
Contact our compliance team to initiate the BAA signing process. All BAAs are executed electronically with audit trails.