HIPAA Compliance

HIPAA Business Associate Agreement

Protected health information safeguards, breach notification, and compliance obligations.

RecordIQ Enterprise Edition • Last updated: April 13, 2026

HIPAA BUSINESS ASSOCIATE AGREEMENT

Pursuant to 45 CFR 164.504(e)

by and between

[________________________________________]

("Covered Entity")

and

RecordIQ Software LLC

("Business Associate")

Effective Date: [________________________]

Version 2.0

Document Generated: March 31, 2026

TABLE OF CONTENTS

Recitals

Section 1: Definitions

Section 2: Scope and Purpose

Section 3: Obligations of Business Associate

Section 4: Permitted Uses and Disclosures

Section 5: Obligations of Covered Entity

Section 6: Security Safeguards — Software Architecture

Section 7: Breach Notification

Section 8: Term and Termination

Section 9: Technical Support and Incidental Exposure

Section 10: Miscellaneous

Section 11: Compliance Certifications

Signature Page

Exhibit A: Software Description

Exhibit B: Security Controls Summary

HIPAA BUSINESS ASSOCIATE AGREEMENT

This Agreement is entered into as of the Effective Date set forth on the cover page (the "Effective Date"), by and between:

Covered Entity: The entity identified on the cover page of this Agreement (the "Covered Entity").

Business Associate: RecordIQ Software LLC, a limited liability company organized under the laws of the State of Wyoming, with principal offices at 30 N Gould St Ste N, Sheridan, WY 82801 (the "Business Associate").

Covered Entity and Business Associate are individually a "Party" and collectively the "Parties."

RECITALS

WHEREAS, Covered Entity is a covered entity as defined under HIPAA and engages in activities that involve the creation, receipt, maintenance, or transmission of Protected Health Information (PHI); and

WHEREAS, Business Associate provides RecordIQ – Enterprise Edition, a locally installed desktop software application that Covered Entity installs and operates on its own workstations to perform optical character recognition (OCR), data extraction, analysis, and report generation on documents Covered Entity elects to process; and

WHEREAS, the Software operates entirely on Covered Entity’s workstation and does not transmit PHI to Business Associate or any third party. The sole data transmitted from the Software to Business Associate’s servers consists of a cryptographic license key and a 16-character hexadecimal device identifier for the purpose of license activation and validation; and

WHEREAS, Business Associate's Software architecture is designed so that Protected Health Information is processed exclusively on Covered Entity's controlled systems. Business Associate does not routinely create, receive, maintain, or transmit PHI in the course of providing the Software; the only exception is incidental exposure that may occur during limited, optional technical support activities such as screen sharing, log file review, or diagnostic data inspection, as described in Section 9 and subject to the safeguards set forth in Sections 5 and 7; and

WHEREAS, the Parties desire to enter into this Business Associate Agreement to satisfy the requirements of 45 CFR 164.502(e) and 164.504(e) and to establish the permitted uses and disclosures of PHI in connection with Business Associate’s provision of the Software and related services; and

WHEREAS, the Parties intend for this Agreement to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and all applicable regulations promulgated thereunder;

NOW, THEREFORE, in consideration of the mutual promises contained herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

SECTION 1: DEFINITIONS

For purposes of this Agreement, the following terms shall have the meanings set forth below. Capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them under the HIPAA Rules.

1.1 "Business Associate" shall have the meaning given to such term under the Privacy Rule, 45 CFR 160.103, and shall refer to RecordIQ Software LLC in its capacity as a provider of the Software to Covered Entity.

1.2 "Covered Entity" shall have the meaning given to such term under the Privacy Rule, 45 CFR 160.103, and shall refer to the entity identified on the cover page of this Agreement.

1.3 "Protected Health Information" or "PHI" shall have the meaning given to such term under 45 CFR 160.103, and shall include all individually identifiable health information created, received, maintained, or transmitted by Covered Entity in any form or medium.

1.4 "Electronic Protected Health Information" or "ePHI" shall have the meaning given to such term under 45 CFR 160.103, and shall refer to PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103.

1.5 "Breach" shall have the meaning given to such term under 45 CFR 164.402 and shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted under Subpart E of 45 CFR Part 164 which compromises the security or privacy of the PHI, subject to the exclusions set forth in 45 CFR 164.402(1).

1.6 "Unsecured PHI" shall have the meaning given to such term under 45 CFR 164.402 and shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.

1.7 "Security Incident" shall have the meaning given to such term under 45 CFR 164.304 and shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

1.8 "Designated Record Set" shall have the meaning given to such term under 45 CFR 164.501.

1.9 "Individual" shall have the meaning given to such term under 45 CFR 160.103, and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

1.10 "Required by Law" shall have the meaning given to such term under 45 CFR 164.103.

1.11 "Secretary" shall mean the Secretary of the United States Department of Health and Human Services or any designee thereof.

1.12 "HIPAA Rules" shall mean the Privacy Rule, Security Rule, and Breach Notification Rule at 45 CFR Part 160 and Part 164, Subparts A, C, D, and E, as amended, including all amendments made by the HITECH Act and the Omnibus Rule (78 Fed. Reg. 5566, January 25, 2013).

1.13 "Software" shall mean RecordIQ – Enterprise Edition (including all licensed tiers: Standard, Pro, and Enterprise), a locally installed desktop software application that Covered Entity installs and operates on its own workstations to perform document processing, optical character recognition, data extraction, analysis, and report generation on documents Covered Entity elects to process. A detailed description of the Software is set forth in Exhibit A.

1.14 "Non-PHI Data" shall mean any data transmitted to Business Associate for software license validation, including a hardware-derived 16-character hexadecimal device identifier and a cryptographic license key, which shall not constitute PHI under any circumstances.

1.15 "Subcontractor" shall mean any person or entity to whom Business Associate delegates functions, activities, or services involving PHI in connection with the Software or this Agreement.

1.16 "Minimum Necessary" shall mean the standard described in 45 CFR 164.502(b) and 164.514(d) limiting PHI use, disclosure, or requests to the minimum necessary to accomplish the intended purpose.

1.17 "PHI Handled by Business Associate" shall mean PHI that may be processed by Covered Entity using the Software on its local systems. For avoidance of doubt, Business Associate does not receive, store, or transmit PHI on its own servers or systems during normal operation of the Software.

SECTION 2: SCOPE AND PURPOSE

2.1 Local Operation. The Software is a desktop application installed on and operated from Covered Entity’s local workstation. All document processing, optical character recognition, data extraction, encryption, analysis, and report generation occur locally on the workstation. No PHI leaves the workstation at any time during Software operation.

2.2 Nature of Relationship. Business Associate does not create, receive, maintain, or transmit PHI on behalf of Covered Entity in the traditional sense contemplated by 45 CFR 160.103. The relationship between the Parties is characterized by Business Associate providing a software tool that Covered Entity uses independently on its own systems to process PHI.

2.3 Transmitted Data Elements. The sole data elements transmitted from the Software to Business Associate’s servers are Non-PHI Data, consisting of:

(a) a hardware-derived device identifier (a 16-character hexadecimal string) generated by the Software for the purpose of machine-binding the software license; and

(b) a cryptographic license key issued by Business Associate for the purpose of validating the software license.

These data elements do not contain, derive from, or relate to any individually identifiable health information and are not PHI.

2.4 Limited Role. Business Associate’s role is strictly limited to:

(a) providing the Software for installation on Covered Entity’s workstation;

(b) providing software updates and patches;

(c) performing license validation using Non-PHI Data; and

(d) providing technical support, during which incidental exposure to PHI may occur as described in Section 9 of this Agreement.

2.5 Compliance Purpose. This Agreement is provided to satisfy Covered Entity’s compliance requirements under 45 CFR 164.502(e) and 164.504(e). The Parties acknowledge that the offline, locally-operated architecture of the Software substantially reduces the risk profile typically associated with business associate relationships involving cloud-hosted or network-connected PHI processing systems.

2.6 Incidental Exposure. Notwithstanding the foregoing, Business Associate acknowledges that incidental exposure to PHI may occur during technical support sessions involving screen sharing, log file review, or file inspection. Such incidental exposure is addressed in Section 9 of this Agreement.

SECTION 3: OBLIGATIONS OF BUSINESS ASSOCIATE

Business Associate agrees to the following obligations:

3.1 Use and Disclosure Restrictions. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for uses permitted under Sections 4.2 and 4.3 of this Agreement.

3.2 Appropriate Safeguards. Business Associate shall implement administrative, physical, and technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by this Agreement. The specific safeguards embedded in the Software are described in detail in Section 6 and summarized in Exhibit B. These safeguards include, without limitation:

3.3 Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, including Security Incidents or Breaches of Unsecured PHI, without unreasonable delay and no later than sixty (60) calendar days after discovery of such use or disclosure. Reports shall include all information required under Section 7 of this Agreement.

3.4 Subcontractors. Business Associate shall ensure any Subcontractor performing functions involving PHI on its behalf complies with the same restrictions and safeguards as Business Associate, and shall enter into a written agreement with each such Subcontractor that contains substantially similar terms to those set forth in this Agreement, as required by 45 CFR 164.502(e)(1)(ii) and 164.314(a)(2)(iii).

3.5 Access to PHI. Business Associate shall make PHI in a Designated Record Set available to Covered Entity as necessary to satisfy 45 CFR 164.524, within fifteen (15) business days of request. The Parties acknowledge that all PHI processed by the Software resides on Covered Entity’s workstation and is directly accessible to Covered Entity at all times without requiring Business Associate’s assistance.

3.6 Amendment of PHI. Business Associate shall comply with requests for amendment of PHI pursuant to 45 CFR 164.526 within fifteen (15) business days. As noted, Business Associate does not maintain PHI on its systems; therefore, amendment obligations are limited to cooperating with Covered Entity’s reasonable requests related to any incidentally accessed PHI.

3.7 Accounting of Disclosures. Business Associate shall make available information required for accounting of disclosures pursuant to 45 CFR 164.528 within thirty (30) calendar days. The Parties acknowledge that, because the Software does not transmit PHI, disclosures requiring accounting are expected to be minimal and limited to any incidental disclosures during technical support.

3.8 Availability of Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA, as required by 45 CFR 164.504(e)(2)(ii)(I).

3.9 Safeguards for ePHI. To the extent Business Associate creates, receives, maintains, or transmits ePHI on behalf of Covered Entity, Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of such ePHI, as required by the Security Rule at 45 CFR Part 164, Subpart C. The specific safeguards are described in Section 6 of this Agreement.

3.10 Technical Support and Incidental Exposure. Any incidental PHI accessed during technical support (screen sharing, log review, or file inspection) shall be limited to the minimum necessary to resolve the support issue. Business Associate shall not retain, copy, or record any PHI encountered during support sessions. Additional provisions governing technical support are set forth in Section 9.

SECTION 4: PERMITTED USES AND DISCLOSURES

4.1 Service Performance. Business Associate may use or disclose PHI only as necessary to perform the services described in this Agreement, which are limited to providing, maintaining, and supporting the Software as installed on Covered Entity’s workstation.

4.2 Proper Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that:

(a) the use or disclosure is Required by Law; or

(b) Business Associate obtains reasonable assurances from any person or entity to whom PHI is disclosed that: (i) the information will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed; and (ii) the recipient will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached.

4.3 Reporting Violations of Law. Business Associate may use PHI to report violations of law to appropriate federal or state authorities, consistent with 45 CFR 164.502(j)(1), and only to the extent necessary for such reporting.

4.4 Minimum Necessary. Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR 164.502(b) and 164.514(d).

4.5 Prohibited Uses and Disclosures. Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except that Business Associate may use and disclose PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities as set forth in Section 4.2.

4.6 No Sale of PHI. Business Associate shall not sell PHI, as defined in 45 CFR 164.502(a)(5)(ii), or use or disclose PHI for marketing purposes, as defined in 45 CFR 164.501, or for underwriting purposes. This prohibition applies regardless of whether Business Associate receives direct or indirect remuneration in exchange for such PHI.

4.7 Documentation and Audit. Business Associate shall maintain documentation of any uses or disclosures of PHI as required by HIPAA and shall make such documentation available to Covered Entity or the Secretary upon request.

SECTION 5: OBLIGATIONS OF COVERED ENTITY

5.1 Workstation Security. Covered Entity shall implement and maintain appropriate administrative, physical, and technical safeguards on the workstation where the Software is installed and operated, including access controls, malware protection, operating system patching, and physical security measures.

5.2 Consents and Authorizations. Covered Entity shall obtain any consents, authorizations, or other permissions required under applicable law prior to furnishing PHI to the Software for processing. Covered Entity represents that its use of the Software is consistent with its Notice of Privacy Practices.

5.3 Restrictions on PHI. Covered Entity shall notify Business Associate in writing of any restriction on the use or disclosure of PHI to which Covered Entity has agreed pursuant to 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s obligations under this Agreement.

5.4 Changes to Permissions. Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, permission by any Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s obligations under this Agreement.

5.5 Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as permitted under Sections 4.2 and 4.3 of this Agreement.

5.6 Sole Responsibility for Environment. Covered Entity is solely responsible for the physical and logical security of the workstation, local area network, and computing environment in which the Software operates. Business Associate shall have no liability for breaches, security incidents, or unauthorized access arising from vulnerabilities or failures in Covered Entity’s computing environment.

SECTION 6: SECURITY SAFEGUARDS — SOFTWARE ARCHITECTURE

Business Associate has designed and implemented the following security safeguards within the Software to assist Covered Entity in protecting PHI processed on Covered Entity’s workstation. These safeguards are intended to satisfy the requirements of 45 CFR Part 164, Subpart C (Security Rule).

6.1 Encryption. All output files generated by the Software are encrypted using AES-256-GCM, a NIST-approved authenticated encryption standard compliant with FIPS 197 (Advanced Encryption Standard) and NIST SP 800-38D (Galois/Counter Mode). AES-256-GCM provides both confidentiality and data integrity verification through its authentication tag, ensuring that encrypted data cannot be altered without detection.

Encryption keys are generated locally on the workstation and stored using the Windows Data Protection API (DPAPI), which binds keys to the authenticated user profile and the specific machine identity. No plaintext fallback is permitted. If DPAPI is unavailable or fails, the Software raises an error and refuses to operate, ensuring that keys are never stored in an unprotected state.

Plaintext copies of output files are securely deleted immediately after encryption. Covered Entity may decrypt and view files within the Software’s secure viewer, which decrypts to a temporary file that is securely deleted upon closing.

6.2 Key Management. Encryption keys are subject to automatic rotation on a configurable schedule. Key rotation is performed atomically with crash-safe recovery: the new key is backed up immediately after generation (before re-encryption of existing files), ensuring recoverability in the event of interruption. The Software maintains encrypted key backups in three (3) separate locations on the workstation.

The Software includes a disaster recovery drill capability that allows Covered Entity to verify backup integrity and key restoration without affecting production data. Covered Entity is responsible for ensuring the availability and security of the workstation on which the Software and its key backups reside.

6.3 Audit Logging. The Software maintains an immutable, append-only audit log with HMAC-SHA256 chain integrity verification. Each log entry is cryptographically chained to the previous entry, enabling detection of any insertion, deletion, or modification of log records. The audit log captures nineteen (19) event types, including but not limited to: file processing, encryption and decryption operations, key rotation, authentication attempts, session management, configuration changes, and security alerts.

Audit log files are protected with NTFS Access Control Lists (ACLs) restricting access to the authorized user account. Any detected tampering or access violations generate immediate alerts within the Software. Audit logs are available for inspection by Covered Entity or the Secretary.
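As an added illustration of the chained-log property described in Section 6.3 (example code written for this page, not RecordIQ's own implementation, which is not shown here), the following Python builds an HMAC-SHA256 chain over constructed sample entries and checks which tamperings the chain alone detects; the key, record format, genesis value and the separately stored "tail" anchor are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed values for this example; the Software's real key handling,
# record format and log storage are not described on the page.
GENESIS_MAC = "0" * 64  # placeholder "previous MAC" for the first entry


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so its MAC is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_mac(key: bytes, prev_mac: str, record: dict) -> str:
    """HMAC-SHA256 over (previous entry's MAC || this record): the chain link."""
    msg = prev_mac.encode() + b"\n" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, record: dict) -> dict:
    """Append-only write: each new entry commits to the MAC of the entry before it."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = {"record": record, "mac": entry_mac(key, prev_mac, record)}
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes,
                 expected_tail: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, index of first bad entry).

    Modification, insertion or deletion of an interior entry breaks the link at
    or immediately after the tampered position. Silent truncation of the tail
    is only caught when the last known MAC is anchored somewhere the attacker
    cannot rewrite and passed in as expected_tail (reported as index len(log)).
    """
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(log):
        expected = entry_mac(key, prev_mac, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    if expected_tail is not None and not hmac.compare_digest(prev_mac, expected_tail):
        return False, len(log)
    return True, None


def build_sample_log(key: bytes) -> list:
    """Constructed sample log using a few of the event kinds Section 6.3 lists."""
    log: list = []
    events = [
        ("auth_attempt", {"result": "success"}),
        ("file_processed", {"job": "job-0001", "pages": 3}),
        ("encrypt", {"job": "job-0001", "cipher": "AES-256-GCM"}),
        ("key_rotation", {"result": "ok"}),
    ]
    for seq, (event, detail) in enumerate(events, start=1):
        append_entry(log, key, {"seq": seq, "event": event, "detail": detail})
    return log


def tamper_scenarios(key: bytes) -> dict:
    """Verdict of verify_chain for an intact log and four tampering cases."""
    intact = build_sample_log(key)
    tail = intact[-1]["mac"]  # assumed to be anchored outside the log file
    results = {"intact": verify_chain(intact, key, tail)}

    modified = build_sample_log(key)          # edit a field of entry 1
    modified[1]["record"]["detail"]["pages"] = 30
    results["modified"] = verify_chain(modified, key, tail)

    deleted = build_sample_log(key)           # remove interior entry 1
    del deleted[1]
    results["deleted"] = verify_chain(deleted, key, tail)

    inserted = build_sample_log(key)          # splice in a forged entry at 2
    inserted.insert(2, {"record": {"seq": 99, "event": "forged"}, "mac": "ab" * 32})
    results["inserted"] = verify_chain(inserted, key, tail)

    truncated = build_sample_log(key)         # drop the newest entry
    truncated.pop()
    results["truncated_no_anchor"] = verify_chain(truncated, key)
    results["truncated_with_anchor"] = verify_chain(truncated, key, tail)
    return results


if __name__ == "__main__":
    for case, verdict in tamper_scenarios(b"constructed-example-key").items():
        print(f"{case:22s} -> {verdict}")
```

The truncation case is the caveat worth noting when assessing a chained log: without an anchor for the most recent MAC, the chain verifies cleanly after its newest entries are removed.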

6.4 PHI Protection Engine. The Software includes a PHI detection engine that identifies twenty-three (23) types of PHI using twenty-one (21) regex-based pattern detectors and two (2) NLP-based detectors. The PHI detection engine is integrated into the logging subsystem to prevent PHI from appearing in application log files or diagnostic output.

Social Security Numbers are redacted using full Safe Harbor methodology. No partial digits are retained in any log, report, or diagnostic output. Phone numbers are logged by length only; actual phone number values never appear in logs. Covered Entity should not provide PHI to Business Associate outside the scope of the Software’s intended document processing functions.

6.5 Access Controls. The Software implements PIN-based user authentication with PBKDF2-HMAC-SHA256 key derivation using six hundred thousand (600,000) iterations, exceeding NIST SP 800-132 recommendations. An automatic session lock activates after a configurable inactivity timeout (five to ninety minutes). Account lockout engages after five (5) consecutive failed authentication attempts, imposing a five-minute lockout period.

All failed authentication attempts and lockout events are recorded in the audit log. The Software’s license is device-bound via a hardware-derived fingerprint, preventing unauthorized transfer of the Software to different workstations.

6.6 Secure Deletion. All temporary plaintext files, intermediate extraction data, and processing metadata are permanently destroyed upon job completion using multi-pass random overwrite in accordance with NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization). For locked files, the secure deletion routine retries at thirty-second intervals for up to ten (10) attempts.

A startup sweep executes each time the Software launches, cleaning any residual temporary data that may remain from prior sessions (e.g., due to unexpected application termination). If secure deletion fails after all retry attempts, the Software alerts the user and logs the failure for investigation.

6.7 Integrity Verification. The Software performs EXE self-hash verification at startup using SHA-256 to detect unauthorized modification of the application binary. Configuration drift detection using SHA-256 baselines monitors critical configuration files and settings, alerting the user to any unauthorized changes.

The integrity verification system operates on a fail-closed principle: if the hash verification file is missing or corrupted, the Software treats this as evidence of tampering and refuses to operate. Covered Entity is notified immediately of any integrity verification failure.

6.8 Network Isolation. The Software operates entirely offline during all document processing operations. No PHI is transmitted over any network at any time. The network communications initiated by the Software are limited to: (a) an HTTPS connection for initial license activation, transmitting only the license key and a device identifier; (b) periodic license revalidation approximately every 60 hours, transmitting only the license key and device identifier; (c) EULA acceptance and email verification; (d) optional software update checks; and (e) optional, user-initiated diagnostic submissions (see Section 9). No document data, PHI, or processing results are transmitted during any of these communications.

Between revalidation intervals, license verification is performed offline using Ed25519 digital signatures. The Software does not transmit telemetry or initiate any network connection during document processing. No PHI is transmitted under any circumstances. If the revalidation server is unreachable for 30 consecutive days, the Software enters a locked state until connectivity is restored.

6.9 Clean Code Representation. Business Associate represents that the Software does not contain any intentional malware, backdoor, or undisclosed functionality designed to transmit PHI to Business Associate or any third party without Covered Entity’s knowledge and consent.

HIPAA Safeguard Implementation Summary

A. Administrative Safeguards (45 CFR 164.308)

B. Physical Safeguards (45 CFR 164.310)

C. Technical Safeguards (45 CFR 164.312)

D. Minimum Necessary / Technical Support

Any incidental PHI accessed during support sessions is limited to the minimum necessary and handled in accordance with HIPAA and this Agreement (Sections 2.6, 3.10, and 9).

E. Audit Compliance

These safeguards are implemented and documented in accordance with HIPAA requirements and are subject to audit by Covered Entity or the Secretary as necessary.

SECTION 7: BREACH NOTIFICATION

7.1 Notification Obligation. Business Associate shall report to Covered Entity any actual or potential Breach of Unsecured PHI of which it becomes aware, without unreasonable delay and no later than sixty (60) calendar days after discovery of such Breach (per 45 CFR 164.410(a)).

7.2 Content of Notification. Each Breach notification shall include, to the extent known:

(a) the nature of the Breach, including the types of PHI involved;

(b) the identity of each Individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;

(c) the date of the Breach and the date of discovery;

(d) a description of what Business Associate is doing to investigate, mitigate harm, and prevent future Breaches; and

(e) any other information required under 45 CFR 164.410(c).

7.3 Architectural Mitigation. The Parties acknowledge that, given the Software’s offline desktop architecture and embedded technical safeguards (Section 6), Business Associate does not access PHI during normal Software operation. Normal operation of the Software on Covered Entity’s workstation does not constitute a Breach attributable to Business Associate.

7.4 Regulatory Notification Sequence. In the event of a Breach requiring notification to regulatory authorities, Business Associate shall notify Covered Entity prior to or concurrently with any notification to the Secretary, state attorneys general, or other regulatory bodies. Covered Entity shall have the primary responsibility for determining the scope and manner of notification to affected Individuals.

7.5 Limited Service Breach. If Business Associate discovers a Breach related to limited services, including license validation, support sessions, or other Business Associate-managed systems that may involve Non-PHI Data or incidentally accessed PHI, Business Associate shall promptly investigate and report findings to Covered Entity in accordance with Section 7.1.

7.6 Mitigation. Business Associate shall take prompt corrective action to mitigate any harmful effects of a Breach and shall implement reasonable measures to prevent recurrence, including but not limited to updating Software safeguards, revising support procedures, and enhancing training for support personnel.

7.7 Cooperation. Business Associate shall cooperate with Covered Entity in responding to Breaches, including providing log files, audit trails, and any system records related to the potential Breach. Each Party shall bear its own costs in connection with Breach investigation and notification unless otherwise agreed in writing.

SECTION 8: TERM AND TERMINATION

8.1 Term. This Agreement shall become effective on the Effective Date and shall remain in effect for the duration of the Parties’ business relationship, unless terminated earlier in accordance with this Section 8.

8.2 Termination for Cause. Either Party may terminate this Agreement if the other Party materially breaches any provision of this Agreement and fails to cure such breach within sixty (60) calendar days after receiving written notice thereof. If cure is not feasible, the non-breaching Party may terminate this Agreement immediately upon written notice.

8.3 Termination for Changes in Law. Either Party may terminate this Agreement upon ninety (90) days’ written notice if changes to the HIPAA Rules or other applicable law make performance under this Agreement materially impracticable.

8.4 Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity or created on Covered Entity’s behalf, if any, and shall retain no copies of such PHI. Because the Software processes PHI locally on Covered Entity’s workstation and Business Associate does not retain PHI during normal operation, Business Associate’s obligations under this Section 8.4 are limited to securely deleting any PHI that may have been incidentally accessed or retained during technical support activities.

8.5 Survival. The obligations under this Section 8, Section 7 (Breach Notification), Section 10.5 (Governing Law), Section 10.8 (Entire Agreement), Section 10.9 (Severability), Section 10.12 (Limitation of Liability), and Section 10.13 (Indemnification) shall survive termination. Because Business Associate does not retain PHI during normal operation, these survival obligations are expected to be minimal in scope.

8.6 Infeasibility of Return or Destruction. If Business Associate determines that returning or destroying PHI is infeasible (e.g., due to audit logs or limited support session artifacts), it shall notify Covered Entity in writing, provide a detailed explanation of the conditions that make return or destruction infeasible, and extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate retains such PHI.

SECTION 9: TECHNICAL SUPPORT AND INCIDENTAL EXPOSURE

9.1 Incidental Exposure During Support. The Parties acknowledge that technical support provided by Business Associate, including screen sharing, log file review, diagnostic data inspection, or output file troubleshooting, may result in incidental exposure to PHI displayed on or stored within Covered Entity’s workstation. Such incidental exposure does not constitute a use or disclosure of PHI by Business Associate except as governed by this Agreement.

9.2 No Retention. Business Associate shall not retain, copy, record, photograph, or otherwise capture any PHI encountered during support sessions. Support personnel shall avoid reading or noting PHI beyond what is strictly necessary to resolve the technical issue.

9.3 Minimum Necessary. During all support interactions, Business Associate shall apply the Minimum Necessary standard under 45 CFR 164.502(b) and 164.514(d). Covered Entity is encouraged to limit the PHI visible during support sessions by closing unnecessary documents, using test data when possible, and redacting sensitive information before initiating support requests.

9.4 Encrypted Communication and Secure Deletion. All remote technical support sessions shall be conducted over encrypted channels using TLS 1.2 or higher. Files containing PHI, if transmitted for diagnostic purposes with Covered Entity’s explicit consent, shall be encrypted in transit and securely deleted by Business Associate within twenty-four (24) hours of support resolution. For purposes of this section, "support resolution" means the earlier of (a) Business Associate’s written confirmation that the issue is resolved, or (b) five (5) business days after the last substantive communication between the Parties regarding the issue.

9.5 Support Log Redaction. The Software’s PHI detection engine automatically filters and redacts twenty-three (23) types of PHI from application log files before diagnostic output is shared during support interactions. Social Security Numbers are redacted in full, consistent with the Safe Harbor de-identification standard at 45 CFR 164.514(b)(2); no partial digits are retained. Phone numbers are recorded by length only; actual values are never written to the log.
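Illustration (added by the editor; not part of the Agreement and not RecordIQ’s code): the behaviour Section 9.5 describes for two of the identifier classes, Social Security Numbers replaced in full and phone numbers reduced to a digit count, applied to a constructed diagnostic log before it is shared with support. The regular expressions, the token format, the choice of "length" as digit count, and the sample log lines are all assumptions of this example; the other twenty-one identifier classes are not modelled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed example patterns (assumption, not the RecordIQ engine's rules):
// hyphenated SSNs and North American phone numbers with optional +1 prefix.
var (
	ssnRE   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	phoneRE = regexp.MustCompile(`(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b`)
)

func countDigits(s string) int {
	n := 0
	for _, r := range s {
		if r >= '0' && r <= '9' {
			n++
		}
	}
	return n
}

// Redact rewrites one log line. SSNs become a fixed token so no partial digits
// survive; phone numbers become a token carrying only the digit count
// ("recorded by length only", with length taken here as the digit count).
func Redact(line string) string {
	line = ssnRE.ReplaceAllString(line, "[SSN REDACTED]")
	return phoneRE.ReplaceAllStringFunc(line, func(m string) string {
		return fmt.Sprintf("[PHONE len=%d]", countDigits(m))
	})
}

// RedactLog scrubs a multi-line diagnostic log before it leaves the workstation.
func RedactLog(raw string) string {
	lines := strings.Split(raw, "\n")
	for i, l := range lines {
		lines[i] = Redact(l)
	}
	return strings.Join(lines, "\n")
}

// Leaks is the post-condition check a support tool should run before sending:
// after redaction neither pattern may still match.
func Leaks(text string) bool {
	return ssnRE.MatchString(text) || phoneRE.MatchString(text)
}

// SampleLog is constructed for this example; the values are not real PHI.
var SampleLog = strings.Join([]string{
	"2026-03-31 10:02:11 INFO extract: patient SSN 123-45-6789 parsed from page 3",
	"2026-03-31 10:02:12 WARN ocr: low confidence near phone (307) 555-0143",
	"2026-03-31 10:02:13 DEBUG fax callback +1 307-555-0199 queued",
}, "\n")

func main() {
	out := RedactLog(SampleLog)
	fmt.Println(out)
	fmt.Println("residual PHI patterns:", Leaks(out))
}
```

The order matters: the SSN rule runs first so that a nine-digit hyphenated value can never be picked up by the looser phone rule and survive as a digit count. Unhyphenated SSNs and the remaining identifier classes would need their own rules, which is exactly why a `Leaks`-style post-check belongs in the sending path rather than trusting the rewrite alone.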

9.6 Breach Notification Applicability. In the unlikely event that PHI is inadvertently disclosed during a support session in a manner not permitted under this Agreement, Business Associate shall treat such disclosure as a potential Breach and comply with the notification obligations set forth in Section 7.

SECTION 10: MISCELLANEOUS

10.1 Regulatory References. This Agreement is intended to comply with, and shall be interpreted consistently with, HIPAA, the HITECH Act, the Omnibus Rule (78 Fed. Reg. 5566, January 25, 2013), and all subsequent amendments and implementing regulations.

10.2 Amendment. This Agreement may not be amended, modified, or supplemented except by a written instrument signed by both Parties. If changes to the HIPAA Rules materially affect this Agreement, the Parties shall negotiate in good faith to amend this Agreement accordingly within sixty (60) calendar days of such changes becoming effective.

10.3 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules. In the event of a conflict between this Agreement and the HIPAA Rules, the HIPAA Rules shall control.

10.4 No Third-Party Beneficiaries. Nothing in this Agreement shall confer upon any person or entity other than the Parties and their respective successors and permitted assigns any rights, remedies, obligations, or liabilities whatsoever.

10.5 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Wyoming, without regard to its conflict of laws principles, except to the extent preempted by federal law, including HIPAA.

10.6 Dispute Resolution and Forum Selection. Any dispute arising out of or relating to this Agreement shall be resolved exclusively in the state or federal courts located in Sheridan County, Wyoming, and each Party irrevocably consents to the jurisdiction of such courts. Prior to initiating litigation, the Parties shall attempt in good faith to resolve any dispute through informal negotiation for a period of thirty (30) days following written notice of the dispute.

10.7 Notices. All notices required or permitted under this Agreement shall be in writing and shall be deemed given when: (a) delivered personally; (b) sent by certified mail, return receipt requested; (c) sent by overnight courier with confirmed delivery; or (d) sent by email with confirmed receipt. Notices to Business Associate shall be sent to: RecordIQ Software LLC, 30 N Gould St Ste N, Sheridan, WY 82801, or such other address as Business Associate may designate in writing.

10.8 Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, and communications, whether written or oral, relating to the subject matter of this Agreement.

10.9 Severability. If any provision of this Agreement is held to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, or if modification is not possible, such provision shall be severed and the remaining provisions shall continue in full force and effect.

10.10 Waiver. The failure of either Party to enforce any provision of this Agreement shall not constitute a waiver of that Party’s right to enforce that provision or any other provision. Any waiver must be in writing and signed by the waiving Party.

10.11 Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic and scanned signatures shall be deemed originals for all purposes.

10.12 LIMITATION OF LIABILITY

10.12.1 EXCEPT FOR BUSINESS ASSOCIATE'S OBLIGATIONS UNDER SECTIONS 4 (PERMITTED USES AND DISCLOSURES), 6 (SECURITY SAFEGUARDS), 7 (BREACH NOTIFICATION), AND 10.12.3 (EXCLUSIONS), IN NO EVENT SHALL BUSINESS ASSOCIATE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT, EVEN IF BUSINESS ASSOCIATE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

10.12.2 BUSINESS ASSOCIATE'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT SHALL NOT EXCEED THE TOTAL AMOUNT PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE UNDER THE UNDERLYING LICENSE AGREEMENT (THE 'LIABILITY CAP'). IN NO EVENT SHALL THE LIABILITY CAP BE LESS THAN THE TOTAL AMOUNT PAID BY COVERED ENTITY FOR THE INITIAL LICENSE.

10.12.3 EXCLUSIONS. THE LIMITATIONS IN SECTIONS 10.12.1 AND 10.12.2 SHALL NOT APPLY TO: (a) BUSINESS ASSOCIATE'S INDEMNIFICATION OBLIGATIONS UNDER SECTION 10.13; (b) BREACHES RESULTING FROM WILLFUL MISCONDUCT OR GROSS NEGLIGENCE; (c) CLAIMS THAT CANNOT BE LIMITED BY APPLICABLE LAW; OR (d) CIVIL MONEY PENALTIES IMPOSED DIRECTLY ON BUSINESS ASSOCIATE UNDER HIPAA.

10.12.4 ESSENTIAL PURPOSE. THE PARTIES AGREE THAT THE LIMITATIONS IN THIS SECTION REPRESENT A FUNDAMENTAL ELEMENT OF THE BARGAIN BETWEEN THE PARTIES AND WILL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.

10.13 INDEMNIFICATION

10.13.1 INDEMNIFICATION BY BUSINESS ASSOCIATE. Business Associate shall indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or resulting from: (a) Business Associate's material breach of this Agreement; (b) Business Associate's violation of HIPAA, the HITECH Act, or implementing regulations to the extent attributable to Business Associate's acts or omissions; or (c) Business Associate's gross negligence or willful misconduct in performing its obligations under this Agreement.

10.13.2 INDEMNIFICATION BY COVERED ENTITY. Covered Entity shall indemnify, defend, and hold harmless Business Associate and its officers, directors, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or resulting from: (a) Covered Entity's material breach of this Agreement; (b) Covered Entity's failure to obtain required patient authorizations or consents; (c) Covered Entity's configuration, deployment, or operation of the Software in a manner inconsistent with Business Associate's published documentation; or (d) Covered Entity's gross negligence or willful misconduct.

10.13.3 PROCEDURE. The indemnified party shall: (a) promptly notify the indemnifying party in writing of any claim for which indemnification is sought; (b) grant the indemnifying party sole control of the defense and settlement of such claim, provided that no settlement admits liability of or imposes non-monetary obligations on the indemnified party without its prior written consent; and (c) cooperate reasonably in the defense at the indemnifying party's expense. Failure to provide prompt notice shall not relieve the indemnifying party of its obligations except to the extent actually prejudiced.

10.14 Force Majeure. Neither Party shall be liable for any delay or failure to perform its obligations under this Agreement (other than payment obligations and Breach notification obligations under Section 7) resulting from events beyond the Party’s reasonable control, including but not limited to: natural disasters, pandemics, government actions, cyberattacks, infrastructure outages, or third-party provider failures. The affected Party shall provide prompt written notice and use commercially reasonable efforts to mitigate the impact.

SECTION 11: COMPLIANCE CERTIFICATIONS

11.1 Purpose. Business Associate represents that the Software has been developed and tested to align with recognized regulatory frameworks and industry standards.

11.2 Certification Statement. Business Associate represents that the Software is designed with safeguards that support compliance with HIPAA standards, including the Privacy Rule, Security Rule, and Breach Notification Rule. This certification reflects the state of the Software as of the Effective Date.

11.3 Supported Standards. The Software’s safeguards are designed to support compliance with the following standards and frameworks:

11.4 Disclaimer. These certifications are informational only and represent the state of the Software as of the Effective Date. They do not replace Covered Entity’s own compliance assessments, risk analyses, or legal obligations. Business Associate makes no warranty, express or implied, that use of the Software will result in compliance with HIPAA or any other law. Covered Entity remains solely responsible for its own HIPAA compliance program.

SIGNATURE PAGE

IN WITNESS WHEREOF, the Parties have executed this HIPAA Business Associate Agreement as of the Effective Date set forth on the cover page.

COVERED ENTITY

Organization: _______________________________________________

Authorized Signatory: _______________________________________________

Printed Name: _______________________________________________

Title: _______________________________________________

Date: _______________________________________________

BUSINESS ASSOCIATE

Organization: _______________________________________________

Authorized Signatory: _______________________________________________

Printed Name: _______________________________________________

Title: _______________________________________________

Date: _______________________________________________

EXHIBIT A: SOFTWARE DESCRIPTION

This Exhibit A is attached to and incorporated by reference into the HIPAA Business Associate Agreement (the "Agreement") between the Parties. This Exhibit provides a detailed description of the Software referenced in the Agreement.

A.1 Software Identity

RecordIQ – Enterprise Edition is a locally installed desktop software application that licensees install and operate on their own workstations to perform document processing, optical character recognition (OCR), data extraction, analysis, and report generation on documents they elect to process. The Software is developed and distributed by RecordIQ Software LLC.

A.2 Processing Capabilities

The Software includes thirty-two (32) document processing modules, ten (10) Core security modules, and thirty-three (33) graphical user interface tabs. Key functions of the processing modules include:

A.3 Architecture

The Software is a standalone desktop application that operates entirely on Covered Entity’s workstation. It does not require a network connection for document processing. All PHI remains on the local workstation at all times. Network communications are limited to: (a) an HTTPS license activation request, transmitting only the license key and a 16-character hexadecimal device identifier; (b) periodic license revalidation (approximately every 60 hours), transmitting only the license key and device identifier. No PHI is transmitted.

A.4 Data Flow

Input: PDF documents containing medical records, loaded from the local file system by Covered Entity.

Processing: OCR, extraction, analysis, and report generation occur entirely on the local workstation.

Output: Encrypted Excel workbooks, encrypted PDF reports, and encrypted JSON files stored on the local file system. All output is encrypted with AES-256-GCM. Plaintext copies are securely deleted immediately after encryption.

License Activation: Initial HTTPS request transmitting only the license key and device identifier (Non-PHI Data). Periodic revalidation occurs approximately every 60 hours; between intervals, license verification is offline via Ed25519 digital signatures. If the server is unreachable for 30 consecutive days, the Software enters a locked state.
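Illustration (added by the editor; not part of the Agreement and not RecordIQ’s code): what "offline verification via Ed25519 digital signatures" with a 60-hour revalidation interval and a 30-day lock means in practice. The activation server signs a small token once; the client holds only the server’s public key and can check the token without any network call. The token layout (license key, device identifier, issue time), the key and device values, and the state names are assumptions of this example; Exhibit A names only the license key and the 16-character hexadecimal device identifier as transmitted fields.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Intervals taken from Exhibit A.4.
const (
	RevalidateEvery  = 60 * time.Hour
	OfflineLockAfter = 30 * 24 * time.Hour
)

// LicenseClaims is a hypothetical signed payload. IssuedAt is assumed so the
// client can apply the revalidation and lock intervals without a server.
type LicenseClaims struct {
	LicenseKey string    `json:"license_key"`
	DeviceID   string    `json:"device_id"` // 16-character hex identifier
	IssuedAt   time.Time `json:"issued_at"`
}

// LicenseToken is what activation or revalidation returns: the exact payload
// bytes that were signed plus the Ed25519 signature over them.
type LicenseToken struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

type LicenseState int

const (
	StateValid      LicenseState = iota
	StateRevalidate              // past 60h: contact the server, keep running
	StateLocked                  // past 30 days, or token invalid
)

// IssueToken is the server side: sign the canonical payload bytes.
func IssueToken(priv ed25519.PrivateKey, c LicenseClaims) (LicenseToken, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return LicenseToken{}, err
	}
	return LicenseToken{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// CheckLicense is the client side and needs no network: verify the signature
// over the stored bytes first, and only then parse them and apply policy.
func CheckLicense(pub ed25519.PublicKey, tok LicenseToken, deviceID string, now time.Time) (LicenseState, error) {
	if !ed25519.Verify(pub, tok.Payload, tok.Signature) {
		return StateLocked, errors.New("license token signature invalid")
	}
	var c LicenseClaims
	if err := json.Unmarshal(tok.Payload, &c); err != nil {
		return StateLocked, err
	}
	if c.DeviceID != deviceID {
		return StateLocked, errors.New("license token bound to a different device")
	}
	age := now.Sub(c.IssuedAt)
	switch {
	case age < 0:
		return StateLocked, errors.New("license token issued in the future")
	case age >= OfflineLockAfter:
		return StateLocked, nil
	case age >= RevalidateEvery:
		return StateRevalidate, nil
	default:
		return StateValid, nil
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const dev = "3fa9c2e17b04d5a8" // constructed device identifier
	issued := time.Date(2026, 3, 31, 12, 0, 0, 0, time.UTC)
	tok, err := IssueToken(priv, LicenseClaims{LicenseKey: "RIQ-ENT-EXAMPLE-0001", DeviceID: dev, IssuedAt: issued})
	if err != nil {
		panic(err)
	}
	for _, d := range []time.Duration{time.Hour, 61 * time.Hour, 31 * 24 * time.Hour} {
		st, err := CheckLicense(pub, tok, dev, issued.Add(d))
		fmt.Printf("after %v: state=%d err=%v\n", d, st, err)
	}
	// Flipping one payload byte must fail the signature check before parsing.
	bad := tok
	bad.Payload = append([]byte(nil), tok.Payload...)
	bad.Payload[0] ^= 1
	_, err = CheckLicense(pub, bad, dev, issued.Add(time.Hour))
	fmt.Println("tampered token:", err)
}
```

A successful revalidation simply replaces the stored token with a freshly issued one, which resets the clock; if the server stays unreachable, the same token ages from `StateRevalidate` into `StateLocked` at thirty days. Verifying the signature over the raw stored bytes, before any parsing, is the point of the ordering: a client that parsed first and verified afterwards would be exposing its JSON decoder to untrusted input.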

EXHIBIT B: SECURITY CONTROLS SUMMARY

This Exhibit B is attached to and incorporated by reference into the HIPAA Business Associate Agreement (the "Agreement") between the Parties. This Exhibit provides a summary of the security controls implemented in the Software.

This Exhibit reflects security controls as of Software version 5.22.2 (March 31, 2026) and may be updated by Business Associate from time to time in connection with Software updates. Such updates do not require formal amendment of this Agreement.

Confirmation: No PHI is transmitted externally by the Software under any circumstances. All processing occurs locally on Covered Entity’s workstation.

— End of Agreement —

For questions about this document, contact support@recordiq.app.