This Business Associate Agreement (the "Agreement" or "BAA") is made and entered into at the date and time your Thrizer account is created and is between you ("Covered Entity") and Thrizer, Inc. ("Business Associate"), a Delaware Corporation.
The Covered Entity and Business Associate, collectively, the "Parties", wish to enter into this agreement.
The Parties may contemplate entering into one or more agreements (the "Terms of Service" or "ToS") pursuant to which Business Associate is providing certain services to the Covered Entity that require the disclosure and use of Protected Health Information ("PHI"). Unless the ToS specifies otherwise, Business Associate is an Independent Contractor with respect to the performance of all Services, and neither Business Associate nor anyone employed by Business Associate will be deemed for any purpose to be the employee, agent, servant or representative of the Covered Entity. Both Parties are committed to complying with the Privacy Rule and the Security Rule promulgated pursuant to the Health Insurance Portability and Accountability Act ("HIPAA"), as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act and associated regulations.
This Agreement sets forth the terms and conditions pursuant to which PHI that is provided by, or created or received by, the Business Associate from or on behalf of the Covered Entity, will be handled between the Business Associate and the Covered Entity and with third parties during the term of each Service Agreement and after its termination.
In consideration of the terms of this Agreement, and other valuable considerations, the parties agree as follows:
1. Definitions
1.1. Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Use.
1.2. A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the "Privacy Rule") as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.
1.3. Covered Entity. "Covered Entity" shall mean a healthcare provider as defined under 45 C.F.R. § 160.103 who has registered for and uses the Business Associate's services in a professional capacity.
2. General Obligations of Business Associate
2.1. Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
2.2. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by the BAA.
2.3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI.
2.4. Business Associate agrees to the following breach notification requirements:
- Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within 30 calendar days of "discovery" within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. Business Associate also shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time.
- Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary, and/or any other parties as required under HIPAA, the HITECH Act, ARRA, and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification.
- In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.
2.5. Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
2.6. Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524.
- Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.
- Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4).
- Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
2.7. Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.526.
2.8. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528.
2.9. Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Section 1.5).
2.10. To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
2.11. Business Associate agrees to account for the following disclosures:
- Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
- Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
- Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) ("EHR") in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested from Covered Entity.
- In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR.
2.12. Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.
2.13. Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.
3. Permitted Uses and Disclosures by Business Associate
3.1. Except as otherwise limited by this Agreement, Business Associate may make any Uses and Disclosures of Protected Health Information necessary to perform its services to Covered Entity and otherwise meet its obligations under this Agreement, if such Use or Disclosure would not violate the Privacy Rule, or the privacy provisions of the HITECH Act, if done by Covered Entity. All other Uses or Disclosures by Business Associate not authorized by this Agreement, or by specific instruction of Covered Entity, are prohibited.
3.2. Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
3.3. Except as otherwise limited in this Agreement, Business Associate may Disclose Protected Health Information for the proper management and administration of the Business Associate, provided that Disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and used, or further Disclosed, only as Required By Law, or for the purpose for which it was Disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.4. Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). Business Associate agrees that such Data Aggregation services shall be provided to Covered Entity only wherein said services pertain to Health Care Operations. Business Associate further agrees that said services shall not be provided in a manner that would result in Disclosure of Protected Health Information to another covered entity who was not the originator and/or lawful possessor of said Protected Health Information. Further, Business Associate agrees that any such wrongful Disclosure of Protected Health Information is a direct violation of this Agreement and shall be reported to Covered Entity immediately after the Business Associate becomes aware of said Disclosure and, under no circumstances, later than three (3) business days thereafter.
3.5. Business Associate may Use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
3.6. Business Associate shall make Uses, Disclosures, and requests for Protected Health Information consistent with the Minimum Necessary principle as defined herein.
4. Obligations and Activities of Covered Entity
4.1. Covered Entity shall notify Business Associate of the provisions and any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such provisions and limitation(s) may affect Business Associate's Use or Disclosure of Protected Health Information.
4.2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that the changes or revocation may affect Business Associate's use or disclosure of Protected Health Information.
4.3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, and also notify Business Associate regarding restrictions that must be honored under Section 13405(a) of the HITECH Act, to the extent that such restrictions may affect Business Associate's Use or Disclosure of Protected Health Information.
4.4. Covered Entity shall notify Business Associate of any modifications to accounting disclosures of Protected Health Information under 45 CFR § 164.528, made applicable under Section 13405(c) of the HITECH Act, to the extent that such restrictions may affect Business Associate's use or disclosure of Protected Health Information.
4.5. Business Associate shall provide information to Covered Entity via email or phone call, wherein such information is required to be provided to Covered Entity as agreed to by Business Associate in paragraph 2.11 of this Agreement. Covered Entity reserves the right to modify the manner and format in which said information is provided to Covered Entity, as long as the requested modification is reasonably required by Covered Entity to comply with the HIPAA Rules or the HITECH Act, and Business Associate is provided sixty (60) business days' notice before the requested modification takes effect.
4.6. Covered Entity shall not require Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity.
5. Compliance with Security Rule
5.1. Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term "Electronic Health Record" or "EHR" as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
5.2. In accordance with the Security Rule, Business Associate agrees to:
- Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. Business Associate acknowledges that, effective on the Effective Date of this BAA: (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity; and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements;
- Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and
- Report to the Covered Entity any Security Incident of which it becomes aware.
6. Indemnification
The parties agree and acknowledge that, except as set forth herein, the indemnification obligations contained under the Terms of Service shall govern each party's performance under this BAA.
Notwithstanding the foregoing, nothing in this Section shall limit any rights that any of the Indemnified Parties may have to additional remedies under the ToS or under applicable law for any acts or omissions of Business Associate or its agents or Subcontractors.
7. Term and Termination
7.1. The Term of this Agreement shall be effective as of the date and time Covered Entity agrees to the Terms of Service for using Business Associate's website, software, and services by creating an account, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Agreement.
7.2. Either party may terminate this BAA for cause. Upon knowledge of a material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation, or terminate the BAA. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed 15 days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the ToS, upon written notice to the other party.
7.3. Upon termination of this BAA for any reason, the parties agree that Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. The PHI shall be returned in a format that is reasonably expected to preserve its accessibility and usability. Business Associate shall retain no copies of the PHI.
8. No Third Party Beneficiaries
The parties agree that the terms of this Agreement shall apply only to themselves and are not for the benefit of any third party beneficiaries.
9. De-Identified Data
Notwithstanding the provisions of this Agreement, Business Associate and its subcontractors may disclose non-personally identifiable information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified.
10. Governing Law & Dispute Resolution
Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Terms of Service. All disputes between the parties will be resolved according to the dispute resolution and arbitration rules specified in the Terms of Service.
11. Miscellaneous
11.1. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act and its corresponding regulations.
11.2. Survival. The respective rights and obligations of Business Associate under Sections 6 and 7 of this Agreement shall survive the termination of this Agreement.
11.3. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act and its corresponding regulations.
11.4. Severability. If any provision or provisions of this Agreement is/are determined by a court of competent jurisdiction to be unlawful, void, or unenforceable, this Agreement shall not be unlawful, void or unenforceable thereby, but shall continue in effect and be enforced as though such provision or provisions were omitted.
11.5. This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the ToS impose more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
11.6. This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.