CloserMD

Business Associate Agreement

Version 1.1 · CloserMD LLC

CloserMD — Business Associate Agreement

Entered into pursuant to the HIPAA Privacy, Security, and Breach Notification
Rules (45 C.F.R. §§ 164.502(e), 164.504(e), 164.308(b), 164.314(a), 164.410).

Parties. This Business Associate Agreement ("Agreement") is between you — the
physician, group practice, or facility that signs below (the "Covered Entity") —
and CloserMD LLC, 8 Neal Dow Ave, Staten Island, NY 10314 (the "Business
Associate"), effective on the date you sign below. Where the skilled-nursing
facility at which you practice has executed its own Business Associate Agreement
with CloserMD covering the service, that facility agreement governs PHI for your
use of CloserMD and controls over this Agreement to the extent of any conflict.
This Agreement governs Protected Health Information ("PHI") that the Business
Associate creates, receives, maintains, or transmits on your behalf through the
CloserMD service described in Exhibit A. To provide the service, the Business
Associate also stores and uses the EMR login credentials you supply ("EMR
Credentials") to access your EMR on your behalf. Because those credentials unlock
ePHI in the EMR, the Business Associate protects them with the same safeguards
that apply to ePHI under this Agreement.

1. Definitions. Capitalized terms not defined here have the meanings given in
the HIPAA Rules (45 C.F.R. Parts 160 and 164), including Breach (§ 164.402),
Designated Record Set (§ 164.501), Electronic PHI, Individual, Required By Law
(§ 164.103), Secretary, Security Incident (§ 164.304), Subcontractor, and
Unsecured PHI (§ 164.402).

2. Permitted uses and disclosures. The Business Associate may use or disclose
PHI only (a) as necessary to perform the services in Exhibit A and as Required By
Law; and (b) for its proper management and administration, provided any disclosure
is Required By Law or is made under written confidentiality assurances with
breach-reporting back to the Business Associate. It will limit PHI to the minimum
necessary (§ 164.502(b)) and will not use or disclose PHI in any way that would
violate the HIPAA Rules if done by the Covered Entity. It will not sell PHI (45
C.F.R. § 164.502(a)(5)(ii)) and will not use PHI, EMR Credentials, or data obtained
with them to train or improve any foundation or general-purpose AI/ML model, and
will not disclose PHI to any model provider outside the BAA-covered environment. The
Business Associate may use AI/ML services that are hosted within HIPAA-eligible
infrastructure under a Business Associate Agreement (e.g., Amazon Bedrock) solely to
perform the services in Exhibit A. Data aggregation and de-identification are
permitted only if expressly authorized in Exhibit A.

3. Obligations of the Business Associate. The Business Associate will:
a. Not use or disclose PHI other than as permitted here or as Required By Law.
b. Implement and maintain administrative, physical, and technical safeguards —
with written policies and procedures — that protect the confidentiality,
integrity, and availability of ePHI and EMR Credentials per Subpart C of 45
C.F.R. Part 164, including a documented risk analysis and risk management,
least-privilege access controls, and authentication.
c. Encrypt ePHI and EMR Credentials in transit (TLS) and at rest (AWS KMS), or
implement a documented reasonable equivalent. EMR Credentials are held in
KMS-encrypted secret storage (AWS SSM SecureString), are decrypted only
server-side at the time a connection to the EMR is needed, are never returned
to the client, and are accessed only to provide the service.
d. Record and retain audit logs of access to, and use of, ePHI and EMR Credentials
sufficient to support monitoring and investigation.
e. Report to the Covered Entity any non-permitted use or disclosure, and any
Security Incident — including any known compromise of EMR Credentials — without
unreasonable delay; and report any Breach of Unsecured PHI without unreasonable
delay and no later than thirty (30) calendar days after discovery (§ 164.410),
with the information the Covered Entity needs to meet its own notification
duties (§ 164.404).
f. Ensure any Subcontractor that handles PHI or EMR Credentials agrees in writing
to restrictions at least as protective as those here (§§ 164.502(e)(1)(ii),
164.308(b)(2)).
g. Make PHI in a Designated Record Set available for access (§ 164.524), amendment
(§ 164.526), and an accounting of disclosures (§ 164.528).
h. To the extent it carries out a Covered Entity obligation under the Privacy
Rule, comply with the Privacy Rule requirements that apply to that obligation.
i. Make its internal practices, books, and records available to the Secretary to
determine HIPAA compliance.
j. Retain required documentation for at least six (6) years.

4. Obligations of the Covered Entity. You will notify the Business Associate of
any limitation in your Notice of Privacy Practices, of changes in or revocation of
an Individual's permission, and of any restriction you have agreed to under
§ 164.522, to the extent they affect the Business Associate's use or disclosure of
PHI; and you will not request any use or disclosure that would not be permissible
under the HIPAA Rules.

5. Term and termination.
a. This Agreement is effective when signed and continues until all PHI is returned
or destroyed.
b. On a material breach by the Business Associate, you may allow thirty (30) days
to cure and terminate if it is not cured, or terminate immediately if cure is
not possible.
c. On termination, the Business Associate will return or destroy all PHI and EMR
Credentials it still holds (including any held by Subcontractors) and retain no
copies. Where that is infeasible for PHI, it will extend these protections to
the retained PHI and limit further use or disclosure for as long as it is
retained. EMR Credentials are also deleted whenever you disconnect your EMR.

6. Miscellaneous. References to the HIPAA Rules mean those rules as amended. The
Parties will amend this Agreement as needed to comply with the HIPAA Rules;
amendments must be written and signed. Ambiguities are interpreted to permit HIPAA
compliance, and this Agreement controls over any conflicting services terms on this
subject matter. The Business Associate's return/destroy obligations survive
termination. There are no third-party beneficiaries. This Agreement is governed by
the laws of the State of Delaware, except where preempted by federal law.

Exhibit A — Description of services and PHI.
• Services: CloserMD lets authorized clinicians create, review, and sign
skilled-nursing-facility progress notes. It reads from and writes to the Covered
Entity's EMR (SigmaCare/MatrixCare) on the clinician's behalf, using EMR
Credentials the clinician supplies, and uses rule-based and AI-assisted tools
to suggest diagnosis codes, plan items, drug-interaction alerts, and summarized
interdisciplinary recommendations. AI processing of PHI occurs only within
HIPAA-eligible AWS services (including Amazon Bedrock) under AWS's HIPAA BAA; no
PHI is disclosed to any third-party model provider or used to train foundation
models.
• Categories of PHI: identifiers (patient name; room/bed; facility/unit; resident
identifier; dates of service); clinical content (diagnoses/ICD codes,
medications, allergies, vitals, exam, narrative notes); and transient voice
dictation (transcribed, then deleted).
• EMR Credentials: the EMR username/password the clinician supplies, stored in
KMS-encrypted secret storage (AWS SSM SecureString), decrypted only server-side
at call time, never returned to the client, and used solely to access the EMR on
the clinician's behalf.
• Permitted purposes: creating, updating, reviewing, and signing notes in the EMR
at the clinician's direction, and generating documentation/billing recaps for
the authorized clinician.
• Approved Subcontractor: Amazon Web Services — hosting, encrypted storage and
secret management (KMS, SSM), Transcribe Medical voice-to-text, and Amazon
Bedrock model inference — under AWS's
HIPAA BAA. Any vendor that will not sign a BAA is kept out of the PHI path.
• Breach notice: without unreasonable delay and no later than thirty (30) calendar
days after discovery.

By signing, you agree to the terms of this Business Associate Agreement.