BUSINESS ASSOCIATE AGREEMENT BETWEEN SIMVULY AND HEALTHCARE PROVIDER MEMBER
Last Updated: March 16, 2026.
This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is incorporated by reference into and made a part of the Simvuly Terms of Service, and is entered into by and between Simvuly LLC (“Simvuly” or “we”) and the applicable healthcare provider that has agreed to the Terms of Service (“Provider”); provided, however, that the terms of this BA Agreement apply only if and solely to the extent that Simvuly receives, creates, maintains, or transmits Protected Health Information relating to patients of Provider in connection with the Covered Services (defined below) that Simvuly, as a Business Associate, performs for or on behalf of Provider, as a Covered Entity. Simvuly, in its capacity as a Business Associate, is referred to herein as “Business Associate”, and Provider, in his/her/its capacity as a Covered Entity, is referred to herein as “Covered Entity.”
WITNESSETH
WHEREAS, Business Associate provides software-as-a-service (“SaaS”) designed to support members in communicating with other members and accessing informational content, including content that may be generated or assisted by automated systems. Simvuly does not provide clinical services, does not independently diagnose, prescribe, or direct treatment, does not verify the accuracy of PHI uploaded by users, does not determine what PHI is shared, does not make medical decisions, and does not maintain a Designated Record Set on behalf of Provider or Covered Entities. The parties acknowledge that the Simvuly Clinical Communications and Third-Party Interaction Addendum, incorporated into the Terms of Service, separately governs the clinical responsibilities of users in connection with their use of the Services;
WHEREAS, the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act, and the regulations promulgated thereunder (collectively, “HIPAA”), protect the confidentiality of health information; and
WHEREAS, in order to comply with the business associate requirements of HIPAA, a Business Associate and a Covered Entity must enter into an agreement that governs the uses and disclosures of such confidential health information by the Business Associate.
NOW, THEREFORE, in consideration of the foregoing recitals, the mutual promises and covenants set forth herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
For purposes of this BA Agreement, the following terms shall have the following meanings:
“Breach”, when capitalized, shall have the same meaning as the term “breach” in 45 C.F.R. 164.402; with respect to all other uses of the word “breach” in this BA Agreement, the word shall have its ordinary contract meaning.
“Business Associate” shall generally have the same meaning as the term “business associate” in 45 C.F.R. § 160.103.
“Covered Entity” shall generally have the same meaning as the term “covered entity” in 45 C.F.R. § 160.103.
“Covered Services” means the Services (as defined in the Simvuly Terms of Service) to the extent used in a manner that causes Simvuly to receive, create, maintain, or transmit Protected Health Information on behalf of Provider. For the avoidance of doubt, not all use of the Services gives rise to a Business Associate relationship; the BAA applies only with respect to those activities through which Simvuly acts as a Business Associate by receiving, creating, maintaining, or transmitting PHI on behalf of Provider as a Covered Entity.
“Electronic Protected Health Information” or “ePHI” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. 160.103, and is limited to ePHI created, received, maintained or transmitted by Simvuly for, or on behalf of, or from Provider in connection with Simvuly’s provision of the Covered Services.
“HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
“HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, effective February 17, 2009.
“Individual” shall have the same meaning as the term “individual” in 45 C.F.R. 160.103, and shall include a personal representative in accordance with 45 C.F.R. 164.502(g).
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, Subparts A, D, and E, as currently in effect.
“Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 and is limited to PHI created, received, maintained or transmitted by Simvuly for, on behalf of, or from Provider in connection with Simvuly’s provision of the Covered Services.
“Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. 164.103.
“Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or any office or person within the U.S. Department of Health and Human Services to which/whom the Secretary has delegated his or her authority to administer the Privacy Rule and the Security Rule, such as the Director of the Office for Civil Rights.
“Security Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. § 164.304.
“Security Rule” shall mean Security Standards for the Protection of Electronic Protected Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and C.
“Subcontractor” shall have the same meaning as the term “subcontractor” in 45 C.F.R. § 160.103.
“Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. 164.402, and is limited to the PHI created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
All references to “days” in this BA Agreement shall mean calendar days. Capitalized terms used but not defined herein shall have the meanings ascribed to them in the Privacy Rule, the Security Rule, or the applicable Terms of Service.
2.1 General. Business Associate agrees not to use or disclose PHI other than as permitted or required by this BA Agreement, the Terms of Service or as Required By Law.
2.2 Appropriate Safeguards. Business Associate agrees to use appropriate and commercially reasonable safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent any use or disclosure of PHI other than as provided for by this BA Agreement.
2.3 Subcontractors. Business Associate agrees, in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to restrictions and conditions that are no less restrictive than those that apply to Business Associate with respect to such information, only to the extent that such Subcontractors create, receive, maintain or transmit PHI on behalf of Business Associate. Business Associate may use subcontractors to provide infrastructure or support services. Such Subcontractors shall be bound by written agreements requiring appropriate safeguards consistent with HIPAA. Business Associate shall require such Subcontractors to comply with applicable HIPAA requirements and shall remain responsible for its obligations under this Agreement as required by applicable law.
2.4 Reporting of Unauthorized Use or Disclosures.
2.4.1 Business Associate agrees to report to Provider any use or disclosure of Provider’s Protected Health Information not provided for by this Agreement, including, without limitation, Breaches of Unsecured Protected Health Information as required at 45 C.F.R. 164.410, and any Security Incident of which it becomes aware. Notice is hereby deemed provided, and no further individual notice will be provided, for routine and unsuccessful Security Incidents that do not result in unauthorized access to, use, disclosure, modification, or destruction of Protected Health Information, including but not limited to pings, port scans, unsuccessful login attempts, and other similar events.
2.4.2 For all reporting obligations under this BA Agreement, the parties acknowledge that, due to the nature of the Covered Services, Business Associate may not know the nature of the PHI or the identities of the Individuals about whom the PHI relates. Accordingly, Business Associate may be limited in its ability to provide information regarding the identities of the Individuals who may have been affected by a Security Incident or Breach affecting Provider’s PHI, or in its ability to provide detailed information regarding what Provider PHI was affected by a Security Incident or Breach. Covered Entity acknowledges that, due to the nature of the Services, Business Associate may have limited or no visibility into the specific content of communications or the identity of Individuals associated with PHI transmitted through the Services. Business Associate does not have access to or knowledge of the full clinical context, patient history, or intended use of PHI transmitted through the Services, and does not make determinations regarding the appropriateness of any disclosure.
2.5 Internal Practices, Books and Records. Following reasonable advance written notice, Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Provider, available to the Secretary, for purposes of determining Business Associate’s and Covered Entity’s compliance with the Privacy Rule and Security Rule. Access shall be limited to information necessary to demonstrate Covered Entity’s compliance with HIPAA.
2.6 Access to Protected Health Information. Business Associate does not create, receive, maintain, or transmit PHI in a Designated Record Set on behalf of Covered Entity and does not maintain any Designated Record Set. Business Associate shall, to the extent technically feasible, provide reasonable assistance to Provider in responding to access requests to comply with its obligations under 45 C.F.R. 164.524 to provide Individuals with access to their Protected Health Information. Provider will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Except as Required by Law, only Covered Entity will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by Covered Entity pursuant to 45 C.F.R. §164.524, and conveyed to Business Associate by Covered Entity, shall be the responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
2.7 Amendments to Protected Health Information. Business Associate does not maintain PHI in a Designated Record Set and cannot independently amend PHI records. Business Associate shall provide reasonable technical assistance to Covered Entity where feasible as directed or agreed to by the Provider pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and Business Associate will make no such determinations. Any denial of amendment to PHI determined by Covered Entity pursuant to 45 C.F.R. §164.526, and conveyed to Business Associate by Covered Entity, shall be the responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
2.8 Accounting of Disclosures.
2.8.1 Business Associate is not responsible for maintaining a log of disclosures made by Provider, Covered Entity or their workforce members through the Services. Business Associate shall maintain records of disclosures of PHI made directly by Business Associate when required by applicable law. Business Associate shall provide to Provider such system logs or technical information as are reasonably available to assist Provider in preparing an accounting of disclosures, as necessary to satisfy Provider’s obligations under 45 C.F.R. 164.528. Specifically, within 30 business days of written notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Business Associate shall make available to Covered Entity such information as is in Simvuly’s possession and is required for Covered Entity to make the accounting required by 45 C.F.R. § 164.528. If Business Associate receives a request for an accounting directly from an Individual, Business Associate shall forward such request to the Provider. Covered Entity shall have the sole responsibility for providing an accounting to the Individual. For clarity, transmissions of PHI between authorized users of the Services do not constitute disclosures by Business Associate.
2.8.2 Notwithstanding Section 2.8.1, for repetitive disclosures of Protected Health Information that Business Associate makes for a single purpose to the same person or entity, Business Associate may record: (a) the Disclosure Information for the first of these repetitive disclosures; (b) the frequency, periodicity or number of these repetitive disclosures made during the accounting period; and (c) the date of the last of these repetitive disclosures.
2.9 Nature of Services. The parties acknowledge that the Covered Services are designed to facilitate communication and information exchange among users and are not intended to function as a system of record, clinical repository, or longitudinal patient record. Business Associate does not control the content of communications transmitted through the Services and does not independently review such communications except as necessary to operate the Services.
2.10 No Duty to Monitor. Business Associate does not monitor, review, or evaluate PHI or communications exchanged through the Services for clinical accuracy, completeness, or compliance, except as reasonably necessary to operate, maintain, or improve the Services.
2.11 No Clinical Role. Business Associate does not provide medical advice, diagnosis, or treatment, does not make clinical decisions, and does not assume responsibility for patient care. Covered Entity and its workforce members remain solely responsible for all clinical decisions and patient care activities.
2.12 AI Processing of PHI. Business Associate may use PHI to provide features and functionality of the Services that incorporate artificial intelligence or automated processing, including generating informational outputs in response to user inputs (“AI Features”), as requested by Covered Entity or its authorized users. Such use constitutes a permitted use of PHI for purposes of providing the Services under this Agreement. Business Associate shall not use PHI to train, retrain, or improve generalized artificial intelligence models except:
(i) where such PHI has been de-identified in accordance with 45 C.F.R. § 164.514, using either the Safe Harbor method (45 C.F.R. § 164.514(b)) or the Expert Determination method (45 C.F.R. § 164.514(a)); or
(ii) as otherwise expressly permitted in writing by Covered Entity.
Business Associate may engage third-party service providers to support AI Features, provided that such providers qualify as Subcontractors and agree in writing to comply with the same restrictions and conditions applicable to Business Associate under this Agreement.
2.13 User-Directed Disclosures. Covered Entity acknowledges that users of the Services may direct the transmission of PHI to other users or third-party professionals through the Services. Such transmissions are initiated by Covered Entity or its workforce and are not disclosures made by Business Associate. Covered Entity is solely responsible for ensuring that any such disclosures comply with applicable law, including the requirement to enter into Business Associate Agreements where applicable. Users’ responsibilities with respect to PHI disclosures made through the Services, including disclosures between users without a formal organizational relationship, are further addressed in the Simvuly Clinical Communications and Third-Party Interaction Addendum. Business Associate does not control or restrict the selection of recipients of PHI transmissions initiated by users.
3.1 General. Business Associate agrees to use and disclose PHI only in a manner consistent with this BA Agreement, the Privacy Rule, or the Security Rule, and only in connection with providing the Covered Services. To the extent the Covered Services include automated or artificial intelligence-assisted functionality, Business Associate’s use of PHI in connection with such functionality shall remain subject to the limitations and protections set forth in this BA Agreement. For the avoidance of doubt, transmissions of PHI between authorized users of the Services are not disclosures by Business Associate but rather are disclosures made by Covered Entity and its workforce or authorized users.
3.2 De-identification and Aggregation. Business Associate is authorized to (i) use Provider Protected Health Information to de-identify the Protected Health Information in accordance with 45 C.F.R. § 164.514(a)-(c), and (ii) provide Data Aggregation services relating to the Health Care Operations of Provider. For the avoidance of doubt, any use of PHI for product improvement, analytics, model refinement, machine learning, or artificial intelligence purposes shall be limited to PHI that has first been de-identified in accordance with HIPAA, unless otherwise expressly permitted by applicable law and authorized by an applicable written agreement.
3.3 Management, Administration and Legal Responsibilities.
3.3.1 Business Associate may use and disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities.
3.3.2 Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and that the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.3.3 If Business Associate receives a court order, subpoena, or governmental request for documents or other information containing Provider’s Protected Health Information, if legally permissible, Business Associate will use reasonable efforts to notify Provider of the receipt of the request to provide Provider an opportunity to respond. Business Associate may comply with such order, subpoena, or request as Required by Law or permitted by law.
3.4 Reporting Violations of Law. Consistent with the requirements of 45 C.F.R. 164.502(j)(1), Business Associate may disclose PHI to report violations of law or professional or clinical standards to appropriate federal and state authorities.
4.1 Notice of Privacy Practices. Provider shall notify Business Associate of limitation(s) in its Notice of Privacy Practices, to the extent such limitation affects Business Associate’s use or disclosure of PHI.
4.2 Individual Permission. Provider shall notify Business Associate of any changes in or revocation of permission by an Individual to use or disclose PHI, to the extent such changes or revocation affect Business Associate’s permitted or required uses or disclosures of PHI.
4.3 Restrictions. Provider shall notify Business Associate of restriction(s) in the use or disclosure of PHI that Provider has agreed to, to the extent such restriction affects Business Associate’s permitted uses or disclosures of PHI.
4.4 Consents and Authorizations. Provider represents and warrants that any and all consents, authorizations, or other permissions necessary under the Privacy Rule or other applicable law (including state law) for the transmission of PHI in connection with the Covered Services and for the uses and disclosures specified in this BA Agreement and in accordance with the Terms of Service have been properly secured and communicated to Business Associate.
4.5 Marketing. Provider represents and warrants that it has obtained any and all authorizations from Individuals as necessary for any use or disclosure of PHI for its Marketing in connection with the Covered Services, unless the related communication is made without any form of remuneration (i) to describe medical services or products; (ii) for treatment of the Individual; or (iii) for case management or care coordination for the Individual or to direct or recommend alternate treatments, therapies, providers or settings.
4.6 Permissible Requests by Covered Entity. Provider shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164, except with respect to uses and disclosures by Business Associate of Protected Health Information under Section 3.3 above.
4.7 Provider Responsibilities. Provider, Covered Entities and their workforce members are solely responsible for the PHI they upload, transmit, or disclose through the Services and for compliance with applicable privacy laws when using the Services. Business Associate shall not be responsible for security incidents originating from Provider or Covered Entity systems, networks, devices, or user actions outside of the Services infrastructure controlled by Business Associate. Provider represents that it is authorized to permit itself and/or its workforce members and affiliated Covered Entities to access the Services and to share PHI through the Services in accordance with HIPAA. Provider and Covered Entities remain solely responsible for maintaining designated health records and for compliance with all HIPAA obligations relating to Designated Record Sets. To the extent the Services include automated or artificial intelligence-assisted functionality, Provider, Covered Entities, and their workforce members remain solely responsible for independently evaluating any outputs generated by such functionality and for all clinical, legal, billing, and compliance decisions made in connection therewith. Provider’s obligations with respect to clinical communications, inter-organizational arrangements, and the characterization of clinical interactions conducted through the Services are further governed by the Simvuly Clinical Communications and Third-Party Interaction Addendum, which is incorporated into the Terms of Service.
4.8 Data Quality. Covered Entity acknowledges that Business Associate does not verify the accuracy, completeness, or quality of PHI submitted to or transmitted through the Services. Covered Entity and its workforce members are solely responsible for the accuracy and integrity of PHI.
5.1 Term. The term of this BA Agreement shall commence on the date that Provider agrees to the Simvuly Terms of Service by electronically registering as a Simvuly member and shall continue in effect for as long as Provider maintains an active account, unless terminated as provided in this Section 5.
5.2 Termination for Cause. In the event either party determines that the other has materially breached a term of this BA Agreement, and such breach continues for thirty (30) days after written notice of such breach has been received, the party claiming a breach shall have the right to terminate this BA Agreement. Upon termination of this BA Agreement, Simvuly may immediately terminate Provider’s Simvuly membership.
5.3 Effect of Termination. The parties hereby acknowledge that Business Associate’s return or destruction of PHI is not feasible, and therefore, Business Associate may retain a copy of such Protected Health Information provided that: (i) the provisions of this Agreement shall continue to apply to any such information retained following termination of this Agreement; and (ii) Business Associate shall limit uses and disclosures of such PHI to those purposes that make the return or destruction thereof not feasible, for as long as Business Associate maintains such PHI.
6.1 Regulatory References. A reference in this BA Agreement to a section in HIPAA, the HITECH Act, the Privacy Rule, or the Security Rule means the section as in effect or as amended at the time.
6.2 Survival. The respective rights and obligations of the parties under Section 5.3 of this BA Agreement shall survive the termination of this BA Agreement.
6.3 Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits the parties to comply with the Privacy Rule and Security Rule.
6.4 Controlling Provisions. Except to the extent specified in this BA Agreement, all of the terms and conditions governing Provider’s use of the Covered Services specified in the Terms of Service shall be and remain in full force and effect, and in the event of any conflict between this BA Agreement and such terms and conditions, this BA Agreement shall govern and control. If Provider is an employee, contractor, or other workforce member of an enterprise with whom Simvuly has also executed a Business Associate Agreement intended to cover use by the enterprise’s workforce members of the Services, that enterprise Business Associate Agreement will apply to Protected Health Information that Simvuly receives, creates, maintains, or transmits in connection with Provider’s use of those Services features as specified in the applicable Enterprise Agreement between Simvuly and the enterprise. For the avoidance of doubt, the order of precedence among Simvuly’s legal instruments in the event of a conflict is as follows: (i) with respect to HIPAA compliance and the treatment of PHI, this BAA shall govern and control over the Terms of Service and any Enterprise Agreement; (ii) with respect to commercial terms, service access, and other non-HIPAA matters, an applicable Enterprise Agreement shall govern and control over the Terms of Service; and (iii) the Terms of Service shall govern with respect to all matters not addressed by this BAA or an applicable Enterprise Agreement.
6.5 Amendment. This BA Agreement is incorporated by reference into and made a part of the Terms of Service, and as such may be amended from time to time by Simvuly as described therein, subject to applicable law. Continued use of the Services following amendment of this BA Agreement shall indicate Provider’s acceptance of such amendment.
6.6 Independent Relationship. None of the provisions of this BA Agreement are intended to create, nor will they be deemed to create, any relationship between the parties other than that of independent parties contracting with each other as independent contractors solely for the purposes of effecting the provisions of this BA Agreement and the terms and conditions governing Provider’s use of the Covered Services.
6.7 Notices. Simvuly may provide notices under this BA Agreement via email to the address associated with Provider’s account or through the Services. Provider may provide notice to Simvuly at support@simvuly.com. Notices will be deemed effective upon receipt.
6.8 Choice of Law and Jurisdiction. This BA Agreement, as well as all related disputes, shall be governed by and construed in accordance with the laws of the State of Ohio, without giving effect to its conflict of law provisions, regardless of where you access the Covered Services from. You agree that the exclusive place of jurisdiction for all disputes or claims relating to this BA Agreement is Cuyahoga County, Ohio, or the United States District Court for the Northern District of Ohio, except as otherwise agreed by the parties or as described in the Arbitration Agreement set forth in the Terms of Service.