Business Associate Agreement (BAA)
Last Updated: February 21, 2026 • Version: 2.0
This Business Associate Agreement ("BAA") is entered into by and between Ledger Link, Inc. ("Business Associate") and the entity or individual customer ("Covered Entity") utilizing the Ledger Link platform in connection with Protected Health Information ("PHI").
1. Background and Purpose
The parties acknowledge that Business Associate may perform certain services for or on behalf of Covered Entity that involve the use and/or disclosure of PHI. This Agreement is intended to ensure that Business Associate establishes and implements appropriate safeguards for any PHI that Business Associate receives, creates, maintains, uses, or discloses in connection with the services provided.
2. Definitions
- HIPAA Rules: The Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- Protected Health Information (PHI): Has the same meaning as the term is defined in 45 CFR § 160.103.
- Electronic Protected Health Information (ePHI): PHI that is created, received, maintained, or transmitted in electronic form.
- Breach: Has the same meaning as the term is defined in 45 CFR § 164.402.
- Unsecured PHI: Has the same meaning as the term "unsecured protected health information" is defined in 45 CFR § 164.402 (PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS).
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
3. Obligations of Business Associate
3.1 Limits on Use and Disclosure
Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as required by law. Business Associate shall only use or disclose PHI for the purpose of performing the services requested by Covered Entity.
3.2 Safeguards
Business Associate shall implement and use appropriate administrative, physical, and technical safeguards (including without limitation, those required by the HIPAA Security Rule) to prevent the use or disclosure of PHI other than as provided for by this BAA.
3.2.1 Administrative Safeguards
- Privacy and Security Officer: Business Associate designates a privacy and security officer responsible for the development and implementation of the privacy and security policies and procedures required by the HIPAA Rules.
- Workforce Training: All personnel with access to PHI receive HIPAA awareness training upon hire and annually thereafter.
- Access Policies: Access to PHI is granted on a minimum-necessary, role-based basis and reviewed regularly.
- Risk Assessments: Business Associate conducts periodic risk assessments to identify and mitigate threats to PHI.
- Incident Response: Documented incident response procedures are maintained and tested to ensure timely breach detection and response.
3.2.2 Physical Safeguards
- Data Center Security: All PHI is stored in data centers operated by cloud providers that maintain SOC 2 Type II attestation reports (AWS via Supabase), with 24/7 physical security monitoring, biometric access controls, and environmental protections.
- Facility Access Control: Physical access to servers and infrastructure is restricted to authorized personnel and logged.
- Secure Disposal: Electronic media containing PHI is securely wiped or destroyed in accordance with NIST SP 800-88 guidelines before disposal or re-use.
3.2.3 Technical Safeguards
- Encryption at Rest: All PHI stored in databases and backups is encrypted with AES-256.
- Encryption in Transit: All data in transit is protected with TLS 1.3. HTTPS is enforced, and HTTP Strict Transport Security (HSTS) headers instruct browsers to refuse plaintext HTTP connections.
- Multi-Factor Authentication: MFA is available for all user accounts and required for administrative access to systems containing PHI.
- Role-Based Access Control: The platform enforces row-level security (RLS) policies in PostgreSQL so that each query returns only the rows belonging to the user's organization and permitted by the user's role, in addition to application-level authorization checks.
- Audit Controls: All access to and modifications of PHI are logged with timestamps, user identity, and action type. Audit logs are immutable and retained for a minimum of six (6) years.
- Session Management: Sessions time out automatically after a period of inactivity, and limits on concurrent sessions are enforced.
3.3 Reporting
Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI and any Security Incidents.
3.4 Subcontractors
In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI.
3.5 Breach Notification
In the event of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity in writing without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach. Notification shall include:
- Identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach
- A brief description of what happened, including the date of the Breach and the date of discovery
- A description of the types of Unsecured PHI that were involved
- Any steps individuals should take to protect themselves from potential harm resulting from the Breach
- A description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against further Breaches
- Contact information for individuals to ask questions
4. Permitted Uses and Disclosures
Except as otherwise limited in this BAA, Business Associate may:
- Use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity.
- Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities.
- Provide data aggregation services relating to the health care operations of Covered Entity.
5. Term and Termination
This Agreement shall be effective as of the date Covered Entity accepts the Ledger Link Terms of Service and shall terminate when all PHI provided by Covered Entity is destroyed or returned to Covered Entity.
5.1 Termination for Cause
Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide Business Associate an opportunity to cure the breach within thirty (30) days, or terminate this Agreement if cure is not feasible. If Business Associate fails to cure the breach within that period, Covered Entity may terminate this Agreement.
5.2 Obligations Upon Termination
Upon termination of this Agreement, Business Associate shall:
- Return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within thirty (30) calendar days.
- If return or destruction is not feasible, extend the protections of this BAA to any retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
- Provide written certification to Covered Entity confirming that PHI has been returned or destroyed within thirty (30) days of termination.
5.3 Minimum Necessary Standard
Business Associate shall make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and the minimum necessary standard of the HIPAA Privacy Rule. The platform enforces this through role-based access controls that restrict each user's access to only the data required for their function.
6. Contact Information
For questions about this BAA or Ledger Link's HIPAA compliance practices, contact compliance@theledgerlink.com.
This BAA is incorporated by reference into the Ledger Link Terms of Service. Enterprise customers requiring a signed copy should contact compliance@theledgerlink.com.