Business Associate Agreement
Effective Date: June 1, 2025 | Last Updated: June 9, 2026
Note to Covered Entities: This Business Associate Agreement ("BAA") is incorporated by reference into and made part of the GetSurveyReady Terms of Service for all Customers who are HIPAA Covered Entities or Business Associates. By accepting the Terms of Service, you agree to the terms of this BAA. If you require a countersigned BAA for your records, contact hello@getsurveyready.com.
1. Background and Purpose
GetSurveyReady, LLC ("Business Associate" or "BA") provides accreditation compliance and staff education software services to healthcare organizations ("Covered Entity" or "CE"). In the course of providing these services, Business Associate may create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of Covered Entity. This Business Associate Agreement establishes the terms under which Business Associate will handle PHI in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, "HIPAA Rules").
2. Definitions
Capitalized terms used herein have the meanings set forth in the HIPAA Rules unless otherwise defined.
- "Breach" has the meaning set forth at 45 C.F.R. § 164.402.
- "Business Associate" means GetSurveyReady, LLC.
- "Covered Entity" means the Customer organization that is a covered entity or business associate as defined under HIPAA.
- "Electronic Protected Health Information" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form.
- "Protected Health Information" or "PHI" has the meaning set forth at 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
- "Security Incident" has the meaning set forth at 45 C.F.R. § 164.304.
- "Subcontractor" means a person or entity that creates, receives, maintains, or transmits PHI on behalf of Business Associate in connection with the services provided to Covered Entity.
- "Unsecured PHI" has the meaning set forth at 45 C.F.R. § 164.402.
3. Obligations of Business Associate
3.1 Permitted Uses and Disclosures
Business Associate may use or disclose PHI only:
- As necessary to perform the services described in the Terms of Service;
- As required by law;
- For the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed;
- To provide data aggregation services to Covered Entity relating to the healthcare operations of Covered Entity, if applicable;
- As permitted or required by this BAA; or
- As otherwise permitted in writing by Covered Entity.
Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity.
3.2 Minimum Necessary
Business Associate shall make reasonable efforts to use, disclose, and request only the minimum necessary PHI to accomplish the intended purpose, consistent with 45 C.F.R. § 164.502(b) and 45 C.F.R. § 164.514(d).
3.3 Safeguards
Business Associate shall implement appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided for in this BAA. With respect to ePHI, Business Associate shall comply with the applicable requirements of the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), including:
- Conducting regular risk analyses and implementing risk management programs;
- Implementing access controls limiting ePHI access to authorized personnel;
- Encrypting ePHI in transit and at rest using industry-standard encryption;
- Maintaining audit logs of access to and modification of ePHI;
- Implementing procedures for reporting and responding to Security Incidents.
3.4 Subcontractors
Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA, by entering into a written agreement that complies with 45 C.F.R. §§ 164.308(b)(2) and 164.502(e)(1)(ii).
Current Subcontractors that may access PHI include: Amazon Web Services, Inc. (cloud infrastructure hosting).
3.5 Reporting
Breach Notification: Business Associate shall notify Covered Entity without unreasonable delay, and in no case later than sixty (60) calendar days after discovery, of a Breach of Unsecured PHI. Notification shall include, to the extent reasonably available: (i) identification of the individuals whose PHI was or may have been breached; (ii) a description of the Breach; (iii) the types of PHI involved; (iv) steps individuals should take; (v) steps Business Associate is taking; and (vi) contact information.
Security Incidents: Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. Routine unsuccessful attempts (port scans, pings, etc.) are deemed reported through this BAA without further notification. Material Security Incidents will be reported without unreasonable delay.
Unauthorized Uses/Disclosures: Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for or permitted by this BAA of which Business Associate becomes aware, without unreasonable delay.
3.6 Access to PHI
Business Associate shall make available to Covered Entity the PHI necessary for Covered Entity to fulfill its obligations to provide individuals access to their PHI under 45 C.F.R. § 164.524. Business Associate shall provide this access within fifteen (15) business days of a written request from Covered Entity.
3.7 Amendment of PHI
Business Associate shall make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526 within fifteen (15) business days of a written request from Covered Entity.
3.8 Accounting of Disclosures
Business Associate shall maintain and make available information required for Covered Entity to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Records of disclosures required for such accounting shall be maintained for six (6) years and made available to Covered Entity within thirty (30) business days of written request.
3.9 Internal Practices
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining Covered Entity's compliance with HIPAA, subject to applicable legal privileges and protections.
3.10 HITECH Compliance
Business Associate acknowledges that, pursuant to the HITECH Act and its implementing regulations, Business Associate is directly subject to the HIPAA Security Rule and certain provisions of the Privacy Rule, and shall comply with all applicable requirements.
4. Obligations of Covered Entity
Covered Entity shall:
- Notify Business Associate of any limitations in Covered Entity's Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI;
- Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI that may affect Business Associate's permitted or required uses and disclosures;
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity;
- Implement appropriate safeguards with respect to PHI prior to submitting it to the Service;
- Promptly notify Business Associate of any restrictions to the use or disclosure of PHI that Covered Entity has agreed to or been required to abide by.
5. Term and Termination
5.1 Term
This BAA is effective as of the date Covered Entity first accepts the Terms of Service and shall remain in effect until the termination of the service relationship between the parties.
5.2 Termination for Cause
If either party determines that the other has materially breached a material provision of this BAA, the non-breaching party may provide written notice of the breach and afford the breaching party thirty (30) days to cure. If the breach is not cured within that period, the non-breaching party may terminate this BAA and the underlying service agreement.
5.3 Effect of Termination
Upon termination of this BAA for any reason, Business Associate shall, at Covered Entity's election, either: (a) return to Covered Entity all PHI received from or created on behalf of Covered Entity; or (b) destroy all such PHI and certify in writing that it has done so. Business Associate shall retain no copies of PHI after destruction, except that Business Associate may retain PHI that cannot feasibly be returned or destroyed, in which case Business Associate shall continue to protect such PHI in accordance with this BAA and shall limit further use or disclosure to the purposes that make return or destruction infeasible. Customer Data export is available for thirty (30) days following termination of the service agreement.
6. Miscellaneous
6.1 Amendment
The parties agree to amend this BAA as necessary to comply with changes in applicable law, including changes to HIPAA, the HITECH Act, and their implementing regulations. GetSurveyReady may update this BAA with thirty (30) days' notice to Covered Entity; continued use of the Service after the effective date constitutes acceptance.
6.2 Interpretation
This BAA shall be interpreted as broadly as necessary to implement and comply with HIPAA and HITECH. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA and HITECH.
6.3 No Third-Party Beneficiaries
This BAA is for the sole benefit of the parties hereto and their respective successors and permitted assigns. Nothing herein creates any rights in any third party, including individuals whose PHI may be processed hereunder.
6.4 Survival
The obligations of Business Associate under Section 5.3 (Effect of Termination) shall survive the termination of this BAA.
6.5 Governing Law
This BAA shall be governed by the laws of the State of Texas and applicable federal law, including HIPAA and HITECH.
6.6 Entire Agreement
This BAA, together with the Terms of Service, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior representations, agreements, and understandings with respect to Business Associate's obligations regarding PHI.
6.7 Contact for BAA Requests
Organizations requiring a countersigned BAA for their compliance records should contact:
GetSurveyReady, LLC
HIPAA Compliance
hello@getsurveyready.com
We will provide a countersigned copy within ten (10) business days.