Legal
Covered Entity means the Customer organization subject to HIPAA requirements, including covered healthcare providers, health plans, and healthcare clearinghouses. Business Associate means CISORA LLC ("Cisora"), which performs functions or activities on behalf of or for a Covered Entity that involve the use or disclosure of Protected Health Information.
Protected Health Information (PHI) has the meaning set forth at 45 C.F.R. § 160.103 and, for purposes of this BAA, is limited to individually identifiable health information that is created, received, maintained, or transmitted by Cisora on behalf of a Covered Entity. Electronic Protected Health Information (ePHI) means PHI that is created, received, maintained, or transmitted in electronic form. Breach has the meaning set forth at 45 C.F.R. § 164.402 and means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, subject to the exclusions set forth in that section. Unsecured PHI has the meaning set forth at 45 C.F.R. § 164.402. Security Incident has the meaning set forth at 45 C.F.R. § 164.304.
Cisora agrees not to use or disclose PHI other than as permitted or required by this BAA or as required by applicable law. Cisora will use appropriate safeguards to prevent any use or disclosure of PHI not permitted by this BAA and will comply with the HIPAA Security Rule at 45 C.F.R. Part 164, Subpart C, with respect to ePHI.
Cisora will report to the Covered Entity any use or disclosure of PHI not provided for by this BAA, any Security Incident of which it becomes aware, and any Breach of unsecured PHI as required under 45 C.F.R. § 164.410. Cisora will cooperate with reasonable requests from the Covered Entity to facilitate compliance with HIPAA.
Cisora will ensure that any subcontractors that create, receive, maintain, or transmit PHI on its behalf agree in writing to the same restrictions and conditions that apply to Cisora under this BAA, as set forth in Section 5.
Cisora may use or disclose PHI solely to perform the services specified in the Master Services Agreement, which include AI agent telemetry processing, security monitoring, and compliance reporting in connection with the Covered Entity's use of the Cisora platform.
Cisora may also use PHI for the proper management and administration of Cisora's business, or to carry out its legal responsibilities, provided that any disclosure for those purposes is either required by law or made only after Cisora obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will notify Cisora of any instance of which it is aware in which the confidentiality of the PHI has been breached.
Cisora may de-identify PHI in accordance with 45 C.F.R. § 164.514(b) and use such de-identified data for product improvement and analytics. Cisora will never use PHI for marketing purposes or sell PHI.
Technical safeguards: Cisora implements AES-256 encryption at rest for all stored data, TLS 1.2 or later for all data in transit, multi-factor authentication on all administrative access, comprehensive audit logs of all access to systems containing ePHI, and automatic session timeouts.
Physical safeguards: All infrastructure runs on AWS (ap-south-1 and us-east-1 regions), which provides HIPAA-eligible services and physical data center controls including facility access controls, workstation security, and device and media controls.
Administrative safeguards: Cisora maintains a security officer responsible for HIPAA compliance, conducts workforce training on HIPAA requirements, performs periodic risk analyses, and has a documented incident response plan. Access to systems containing ePHI is limited to employees with a need to know.
Cisora will enter into written agreements with all subcontractors that create, receive, maintain, or transmit PHI on behalf of Cisora. These agreements will require subcontractors to comply with the same HIPAA obligations applicable to Cisora under this BAA.
The current list of subcontractors that may have access to PHI is maintained at cisora.io/trust/sub-processors. Cisora will notify the Covered Entity at least 30 days before engaging any new subcontractor that will have access to PHI.
In the event of a Breach of unsecured PHI, Cisora will notify the Covered Entity without unreasonable delay and in no case later than 60 calendar days following discovery of the Breach. Notification will include: the identification of each individual whose PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach; a brief description of the Breach; the type of PHI involved; and the steps taken to investigate, mitigate, and prevent future occurrences.
For Security Incidents that do not constitute a Breach, Cisora will report the incident to the Covered Entity on a quarterly basis or upon request. Cisora will cooperate fully with the Covered Entity's obligations to notify affected individuals and the Department of Health and Human Services (HHS).
This BAA is effective as of the date the Covered Entity accepts the MSA or applicable order form and remains in effect until all PHI provided to Cisora is destroyed or returned to the Covered Entity, or the parties agree in writing to its termination.
Either party may terminate this BAA if the other party has violated a material term and failed to cure such violation within 30 days of written notice. Upon termination, Cisora will, if feasible, return or destroy all PHI in any form and retain no copies. If return or destruction is not feasible, Cisora will extend the protections of this BAA to such PHI and limit further use or disclosure to those purposes that make return or destruction infeasible, for so long as Cisora maintains the PHI.
This BAA is incorporated into and made a part of the Master Services Agreement between Cisora and the Covered Entity. In the event of a conflict between this BAA and the MSA with respect to PHI, this BAA will control.
This BAA will be interpreted in a manner consistent with HIPAA and HITECH. If any provision is found to violate applicable law, that provision will be modified to the minimum extent necessary to comply, and the remaining provisions will continue in full force. This Agreement is governed by the laws of the State of Delaware and applicable federal law.
BAAs are available to customers on the Business or Enterprise plan and are executed within 5 business days of the request.
Request a signed BAA