Business Associate Agreement

Last Updated: January 14, 2026

This Business Associate Agreement ("BAA") is entered into by and between RadOverlay, LLC ("Service Provider") and [CUSTOMER NAME] ("Customer"). Service Provider and Customer are, collectively, the "Parties" and each, individually, a "Party."

Whereas, Customer is retaining Service Provider to provide certain services to Customer ("Services") pursuant to a Services Agreement between the Parties ("Agreement").

Whereas, if and to the extent Service Provider Processes Protected Health Information ("PHI"), provided or disclosed by Customer, for or on behalf of the Customer, then the terms of this BAA will apply to the Services that Service Provider provides to Customer. This BAA is intended to ensure that Service Provider will establish and implement appropriate safeguards for PHI that Service Provider may receive, create, maintain, use, or disclose in connection with the Services that Service Provider provides to Customer pursuant to the Agreement.

Now, therefore, for good and valuable consideration, which Service Provider and Customer acknowledge is sufficient to induce them to enter into this BAA, Service Provider and Customer acknowledge and agree as follows:

1. Definitions

  1. Breach of PHI. "Breach of PHI," with respect to PHI within the possession, custody, or control of Service Provider, refers to a successful Security Incident or a Breach of Unsecured PHI, as those terms are defined under HIPAA.
  2. Deliverables. "Deliverables" shall have the same meaning as set forth in the Agreement.
  3. De-Identified. "De-Identified" means information that is de-identified pursuant to the standards set forth in 45 C.F.R. §§ 164.514(a) and (b) of the HIPAA Rules.
  4. HIPAA. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, including the Health Information Technology for Economic and Clinical Health ("HITECH") Act of 2009 and the rules and regulations promulgated thereunder, as amended.
  5. HIPAA Terms. Any capitalized terms used in this BAA that are not defined herein shall have the meaning ascribed to them in HIPAA, including, but not limited to, the following: Breach; Designated Record Set; Disclosure; Notice of Privacy Practices; Required by Law; Security Incident; and Unsecured PHI.
  6. Liability. "Liability" means costs, expenses, losses, obligations, damages, actions, suits, demands, settlements, judgments, awards, fines, penalties, fees (including attorney's fees), and any other form of liability whatsoever. With respect to a Breach of PHI, Liability includes the following: (i) computer, technology, and forensic investigation; (ii) attorney fees; (iii) public relations costs; (iv) notification of affected individuals and regulators; (v) credit and identity monitoring and restoration; (vi) call and email support; and (vii) investigation, inquiry, request, subpoena, other legal process, fine, penalty, settlement, judgment, claim, suit, lawsuit, action, cause of action, or other allegation issued or made by an individual, group or class of individuals, regulator, or any other third-party arising out of or related to the Breach of PHI.
  7. Protected Health Information. "Protected Health Information" or "PHI" has the definition given to it under HIPAA, and for the purposes of this BAA is limited to PHI that Service Provider receives from Customer or Processes for or on behalf of Customer.
  8. Process. "Process" means any operation performed on or with PHI, including, but not limited to, the following: creation; collection; receipt; recording; storage; organization; management; adaptation; alteration; access; retrieval; consultation; use; analysis; disclosure; transmission; transportation; making available; making accessible; aggregation; combination; de-identification; re-identification; restriction; deletion; destruction; and erasure.
  9. HIPAA Rules. "HIPAA Rules" mean the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164, as amended.
  10. Sub-Processor. "Sub-Processor" means any third-party that Processes PHI by, for, or on behalf of the Service Provider arising out of or related to Service Provider's performance of its obligations under the Agreement.

2. Roles

Customer is a Covered Entity, a Business Associate, or a Business Associate's Service Provider under HIPAA. Service Provider is a Business Associate under HIPAA.

3. Processing of PHI

  1. Permissible Use. Unless otherwise agreed between the Parties, Service Provider is permitted to Process PHI: (i) in connection with performing its obligations and exercising its rights under the Agreement; (ii) as permitted or required by the Agreement or this BAA; or (iii) as Required by Law.
  2. Minimum Necessary. To the extent that Service Provider Processes PHI to provide the Services, Service Provider shall use reasonable efforts to limit PHI to the minimum necessary in order to provide the Services to Customer.
  3. De-Identification and Limited Retention. If and to the extent PHI is uploaded to the Services, Service Provider will either: (i) make reasonable efforts to detect such PHI and delete it within 60 days of its detection; or (ii) De-Identify such PHI. The limited retention of PHI serves to enable diagnostic, debugging, and support operations while minimizing accumulation of PHI over time.
  4. Prohibited Use. Service Provider will not Process PHI in a manner that would violate HIPAA or this BAA. In addition, Service Provider will not use PHI to train artificial intelligence models.
  5. Management and Administration. Service Provider may Process PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if: (i) Required by Law; or (ii) Service Provider obtains reasonable written assurances from the person or entity to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Service Provider will be notified of any Breach of PHI.

4. Customer Obligations

  1. Notice of Privacy Practices. Customer shall ensure that there are no limitation(s) in its own Notice of Privacy Practices, and that of any of its customers who provided or disclosed such PHI to Customer, that may affect Service Provider's Processing of PHI pursuant to the Agreement and this BAA. Customer will inform Service Provider of any changes in such privacy practices within 15 days that may affect Service Provider's Processing of PHI.
  2. Authorizations and Consents. Customer represents and warrants that: (i) any PHI provided or disclosed by Customer to Service Provider as part of the Services is either owned by Customer or Customer otherwise has legal authorization to provide such PHI to Service Provider; and (ii) Service Provider's authorized Processing of such PHI will not violate the Agreement, this BAA, or HIPAA. Customer will notify Service Provider of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Service Provider's Processing of such PHI.
  3. Restrictions. Customer shall ensure that Customer and Upstream Customers have not agreed to, or are not otherwise required to abide by, restrictions on the Processing of PHI that may affect Service Provider's Processing of PHI in connection with providing Services pursuant to the Agreement.
  4. Requests by Customer. Customer will not request that Service Provider Processes PHI in any manner that would not be permissible under HIPAA if done by Customer (if Customer is a Covered Entity) or by the Covered Entity to which Customer is a Business Associate (unless expressly permitted under HIPAA for a Business Associate).
  5. Mitigation. Customer shall take reasonable steps to mitigate, to the extent practicable, any harmful effects known to Customer of a breach of this BAA by Customer.

5. Employees

Each Party represents and warrants that all of its employees, agents, representatives, and members of its workforce, whose services may be used to fulfill its respective obligations under this BAA, are or shall be appropriately informed of the confidential nature of PHI, have received appropriate training on their responsibilities concerning such information, and are contractually required to maintain the confidentiality of such PHI.

6. Security

Service Provider will implement and maintain reasonable physical, technological, and administrative controls designed to safeguard the confidentiality, integrity, and availability of PHI to comply with applicable HIPAA Rules.

7. Sub-Processors

When Service Provider engages a Sub-Processor, Service Provider shall contractually obligate such Sub-Processor to comply with terms that are comparable to the terms in this BAA governing Service Provider's Processing of PHI. Service Provider shall only retain Sub-Processors that are capable of appropriately protecting the privacy, confidentiality, and security of PHI. Service Provider shall provide to Customer any and all information, documents, and data pertaining to Sub-Processors reasonably requested by Customer, including Service Provider's agreements with Sub-Processors and materials demonstrating the physical, technological, and administrative controls implemented by Sub-Processors to safeguard the confidentiality, integrity, and availability of PHI. Service Provider shall remain liable to Customer for acts or omissions of any Sub-Processor that violate the Agreement or this BAA. A list of Service Provider's Sub-Processors is available at https://radoverlay.com/legal/subprocessors. Note that not all listed providers process PHI.

8. Accounting of Disclosures

Service Provider will document disclosures of PHI by Service Provider and provide an accounting of such disclosures to Customer as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA.

9. Access to Records

To the extent required by law, Service Provider will make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by the Service Provider on behalf of Customer, available to the Customer for the purpose of Customer determining compliance with HIPAA Rules.

10. Designated Record Set

Service Provider agrees to make available PHI in a Designated Record Set to the Customer as necessary to satisfy Customer's obligations under 45 C.F.R. § 164.524. Service Provider agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Customer pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Customer's obligations under 45 C.F.R. § 164.526.

11. Notification

Service Provider will notify Customer of a Breach of PHI or any Processing of PHI not authorized by this BAA or the Agreement within ten business days after Service Provider discovers that such breach occurred. At the time of such initial notification and continuing thereafter, Service Provider will disclose to Customer non-privileged information that Service Provider has or receives concerning such breach, including, but not limited to, the following: (i) names and other information available about individuals affected by the breach; (ii) the nature and scope of information compromised or potentially compromised in the breach or as a result of the breach; (iii) timing, manner, and cause of the breach; and (iv) acts taken in response to the breach. Service Provider will provide Customer with assistance and cooperation reasonably requested by Customer related to such breach, and shall follow and comply with reasonable requests made by Customer related to such breach. Notwithstanding the foregoing, Customer and Service Provider acknowledge the ongoing existence and occurrence of attempted but unsuccessful security incidents involving trivial and routine events, such as port scans, attempts to log in with an invalid password or user name, denial of service attacks that do not result in a server being taken offline, malware, and pings, or other similar types of events that do not compromise the security or privacy of PHI ("Unsuccessful Security Incidents"). Customer acknowledges and agrees that no notification to Customer is required of such Unsuccessful Security Incidents.

12. Breach of PHI Liability

Service Provider is liable to Customer for Liability arising out of or related to a Breach of PHI within the possession, custody, or control of Service Provider that is not caused by an act or omission of Customer, any sub-processor of Customer, or any of their respective employees, agents, representatives, or sub-processors ("Service Provider PHI Breach"). Customer is liable to Service Provider for Liability arising out of or related to a Breach of PHI within the possession, custody, or control of Service Provider that is caused by an act or omission of Customer, any sub-processor of Customer (excluding Service Provider), or any of their respective employees, agents, representatives, or sub-processors ("Customer PHI Breach"). Service Provider and Customer shall each respectively maintain their own commercially reasonable insurance policies that provide coverage for Liability arising out of or related to a Breach of PHI and that have an overall limit of at least $1,000,000. Service Provider's policy shall be primary coverage and Customer's policy shall be secondary coverage for a Service Provider PHI Breach. Customer's policy shall be primary coverage and Service Provider's policy shall be secondary coverage for a Customer PHI Breach. If Service Provider maintains such an insurance policy, and that insurance policy provides coverage for Liability arising out of or related to a Service Provider PHI Breach, then Service Provider's Liability to Customer arising out of or related to a Service Provider PHI Breach shall be limited to the coverage provided by that insurance policy. If Customer maintains such an insurance policy, and that insurance policy provides coverage for Liability arising out of or related to a Customer PHI Breach, then Customer's Liability to Service Provider arising out of or related to a Customer PHI Breach shall be limited to the coverage provided by that insurance policy.

13. Indemnification

Subject to the limitation of liability in Section 14 of this BAA, Customer shall indemnify, defend, and hold harmless Service Provider from and against all damages, costs, and liabilities Service Provider incurs arising out of or related to: (i) any violation by Customer of HIPAA, this BAA, and Customer's Obligations in Section 4; and (ii) any authorized use by Service Provider of PHI. Subject to the limitation of liability in Section 14 of this BAA, Service Provider shall indemnify, defend, and hold harmless Customer from and against all damages, costs, and liabilities Customer incurs arising out of or related to Service Provider's violation of HIPAA and this BAA.

14. Limitation of Liability

Except for Customer's Obligations in Section 4 of this BAA, and except as otherwise provided in Section 12 of this BAA, a Party's remedies with respect to any breach of this BAA will be subject to the aggregate limitation of liability that applies to Customer and Service Provider under the Agreement.

15. Term and Termination

  1. Term. This BAA becomes effective on the effective date of the Agreement and will terminate simultaneously and automatically with the termination of the Agreement. In the event of termination of the Agreement, the Parties' obligations under this BAA will continue until Service Provider has either returned or (if authorized by Customer) permanently destroyed all PHI. Once Service Provider has done so, the Parties' obligations under this BAA will terminate.
  2. Termination. Either Party may immediately terminate this BAA, or the Agreement, if the other Party materially breaches a term of this BAA and fails to cure such material breach within 30 days after written notice from the non-breaching Party about such breach. Without limiting the foregoing, the termination provisions set forth in the Agreement shall apply equally to this BAA.
  3. Effect of Termination. If this BAA is terminated for any reason, Customer shall immediately stop using Services and shall not transmit or disclose any PHI to Service Provider. Following termination or expiration of this BAA for any reason, Service Provider will return or destroy any PHI maintained by Service Provider within a reasonable period and, upon Customer's written request, Service Provider shall certify that all PHI has been returned or destroyed. If return or destruction of the PHI is not feasible, Service Provider will extend the protections of this BAA to such information for as long as Service Provider retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible.

16. Amendment

Service Provider may update this BAA from time to time. Any material changes will be posted on this page with an updated "Last Updated" date.

17. No Third Party Beneficiaries

Nothing expressed or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Parties hereto any rights, remedies, obligations, or liabilities whatsoever.

© 2026 RadOverlay, LLC
11 E Park Street, Unit 247
Lebanon, NH 03766