Business Associate Agreement
HIPAA Compliance Agreement for Protected Health Information
Effective Date: Upon Acceptance
Version: baa_v2025-10-17
Parties to This Agreement
Covered Entity: The dental practice or healthcare entity purchasing services ("Covered Entity")
Business Associate: Dental Education, Inc., doing business as Intake.Dental ("Business Associate")
Product/Service: Dental Forms Pro - Cloud-based patient intake, health history management, and Protected Health Information (PHI) document storage services
Recitals
WHEREAS, Covered Entity is a healthcare provider subject to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and related regulations (collectively, the "HIPAA Rules");
WHEREAS, Business Associate provides cloud-based software services that involve the creation, receipt, maintenance, transmission, or access to Protected Health Information on behalf of Covered Entity;
WHEREAS, the HIPAA Rules require Covered Entity to enter into a Business Associate Agreement with Business Associate to ensure appropriate safeguards for Protected Health Information;
NOW THEREFORE, in consideration of the mutual promises below and for other good and valuable consideration, the parties agree as follows:
1. Definitions
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164).
1.1 Protected Health Information (PHI): As defined by 45 CFR § 160.103, means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI includes, but is not limited to, patient names, addresses, dates of birth, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, photographs, biometric identifiers, and any other unique identifying number, characteristic, or code, along with health information relating to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual.
1.2 Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.3 Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402. Such an acquisition, access, use, or disclosure is presumed to be a Breach unless a risk assessment demonstrates that there is a low probability that the PHI has been compromised.
1.4 Electronic Protected Health Information (ePHI): PHI that is transmitted by or maintained in electronic media.
1.5 Required By Law: A mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.
1.6 Subcontractor: A person or entity to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of Business Associate's workforce.
2. Obligations and Activities of Business Associate
2.1 Data Storage and Security Standards
Business Associate shall store all PHI exclusively in secure, encrypted environments with the following safeguards:
2.1.1 Encryption Requirements:
- Encryption at rest using AES-256 or equivalent industry-standard encryption
- Encryption in transit using TLS 1.2 or higher for all data transmissions
- Encrypted backups with the same level of protection as production data
2.1.2 Access Controls:
- Role-based access control (RBAC) limiting PHI access to authorized personnel only
- Multi-factor authentication (MFA) required for all administrative access
- Unique user identifications for all persons with access to ePHI
- Automatic logoff after a defined period of inactivity
- Emergency access procedures with audit trail
2.1.3 Security Monitoring:
- Regular security audits and vulnerability assessments (at least annually)
- Continuous monitoring for unauthorized access attempts
- Intrusion detection and prevention systems
- Regular security patches and updates to all systems
2.2 Permitted Uses and Disclosures of PHI
2.2.1 Business Associate may use and disclose PHI only as permitted or required by this Agreement or as Required By Law.
2.2.2 Business Associate may use PHI for the proper management and administration of Business Associate's services, including:
- Hosting, storing, and backing up patient intake forms and health histories
- Routing PHI to Covered Entity through secure, time-limited expiring links
- Technical support and troubleshooting when explicitly requested by Covered Entity
- System maintenance and performance optimization
2.2.3 Business Associate may disclose PHI for the proper management and administration of Business Associate only if:
- The disclosure is Required By Law; or
- Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
2.2.4 Business Associate may de-identify PHI in accordance with 45 CFR § 164.514(a)-(c) and use such de-identified data for system improvements, analytics, and quality assurance purposes. Business Associate shall not attempt to re-identify de-identified information.
2.2.5 Prohibited Uses: Business Associate shall NOT:
- Use PHI for marketing purposes without explicit written authorization from Covered Entity
- Sell PHI or use PHI for any commercial purpose not directly related to providing services
- Share PHI with third-party analytics services, AI training models, or machine learning systems without explicit written authorization
- Disclose PHI to any party not covered by a downstream Business Associate Agreement
2.3 Minimum Necessary Standard
Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and § 164.514(d).
2.4 Appropriate Safeguards
Business Associate shall use appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in compliance with 45 CFR Part 164, Subpart C (the Security Rule).
2.5 Reporting Requirements
2.5.1 Breach Notification: Business Associate shall report to Covered Entity any Breach of unsecured PHI of which it becomes aware within five (5) business days of discovery, or sooner if required by applicable law. The notification shall include, to the extent possible:
- A description of the Breach, including the date of the Breach and the date of discovery
- Identification of the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach
- A description of the types of PHI involved (e.g., full name, Social Security number, date of birth, medical record number)
- A brief description of what Business Associate is doing to investigate the Breach, mitigate harm to individuals, and protect against further Breaches
- Contact information for individuals to ask questions or learn additional information
2.5.2 Security Incident Reporting: Business Associate shall report Security Incidents to Covered Entity upon request or as otherwise agreed. Business Associate and Covered Entity acknowledge that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents (such as unsuccessful login attempts, pings, port scans, denial of service attacks, and malware that does not result in access to ePHI). Business Associate shall report successful Security Incidents within the same timeframe as Breaches.
2.5.3 Improper Use or Disclosure: Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement within five (5) business days of becoming aware of such use or disclosure.
2.6 Subcontractor Agreements
2.6.1 Business Associate shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI.
2.6.2 Current Subcontractors include:
- Amazon Web Services (AWS) - Cloud hosting and storage infrastructure
- Supabase - Database services
- Email service providers for secure delivery of PHI
2.6.3 Business Associate shall obtain and maintain valid Business Associate Agreements with all Subcontractors handling PHI and shall make copies of such agreements available to Covered Entity upon reasonable request.
2.6.4 Business Associate shall notify Covered Entity of any changes to Subcontractors within thirty (30) days of such change.
2.7 Access to PHI
2.7.1 Within ten (10) business days of a request by Covered Entity, Business Associate shall make available to Covered Entity or, as directed by Covered Entity, to an individual, PHI in a Designated Record Set that is maintained by or for Business Associate, in the time and manner designated by Covered Entity, to enable Covered Entity to meet its obligations under 45 CFR § 164.524.
2.7.2 If Business Associate maintains an electronic Designated Record Set, Business Associate shall provide the PHI in electronic format to enable Covered Entity to fulfill its obligations under 45 CFR § 164.524(c)(2)(ii).
2.8 Amendment of PHI
Within ten (10) business days of receipt of a request from Covered Entity, Business Associate shall make available PHI maintained in a Designated Record Set for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance with 45 CFR § 164.526, as directed by Covered Entity.
2.9 Accounting of Disclosures
2.9.1 Business Associate shall document all disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures in accordance with 45 CFR § 164.528.
2.9.2 Within ten (10) business days of notice by Covered Entity that it has received a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as is in Business Associate's possession and is required for Covered Entity to make the accounting required by 45 CFR § 164.528.
2.9.3 Business Associate shall maintain accounting records for at least six (6) years from the date of disclosure.
2.10 Access to Books and Records
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules, in the time and manner designated by the Secretary.
2.11 HITECH Act Compliance
Business Associate shall comply with the applicable requirements of the HITECH Act and the regulations promulgated thereunder, including but not limited to:
- Restrictions on sale of PHI (42 U.S.C. § 17935(d))
- Marketing restrictions (42 U.S.C. § 17936(a))
- Accounting of disclosures (42 U.S.C. § 17935(c))
- Notification requirements in the event of a Breach (42 U.S.C. § 17932)
3. Obligations of Covered Entity
3.1 Notice of Privacy Practices
Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices and any changes thereto, to the extent such Notice or changes affect Business Associate's permitted or required uses and disclosures.
3.2 Permission to Use or Disclose
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as permitted under 45 CFR §§ 164.504(e)(2) and 164.504(e)(3).
3.3 Restrictions on Use and Disclosure
Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction affects Business Associate's use or disclosure of PHI.
3.4 Permissible Requests
Covered Entity represents and warrants that any PHI provided to Business Associate, or PHI that Business Associate creates or receives on behalf of Covered Entity, is done so in compliance with the HIPAA Rules.
4. Term and Termination
4.1 Term
This Agreement shall be effective as of the date Covered Entity accepts these terms (electronically or in writing) and shall remain in effect until all PHI provided by Covered Entity to Business Associate, or created, received, or maintained by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, protections are extended to such PHI in accordance with the termination provisions in this Section.
4.2 Termination for Cause
4.2.1 Covered Entity may terminate this Agreement immediately upon written notice to Business Associate if Covered Entity determines that Business Associate has violated a material term of this Agreement and has not cured the breach within thirty (30) days of receiving written notice of the breach from Covered Entity.
4.2.2 Business Associate may terminate this Agreement immediately upon written notice if Covered Entity has violated a material term and has not cured the breach within thirty (30) days of receiving written notice.
4.2.3 Either party may terminate this Agreement immediately upon written notice if the other party becomes the subject of a petition in bankruptcy, or becomes insolvent, or makes an assignment for the benefit of creditors.
4.3 Effect of Termination
4.3.1 Return or Destruction of PHI:
Upon termination of this Agreement for any reason, Business Associate shall:
a) Retrieval Period: Provide Covered Entity with thirty (30) days to retrieve or export all PHI from Business Associate's systems. During this period, Business Associate shall:
- Maintain full access for Covered Entity to all PHI
- Provide technical assistance for data export
- Offer data in commonly used, machine-readable formats
- Not charge additional fees for standard data export
b) Destruction: After the thirty (30) day retrieval period expires, Business Associate shall:
- Permanently delete or destroy all PHI in all forms (electronic and physical)
- Sanitize all storage media containing PHI in accordance with NIST Special Publication 800-88, Guidelines for Media Sanitization (by overwriting, cryptographic erasure, or physical destruction, as appropriate to the media type)
- Delete all PHI from backup systems within ninety (90) days or upon the next backup cycle
- Provide written certification of destruction to Covered Entity within ten (10) days of completion
4.3.2 Infeasibility of Return or Destruction:
If Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall:
- Provide written notification to Covered Entity explaining the specific reasons why return or destruction is infeasible
- Extend the protections of this Agreement to such PHI
- Limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible
- Not use or disclose such PHI for any other purpose
Examples of infeasibility include, but are not limited to: legal or regulatory requirements to retain records, technical limitations of backup systems, or ongoing litigation or governmental investigations.
4.4 Survival
The obligations of Business Associate under Section 4.3 (Effect of Termination) and Section 6 (Liability and Indemnification) shall survive the termination of this Agreement.
5. Audit Rights
5.1 Documentation Requests
Upon reasonable written notice (not less than fifteen (15) business days), Covered Entity may request that Business Associate provide documentation of its security policies, encryption controls, audit logs, staff training records, and Subcontractor Business Associate Agreements for purposes of determining Business Associate's compliance with this Agreement.
5.2 Methods of Audit
Business Associate may satisfy audit requirements through any of the following methods:
- Written summaries of security controls, policies, and procedures
- Third-party compliance reports (e.g., SOC 2 Type II, HITRUST certification, ISO 27001)
- Audit log extracts for specific time periods (de-identified where possible)
- Virtual or in-person inspection of facilities and systems, upon mutual agreement of date and scope
5.3 Audit Frequency
Covered Entity may request audits no more than once per calendar year unless:
- There has been a Breach or Security Incident
- Required by law or regulation
- Covered Entity has reasonable cause to believe Business Associate is not in compliance
5.4 Audit Costs
Each party shall bear its own costs associated with audits, unless the audit reveals material non-compliance by Business Associate, in which case Business Associate shall reimburse Covered Entity for reasonable audit costs.
5.5 Confidentiality
Any information disclosed during an audit shall be treated as confidential business information and used solely for the purpose of verifying compliance with this Agreement.
6. Liability and Indemnification
6.1 Mutual Responsibility
Each party shall be responsible for its own negligent acts or omissions, and those of its employees, agents, or Subcontractors, in connection with this Agreement to the extent permitted by law.
6.2 Limitation of Liability
6.2.1 Except as provided in Section 6.2.2, Business Associate's total liability to Covered Entity under this Agreement for any and all claims arising out of or related to this Agreement shall not exceed an amount equal to twelve (12) months of fees paid or payable by Covered Entity to Business Associate.
6.2.2 The limitation in Section 6.2.1 shall not apply to:
- Willful misconduct or intentional wrongdoing
- Gross negligence
- Intentional breach of confidentiality obligations
- Criminal conduct
- Violations of HIPAA resulting from Business Associate's failure to implement required safeguards
- Obligations under Section 6.3 (Indemnification)
6.2.3 NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOST PROFITS, LOSS OF DATA, OR LOSS OF BUSINESS OPPORTUNITY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, EXCEPT TO THE EXTENT SUCH DAMAGES RESULT FROM GROSS NEGLIGENCE OR WILLFUL MISCONDUCT.
6.3 Indemnification by Business Associate
Business Associate shall indemnify, defend, and hold harmless Covered Entity, its directors, officers, employees, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:
- Business Associate's breach of this Agreement
- Business Associate's violation of the HIPAA Rules
- Business Associate's unauthorized use or disclosure of PHI
- Claims by third parties arising from Business Associate's acts or omissions
- Breach or Security Incident caused by Business Associate or its Subcontractors
This indemnification obligation shall not apply to the extent any such claims, liabilities, damages, losses, costs, or expenses are caused by Covered Entity's breach of this Agreement or violation of the HIPAA Rules.
6.4 Indemnification by Covered Entity
Covered Entity shall indemnify, defend, and hold harmless Business Associate, its directors, officers, employees, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:
- Covered Entity's breach of this Agreement
- Covered Entity's violation of the HIPAA Rules
- Covered Entity's provision of inaccurate or incomplete PHI to Business Associate
- Instructions by Covered Entity to Business Associate that violate the HIPAA Rules
6.5 Insurance
Each party shall maintain appropriate insurance coverage, including cyber liability insurance, in amounts reasonably sufficient to cover potential liabilities under this Agreement. Upon request, each party shall provide the other with certificates of insurance.
7. Regulatory Changes and Amendments
7.1 Regulatory Changes
The parties acknowledge that the HIPAA Rules may be amended from time to time by the Secretary of Health and Human Services. Business Associate agrees to implement changes to its practices, policies, and procedures as necessary to maintain compliance with the HIPAA Rules as amended.
7.2 Agreement Amendments
7.2.1 Business Associate shall notify Covered Entity of any material changes to the HIPAA Rules that affect this Agreement within thirty (30) days of the effective date of such changes.
7.2.2 If either party determines that an amendment to this Agreement is necessary to comply with changes in the HIPAA Rules, the parties shall negotiate in good faith to amend this Agreement accordingly.
7.2.3 This Agreement may not be amended except by written agreement signed by authorized representatives of both parties.
7.2.4 Business Associate reserves the right to update the version of this Agreement from time to time. Updated versions will be posted on the Business Associate's website, and Covered Entity will be notified via email at least thirty (30) days prior to the effective date of material changes.
8. Miscellaneous Provisions
8.1 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State in which Covered Entity is located, without regard to its conflicts of law provisions, except to the extent federal law preempts state law.
8.2 Jurisdiction and Venue
Any legal action arising out of or relating to this Agreement shall be brought exclusively in the state or federal courts located in the jurisdiction where Covered Entity maintains its principal place of business.
8.3 Interpretation
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules. In the event of any conflict between the provisions of this Agreement and the HIPAA Rules, the HIPAA Rules shall control.
8.4 No Third-Party Beneficiaries
Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
8.5 Waiver
The failure of either party to enforce any provision of this Agreement shall not constitute a waiver of that provision or any other provision, nor shall such failure prevent that party from enforcing such provision at a later time.
8.6 Severability
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable.
8.7 Assignment
Neither party may assign this Agreement without the prior written consent of the other party, except that Business Associate may assign this Agreement to a successor entity in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the assignee agrees to assume all obligations under this Agreement.
8.8 Entire Agreement
This Agreement, together with any Service Agreement between the parties, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous oral or written agreements concerning such subject matter.
8.9 Notices
All notices required or permitted under this Agreement shall be in writing and shall be deemed given when:
- Delivered personally
- Sent by confirmed email transmission
- Sent by certified or registered mail, return receipt requested
- Delivered by a nationally recognized overnight courier service
Notices to Business Associate shall be sent to: Dental Education, Inc. d/b/a Intake.Dental, 1041 N. Dupont Hwy, Dover, DE 19901; Email: support@intake.dental
Notices to Covered Entity shall be sent to the email address and physical address provided during registration.
8.10 Force Majeure
Neither party shall be liable for any delay or failure in performance due to causes beyond its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, riots, labor disputes, or governmental actions, provided that the affected party gives prompt notice to the other party and uses reasonable efforts to resume performance.
8.11 Counterparts and Electronic Signatures
This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures and electronically delivered signatures shall have the same force and effect as original signatures.
9. Acceptance and Execution
9.1 Methods of Acceptance
This Business Associate Agreement is considered fully executed and binding when:
- Electronic Acceptance: Digitally accepted via electronic signature during online account registration or checkout process; OR
- Written Signature: Signed by authorized representatives of both parties via electronic or physical signature
9.2 Authority to Sign
By signing this Agreement, the individual represents and warrants that they have full authority to bind Covered Entity to the terms and conditions of this Agreement.
9.3 Record Retention
Both parties shall maintain a copy of this executed Agreement for a minimum of six (6) years from the date of its termination or expiration, or such longer period as may be required by law.
10. Definitions of Key Service Terms
For purposes of this Agreement, the following service-specific terms apply:
10.1 Dental Forms Pro Platform: The cloud-based software-as-a-service platform provided by Business Associate for creating, collecting, storing, and delivering patient intake forms, health histories, and related documentation.
10.2 Expiring Links: Secure, time-limited URLs generated by the platform that allow Covered Entity to access PHI for a specified period (typically 48-72 hours), after which the links automatically expire and become inaccessible.
10.3 Cloud Storage: Encrypted storage services provided through AWS S3 and Supabase infrastructure, used to securely store PHI on behalf of Covered Entity.
10.4 Patient Intake Submissions: Electronic forms completed by patients containing PHI, including but not limited to medical history, current medications, allergies, insurance information, and consent forms.
Contact Information
For questions about this Business Associate Agreement or HIPAA compliance matters:
Dental Education, Inc. d/b/a Intake.Dental
Email: support@intake.dental
Website: https://intake.dental
Compliance Officer: Jordan Thomas
Phone: (916) 752-2280
Document Information
Agreement Version: baa_v2025-10-17
Last Updated: October 17, 2025
Next Review Date: October 17, 2026
This Business Associate Agreement complies with:
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
- 45 CFR Parts 160 and 164 (HIPAA Privacy, Security, and Breach Notification Rules)
- ESIGN Act (Electronic Signatures in Global and National Commerce Act)
IMPORTANT NOTICE TO COVERED ENTITIES:
By proceeding with checkout or clicking "I Agree," you acknowledge that:
- You have read and understood this entire Business Associate Agreement
- You are an authorized representative of your practice/entity with authority to enter into this Agreement
- You agree to be bound by all terms and conditions stated herein
- Your electronic signature will be legally binding and equivalent to a handwritten signature
- This Agreement will remain in effect for the duration of our service relationship and beyond as specified in the termination provisions
This is a legally binding contract. Please save a copy for your records.
For technical support or questions: support@intake.dental
For HIPAA compliance questions: support@intake.dental
Document ID: BAA-{Generated upon acceptance}
Generated: {Date of acceptance}
