HIPAA Business Associate Agreement

Echo Health Solutions, Inc.

Effective Date: The date on which you click "I Agree" or otherwise accept this Agreement during the Echo Health Solutions account registration or onboarding process.


Acceptance

By clicking "I Agree," completing account registration, or otherwise accessing the Echo Health Solutions platform, the healthcare practice, clinic, or provider organization accepting this Agreement ("Covered Entity" or "you") agrees to be bound by the terms of this Business Associate Agreement ("BAA") with Echo Health Solutions, Inc. ("Business Associate" or "Echo Health Solutions"). This BAA is incorporated into and forms part of the Echo Health Solutions Terms of Service.

If you are not a Covered Entity or Business Associate under HIPAA, or if your use of the Services does not involve Protected Health Information, this BAA does not apply to you.


1. Definitions

Terms used but not otherwise defined in this BAA have the meanings set forth in 45 C.F.R. Parts 160 and 164. As used in this BAA:

"Breach" has the meaning set forth in 45 C.F.R. § 164.402: the acquisition, access, use, or disclosure of Unsecured PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI.

"Business Associate" means Echo Health Solutions, Inc., acting in its capacity as a business associate of Covered Entity under HIPAA.

"Covered Entity" means the healthcare practice, medical group, clinic, or other HIPAA-covered entity that has accepted this BAA.

"Designated Record Set" has the meaning set forth in 45 C.F.R. § 164.501.

"Electronic Protected Health Information" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form.

"HIPAA Rules" means the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule under HIPAA, as amended from time to time, including applicable provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

"Minimum Necessary" refers to the standard under 45 C.F.R. § 164.502(b) requiring that, to the extent practicable, PHI be limited to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.

"Protected Health Information" or "PHI" has the meaning set forth in 45 C.F.R. § 160.103, limited to the PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity in connection with the Services.

"Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 164, Subparts A and E.

"Required by Law" has the meaning set forth in 45 C.F.R. § 164.103.

"Security Incident" has the meaning set forth in 45 C.F.R. § 164.304.

"Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 164, Subparts A and C.

"Services" means the AI-powered practice management platform and associated features provided by Echo Health Solutions under the Terms of Service.

"Subcontractor" means any agent or vendor engaged by Business Associate that creates, receives, maintains, or transmits PHI on Business Associate's behalf.

"Unsecured PHI" has the meaning set forth in 45 C.F.R. § 164.402.


2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as follows:

(a) Performance of Services. Business Associate may use and disclose PHI as necessary to perform the Services on behalf of Covered Entity, including scheduling, patient communications, prior authorization processing, digital forms, voice and SMS communications, and related automation services.

(b) Operations of Business Associate. Business Associate may use PHI for the proper management and administration of Business Associate's own operations, and to carry out Business Associate's legal responsibilities, provided that such use is permitted by HIPAA.

(c) Required by Law. Business Associate may disclose PHI as Required by Law.

(d) De-Identified Data and AI Model Improvement. Business Associate may use PHI to create de-identified information in accordance with the de-identification standards set forth in 45 C.F.R. § 164.514(a)–(c) (either the Safe Harbor method or the Expert Determination method). Such de-identified information is no longer PHI and may be used by Business Associate for product development, AI model training and improvement, platform analytics, benchmarking, and other lawful purposes. Business Associate will not attempt to re-identify any de-identified information. Covered Entity may opt out of this use by written notice to Business Associate's Privacy Officer; opt-out does not affect the ongoing provision of Services.

(e) Data Aggregation. Business Associate may aggregate PHI with PHI from other covered entities for whom it acts as a business associate, for the purpose of analyzing data pertaining to the health care operations of the respective covered entities, as permitted under 45 C.F.R. § 164.504(e)(2)(i)(B).

Business Associate will not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted under this Section 2.

2.2 Safeguards

Business Associate will:

(a) Implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI as required by the Security Rule (45 C.F.R. Part 164, Subpart C), including conducting periodic risk analyses and implementing security measures sufficient to reduce identified risks and vulnerabilities.

(b) Implement reasonable and appropriate policies and procedures to comply with the Privacy Rule standards applicable to business associates.

(c) Maintain an incident response program capable of detecting, containing, investigating, and remediating Security Incidents and Breaches.

2.3 Minimum Necessary

Business Associate will make reasonable efforts to limit its use and disclosure of PHI to the Minimum Necessary to accomplish the purpose of each use or disclosure.

2.4 Subcontractors

Business Associate may use subcontractors to perform services on its behalf. Each Subcontractor that may access PHI has executed a HIPAA-compliant sub-BAA and is contractually obligated to safeguard PHI in accordance with HIPAA. Covered Entity acknowledges and agrees to such Subcontractor use as part of its acceptance of this BAA. Business Associate remains liable for the acts and omissions of its Subcontractors to the same extent it would be liable for its own acts and omissions under this BAA. For questions regarding Subcontractor compliance, please contact our Privacy Officer.

2.5 Reporting

(a) Security Incidents. Business Associate will report to Covered Entity any Security Incident of which Business Associate becomes aware. Business Associate hereby provides notice that it may experience attempted, unsuccessful Security Incidents (such as port scans, pings, and similar automated probes) on an ongoing basis; Business Associate will take commercially reasonable measures to address such attempts but will not provide individual reports of each unsuccessful attempt unless material.

(b) Breach Notification. Business Associate will notify Covered Entity of any Breach of Unsecured PHI affecting Covered Entity's PHI without unreasonable delay and in no event later than thirty (30) calendar days following Business Associate's discovery of such Breach, consistent with 45 C.F.R. § 164.410. Notification will include, to the extent reasonably available at the time of notification:

  • The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
  • A brief description of the Breach, including date of discovery;
  • A description of the types of Unsecured PHI involved;
  • The steps Business Associate is taking to investigate, mitigate, and prevent recurrence;
  • Contact information for questions from Covered Entity.

Business Associate will supplement the initial notification with additional information as it becomes available. Covered Entity, in its capacity as the covered entity under HIPAA, is responsible for notifying affected individuals, the Secretary of HHS, and, where required, the media, in accordance with the Breach Notification Rule.

(c) Impermissible Uses or Disclosures. Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which Business Associate becomes aware, without unreasonable delay.

2.6 Individual Rights

To the extent Business Associate holds PHI in a Designated Record Set on behalf of Covered Entity:

(a) Access. Business Associate will make PHI available to Covered Entity (or, at Covered Entity's direction, to an Individual) in the format requested, in accordance with 45 C.F.R. § 164.524, within thirty (30) days of a written request from Covered Entity.

(b) Amendment. Business Associate will make PHI available for amendment and will incorporate any amendments directed by Covered Entity in accordance with 45 C.F.R. § 164.526.

(c) Accounting of Disclosures. Business Associate will document and make available information required for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, within thirty (30) days of a written request from Covered Entity.

(d) Restrictions. Business Associate will honor any restrictions on uses or disclosures of PHI that Covered Entity notifies Business Associate of in writing, to the extent Business Associate is capable of accommodating such restrictions without materially impairing its ability to provide the Services.

2.7 Access by HHS

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's or Business Associate's compliance with the HIPAA Rules.

2.8 Mitigation

Business Associate will take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.


3. Obligations of Covered Entity

3.1 Notice of Privacy Practices

Covered Entity will notify Business Associate of any limitation(s) in its Notice of Privacy Practices that affects Business Associate's use or disclosure of PHI under this BAA, to the extent such limitation may affect Business Associate's ability to perform the Services.

3.2 Restrictions and Revocations

Covered Entity will notify Business Associate in writing of any restriction on the use or disclosure of PHI that Covered Entity has agreed to with an Individual, to the extent such restriction may affect Business Associate's use or disclosure of PHI. Covered Entity will notify Business Associate of any revocation of authorization by an Individual, to the extent such revocation may affect Business Associate's use or disclosure of PHI.

3.3 Permissible Requests

Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as otherwise expressly permitted under this BAA.

3.4 Consents for Communications

Covered Entity is responsible for obtaining all required consents and authorizations from patients prior to initiating or enabling automated voice calls, SMS messages, or other electronic communications through the Services, in compliance with the TCPA and applicable state law.

3.5 Accuracy of PHI Submitted

Covered Entity is responsible for the accuracy, completeness, and lawfulness of all PHI submitted to the Services.


4. Permitted Purposes: Summary

For ease of reference, Business Associate is permitted to use or disclose PHI only for the following purposes:

  1. Providing the Services to Covered Entity
  2. The proper management and administration of Business Associate's operations
  3. As Required by Law
  4. Creating de-identified information for AI model improvement, analytics, and product development, as described in Section 2.1(d)
  5. Data aggregation for health care operations analytics, as described in Section 2.1(e)

All other uses and disclosures are prohibited.


5. Term and Termination

5.1 Term

This BAA is effective on the date of acceptance and remains in effect for the duration of the underlying Terms of Service (or Pilot Agreement, if applicable), unless earlier terminated in accordance with this Section. This BAA will automatically terminate upon expiration or termination of the Terms of Service.

5.2 Termination for Cause

Either party may terminate this BAA and the underlying Terms of Service immediately upon written notice if the other party has materially breached a provision of this BAA and, if curable, has failed to cure such breach within thirty (30) days of receiving written notice of the breach. If termination of the underlying Terms of Service is not feasible, the non-breaching party may report the breach to the Secretary of HHS as required by HIPAA.

5.3 Return and Destruction of PHI Upon Termination

Upon expiration or termination of this BAA:

(a) Return of PHI. Business Associate will make available to Covered Entity an export of Covered Entity's PHI in a commonly used electronic format within sixty (60) days following the termination or expiration date. Business Associate will notify Covered Entity of the export availability and provide reasonable assistance to facilitate the data transfer.

(b) Destruction of PHI. Following confirmation of Covered Entity's receipt of the data export (or expiration of the 60-day export window, whichever is earlier), Business Associate will securely delete or destroy all remaining PHI in its possession or control, including any PHI held by its Subcontractors, and provide written certification of such deletion to Covered Entity within thirty (30) days thereafter.

(c) Exceptions. Notwithstanding the foregoing, Business Associate may retain PHI to the extent required by applicable law or regulation, including record retention obligations under HIPAA. Any such retained PHI remains subject to the protections of this BAA for the duration of its retention.

(d) De-Identified Data. De-identified information created in accordance with Section 2.1(d) prior to termination is not PHI and is not subject to the return or destruction requirements of this Section.

5.4 Survival

The obligations of the parties under Sections 2.2 (Safeguards), 2.5 (Reporting), 5.3 (Return and Destruction), and 6 (General Provisions) survive termination of this BAA to the extent necessary to fulfill the parties' obligations with respect to PHI retained after termination.


6. General Provisions

6.1 Relationship to Terms of Service

This BAA is incorporated into and governed by the Echo Health Solutions Terms of Service. In the event of a conflict between this BAA and the Terms of Service with respect to the subject matter of this BAA (i.e., obligations relating to PHI), this BAA controls.

6.2 Amendment

This BAA will be amended automatically, without further action of the parties, to the extent necessary to comply with any amendment to the HIPAA Rules or any other applicable law affecting the parties' obligations with respect to PHI. Business Associate will provide notice of any material amendment to this BAA in accordance with the Terms of Service.

6.3 Interpretation

Any ambiguity in this BAA will be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules. The parties acknowledge that this BAA is intended to comply with HIPAA and HITECH and should be interpreted accordingly.

6.4 No Third-Party Beneficiaries

This BAA is entered into for the sole benefit of Business Associate and Covered Entity, and nothing in this BAA, express or implied, is intended to or will confer on any other person or entity, including patients, any rights or remedies under or by reason of this BAA.

6.5 Governing Law

This BAA is governed by applicable federal law, including HIPAA and HITECH, and to the extent not preempted by federal law, by the laws of the State of Delaware.

6.6 Regulatory References

Any reference in this BAA to a HIPAA regulation or statute includes the reference as it may be amended, updated, or supplemented from time to time.

6.7 Entire Agreement as to Subject Matter

This BAA, together with the Terms of Service and any applicable Pilot Agreement, constitutes the entire agreement between the parties with respect to the use and disclosure of PHI by Business Associate on behalf of Covered Entity, and supersedes all prior agreements, understandings, or representations relating to such subject matter.


7. Contact: Privacy Officer

Questions, reports of suspected breaches, individual rights requests, or other BAA-related notices should be directed to:

Echo Health Solutions, Inc., Privacy Officer
Email: info@echobooking.com
Mailing Address: 120 Bretano Way, Greenbrae, CA 94904


Important Notice Regarding Subcontractors: Echo Health Solutions may use subcontractors to perform services on its behalf. Each subcontractor that may access PHI has executed a HIPAA-compliant sub-BAA and is contractually obligated to safeguard PHI in accordance with HIPAA. Covered Entity acknowledges and agrees to such subcontractor use as part of its acceptance of this BAA. For questions regarding subcontractor compliance, please contact our Privacy Officer.


This Business Associate Agreement was last reviewed by Echo Health Solutions legal counsel on February 25, 2026.