BUSINESS ASSOCIATE AGREEMENT
FOR BUSINESS PARTNERSHIPS BETWEEN ELEA.AI GMBH AND CLIENTS OF THE UNITED STATES OF AMERICA
Last Updated: August 20, 2025
This Business Associate Agreement (this “BAA”) is entered into by and between Elea.ai GmbH (“Business Associate”) and the Client identified in the Services Agreement (“Covered Entity”), which is a covered entity or a business associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The parties are entering into this BAA to assist the Covered Entity in complying with HIPAA, and to set forth Business Associate’s obligations under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), and 45 CFR Parts 160 and 164, Subpart C (the “Security Rule”), Subpart D (the “Data Breach Notification Rule”), and Subpart E (the “Privacy Rule”) (collectively, the “HIPAA Regulations”).
This BAA applies to any PHI (as defined below) Business Associate receives from Covered Entity, or creates, receives or maintains on behalf of Covered Entity, under its agreements with Covered Entity (the “Services Agreement”). Capitalized terms used herein but not otherwise defined have the meanings given to them in the Services Agreement.
-
Definitions. Except as otherwise defined in this BAA and in the Services Agreement, capitalized terms shall have the definitions set forth under the HIPAA Regulations, as amended from time to time.
(a) “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 CFR § 160.103 of the HIPAA Regulations, provided that it is limited to such PHI that is received by Business Associate from, or created, received, maintained, or transmitted by Business Associate on behalf of, Covered Entity.
(b) “Security Incident” shall have the meaning given to the term “security incident” at 45 CFR § 164.304, as applied to the electronic PHI created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
(c) “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, use, or disclosure of PHI.
-
Permitted Uses and Disclosures. Business Associate may use and disclose PHI to provide Covered Entity with the services under the Services Agreement. Except as expressly provided below, this BAA does not authorize Business Associate to make any use or disclosure of PHI that Covered Entity would not be permitted to make under Subpart E of 45 CFR Part 164.
-
Obligations of Business Associate. Business Associate will:
(a) Not use or further disclose PHI except as permitted by the Services Agreement or the BAA, or as required by law;
(b) Use appropriate safeguards, and comply, where applicable, with the Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Services Agreement or this BAA. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity;
(c) Report to Covered Entity any use or disclosure of PHI not provided for by the Services Agreement or this BAA of which it becomes aware, including breaches of unsecured PHI as required by the Data Breach Notification Rule (45 CFR § 164.410), and any Security Incident of which Business Associate becomes aware, without unreasonable delay, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given;
(d) Ensure that any of Business Associate’s subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree in writing to substantially similar, and no less restrictive, restrictions and conditions as those that apply to Business Associate with respect to such information, including compliance with the HIPAA Security Rule with respect to electronic PHI;
(e) To the extent that Business Associate maintains PHI in a Designated Record Set, make any PHI in a Designated Record Set available to Covered Entity to enable Covered Entity to meet its obligation to provide access to the information in accordance with 45 CFR § 164.524;
(f) To the extent that Business Associate maintains PHI in a Designated Record Set, make any PHI in a Designated Record Set available for amendment and incorporate any amendments to PHI as directed by Covered Entity pursuant to 45 CFR § 164.526;
(g) Make available to Covered Entity the information concerning disclosures that Business Associate makes of PHI required to enable Covered Entity to provide an accounting of disclosures in accordance with 45 CFR § 164.528;
(h) To the extent that Business Associate carries out Covered Entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations; and
(i) Make Business Associate’s internal practices, books, and records relating to Business Associate’s use and disclosure of PHI, available to the Secretary of the United States Department of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Regulations, subject to attorney-client and other applicable legal privileges.
-
Proper Management and Administration of Business Associate. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out Business Associate’s own legal responsibilities. Business Associate may disclose PHI for these purposes if Business Associate is required to do so by law, or if Business Associate obtains reasonable assurances from the recipient of the information that (1) it will be held confidentially, and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (2) the recipient will notify Business Associate of any instances of which the recipient is aware in which the confidentiality of the information is breached.
-
Data Aggregation. Business Associate may use PHI for data aggregation, as permitted by the Privacy Rule.
-
De-identification. Business Associate may de-identify PHI, in compliance with the requirements of 45 CFR § 164.514. Business Associate shall be the owner of such de-identified data.
-
Covered Entity Obligations. With regard to the use and/or disclosure of PHI by Business Associate, Covered Entity agrees:
(a) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity (except to the extent permitted by HIPAA for a business associate).
(b) Covered Entity is responsible for maintaining a notice of privacy practices, as required by HIPAA.
(c) Covered Entity represents and warrants that it has obtained any necessary authorizations, consents, and other permissions that may be required under any applicable law to provide PHI to Business Associate and for Business Associate to provide the services.
(d) Covered Entity shall notify Business Associate in writing of any limitations in an applicable notice of privacy practices, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI.
(e) Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent that such changes or revocation may affect Business Associate’s use or disclosure of PHI.
(f) Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
-
Term and Termination. This BAA shall continue in effect until the earlier of (1) expiration of the Services Agreement or (2) termination pursuant to subsection (a) of this Section 8.
(a) Either party may immediately terminate this BAA if the other party is in material breach or default of any obligation in this BAA. The non-breaching party may, but does not have the duty to, provide the breaching party with an opportunity to cure any material breach of the Agreement or end the violation within thirty (30) days.
(b) Upon expiration or termination of this BAA, Business Associate shall return or destroy all PHI in its possession, if it is feasible to do so. If it is not feasible to return or destroy any portions of the PHI upon termination of this BAA, as determined by the Business Associate, then Business Associate shall extend the protections of this BAA, without limitation, to such PHI and limit any further use or disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI.
-
Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time this BAA is executed or amended.
-
Amendment; No Waiver. No waiver, change, modification, or amendment of any provision of this BAA shall be made unless it is in writing and is signed by the parties hereto. The failure of either party at any time to insist upon strict performance of any condition, promise, agreement, or understanding set forth herein shall not be construed as a waiver or relinquishment of the right to insist upon strict performance of the same condition, promise, agreement, or understanding at a future time.
-
Relationship of Parties. The parties to this BAA are independent contractors. None of the provisions of this BAA are intended to create, nor shall they be interpreted or construed to create, any relationship between Covered Entity and Business Associate other than that of independent contractors. Except as otherwise expressly set forth herein, neither party, nor any of its representatives, shall be deemed to be the agent, employee, or representative of the other party.
-
No Third-Party Relationships. This Agreement is between the parties hereto. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than Business Associate and Covered Entity and any respective successors and assigns.
-
Invalid or Unenforceable Provision. The provisions of this BAA shall be severable. The invalidity or unenforceability of any particular provision or portion of such provision of this BAA shall be construed, in all respects, as if such invalid or unenforceable provision or portion of such provision had been omitted, and shall not affect the validity and enforceability of the other provisions hereof or portions of that provision.
-
Non-assignability, Benefits and Burdens. The parties’ rights and obligations with respect to assignment of this BAA shall be subject to the assignment provision set forth in the Services Agreement. In the event that the Services Agreement does not contain an assignment provision, neither party may assign its rights, or delegate its duties or obligations, under this BAA without the prior written consent of the other party, which consent shall not be unreasonably withheld. This Agreement shall be binding upon, and shall inure to the benefit of, the parties hereto and their respective successors.
-
Applicable Law. This Agreement shall be construed, administered, and governed by the governing law set forth in the Services Agreement, except to the extent preempted by applicable federal law.
-
Notices. All notices hereunder shall be in writing, and delivered in accordance with the notices provision of the Services Agreement.
-
Interpretation. This Agreement is to be interpreted in accordance with HIPAA, the HITECH Act, and the regulations promulgated thereunder, as amended from time to time. The Parties agree that, in the event of a conflict, the terms of this BAA supersede the terms of the Services Agreement.