HIPAA Business Associate Agreement (BAA)

If you are a Covered Entity and Raven Health’s services involve handling Protected Health Information (PHI) on your behalf, this HIPAA Business Associate Agreement (“BAA”) is part of the Raven Health Terms of Use and End User License Agreement (“Agreement”). Should there be a conflict, this BAA will take precedence.

1. Definitions

Unless otherwise specified, capitalized terms follow definitions provided by HIPAA. If not defined by HIPAA, these terms refer to definitions within the Agreement.

  • “Breach Notification Rule” refers to the Breach Notification for Unsecured Protected Health Information Final Rule.
  • “Business Associate” has the meaning provided in 45 CFR § 160.103 of HIPAA.
  • “Covered Entity” is defined per 45 CFR § 160.103 of HIPAA.
  • “HIPAA” encompasses the administrative simplification provisions of the Health Insurance Portability and Accountability Act, including amendments such as the HITECH Act and relevant modifications addressing privacy, security, and breach notification rules.
  • “Privacy Rule” refers to the Standards for Privacy of Individually Identifiable Health Information.
  • “Protected Health Information” has the meaning provided in 45 CFR § 160.103 of HIPAA and specifically pertains to information that Raven Health receives, creates, or transmits on your behalf through Raven Health Services.
  • “Security Rule” refers to Security Standards for the Protection of Electronic Protected Health Information.

2. Permitted Uses and Disclosures of Protected Health Information

a. Service Performance: Subject to limitations in this BAA, Raven Health may use and disclose PHI on your behalf to provide services as specified in the Agreement, provided these uses or disclosures would comply with HIPAA if conducted by you, except as explicitly permitted in Section b.

b. Management, Administration, and Legal Duties: Raven Health may use or disclose PHI for its management, administration, or legal obligations. Any disclosure of PHI is limited to instances: (1) Required by Law, or (2) where Raven Health obtains reasonable assurances that the recipient will maintain confidentiality, use the information solely as required by law or for its intended purpose, and notify Raven Health of any breaches in confidentiality of the disclosed PHI.

3. Responsibilities of the Parties with Respect to Protected Health Information

a. Raven Health’s Responsibilities:

  • Limitations on Use and Disclosure: Raven Health will only use or disclose Protected Health Information (PHI) as permitted by the Agreement, this BAA, or as required by law. Raven Health will not disclose, store, or transmit PHI for any activities not authorized under the Agreement or this BAA. Additionally, Raven Health will not use PHI for marketing or advertising purposes. We will always make reasonable efforts to limit the use, disclosure, and request for PHI to the minimum necessary to fulfill the intended purpose.

  • Safeguards: Raven Health will employ reasonable safeguards to prevent unauthorized PHI use or disclosure and comply with relevant Security Rule requirements in 45 CFR Part 164, Subpart C.

  • Reporting: Raven Health will notify you of any unauthorized PHI use or disclosure, any security incidents, and any breach of unsecured PHI as outlined in the Breach Notification Rule, with notice of a breach provided within 96 hours of discovery. Notification methods may include email or other means, and Raven Health’s reporting is not an admission of liability.

  • Subcontractors: Raven Health will ensure that any subcontractors handling PHI agree to the same or stricter confidentiality and security requirements as those in this BAA, including those under the Security Rule.

  • Disclosure to the Secretary: Raven Health will make its records on PHI use and disclosure available to the Secretary of Health and Human Services for HIPAA compliance determination, while respecting legal privileges.

  • Access: Upon request, if PHI is held in a designated record set, Raven Health will make it accessible to you within 20 days as per the Privacy Rule.

  • Amendment: Raven Health will also support amendments to PHI in a designated record set, as requested, within 20 days, in compliance with the Privacy Rule.

  • Accounting of Disclosures: Upon request, Raven Health will, within 45 days, provide information on PHI disclosures to support any required accounting as per the Privacy Rule.

  • Performing Covered Entity Obligations: If Raven Health undertakes any responsibilities typically required of a Covered Entity under the Privacy Rule, it will comply with the relevant Privacy Rule obligations.

b. Your Responsibilities:

  • No Impermissible Requests: You will not ask Raven Health to use or disclose PHI in any way that would be impermissible under HIPAA if conducted by a Covered Entity (unless permitted for a Business Associate).

  • Safeguards and Appropriate Use of PHI: You are responsible for implementing necessary privacy and security measures to protect PHI, including:

    1. Avoid including PHI in technical support requests or ticket content, as Raven Health’s Business Associate obligations do not extend to data sent outside of our services via public internet.
    2. Implement appropriate privacy and security safeguards within your own systems, applications, and software when using Raven Health services.

4. Term and Termination

a. Term:
This Business Associate Agreement (BAA) will remain in effect until the earlier occurrence of either (1) termination by either party due to breach, as further specified in Section 4.b, or (2) expiration of your Agreement with Raven Health. This duration is subject to any conditions set forth in this BAA or in applicable laws that may require continued protection of Protected Health Information (PHI).

b. Termination for Breach:
In the event of a material breach of this BAA by either party, the non-breaching party reserves the right to terminate the Agreement and this BAA immediately upon providing written notice. However, at its discretion, the non-breaching party may provide the breaching party with a 30-day period to resolve the material breach. Failure to resolve the breach within this period may lead to termination.

c. Return, Destruction, or Retention of Protected Health Information Upon Termination:
Upon termination or expiration of this BAA, Raven Health agrees to return or destroy all PHI in its possession if feasible. If returning or destroying certain portions of PHI proves infeasible, Raven Health will maintain the protections outlined in this BAA to secure such PHI, limiting any further Use or Disclosure solely to purposes that render return or destruction unfeasible. This retention will last as long as the PHI is retained by Raven Health, ensuring continued compliance with applicable legal and contractual safeguards.

5. Miscellaneous

a. Interpretation:
This BAA is intended to be interpreted in alignment with the parties’ shared intent to comply fully with HIPAA and relevant federal or state regulations. Where conflicts may arise between this BAA and the primary Agreement, the provisions of this BAA concerning PHI will govern. Captions and headings are included for convenience and are not meant to affect the interpretation of this BAA’s terms.

b. Amendments; Waiver:
This BAA may be modified only through a written amendment signed by authorized representatives of both parties. A waiver concerning a specific event will not constitute a continuous waiver or prevent either party from exercising any rights or remedies regarding subsequent events.

c. No Third-Party Beneficiaries:
This BAA does not intend to grant any rights, remedies, or obligations to any person or entity other than the parties to this BAA and their respective successors or permitted assigns.

d. Severability:
If any provision of this BAA is determined to be invalid or unenforceable, the remainder of the BAA shall remain in full force and effect. The unenforceable provision will be modified to the minimum extent necessary to ensure validity while preserving the intent of the provision and this BAA.

e. No Agency Relationship:
The terms of this BAA do not establish an agency relationship under HIPAA or relevant Privacy, Security, or Breach Notification Rules. Raven Health and the Covered Entity remain independent parties, and no provision within this BAA should be interpreted as creating an agency relationship or implying that Raven Health acts as an agent for you under HIPAA.

Beta Test Agreement (Beta Agreement)

Purpose and Scope of the Beta Agreement
This Beta Test Agreement (“Beta Agreement”) is a legally binding document between Raven Health, LLC, a Delaware limited liability company (“Raven Health”), and the user (“Beta Tester”). The agreement formalizes the terms under which Raven Health grants the Beta Tester early access to its proprietary electronic health record and practice management software-as-a-service system, specifically designed for use by healthcare providers in applied behavioral analysis (ABA) treatment (“Raven Health Services”).

Since the Raven Health Services are currently not generally available for commercial distribution, this Beta Agreement allows both parties to engage in a mutually beneficial collaboration. Through this partnership, the Beta Tester will gain hands-on access to the Raven Health Services, while Raven Health will gather valuable insights based on the Beta Tester’s experience and feedback to improve its service offering.

THEREFORE, the party agrees as follows:

1. Terms of Use and End User License Agreement

Under this Beta Agreement’s terms, Raven Health grants Beta Tester the right to access and use the Raven Health Services, in accordance with Raven Health’s Terms of Use and End User License Agreement (EULA), found at https://ravenhealth.com/terms. The EULA also includes the following documents by reference, which apply to Beta Tester: (i) Raven Health’s Privacy Policy, available at https://ravenhealth.com/privacy; and (ii) Raven Health’s HIPAA Business Associate Agreement, available at https://ravenhealth.com/legal.

2. Evaluation and Reports

2.1 Acknowledgment of Beta Testing:
The parties acknowledge that the Raven Health Services is a beta version and may contain defects. Access to the Raven Health Services is provided [free of charge] in exchange for Beta Tester’s evaluation of the software, alongside other undertakings detailed below.

2.2 Beta Tester Reports:
Throughout this Beta Agreement, Beta Tester agrees to test, evaluate, and report on the Raven Health Services, sharing operational insights and experiences. Upon Raven Health’s request, Beta Tester will provide written Evaluation Reports, in an agreed format, documenting their experience with the Raven Health Services. These reports will include, but are not limited to: (i) results of Beta Tester’s use and evaluations, identifying bugs, errors, or issues, with sufficient detail for Raven Health’s analysis; and (ii) suggestions for additions, modifications, or improvements to the Raven Health Services.

2.3 Ownership of Reports:
Beta Tester hereby assigns Raven Health all rights, title, and interest in all evaluations, recommendations, and inventions related to the Raven Health Services, including the Evaluation Reports. All related intellectual property will be the sole property of Raven Health, which may use or disclose this information freely, subject to the limitations in Section 2.4.

2.4 Publicity:
Raven Health may disclose to the public or to third parties that Beta Tester has used the Raven Health Services and may identify Beta Tester as a reference (the “Identification and Reference Right”). Raven Health also retains the right to issue press releases or public statements regarding Beta Tester’s experience, beyond the scope of the Identification and Reference Right, provided Beta Tester approves such statements. Approval will not be unreasonably withheld and will be considered granted if no response is received within ten (10) days of providing the content for review.

3. Testing Period

3.1 Term:
This Beta Agreement begins on the Effective Date and lasts until the later of (i) 12 months after the Effective Date or (ii) 30 days after the first commercial release of Raven Health Services. After expiration or termination, only certain obligations remain as specified in Section 6.9.

3.2 Termination:
Raven Health can terminate this agreement with a 15-day written notice.

3.3 Effect of Expiration or Termination:
Upon termination or expiration, Beta Tester will return all documentation and proprietary Raven Health materials, cease use, and delete the Raven Health Services.

4. Commercial Release

Raven Health has no obligation to further develop or release a production version of the Raven Health Services. If an updated version is released during the term, Beta Tester can request access under the terms of this agreement.

5. Confidential Information

5.1 Obligations:
Beta Tester will keep Raven Health’s business and product information confidential and will not use, disclose, or distribute it beyond the terms of this agreement, applying reasonable efforts to maintain confidentiality. Confidential Information also includes conclusions and findings per Section 2.2.

5.2 Exceptions:
Confidentiality obligations do not apply if the information (i) is public, (ii) was previously known to Beta Tester, (iii) was obtained lawfully from a third party, (iv) was independently developed, or (v) is disclosed by law or court order, in which case Beta Tester must notify Raven Health and cooperate to protect confidentiality.

5.3 Injunctive Relief:
Beta Tester acknowledges that breaches of confidentiality may cause irreparable harm. Raven Health is entitled to injunctive relief, in addition to any legal or equitable remedies.

6. Miscellaneous

6.1 Relationship of the Parties:
The agreement clarifies that Raven Health and the Beta Tester act independently and are not agents, representatives, partners, or joint venturers of each other. This independence limits each party’s authority over the other, ensuring that each party fulfills their roles without implying a partnership or similar affiliation.

6.2 Notices:
All important communications under this agreement, such as notifications of termination or breaches, must be in writing. Delivery methods include personal delivery, certified mail, or an overnight courier. The timing of when notice is considered “delivered” varies by method: mailed notices are deemed delivered two business days after postmark, hand-delivered notices upon delivery, and couriered notices when records confirm delivery. This ensures timely and reliable communication between the parties.

6.3 Assignment:
The Beta Tester cannot transfer or assign its rights and obligations under this agreement to another party without Raven Health’s prior written approval. Any unauthorized attempt to assign the agreement is void. However, Raven Health’s rights and obligations will extend to any future successors or approved assigns, ensuring the agreement’s integrity across potential organizational changes.

6.4 Governing Law and Venue:
Michigan state law governs this agreement. Any legal disputes related to the agreement must be resolved in Michigan, specifically in the United States District Court for the Eastern District of Michigan or a Detroit state court. This provision clarifies the applicable law and legal forum, promoting predictability for both parties in case of legal action.

6.5 Severability:
If a specific provision in the agreement is found to be unenforceable or invalid, it will be adjusted or removed only to the necessary extent, ensuring the rest of the agreement remains enforceable. This clause safeguards the agreement’s functionality even if part of it is legally challenged.

6.6 Entire Agreement:
This agreement, along with any referenced documents, represents the entire understanding between Raven Health and the Beta Tester regarding the beta testing. It supersedes all previous agreements, whether written or oral, making it the sole source of terms for this relationship and eliminating any ambiguities from prior negotiations.

6.7 Waiver:
If either party chooses to waive a breach of any part of this agreement, that waiver applies only to that specific breach. It does not constitute a general waiver of any subsequent or concurrent breaches. All waivers must be in writing and signed by an authorized representative, preserving the right to enforce other provisions of the agreement.

6.8 Amendments:
Any changes to this agreement must be formally documented in writing and signed by both parties. This process ensures that both parties explicitly agree to any modifications, preventing unintentional changes.

6.9 Survival:
Certain sections of the agreement (including confidentiality, commercial release obligations, and miscellaneous provisions) remain in effect even after the agreement ends. This continuation provides enduring protection and obligations related to key areas, like confidentiality and data handling.

6.10 Counterparts:
The agreement may be signed in multiple parts or copies, with each considered an original document. Together, these counterparts form a complete, legally binding document, allowing for flexibility in signing and record-keeping.

IN ADDITION, the party agrees to the following:


Raven Health Fulfillment Policy

1. Refund Policy:
Raven Health does not generally provide refunds for subscription fees once a billing period has commenced. However, refunds may be granted in specific cases of platform malfunction or non-performance, as evaluated on a case-by-case basis by our support team. Requests for refunds must be made within 30 days of the issue and must be accompanied by documentation of the platform malfunction or performance issue.

2. Delivery Policy:
Raven Health’s platform is delivered as a Software as a Service (SaaS) product. Access to our platform is provided immediately upon completion of the subscription agreement and receipt of initial payment. Customers are given login credentials and instructions to access and set up their account within 24 hours. Raven Health offers onboarding assistance to support initial setup, and customers can access our comprehensive Knowledge Base and Support Team for ongoing guidance.

3. Return Policy:
Since Raven Health is a digital SaaS product, no physical returns are applicable. However, we are committed to providing a quality experience and support. Should a customer experience ongoing technical issues that cannot be resolved within a reasonable timeframe, we encourage them to contact our Customer Success team for assistance in finding a resolution.

4. Cancellation Policy:
Customers may cancel their subscription at any time, but no refunds will be issued for any unused portion of the current billing period. Cancellations become effective at the end of the current billing cycle, and access to the platform will remain available until the cycle ends. To initiate a cancellation, customers should contact their account manager or submit a written request via our support portal. Annual contracts may be subject to an early termination fee if canceled before the contract end date.