Last updated: April 16, 2026

Business Associate Agreement (BAA) for YouSquared by Strange Attractor

This BAA is entered into between a healthcare provider (the “Covered Entity” or “Customer”) and Strange Attractor Technologies Inc., operating as YouSquared (“SAT”). It supplements the Terms and Conditions governing Customer’s use of the YouSquared service.

Definitions

PHI means Protected Health Information as defined in 45 CFR §160.103.

Breach, Covered Entity, Business Associate, and Security Incident have the meanings set forth in HIPAA.

HIPAA means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations.

TCPA means the Telephone Consumer Protection Act, 47 U.S.C. §227.

Service means outbound SMS and AI-assisted phone calls to Customer’s patients, performed by SAT on behalf of Customer’s affiliated healthcare practitioners for healthcare operations purposes.

Permitted Uses and Disclosures

SAT may use and disclose PHI solely to perform the Service on Customer’s behalf. SAT shall not use or disclose PHI in any manner not permitted by this BAA or HIPAA.

Safeguards

SAT shall implement administrative, physical, and technical safeguards reasonably designed to protect PHI. SAT shall ensure that any subcontractors with access to PHI agree to equivalent protections.

Breach Notification

SAT shall notify Customer without unreasonable delay, and in no event later than thirty (30) days, after discovering a Breach of unsecured PHI. Notification shall include the information required under 45 CFR §164.410(c) to the extent known.

Return or Destruction of PHI

Upon termination of this BAA or the Service, SAT shall return or destroy PHI in its possession, except as required by law. Obligations under this BAA survive termination to the extent necessary to wind down PHI handling.

Covered Entity Obligations

Customer represents, warrants, and covenants that:

(a) Patient consent

Customer has obtained, or will obtain prior to any outbound communication, all consents and authorizations required under HIPAA and TCPA for SAT to contact Customer’s patients via SMS and phone calls on Customer’s behalf.

(b) Practitioner authorization

Customer has obtained, or will obtain, written authorization from each affiliated primary care physician or other healthcare practitioner whose name or identity appears in any outbound communication sent by SAT.

(c) Data accuracy

Customer is solely responsible for the accuracy and completeness of all patient data provided to SAT, including names, phone numbers, and clinical indicators.

(d) Do-not-contact list

Customer shall maintain and promptly communicate to SAT a list of patients who have opted out of outbound communications. SAT shall honor such list upon receipt.

(e) Lawful requests

Customer shall not request SAT to use or disclose PHI in any manner that would violate HIPAA or TCPA, and is solely responsible for obtaining any required patient consents or authorizations.

Outbound Communication Standards

All outbound communications performed under this BAA shall:

  • Be drafted and delivered as communications from Customer’s affiliated practitioners (e.g., “Dr. [Name]’s office at [Customer]”), limited to healthcare operations purposes;
  • Not constitute marketing or pharmaceutical promotions — any such use requires a separate HIPAA-compliant authorization;
  • Include opt-out mechanisms as required by TCPA (e.g., “Reply STOP to unsubscribe” for SMS, verbal opt-out option for calls);
  • Comply with all applicable federal and state regulations governing automated telephone communications and text messages.

Limitation of Liability and Indemnification

SAT’s total liability under this BAA shall not exceed the fees paid by Customer to SAT in the twelve (12) months preceding the claim. SAT shall not be liable for any indirect, incidental, or consequential damages.

Customer shall indemnify and hold SAT harmless from any claims, losses, or penalties arising from (i) Customer’s violations of HIPAA or TCPA, (ii) inaccurate or incomplete patient data provided by Customer, or (iii) Customer’s failure to obtain required consents or practitioner authorizations.

Term and Termination

This BAA is effective as of the Effective Date and continues until the Service arrangement between the parties terminates. Either party may terminate this BAA upon thirty (30) days’ written notice of a material breach that remains uncured.

General

This BAA shall be governed by the laws of the State of New York. Any ambiguity shall be resolved in favor of a meaning that permits compliance with HIPAA. This BAA constitutes the entire agreement between the parties regarding PHI and supersedes any prior agreements on this subject.