Business Associate Agreement
Last updated: May 2026
Effective upon acceptance during Partner enrollment
This Business Associate Agreement (“BAA”) is entered into by and between:
(1) Revelation Diagnostics, LLC dba Healos, a Florida limited liability company (“Business Associate” or “Healos”),
and
(2) The clinician, practice, organization, or partner enrolling in the Healos Partner Program solely to the extent such person or entity is acting as a Covered Entity under HIPAA or is otherwise contractually agreeing to HIPAA-like privacy and security obligations (“Covered Entity,” “You,” or “Partner”).
This BAA supplements the Healos Partner Terms, Platform Terms of Service, and any interpretation or ordering agreements (“Underlying Agreement”).
This BAA applies only to PHI that Healos creates, receives, maintains, or transmits on behalf of Covered Entity in Healos’s capacity as a Business Associate. Other data processing activities may be governed by the Platform Terms, Privacy Policy, Partner Terms, patient authorization, consent, or other applicable agreements.
This BAA is required under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the HITECH Act, and all associated regulations.
1. DEFINITIONS
Terms not defined here have the meanings set forth in 45 C.F.R. §§ 160.103 and 164.501. “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164. Capitalized terms not otherwise defined in this BAA, including Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use, have the meanings given to them under the HIPAA Rules.
1.1 “Protected Health Information” (PHI)
PHI has the same meaning as in HIPAA and includes individually identifiable health information that Healos creates, receives, maintains, or transmits for Covered Entity.
1.2 “Electronic PHI” (ePHI)
PHI transmitted or maintained in electronic media.
1.3 “Business Associate”
Revelation Diagnostics, LLC dba Healos.
1.4 “Covered Entity”
The clinician or organization entering into this BAA.
Note: Health coaches and unlicensed partners with no PHI access are not “Covered Entities” under HIPAA. They may still sign this BAA purely for contractual compliance when authorized PHI access is granted by a patient.
If Partner is a Covered Entity under HIPAA, this BAA governs Healos’s creation, receipt, maintenance, or transmission of PHI on Partner’s behalf. If Partner is not a Covered Entity, the parties agree that this BAA will apply contractually to Partner Data and PHI-like information to the extent applicable, but such contractual application does not by itself make Partner a Covered Entity or Healos a Business Associate of Partner under HIPAA.
1.5 “Reportable Event”
Any:
- (a) Use/disclosure of PHI not permitted by this BAA,
- (b) Breach of Unsecured PHI, or
- (c) Security Incident involving ePHI.
For clarity, routine unsuccessful security events such as pings, port scans, or failed login attempts are not Reportable Events unless they result in unauthorized access, acquisition, use, disclosure, modification, or destruction of PHI or otherwise require reporting under the HIPAA Rules.
1.6 “Subcontractor”
Any third party to whom Business Associate delegates functions involving PHI.
1.7 “Unsecured PHI”
PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology (such as encryption or destruction) specified by the Secretary in guidance issued under the HITECH Act.
2. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
Healos may use or disclose PHI only as follows:
2.1 To Provide Services Under the Underlying Agreement
Including:
- Lab ordering, results retrieval, and display
- Patient portal and profile management
- Interpretation summaries or partner-linked contextual explanations
- EHR-like partner tools (charting, notes, structured data storage)
- Notifications and messaging
- Reporting, analytics, and dashboard features
- Coordination between interpretation partners and clinicians where permitted
2.2 For Healos’s Proper Management and Operations
Healos may use PHI for:
- Security, audit, and fraud prevention
- Legal compliance
- Payment operations
- Internal analytics solely to operate, secure, debug, audit, support, and improve the services provided under the Underlying Agreement, and not for third-party advertising or sale of PHI
For the purposes described in this Section 2.2, Healos may disclose PHI externally only if:
- (1) The disclosure is Required by Law, or
- (2) Healos obtains reasonable written assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the recipient, and that the recipient will notify Healos of any instance of which it becomes aware in which the confidentiality of the PHI has been breached.
Healos will not sell PHI or use PHI for third-party advertising.
2.3 Data Aggregation
Healos may perform data aggregation for Covered Entity’s healthcare operations.
2.4 De-Identification
Healos may de-identify PHI in compliance with 45 C.F.R. § 164.514 and may use de-identified data for product improvement, analytics, research, benchmarking, and other lawful business purposes, provided that Healos does not attempt to re-identify the information and does not use de-identified information to identify Covered Entity’s patients, clients, or customers.
2.5 Minimum Necessary
Healos will use and disclose only the minimum PHI necessary to accomplish permitted purposes.
3. OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Restrictions on Use and Disclosure
Healos will not use or disclose PHI except as permitted by this BAA, the Underlying Agreement, or as required by law.
3.2 Safeguards
Healos will implement administrative, technical, and physical safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, including:
- Encryption of PHI at rest and in transit
- Access controls and authentication
- Logging and monitoring
- Security risk assessments
- HIPAA-compliant data hosting
- Workforce training
3.3 Reporting Requirements
3.3.1 Reportable Events
Healos shall report any Reportable Event to Covered Entity:
- Without unreasonable delay, and
- No later than ten (10) calendar days after discovery.
A Reportable Event is treated as discovered as of the first day on which it is known to Healos or, by exercising reasonable diligence, would have been known to Healos, consistent with 45 C.F.R. § 164.410(a)(2).
The report will include, to the extent known:
- Individuals affected
- Description of the incident
- PHI involved
- Mitigation steps
- Actions taken to prevent recurrence
- Date of discovery
- Date or estimated date of the incident
- Identification of unauthorized recipients, if known
- Whether the PHI was encrypted
- Actions Individuals should take to protect themselves, if applicable
- Any information reasonably required for Covered Entity to comply with 45 C.F.R. § 164.410 and applicable breach notification obligations
Healos will supplement information as it becomes available.
Healos will mitigate, to the extent practicable, any harmful effect known to Healos resulting from a use or disclosure of PHI in violation of this BAA.
3.3.2 Ongoing Security Incidents
The parties acknowledge that Healos’s systems experience routine, unsuccessful security events (e.g., pings, port scans, failed login attempts). This Section constitutes notice of such events, and no further reporting of them is required unless they become Reportable Events under Section 1.5.
3.3.3 Notification Allocation
Unless otherwise agreed in writing, Covered Entity is responsible for determining whether notification to Individuals, HHS/OCR, media, or other parties is required. Healos will reasonably cooperate with Covered Entity and provide information necessary for Covered Entity to meet its notification obligations. Healos will not notify Individuals, HHS/OCR, or media regarding a Breach involving Covered Entity’s PHI without prior written coordination with Covered Entity, except where required by law.
3.4 Subcontractors
Healos will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Healos agrees in writing to the same restrictions, conditions, and requirements that apply to Healos under this BAA with respect to such PHI, including appropriate safeguards for ePHI.
3.5 Interpretation Partners / Reviewers
To the extent Healos uses interpretation partners, reviewers, clinicians, contractors, or other service providers to perform services involving PHI on behalf of Covered Entity, Healos will ensure such parties are bound by written confidentiality, privacy, and security obligations consistent with this BAA, unless such party is independently authorized by the Individual or otherwise permitted by law to receive the PHI.
3.6 Access to PHI / Designated Record Set
If Healos maintains PHI in a designated record set, Healos will:
- Provide access to the PHI to Covered Entity or, as directed by Covered Entity, to the Individual,
- Enable export or electronic delivery of PHI held in Healos systems, in the form and within the time required by 45 C.F.R. § 164.524.
Healos may require requests from Individuals to be routed through Covered Entity where permitted by law and where necessary to verify identity, authority, and the scope of the request.
3.7 Amendments to PHI
If Healos maintains PHI in a Designated Record Set, Healos will make that PHI available for amendment and incorporate any amendments upon request from Covered Entity, as required by 45 C.F.R. § 164.526.
3.8 Accounting of Disclosures
Healos will document disclosures of PHI, and the information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures, and will provide that information to Covered Entity upon request, in compliance with 45 C.F.R. § 164.528.
3.9 Compliance with Secretary Investigations
Healos will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity’s and Healos’s compliance with the HIPAA Rules.
4. OBLIGATIONS OF COVERED ENTITY
Covered Entity agrees:
4.1 Minimum Necessary Disclosure
To provide Healos only the minimum PHI necessary.
4.2 Patient Permissions
To obtain and maintain any patient consents or authorizations required for Healos to use or disclose PHI as contemplated by the Underlying Agreement, and to ensure such consents and authorizations are valid.
4.3 Notification of Changes
Covered Entity must notify Healos of:
- Changes in privacy practices
- Patient revocation of authorization
- Restrictions on PHI use/disclosure
- Errors or unauthorized disclosures by Covered Entity or its workforce
4.4 No Impermissible Requests
Covered Entity will not request Healos to use or disclose PHI in a manner not permitted by HIPAA.
5. TERM AND TERMINATION
5.1 Term
This BAA begins upon acceptance and lasts until the Underlying Agreement is terminated.
5.2 Termination for Cause
Covered Entity may terminate this BAA and the applicable Underlying Agreement if Covered Entity determines that Healos has violated a material term of this BAA and Healos fails to cure the violation within thirty (30) days after written notice. If cure is not feasible, Covered Entity may terminate immediately.
Healos may terminate this BAA and the applicable Underlying Agreement if Covered Entity materially breaches this BAA and fails to cure within thirty (30) days after written notice.
5.3 Effect of Termination
5.3.1 Return or Destruction
Upon termination, Healos will:
- Return to Covered Entity or destroy all PHI received from, or created or received on behalf of, Covered Entity, including PHI held by Subcontractors, and retain no copies, if feasible.
5.3.2 If Destruction Is Not Feasible
Healos will:
- Retain only that PHI for which return or destruction is infeasible,
- Continue applying the safeguards of this BAA to the retained PHI,
- Limit further uses and disclosures of the retained PHI to those purposes that make its return or destruction infeasible,
- Destroy the retained PHI when return or destruction becomes feasible.
Backup, archive, legal-hold, disaster-recovery, audit-log, and record-retention copies may be retained only as necessary and will remain subject to the protections and limitations of this BAA until securely destroyed.
These obligations survive termination.
6. MISCELLANEOUS
6.1 Automatic Amendment for HIPAA Updates
This BAA is deemed amended as necessary to conform to amendments to HIPAA, the HITECH Act, and the HIPAA Rules, effective as of the compliance date of each such amendment.
6.2 Interpretation
Ambiguities are resolved in favor of HIPAA compliance.
6.3 No Third-Party Beneficiaries
This BAA creates no rights for third parties.
6.4 Governing Law
Governed by Florida law except where federal law preempts.
6.5 Notices
Notices to Healos:
- Revelation Diagnostics, LLC dba Healos
- Attn: Compliance Officer
- Email: team@healos.com
- Address: 17305 Saint James Ct, Boca Raton, FL 33496
Notices to Covered Entity are sent to the email used during Partner enrollment.
6.6 Order of Precedence
If there is a conflict between this BAA and any Underlying Agreement, Platform Terms, Partner Terms, Privacy Policy, or other agreement between the parties, this BAA controls with respect to the use, disclosure, safeguarding, return, destruction, and breach notification obligations applicable to PHI.