HIPAA
Business Associate Agreement
Effective date: May 18, 2026 · Last updated: May 18, 2026 · Version: 1.0
NOT LEGAL ADVICE — placeholder copy
This page is a placeholder pending review by licensed counsel. Final language will be posted before any production data is collected. If you are evaluating BrainMeBack and need final terms, email shavoni@me.com.
This page is informational only and is NOT a Business Associate Agreement. No legal relationship is created by reading this page. A Business Associate Agreement is a formal contract that must be executed in writing by authorized representatives of both parties before any Protected Health Information is shared with BrainMeBack.
BAA-ready, by design
BrainMeBack is built for clinician-supervised use in environments that handle Protected Health Information (“PHI”) as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations at 45 CFR Parts 160 and 164. When a Covered Entity (or an upstream Business Associate) deploys BrainMeBack in a way that causes BrainMeBack to create, receive, maintain, or transmit PHI on its behalf, BrainMeBack will execute a Business Associate Agreement (“BAA”) consistent with the requirements of 45 CFR §164.504(e).
We maintain a template BAA that we are prepared to negotiate in good faith. To request a copy, email shavoni@me.com with your organization name, the BrainMeBack deployment context, and the name and title of the individual authorized to sign on your behalf.
What BrainMeBack covers as a Business Associate
Under our template BAA, BrainMeBack commits, with respect to PHI received from or on behalf of the Covered Entity, to:
- Use and disclose PHI only as permitted or required by the BAA or as required by law (45 CFR §164.504(e)(2)(ii)(A))
- Implement appropriate administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR §§164.308, 164.310, 164.312)
- Report to the Covered Entity any use or disclosure of PHI not provided for by the BAA, including breaches of unsecured PHI, in accordance with the Breach Notification Rule (45 CFR Part 164 Subpart D)
- Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on BrainMeBack’s behalf agrees in writing to the same restrictions and conditions that apply to BrainMeBack (45 CFR §§164.502(e)(1)(ii), 164.504(e)(5))
- Make PHI available to the Covered Entity, or to the individual as directed, for access, amendment, and accounting of disclosures (45 CFR §§164.524, 164.526, 164.528)
- Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance (45 CFR §164.504(e)(2)(ii)(I))
- Return or destroy PHI at termination of the BAA where feasible, and extend the BAA’s protections to any PHI that cannot feasibly be returned or destroyed for as long as it is retained (45 CFR §164.504(e)(2)(ii)(J))
This is a summary, not the operative contract language. The executed BAA controls.
Technical safeguards in the product
The BrainMeBack patient mobile application and clinician dashboard are architected to align with the HIPAA Security Rule’s technical safeguards (45 CFR §164.312), including:
- Access control (§164.312(a)) — Unique user identification, automatic logoff after 15 minutes of inactivity (the mobile app additionally locks after 2 minutes in the background), and role-based access on the clinician dashboard
- Audit controls (§164.312(b)) — Hash-chained audit log capturing access, modification, and authentication events; daily off-platform integrity attestation is on the post-seed roadmap
- Integrity (§164.312(c)) — TLS in transit and field-level encryption of PHI at rest limit who can alter PHI without detection; the hash-chained audit log supports post-hoc detection of administrative tampering with the record of who accessed or changed what
- Transmission security (§164.312(e)) — TLS 1.2+ for transmissions; field-level encryption for designated PHI elements at rest, with encryption coverage and key-management practices documented in our security overview (available under NDA)
- Multi-tenancy isolation — Row-level security on the production database, scoped per organization
Additional administrative and physical safeguards (workforce training, access management, business continuity, facility access controls at our subprocessors) are documented in our security overview, available under NDA. Independent third-party attestation (SOC 2 Type II) and an annual external penetration test are on the post-seed roadmap.
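The audit-controls bullet above says the log is hash-chained and that off-platform integrity attestation is planned. The following Python is an added illustration of what those two properties buy and where each one stops; it is not BrainMeBack's code, and the entry fields, the genesis value, and the sample events are all constructed for the example. Each entry commits to the hash of the entry before it, so editing any historical entry in place breaks the chain at that index. A chain on its own, however, verifies just as cleanly after an administrator deletes the tail or regenerates the whole log; catching that requires comparing the head hash against a copy recorded somewhere the administrator cannot write, which is what an off-platform attestation provides.

```python
"""Hash-chained audit log with tamper detection (illustration only, not product code)."""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # assumed convention: back-link of the very first entry


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so an identical record always hashes identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(body: dict) -> str:
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    """Append-only log in which every entry includes the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, ts: str, actor: str, action: str, resource: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "resource": resource, "prev": prev}
        entry = dict(body, hash=entry_hash(body))
        self.entries.append(entry)
        return entry

    def head(self) -> dict:
        """What an off-platform attestation records: (seq, hash) of the latest entry."""
        last = self.entries[-1]
        return {"seq": last["seq"], "hash": last["hash"]}


def verify_chain(entries: List[dict]) -> Optional[int]:
    """Return the index of the first entry whose hash or back-link is wrong, else None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i
        if entry_hash(body) != e.get("hash"):
            return i
        prev = e["hash"]
    return None


def verify_against_attestation(entries: List[dict], attested: dict) -> bool:
    """An internally consistent chain may still have been truncated or rebuilt wholesale.
    Checking it against a head hash stored outside the platform catches both cases."""
    if verify_chain(entries) is not None:
        return False
    if len(entries) <= attested["seq"]:
        return False  # attested entry no longer exists: tail was deleted
    return entries[attested["seq"]]["hash"] == attested["hash"]


def demo() -> dict:
    log = AuditLog()
    # Constructed sample events, not real data.
    log.append("2026-05-18T09:00:00Z", "clin-1", "login", "-")
    log.append("2026-05-18T09:01:12Z", "clin-1", "view", "patient/42")
    log.append("2026-05-18T09:03:40Z", "clin-1", "update", "patient/42/notes")
    attested = log.head()  # imagine this copied off-platform at the daily cut

    intact = verify_chain(log.entries) is None

    # 1. A historical entry is edited in place: the chain breaks at that index.
    tampered = [dict(e) for e in log.entries]
    tampered[1]["resource"] = "patient/7"
    first_bad = verify_chain(tampered)

    # 2. The newest entry is deleted: the chain still verifies; only attestation catches it.
    truncated = log.entries[:-1]
    chain_ok_after_truncation = verify_chain(truncated) is None
    attestation_ok_after_truncation = verify_against_attestation(truncated, attested)

    return {
        "intact": intact,
        "first_bad": first_bad,
        "chain_ok_after_truncation": chain_ok_after_truncation,
        "attestation_ok_after_truncation": attestation_ok_after_truncation,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the four results: the untouched log verifies, the edited log fails at index 1, the truncated log still verifies as a chain, and only the attestation check reports the missing tail. That last pair is the reason an attestation that lives outside the administrators' reach matters more than the chaining itself.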
What is NOT in scope on this marketing site
The marketing website at brainmeback.com does not create, receive, maintain, or transmit PHI. The only personal information collected through the marketing site is what users voluntarily provide via the demo-request form (name, email, role, organization, condition list, and free-text message). That data is handled under the Privacy Policy, not under a BAA.
Please do not include patient identifiers in demo-request submissions. If PHI is needed to evaluate the platform for your organization, we will move the discussion to a channel covered by an executed BAA.
Subprocessors handling PHI
A current list of subprocessors that may handle PHI in the BrainMeBack product environment is maintained at brainmeback.com/baa/subprocessors and is incorporated by reference into our template BAA. We will provide reasonable advance notice of changes to that list and, where required, an opportunity for the Covered Entity to object.
Pricing and timeline
There is no separate charge to execute our standard BAA when you are a paid customer of BrainMeBack. We aim to acknowledge BAA requests within 5 business days and complete standard BAA negotiations within 30 days of receiving a redline. Material deviations from our standard template may extend this timeline.
How to request the template BAA
Email shavoni@me.com with:
- Organization legal name and state of formation
- The intended BrainMeBack deployment (patient app, clinician dashboard, both)
- Estimated number of patients
- Name, title, and email of your authorized signatory
- Any preferred contract management platform
We will respond within five business days.
Questions
For HIPAA, security, or compliance questions outside the BAA process: shavoni@me.com.
For responsible-disclosure security reports: shavoni@me.com or brainmeback.com/.well-known/security.txt.
BAA notice address:
Scott S. Parker, d/b/a BrainMeBack
(intended successor entity: BrainMeBack, Inc., a Delaware C-Corporation in formation)
Attn: HIPAA / BAA
1151 W. 13th Street, Unit #214
Upland, CA 91786, United States