Business Associate Agreement
HIPAA-Compliant · Effective Date: April 1, 2026
This Business Associate Agreement ("Agreement" or "BAA") is entered into between BillUnlimited (the "Business Associate") and the subscribing agency or covered entity that creates an account on the BillUnlimited platform (the "Covered Entity"). It governs how Protected Health Information ("PHI") is handled by BillUnlimited as a Business Associate of the Covered Entity, in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the HIPAA Privacy, Security, and Breach Notification Rules at 45 CFR Parts 160 and 164, and the Final Omnibus Rule.
Business Associate: Unlimited Pediatric Therapy, LLC, d/b/a BillUnlimited
7010 15th St N, St. Petersburg, FL 33702
admin@billunlimited.com
Covered Entity: The subscribing agency that has registered an account on the BillUnlimited platform.
Service: BillUnlimited — a web-based billing automation platform that generates ESDS-compliant XML and 837P EDI files from agency-provided visit data.
1. DEFINITIONS
Capitalized terms used but not otherwise defined in this Agreement shall have the meanings given to them in HIPAA and HITECH, as amended. For convenience, certain key terms are summarized below; in the event of conflict, the regulatory definitions control.
- Business Associate means Unlimited Pediatric Therapy, LLC d/b/a BillUnlimited.
- Covered Entity means the agency or entity that has subscribed to BillUnlimited and is providing PHI to Business Associate for processing.
- PHI ("Protected Health Information") shall have the meaning set forth at 45 CFR §160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity through the BillUnlimited platform.
- ePHI ("Electronic PHI") means PHI in electronic form.
- Breach, Security Incident, Unsecured PHI, Required by Law, Designated Record Set, Subcontractor, and other capitalized terms shall have the meanings set forth at 45 CFR §§160.103 and 164.402 et seq.
2. PERMITTED USES AND DISCLOSURES OF PHI
2.1 Permitted Uses by Business Associate
Business Associate may use PHI only as necessary to perform the services for which it has been engaged by Covered Entity, specifically:
- Generating ESDS-compliant EMR XML files from visit data provided by Covered Entity.
- Generating 837P Electronic Data Interchange ("EDI") claim files from acknowledgement data returned by ESDS.
- Storing visit data, provider records, fee schedules, and billing batches as necessary for the operation of the platform.
- Performing internal management, administration, and operations of the platform, including authentication, account management, audit logging, billing reconciliation, and customer support to the Covered Entity.
- Carrying out the Business Associate's legal responsibilities under HIPAA or other applicable law.
Business Associate limits its use, access, and retention of PHI to the minimum necessary to perform the services described in this Agreement. Business Associate does not interact directly with individuals (patients) and does not receive PHI directly from individuals.
2.2 Other Permitted Uses
Business Associate may, where permitted by 45 CFR §164.504(e)(4):
- Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
- Disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and that the recipient will notify Business Associate of any breaches of confidentiality.
- Provide Data Aggregation services relating to the health care operations of Covered Entity, if requested.
- De-identify PHI in accordance with 45 CFR §164.514(a)-(c). De-identified information is no longer PHI and is not subject to this Agreement. Business Associate may use de-identified data for internal analytics, product improvement, and service optimization purposes.
2.3 Prohibited Uses
Business Associate will not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific uses set forth in Sections 2.1 and 2.2 above. Business Associate will not sell PHI or use PHI for marketing purposes.
3. OBLIGATIONS OF BUSINESS ASSOCIATE
Business Associate agrees to:
- 3.1 Limit use and disclosure. Not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
- 3.2 Safeguard PHI. Use appropriate administrative, physical, and technical safeguards, and comply with the applicable HIPAA Security Rule requirements at Subpart C of 45 CFR Part 164, to prevent use or disclosure of PHI other than as provided for by this Agreement. See Section 5 for specific safeguards.
- 3.3 Mitigate harmful effects. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.
- 3.4 Report incidents and breaches. Report to Covered Entity (a) any use or disclosure of PHI not permitted by this Agreement of which Business Associate becomes aware, (b) any Security Incident of which Business Associate becomes aware, and (c) any Breach of Unsecured PHI as required by 45 CFR §164.410. Reports of Breaches will be made without unreasonable delay and in no event later than sixty (60) calendar days after the discovery of the Breach, and typically within a commercially reasonable timeframe once the Breach is confirmed. Reports will include, to the extent known, the identification of each individual whose PHI was involved, a description of what happened, the types of information involved, and the steps Business Associate is taking in response.
- 3.5 Subcontractors. Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI, in accordance with 45 CFR §164.502(e)(1)(ii).
- 3.6 Access to PHI. To the extent PHI is maintained in a Designated Record Set by Business Associate, make such PHI available to Covered Entity (or, as directed by Covered Entity, to an Individual) as necessary to satisfy Covered Entity's obligations under 45 CFR §164.524 within fifteen (15) business days of a written request. BillUnlimited is not intended to function as the Covered Entity's system of record, and the Covered Entity is responsible for maintaining its own clinical and administrative records.
- 3.7 Amendment of PHI. To the extent PHI is maintained in a Designated Record Set by Business Associate, make any amendment(s) to such PHI as directed by or agreed to by Covered Entity pursuant to 45 CFR §164.526, or take other measures as necessary to satisfy Covered Entity's obligations under that section, within thirty (30) business days of written request.
- 3.8 Accounting of Disclosures. To the extent Business Associate makes disclosures of PHI for which an accounting is required under 45 CFR §164.528, maintain and make available the information necessary to provide such accounting to Covered Entity within thirty (30) business days of written request.
- 3.9 Compliance with Privacy Rule obligations. To the extent that Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
- 3.10 Internal practices and records. Make Business Associate's internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA, in accordance with 45 CFR §164.504(e)(2)(ii)(I).
4. OBLIGATIONS OF COVERED ENTITY
Covered Entity agrees to:
- 4.1 Notice of Privacy Practices. Notify Business Associate of any limitation(s) in Covered Entity's Notice of Privacy Practices under 45 CFR §164.520, to the extent such limitation may affect Business Associate's use or disclosure of PHI.
- 4.2 Changes in Authorization. Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
- 4.3 Restrictions. Notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 CFR §164.522, to the extent such restriction may affect Business Associate's use or disclosure of PHI.
- 4.4 Lawful Use Only. Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except as permitted under Section 2.2 of this Agreement.
- 4.5 Authorizations. Obtain and maintain all consents, authorizations, and permissions required under HIPAA for the disclosure of PHI to Business Associate for the purposes set forth in this Agreement.
- 4.6 Minimum Necessary. Provide Business Associate with only the minimum PHI necessary for Business Associate to perform its services under this Agreement.
5. SECURITY SAFEGUARDS
In accordance with the HIPAA Security Rule (45 CFR §§164.302–164.318), Business Associate implements and maintains the following safeguards:
5.1 Administrative Safeguards (45 CFR §164.308)
- Designated security responsibilities and a security management process.
- Workforce access policies under the principle of least privilege.
- Information access management procedures, including access authorization, modification, and termination.
- Documented incident response procedures.
- Risk analysis and risk management performed on a periodic basis.
5.2 Physical Safeguards (45 CFR §164.310)
- Hosting in commercial-grade cloud infrastructure providers with industry-standard physical and environmental controls.
- No PHI is stored on portable or unencrypted devices.
5.3 Technical Safeguards (45 CFR §164.312)
- Encryption in transit: All connections to and from the BillUnlimited platform use TLS 1.2 or higher.
- Encryption at rest: Database and stored files are encrypted at rest using industry-standard encryption.
- Access controls: Authentication and access control mechanisms appropriate to the sensitivity of PHI, including credential-based access and session management controls.
- Audit controls: Application and infrastructure activity logging.
- Integrity controls: Database constraints, validation rules, and checksums where applicable.
- Transmission security: All PHI transmissions occur over encrypted channels (HTTPS / TLS).
5.4 Risk Assessments
Business Associate conducts periodic risk assessments consistent with 45 CFR §164.308(a)(1)(ii)(A) and updates safeguards as appropriate.
5.5 Third-Party Service Providers (Subprocessors)
Business Associate may use third-party service providers (such as cloud hosting, infrastructure, database, monitoring, and support tools) that may process PHI on its behalf in the course of providing the Service. Such providers are engaged subject to appropriate Business Associate Agreements or equivalent contractual protections that obligate them to safeguard PHI consistent with the requirements of HIPAA and this Agreement.
6. BREACH NOTIFICATION
Following the discovery of a Breach of Unsecured PHI, Business Associate will notify Covered Entity in accordance with 45 CFR §164.410:
- Timing. Without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the Breach.
- Content. The notification will include, to the extent possible: (a) the identification of each Individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed; (b) a brief description of what happened, including the date of the Breach and the date of discovery, if known; (c) a description of the types of Unsecured PHI involved; (d) any steps Individuals should take to protect themselves; (e) a brief description of what Business Associate is doing to investigate, mitigate harm, and protect against further Breaches.
- Cooperation. Business Associate will cooperate with Covered Entity in any investigation, mitigation, and notification activities that Covered Entity determines are necessary or appropriate, including assisting with the content and timing of any notifications to affected Individuals, the Secretary of HHS, or the media as required by 45 CFR §§164.404–164.408.
7. TERM AND TERMINATION
7.1 Term
This Agreement is effective on the Effective Date and continues until the Covered Entity's subscription to BillUnlimited terminates, or until terminated as set forth in this Agreement, whichever is earlier.
7.2 Termination for Breach
Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity will, where feasible, give Business Associate written notice and a reasonable opportunity (not less than thirty (30) days) to cure the breach. If Business Associate does not cure the breach within the cure period, Covered Entity may terminate this Agreement and the underlying subscription. If cure is not feasible, Covered Entity may terminate this Agreement immediately. Covered Entity may report the breach to the Secretary of HHS as required by law.
7.3 Effect of Termination — Return or Destruction of PHI
Upon termination of this Agreement for any reason, Business Associate will, at the option of Covered Entity, return or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Except as provided below, Business Associate will retain no copies of the PHI.
If return or destruction is infeasible (for example, due to retention required by law, the presence of PHI in routine operational backups, audit logs, or system records, or other operational necessity), Business Associate will: (a) extend the protections of this Agreement to such PHI, including data retained in backup systems in the ordinary course of operations; (b) limit further uses and disclosures to those purposes that make the return or destruction infeasible; and (c) continue to apply the protections in this Agreement to such PHI for as long as Business Associate retains it. Such retained data will not be actively used and will be securely overwritten in accordance with standard retention cycles.
Business Associate will complete return or destruction of actively maintained PHI within sixty (60) days of termination, or notify Covered Entity within that period if any PHI must be retained, the reasons therefor, and the protections that will continue to apply.
7.4 Survival
The obligations of Business Associate under Sections 3, 5, 6, 7.3, 8, 9, and 10 of this Agreement shall survive termination of this Agreement.
8. INDEMNIFICATION
Each party agrees to indemnify, defend, and hold harmless the other party and its officers, directors, employees, and agents from and against any and all third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to the indemnifying party's negligent acts or omissions, willful misconduct, or material breach of this Agreement, including any failure to comply with HIPAA or HITECH that results in a Breach of Unsecured PHI.
Notwithstanding any other provision of this Agreement, neither party's aggregate liability under this Agreement shall exceed the limitations set forth in the Terms of Service applicable to the BillUnlimited subscription, except for liability arising from willful misconduct, gross negligence, or breach of confidentiality obligations under this Agreement, which is not subject to such limitations.
9. AMENDMENT
The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of HIPAA, HITECH, the HIPAA Privacy, Security, and Breach Notification Rules, or any other applicable law. Business Associate may propose amendments by providing written notice to Covered Entity, and amendments will become effective thirty (30) days after notice unless Covered Entity terminates the subscription.
10. MISCELLANEOUS
10.1 Regulatory References
A reference in this Agreement to a section in HIPAA or its implementing regulations means the section as in effect or as amended.
10.2 Interpretation
Any ambiguity in this Agreement will be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA. In the event of a conflict between this Agreement and the BillUnlimited Terms of Service, the terms of this Agreement will control with respect to the handling of PHI.
10.3 Independent Contractors
The relationship of the parties is that of independent contractors. Nothing in this Agreement creates an agency, partnership, joint venture, or employment relationship.
10.4 No Third-Party Beneficiaries
This Agreement does not, and is not intended to, create any rights, benefits, or causes of action in any third party, including any patient or guardian whose PHI is processed under this Agreement.
10.5 Governing Law
This Agreement is governed by the laws of the State of Florida and applicable federal law, including HIPAA and HITECH. To the extent state and federal laws conflict, federal law controls. Any dispute arising under this Agreement shall be resolved exclusively in the state or federal courts located in Pinellas County, Florida.
10.6 Entire Agreement
This Agreement, together with the BillUnlimited Terms of Service, constitutes the entire understanding between the parties regarding the subject matter and supersedes any prior agreements regarding the handling of PHI.
10.7 Severability
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
10.8 Acceptance
By creating an account on the BillUnlimited platform and checking the box accepting this Business Associate Agreement, the Covered Entity, through an authorized representative, agrees to be bound by all terms and conditions set forth in this Agreement. The date of acceptance is recorded electronically by the platform and constitutes the parties' acknowledgment of mutual agreement.
11. CONTACT
Questions, breach notifications, or requests under this Agreement should be directed to:
BillUnlimited — HIPAA Compliance
Unlimited Pediatric Therapy, LLC
7010 15th St N
St. Petersburg, FL 33702
Email: admin@billunlimited.com