# BUSINESS ASSOCIATE AGREEMENT
## EMDR Tappers Platform
Version: 2025-09-20
Last Updated: 2025-09-20

This BUSINESS ASSOCIATE AGREEMENT (this “BAA”) is entered into as of _____________ (the “Effective Date”) by and between:

**Bilateral Mind (EMDR Tappers)**, a technology platform provider with principal place of business at 1014 Broadway #1420, Santa Monica, CA 90403 (“Business Associate” or “EMDR Tappers”)

and

___________________________________________________________________, a healthcare provider/practice with principal place of business at ___________________________________________________________________ (“Covered Entity”)

(individually a “Party” and collectively the “Parties”)

## RECITALS

WHEREAS, Covered Entity is a healthcare provider subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations;

WHEREAS, Covered Entity desires to utilize EMDR Tappers’ multi-platform technology solution for Eye Movement Desensitization and Reprocessing (EMDR) therapy delivery, including web, mobile, and wearable device applications (the “Services”);

WHEREAS, in connection with providing the Services, Business Associate may create, receive, maintain, transmit, use or disclose Protected Health Information on behalf of Covered Entity;

WHEREAS, the Parties desire to comply with HIPAA, the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and all applicable privacy and security regulations;

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the Parties agree as follows:

## ARTICLE I – DEFINITIONS

### 1.1 HIPAA Definitions
Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in HIPAA and HITECH, including but not limited to:
– “Breach”
– “Data Aggregation”
– “Designated Record Set”
– “Disclosure”
– “Electronic Protected Health Information” or “ePHI”
– “Individual”
– “Minimum Necessary”
– “Protected Health Information” or “PHI”
– “Required by Law”
– “Secretary”
– “Security Incident”
– “Subcontractor”
– “Unsecured Protected Health Information”
– “Use”

### 1.2 Platform-Specific Definitions
– **“Platform”**: The EMDR Tappers technology solution including web application, mobile applications (iOS/Android), and Apple Watch application
– **“Session Data”**: Any PHI created, transmitted, or stored during EMDR therapy sessions, including but not limited to audio, video, haptic feedback patterns, eye movement data, and session parameters
– **“Synchronization Events”**: Real-time data exchanges between devices during active therapy sessions via WebSocket, WebRTC, or similar protocols
– **“Covered Services”**: Only those Services specifically selected and configured by Covered Entity through the Platform

## ARTICLE II – BUSINESS ASSOCIATE OBLIGATIONS

### 2.1 Permitted Uses and Disclosures
Business Associate agrees to:
– (a) Use and disclose PHI only as permitted by this BAA, as Required by Law, or as authorized in writing by Covered Entity
– (b) Not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity
– (c) Use PHI for proper management and administration of Business Associate or to carry out legal responsibilities
– (d) Disclose PHI for Business Associate’s management and administration only if Required by Law or with reasonable assurances from recipient
– (e) Use PHI to provide Data Aggregation services relating to Covered Entity’s healthcare operations
– (f) Create de-identified health information in accordance with 45 CFR § 164.514(b)
– (g) Use, create, sell, disclose to third parties and otherwise exploit de-identified health information for any purposes not prohibited by law, with such rights surviving termination of this BAA. De-identification shall be performed in accordance with 45 C.F.R. § 164.514(b) (safe harbor or expert determination). Business Associate shall not attempt to re-identify, nor permit third parties to re-identify, any de-identified information, and shall not combine such information with other data in a manner that re-identifies an Individual or Covered Entity.

### 2.2 Safeguards
Business Associate shall:
– (a) Implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of ePHI
– (b) Comply with Subpart C of 45 CFR Part 164 (Security Rule) with respect to ePHI
– (c) Encrypt data in transit using industry-standard protocols (e.g., TLS/DTLS-SRTP) for Session Data transmissions
– (d) Maintain audit logs of all access to and modifications of PHI
– (e) Conduct annual risk assessments and technology inventories
– (f) Ensure PHI is stored in data centers with appropriate security certifications (e.g., SOC 2 Type II)
– (g) Implement secure authentication mechanisms including multi-factor authentication where appropriate
– (h) Retain required HIPAA documentation for six (6) years, consistent with 45 CFR § 164.316(b)(2); retain security logs for a risk-appropriate period consistent with Business Associate policy

### 2.3 Reporting Obligations
Business Associate shall report to Covered Entity:
– (a) Any material use or disclosure of PHI not permitted by this BAA, promptly and in any event within seventy-two (72) hours of becoming aware of it
– (b) Any Security Incident that materially compromises the confidentiality, integrity, or availability of ePHI within seventy-two (72) hours of discovery
– (c) Any Breach of Unsecured PHI without unreasonable delay and in no case later than thirty (30) calendar days after discovery, using the discovery standard at 45 C.F.R. § 164.410(a)
– (d) Unsuccessful Security Incidents (e.g., pings, port scans, failed login attempts) on a quarterly basis or as requested
– (e) Government or third-party legal demands for PHI (e.g., subpoenas, court orders) to the extent legally permitted, and cooperate in good faith to narrow or challenge overbroad requests

### 2.4 Subcontractor Management
– (a) Business Associate shall enter into written agreements with any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate
– (b) Such agreements shall contain provisions at least as protective as this BAA
– (c) Business Associate shall maintain a record of Subcontractors that handle PHI
– (d) Upon reasonable request, Business Associate shall provide Covered Entity with a current list of such Subcontractors, subject to confidentiality obligations

### 2.5 Individual Rights Support
Business Associate shall:
– (a) Provide access to PHI in a Designated Record Set within thirty (30) days of Covered Entity’s request, with one thirty (30) day extension where permitted by law
– (b) Make amendments to PHI as directed by Covered Entity within sixty (60) days, with extensions as permitted by law
– (c) Provide information for accounting of disclosures within sixty (60) days of request, with extensions as permitted by law
– (d) Forward any Individual requests received directly to Covered Entity promptly, and in any event within ten (10) business days

### 2.6 Minimum Necessary Standard
Business Associate shall:
– (a) Limit PHI requests, uses, and disclosures to the minimum necessary to accomplish the intended purpose
– (b) Implement role-based access controls limiting workforce member access to PHI
– (c) Review and update access permissions at least annually
– (d) Channel PHI to secure Platform workflows and prohibit submission of PHI via non-secure channels (e.g., standard email, support forms) to the extent operationally feasible

### 2.7 Compliance and Audit
Business Associate shall:
– (a) Make internal practices, books, and records relating to use and disclosure of PHI available to the Secretary for determining compliance
– (b) Provide Covered Entity with annual attestation of HIPAA compliance
– (c) Permit Covered Entity to conduct compliance audits with thirty (30) days written notice, during normal business hours, no more than once annually, subject to reasonable confidentiality and scope limitations; Covered Entity shall reimburse Business Associate’s reasonable costs for audits beyond the foregoing parameters.

## ARTICLE III – COVERED ENTITY OBLIGATIONS

### 3.1 Permissible Requests
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

### 3.2 Appropriate Use of Platform
Covered Entity agrees to:
– (a) Use the Platform only for legitimate healthcare operations and treatment purposes
– (b) Ensure all users are properly trained on HIPAA requirements and Platform security features
– (c) Maintain appropriate access controls and user management
– (d) Not circumvent Platform security features or attempt unauthorized access
– (e) Not submit PHI through non-secure channels (e.g., standard email, public forums)
– (f) Classify psychotherapy notes and 42 CFR Part 2 records (if applicable) and configure Platform settings to avoid unintended storage or transmission

### 3.3 Authorizations and Consents
Covered Entity warrants that it has obtained all necessary patient consents, authorizations, and permissions required for the use of the Platform and disclosure of PHI to Business Associate.

### 3.4 Notice and Restrictions
– (a) Covered Entity shall provide Business Associate with its Notice of Privacy Practices upon request
– (b) Covered Entity shall notify Business Associate of any restrictions on use/disclosure of PHI agreed to under 45 CFR § 164.522
– (c) Covered Entity shall notify Business Associate of any changes in patient permissions affecting Business Associate’s services

### 3.5 Minimum Necessary
When disclosing PHI to Business Associate, Covered Entity shall provide only the minimum amount necessary for Business Associate to perform the Services.

## ARTICLE IV – MUTUAL PROVISIONS

### 4.1 Term
This BAA shall become effective on the Effective Date and shall continue for so long as Business Associate maintains any PHI received from or created on behalf of Covered Entity.

### 4.2 Termination

#### 4.2.1 Termination for Cause
Either Party may terminate this BAA and any related Services agreement upon thirty (30) days written notice if the other Party materially breaches this BAA and fails to cure such breach within the notice period. Business Associate shall have sole discretion in determining whether any breach by Covered Entity has been adequately cured. Covered Entity’s breach of payment obligations shall be deemed a material breach permitting immediate suspension of Services.

#### 4.2.2 Termination for Convenience
Business Associate may terminate this BAA and any related Services agreement without cause upon fourteen (14) days written notice to Covered Entity.

#### 4.2.3 Termination for Regulatory Changes
Either Party may terminate upon ninety (90) days written notice if regulatory changes make continued performance impracticable or illegal.

#### 4.2.4 Effect of Termination
– (a) Business Associate shall, at Covered Entity’s option, return or destroy all PHI within sixty (60) days
– (b) Business Associate shall determine, in its reasonable discretion, whether return or destruction is feasible
– (c) If return or destruction is infeasible, Business Associate shall:
  – Extend protections of this BAA to such PHI
  – Limit further uses and disclosures to those purposes that make return or destruction infeasible
  – Continue to protect PHI for as long as it is retained
  – Remain permitted to use such PHI for Business Associate’s proper management and legal compliance purposes

### 4.3 Amendment
This BAA shall be amended automatically to conform to changes in HIPAA, HITECH, or other applicable law. Business Associate may modify this BAA upon thirty (30) days notice to reflect regulatory changes, security requirements, or industry best practices. Material amendments adverse to Covered Entity require mutual written consent. Any determination of whether a breach has been cured or whether PHI return/destruction is feasible shall be made by Business Associate in its sole discretion.

### 4.4 Order of Precedence
In the event of any conflict between this BAA and any Services Agreement or Terms, this BAA shall control solely with respect to the Parties’ rights and obligations regarding PHI.

## ARTICLE V – LIABILITY AND INDEMNIFICATION

### 5.1 Limitation of Liability
EXCEPT FOR WILLFUL MISCONDUCT OR AMOUNTS THAT CANNOT BE LIMITED AS A MATTER OF LAW:
– (a) Neither Party shall be liable for any indirect, incidental, special, punitive, or consequential damages
– (b) Business Associate’s total liability shall not exceed the greater of: (i) twelve months of fees paid by Covered Entity, or (ii) $100,000
– (c) These limitations apply regardless of the form of action or theory of liability

For clarity, clinical judgments, treatment decisions, and professional services are the sole responsibility of Covered Entity.

### 5.2 Indemnification
– (a) **Business Associate Indemnification**: Business Associate shall indemnify and hold harmless Covered Entity from third-party claims arising from Business Associate’s gross negligence, willful misconduct, or material breach of this BAA
– (b) **Covered Entity Indemnification**: Covered Entity shall indemnify and hold harmless Business Associate from any and all third-party claims arising from:
– Covered Entity’s negligence, willful misconduct, or breach of this BAA
– The professional services, medical advice, or treatment decisions of Covered Entity
– Covered Entity’s failure to obtain necessary patient consents or authorizations
– Any clinical malpractice claims related to therapy services
– Covered Entity’s use of the Platform outside its intended purpose

### 5.3 Insurance
– (a) Business Associate shall maintain appropriate cyber liability insurance commensurate with risk
– (b) Covered Entity shall maintain professional liability insurance appropriate for its practice
– (c) Each Party shall provide certificates of insurance upon request

## ARTICLE VI – GENERAL PROVISIONS

### 6.1 Platform-Specific Provisions

#### 6.1.1 Multi-Device Synchronization
Business Associate acknowledges the Platform’s unique multi-device architecture and commits to maintaining security across all synchronized devices and sessions.

#### 6.1.2 Session Recording
– If enabled by Covered Entity, session recordings are retained only as configured by Covered Entity, and Covered Entity should avoid including patient identifiers where feasible
– All recordings are encrypted at rest and in transit
– Access is restricted to authorized users only
– Psychotherapy notes, if any, are handled in accordance with 45 CFR § 164.508(a)(2) and require specific authorization for use/disclosure; Covered Entity should avoid storing psychotherapy notes through the Platform unless expressly configured for such purpose

#### 6.1.3 Real-Time Communication
WebSocket and WebRTC connections are secured with industry-standard encryption and authentication protocols.

#### 6.1.4 Wearable Device Data
Haptic feedback patterns and device telemetry are treated as PHI when associated with Individual sessions.

#### 6.1.5 42 CFR Part 2 (if applicable)
To the extent Business Associate receives substance use disorder records subject to 42 CFR Part 2, Business Associate shall apply applicable Part 2 restrictions in addition to HIPAA, and Covered Entity shall identify such records where feasible.

### 6.2 DISCLAIMER OF CLINICAL RESPONSIBILITY
**IMPORTANT NOTICE**: Business Associate is a technology platform provider ONLY. Business Associate explicitly disclaims any and all responsibility for:
– Clinical judgments, treatment decisions, or therapeutic outcomes
– Medical advice, diagnoses, or treatment recommendations
– Provider-patient relationships or clinical supervision
– Emergency or crisis intervention services
– Professional malpractice or clinical negligence
– Therapist licensing, credentials, or competence

**ALL CLINICAL RESPONSIBILITY REMAINS SOLELY WITH COVERED ENTITY**. Covered Entity acknowledges that Business Associate is not a healthcare provider and assumes no clinical duties or liabilities whatsoever.

### 6.3 Force Majeure
Neither Party shall be liable for delays or failures due to causes beyond reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, pandemic, or internet/telecommunications failures.

### 6.4 Governing Law and Jurisdiction
This BAA shall be governed by the laws of the State of California, without regard to conflict of law principles. Any disputes shall be resolved exclusively in the state or federal courts located in Los Angeles County, California. Covered Entity expressly consents to personal jurisdiction in California and waives any objection based on inconvenient forum. Service of process shall be effected by methods permitted under applicable law, and the Parties consent to service by email where permitted.

### 6.5 Dispute Resolution
The Parties agree to attempt good faith resolution of disputes for thirty (30) days before pursuing litigation. This shall not prevent either Party from seeking injunctive relief for ongoing harm.

### 6.6 Entire Agreement
This BAA, together with any applicable Services Agreement, constitutes the entire agreement between the Parties regarding Business Associate’s handling of PHI.

### 6.7 Severability
If any provision is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

### 6.8 No Third-Party Beneficiaries
This BAA is intended solely for the benefit of the Parties and creates no third-party beneficiary rights.

### 6.9 No Agency
Nothing in this BAA creates a partnership, joint venture, or agency relationship between the Parties. Each Party is an independent contractor.

### 6.10 Survival
Provisions relating to confidentiality, indemnification, and any terms that by their nature should survive shall survive termination of this BAA.

### 6.11 Counterparts
This BAA may be executed in counterparts, including electronic signatures, each of which shall be deemed an original.

### 6.12 Suspension for Risk
Business Associate may suspend all or part of the Services immediately upon written notice if Business Associate reasonably determines that Covered Entity’s use of the Services: (a) poses a security risk to the Platform or PHI; (b) is in violation of law; or (c) could subject Business Associate to material liability. Business Associate will restore Services promptly once the risk is mitigated.

### 6.13 Assignment
Either Party may assign this BAA in connection with a merger, acquisition, corporate reorganization, or sale of substantially all assets, with written notice to the other Party; otherwise, assignment requires prior written consent not to be unreasonably withheld.

### 6.14 Subprocessors
Upon Covered Entity’s written request, Business Associate will provide a current list of Subprocessors within ten (10) business days. Business Associate requires all Subprocessors that handle PHI to be bound by written agreements imposing protections no less protective than those in this BAA. Business Associate reserves the right to use infrastructure providers (e.g., major cloud platforms) provided they meet or exceed current security standards.

### 6.15 Acceptance Records
Business Associate will maintain records of Covered Entity’s acceptance of this BAA, including signatory name, title, organization, acceptance timestamp, and applicable version, and will make such records available to Covered Entity upon request.

### 6.16 Execution and Effective Date
Covered Entity agrees to this BAA by electronic acceptance within the Platform. The Effective Date is the date and time recorded by Business Associate at acceptance. Covered Entity’s legal name, notice address (if provided), and authorized representative details are those contained in Covered Entity’s account profile and the acceptance record maintained by Business Associate. Covered Entity may update its notice information in its account, and such updates are incorporated by reference. Business Associate will maintain acceptance records (including version) and make them available upon request.

## ARTICLE VII – NOTICES

All notices shall be in writing and delivered to:

**If to Business Associate:**
Bilateral Mind
Attn: Privacy Officer
Bilateral Mind, 1014 Broadway #1420, Santa Monica, CA 90403
Email: contact@emdrtappers.com

**If to Covered Entity:**
[Name]
Attn: HIPAA Compliance Officer
[Address]
Email: [Email]

## SIGNATURES

IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the date first written above.

**BUSINESS ASSOCIATE:**
Bilateral Mind

By: _______________________
Name:
Title:
Date:

**COVERED ENTITY:**
[Entity Name]

By: _______________________
Name:
Title:
Date: