Business Associate Agreement
Business Associate Agreement (BAA)
Operated by Braintech Corporation Private Limited (EasyOTP)
Effective Date: August 2025
1. Introduction
This Business Associate Agreement (“BAA”) is entered into between the Vendor (Covered Entity) and Braintech Corporation Private Limited, operating EasyOTP (“Business Associate”), to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and related regulations.
2. Definitions
• Covered Entity (CE): The healthcare provider, health plan, or healthcare clearinghouse that is a party to this Agreement.
• Business Associate (BA): Braintech Corporation Pvt. Ltd., operating EasyOTP, when performing services involving PHI.
• Protected Health Information (PHI): Individually identifiable health information as defined by HIPAA.
• Subcontractor Business Associate: A third party engaged by EasyOTP that may handle PHI on EasyOTP’s behalf.
3. Obligations of EasyOTP (Business Associate)
• Use and Disclosure: EasyOTP shall not use or disclose PHI except as permitted by this BAA, required by law, or as necessary to perform services for the Covered Entity.
• Safeguards: EasyOTP shall implement administrative, technical, and physical safeguards to protect PHI.
• Subcontractors: EasyOTP shall ensure that any subcontractor BA agrees in writing to the same restrictions and safeguards.
• Reporting: EasyOTP shall report to the Covered Entity any unauthorized use or disclosure of PHI, including breaches.
• Access & Amendment: EasyOTP shall provide PHI access and amendments as directed by the Covered Entity.
• Accounting: EasyOTP shall maintain an accounting of disclosures of PHI as required under HIPAA.
4. Obligations of Covered Entity
• Inform EasyOTP of any privacy restrictions or changes that affect PHI use or disclosure.
• Not request EasyOTP to use or disclose PHI in a manner that would violate HIPAA.
• Obtain required consents, authorizations, and notices before providing PHI to EasyOTP.
5. Permitted Uses and Disclosures
EasyOTP may use or disclose PHI only as follows:
• To perform functions, activities, or services on behalf of the Covered Entity.
• For EasyOTP’s proper management and administration, provided that any such disclosure is required by law or is made subject to appropriate safeguards.
• To fulfill its legal obligations under HIPAA and other applicable law.
6. Breach Notification
EasyOTP shall notify the Covered Entity without unreasonable delay, and no later than 30 days after discovery, of any breach of unsecured PHI. Such notification will include the nature of the breach, types of PHI involved, and mitigation actions taken.
7. Term and Termination
• Term: This Agreement remains in effect while EasyOTP provides services to the Covered Entity involving PHI.
• Termination: The Covered Entity may terminate this Agreement if EasyOTP materially breaches its terms.
• Return/Destruction of PHI: Upon termination, EasyOTP shall return or securely destroy all PHI, unless retention is legally required.
8. Miscellaneous
• Regulatory References: Any HIPAA regulation cited herein means the regulation as in effect, amended, or replaced.
• Interpretation: This Agreement shall be interpreted to allow compliance with HIPAA and HITECH.
• Governing Law: This Agreement shall be governed by applicable U.S. federal law and, where not preempted, the laws of India.
9. Execution
By accepting this Agreement digitally during onboarding, the Covered Entity and EasyOTP acknowledge and agree to be bound by its terms. Digital acceptance constitutes execution under the ESIGN Act, UETA, and eIDAS.
Appendix A – HIPAA Role Mapping
This Appendix provides a clear mapping of roles and responsibilities under HIPAA for Covered Entities, EasyOTP (as Business Associate), and Subcontractors.
1. Covered Entity (CE)
• Definition: A healthcare provider, health plan, or healthcare clearinghouse.
• In this Agreement: The Vendor subscribing to EasyOTP’s services when handling PHI.
• Responsibilities: Ensure PHI is shared lawfully, provide notices of privacy practices, and obtain consents/authorizations as required.
2. EasyOTP (Business Associate – BA)
• Definition: Braintech Corporation Pvt. Ltd., operating EasyOTP, when providing services that involve access to PHI on behalf of the Covered Entity.
• Responsibilities: Implement HIPAA safeguards, limit PHI use/disclosure, report breaches, support data subject rights, and manage subcontractors.
3. Subcontractor Business Associate
• Definition: Any subcontractor engaged by EasyOTP that creates, receives, maintains, or transmits PHI on behalf of EasyOTP.
• Examples: AWS (hosting), Firebase (infrastructure), or other approved subprocessors.
• Responsibilities: Bound by written agreement with EasyOTP to apply HIPAA-level safeguards and comply with this BAA.
4. Practical Flow
1. Covered Entity (Vendor) shares PHI with EasyOTP for authentication, messaging, or scanning services.
2. EasyOTP processes PHI as a Business Associate and ensures HIPAA compliance.
3. EasyOTP may rely on Subcontractor Business Associates (e.g., hosting providers) who are bound by HIPAA-compliant contracts.
4. At all times, the Covered Entity retains ownership and control over PHI.