Business Associate Agreement

Version 2026-05-11 · Effective 2026-05-11

This is the canonical text. When you accept inside the Mand app, the agreement is personalized with your organization's legal name and a cryptographic hash of the exact text shown to you is recorded alongside the acceptance.

BUSINESS ASSOCIATE AGREEMENT

Version 2026-05-11, effective 2026-05-11.

This Business Associate Agreement ("BAA") is entered into between
Mand Health, Inc. ("Mand", a "Business Associate" as defined under HIPAA)
and [Your Organization] ("Customer", a "Covered Entity" as defined under HIPAA),
effective on the date Customer accepts this BAA via the in-product
acceptance flow ("Effective Date").

PREAMBLE

Mand provides software-as-a-service for assembling, drafting, and
submitting prior-authorization packets on behalf of Applied Behavior
Analysis (ABA) clinics. Customer is a healthcare provider that
transmits Protected Health Information ("PHI") to Mand for those
purposes. Mand and Customer agree as follows.

1. DEFINITIONS

Capitalized terms used but not defined in this BAA have the meanings
set forth in 45 CFR §§ 160.103 and 164.501 ("HIPAA"). For convenience:

  - "Breach" has the meaning in 45 CFR § 164.402.
  - "Designated Record Set" has the meaning in 45 CFR § 164.501.
  - "PHI" means Protected Health Information that Mand receives from,
    or creates or receives on behalf of, Customer.
  - "Required by Law" has the meaning in 45 CFR § 164.103.
  - "Security Incident" has the meaning in 45 CFR § 164.304.
  - "Subcontractor" has the meaning in 45 CFR § 160.103.
  - "Unsecured PHI" has the meaning in 45 CFR § 164.402.

2. USE AND DISCLOSURE FRAMEWORK

Mand will use and disclose PHI only as: (a) necessary to provide the
Services to Customer, including assembling, formatting, and
transmitting prior-authorization packets to payers; running
AI-assisted drafting and field extraction; storing client records;
and sending notifications to Customer-designated recipients;
(b) Required by Law; (c) for Mand's proper management and
administration, including evaluating service quality, security,
billing, and resolving disputes; and (d) to provide Data Aggregation
services for Customer's Health Care Operations as defined in
45 CFR § 164.501.

Mand will not sell PHI. Mand will not use PHI for advertising. Mand
will not use PHI to train artificial intelligence or machine learning
models in any form that retains individual identifiers or could
reproduce them, except as expressly authorized in writing by
Customer. De-identified data created under 45 CFR § 164.514(b) may
be used for product improvement.

3. LIMITS ON USE AND FURTHER DISCLOSURE

Mand will not use or further disclose PHI other than as permitted or
required by this BAA, the Services Agreement, or as Required by Law.

4. SAFEGUARDS

Mand will implement and maintain administrative, physical, and
technical safeguards consistent with 45 CFR §§ 164.308, 164.310, and
164.312 designed to prevent the use or disclosure of PHI other than
as provided for by this BAA, including:

  - Encryption of PHI in transit (TLS 1.2 or higher) and at rest
    (AES-256).
  - Role-based access controls; least-privilege grants.
  - Comprehensive audit logging of every PHI access and mutation.
  - A documented incident response process.
  - Regular vulnerability scanning.
  - Annual security risk analysis under 45 CFR § 164.308(a)(1)(ii)(A).
  - Annual HIPAA workforce training for personnel who handle PHI.

A summary of the most recent security risk analysis will be provided
to Customer upon written request.

5. REPORTING

Mand will report to Customer:

  (i) any use or disclosure of PHI not provided for by this BAA of
      which Mand becomes aware, without unreasonable delay;
  (ii) any Security Incident of which Mand becomes aware. Customer
       agrees that unsuccessful, routine pings, probes, port scans,
       broadcast attacks, and similar attempts that result in no
       unauthorized access need not be individually reported but
       will be reported in aggregate upon written request; and
  (iii) any Breach of Unsecured PHI, without unreasonable delay and
        no later than thirty (30) days after Discovery as defined in
        45 CFR § 164.410.

Mand will provide the information required for Customer's breach
notification obligations under 45 CFR § 164.404 to the extent known.

6. SUBCONTRACTOR FLOW-DOWN

Mand will require, by written agreement, that any Subcontractor that
creates, receives, maintains, or transmits PHI on Mand's behalf
agrees to restrictions and conditions at least as protective as
those in this BAA. Mand maintains a current list of Subcontractors
that may handle PHI at https://usemand.com/legal/subprocessors.

Mand will provide Customer at least thirty (30) days' advance notice
via email before onboarding a new Subcontractor that will handle PHI.
Customer may object to a new Subcontractor within thirty (30) days
of notice; if Mand and Customer cannot resolve the objection,
Customer may terminate this BAA without penalty.

7. ARTIFICIAL INTELLIGENCE PROCESSING

Customer acknowledges that the Services use third-party AI
Subcontractors (currently as listed at the URL in Section 6) to
draft narratives and extract structured fields from clinical
documents. Mand has executed a Business Associate Agreement with
each AI Subcontractor that handles PHI. Mand will not enable any
AI Subcontractor that has not signed a BAA for a Customer
organization with PHI-handling enabled. PHI passed to AI
Subcontractors is subject to the contractual terms of those BAAs,
including no-training restrictions equivalent to those Mand
commits to in Section 2.

8. ACCESS BY INDIVIDUALS

Within ten (10) business days of Customer's written request, or
such shorter period as required by applicable state law (including
the California Patient Access to Health Records Act, Cal. Health
and Safety Code § 123110), Mand will make available to Customer PHI
in a Designated Record Set in the form and format requested, to
enable Customer to respond to an individual's request for access
under 45 CFR § 164.524.

9. AMENDMENT OF PHI

Within ten (10) business days of Customer's written request, Mand
will (i) make available PHI for amendment as requested by Customer,
and (ii) incorporate amendments to PHI in accordance with
45 CFR § 164.526.

10. ACCOUNTING OF DISCLOSURES

Mand will document and, within thirty (30) days of Customer's
written request, provide to Customer an accounting of disclosures
of PHI by Mand made on or after April 14, 2003, as required for
Customer to respond to an individual's request under
45 CFR § 164.528.

11. PASS-THROUGH OBLIGATIONS

To the extent Mand carries out one or more of Customer's
obligations under Subpart E of 45 CFR Part 164, Mand will comply
with the requirements of that Subpart that apply to Customer in
the performance of such obligations.

12. AVAILABILITY OF RECORDS TO HHS

Mand will make its internal practices, books, and records relating
to the use and disclosure of PHI received from, or created or
received by Mand on behalf of, Customer available to the
Secretary of the U.S. Department of Health and Human Services for
purposes of determining Customer's compliance with HIPAA.

13. RETURN OR DESTRUCTION ON TERMINATION

Upon termination of this BAA for any reason, Mand will return to
Customer or destroy all PHI in its possession, including PHI held
by Subcontractors, and will retain no copies, within sixty (60) days
of termination. If Customer requests an export, Mand will provide
the data in JSON and PDF formats at no charge. If return or
destruction is infeasible (e.g., PHI retained in backup media
subject to retention requirements or in audit logs required for
compliance with this BAA or HIPAA), Mand will extend the protections
of this BAA to such PHI and limit further uses and disclosures to
those purposes that make the return or destruction infeasible, for
so long as Mand retains such PHI.

14. STATE LAW COMPLIANCE

Where applicable state law imposes obligations more stringent than
HIPAA — including but not limited to the California Confidentiality
of Medical Information Act (Cal. Civ. Code § 56 et seq.), Texas
House Bill 300 (Tex. Health & Safety Code Ch. 181), Florida
Statute § 456.057, the New York SHIELD Act, the New York Mental
Hygiene Law § 33.13, and the Illinois Mental Health and
Developmental Disabilities Confidentiality Act (740 ILCS 110/1 et
seq.) — Mand will comply with the more stringent requirement.

15. AUTHORITY

Customer represents and warrants that the individual accepting this
BAA on Customer's behalf has the authority to bind Customer to this
agreement.

16. AMENDMENT

The parties agree to take such action as is necessary to amend this
BAA from time to time to comply with the requirements of HIPAA and
any other applicable law. Mand may update this BAA from time to
time by posting the revised version at https://usemand.com/legal/baa
with a new version identifier. Mand will notify Customer by email
at least thirty (30) days before a material change takes effect.
Continued use of the Services after the effective date of a revised
BAA, or affirmative re-acceptance via the in-product flow,
constitutes acceptance.

17. TERMINATION FOR CAUSE

Customer may terminate this BAA if Mand violates a material term and
fails to cure the violation within thirty (30) days of written
notice. Mand may terminate this BAA if Customer breaches a material
obligation related to use, disclosure, or safeguarding of PHI and
fails to cure within thirty (30) days of written notice.

18. SURVIVAL

Sections 8, 10, 13, and the safeguard and reporting obligations
survive termination for so long as Mand retains PHI subject to this
BAA.

19. RELATIONSHIP TO SERVICES AGREEMENT

This BAA is incorporated into and made part of Mand's Services
Agreement with Customer. In the event of a conflict between this
BAA and the Services Agreement with respect to PHI, the terms of
this BAA control.

ACCEPTANCE

By checking the BAA acceptance box in the Mand application,
Customer's authorized representative agrees to be bound by this BAA.
Mand records the acceptance — including the version above, the
representative's name and title, the date and time, the IP address
of the accepting browser, and a cryptographic hash of this exact
text — as evidence of the parties' mutual assent.

Need a negotiated BAA? Email [email protected]. Most BCBA-led clinics accept this BAA in-product without modification; larger practices with in-house counsel sometimes want negotiated terms — we accommodate either path.

See also: Sub-processor inventory.