Business Associate Agreement

HIPAA-compliant BAA template for employer and provider partners.

Toothsome, Inc. — Finalized Version, January 2026

Reference Template: This is the standard Toothsome Business Associate Agreement template. It is provided here for transparency and reference. Executed agreements are signed individually between Toothsome and each Covered Entity (employer or provider partner). Contact privacy@toothsome.io to request an executable copy.

This Business Associate Agreement ("BAA") is entered into as of _________________ ("Effective Date") between:

COVERED ENTITY: _______________________________ ("Covered Entity" or "Employer")

and

BUSINESS ASSOCIATE: Toothsome, Inc., 3550 N Lakeline Blvd, Unit 170, PMB 1022, Leander, TX 78641 ("Business Associate" or "Toothsome")


Recitals

WHEREAS, Covered Entity and Business Associate have entered into or will enter into an Employer Services Agreement or Provider Network Agreement (the "Underlying Agreement") pursuant to which Business Associate may create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of Covered Entity; and

WHEREAS, the parties wish to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the regulations promulgated thereunder (collectively, the "HIPAA Rules");

NOW, THEREFORE, in consideration of the mutual promises contained herein, the parties agree as follows:


Article 1 — Definitions

1.1 HIPAA Definitions

The following terms have the meanings set forth in the HIPAA Rules: "Breach," "Designated Record Set," "Disclosure," "Electronic Protected Health Information" or "ePHI," "Health Care Operations," "Individual," "Minimum Necessary," "Protected Health Information" or "PHI," "Required by Law," "Security Incident," "Subcontractor," "Treatment," and "Use."

1.2 Business Associate

"Business Associate" means Toothsome, Inc.

1.3 Covered Entity

"Covered Entity" means the employer or provider identified above.


Article 2 — Permitted Uses and Disclosures

2.1 Permitted Uses

Business Associate may use and disclose PHI only as follows:

  1. To perform its obligations under the Underlying Agreement;
  2. For its proper management and administration, provided that any disclosure is Required by Law or Business Associate obtains reasonable assurance from the recipient that the PHI will be held confidentially;
  3. To provide data aggregation services relating to Covered Entity's health care operations;
  4. To de-identify PHI in accordance with 45 CFR §164.514;
  5. As Required by Law.

2.2 Prohibited Uses

Business Associate shall NOT use or disclose PHI:

  1. In a manner that would violate the HIPAA Rules if done by Covered Entity;
  2. For its own benefit, except as permitted by this BAA;
  3. For fundraising or marketing purposes without authorization;
  4. In exchange for remuneration that constitutes a sale of PHI.

Article 3 — Obligations of Business Associate

3.1 Safeguards

Business Associate shall:

  1. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI;
  2. Implement safeguards as necessary to prevent use or disclosure of PHI other than as provided by this BAA;
  3. Comply with the Security Rule requirements applicable to business associates.

3.2 Specific Security Measures

Business Associate shall implement:

  1. Access Controls: Unique user identification, automatic logoff, encryption of ePHI at rest and in transit;
  2. Audit Controls: Hardware, software, and procedural mechanisms to record and examine access to ePHI;
  3. Integrity Controls: Electronic mechanisms to corroborate that ePHI has not been altered or destroyed;
  4. Transmission Security: Encryption of all ePHI transmitted over electronic networks;
  5. Secure Disposal: Secure disposal of PHI when no longer needed.

3.3 Reporting

(a) Breach Notification: Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA, including breaches of unsecured PHI, within 24 hours of discovery.

"Discovery" means the first day on which the breach is known to Business Associate or would have been known with reasonable diligence.

Business Associate's breach report shall include:

(b) Security Incidents: Business Associate shall report any security incident involving ePHI within 24 hours of discovery.

Note: This obligation does not include unsuccessful security incidents such as pings, port scans, unsuccessful login attempts, denial of service attacks, and similar occurrences that do not result in unauthorized access, use, or disclosure of ePHI.

(c) Violations: Business Associate shall report any use or disclosure of PHI in violation of this BAA within 24 hours of discovery.

3.4 Mitigation

Business Associate shall mitigate, to the extent practicable, any harmful effect of use or disclosure of PHI in violation of this BAA that is known to Business Associate.

3.5 Subcontractors

(a) Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate under this BAA.

(b) Current subcontractors handling PHI:

(c) Business Associate shall provide Covered Entity with a list of subcontractors upon request.

3.6 Access to PHI

Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, within 10 business days of a request to enable Covered Entity to fulfill its obligations under 45 CFR §164.524 (right of access).

If the Individual makes the request directly to Business Associate, Business Associate shall forward the request to Covered Entity within 5 business days.

3.7 Amendment of PHI

Business Associate shall make PHI available to Covered Entity for amendment and incorporate any amendments to PHI within 10 business days of notification by Covered Entity, in accordance with 45 CFR §164.526.

3.8 Accounting of Disclosures

(a) Business Associate shall maintain a record of all disclosures of PHI made by Business Associate or its subcontractors, except:

(b) Business Associate shall provide an accounting of disclosures to Covered Entity within 30 days of request to enable Covered Entity to fulfill its obligations under 45 CFR §164.528.

(c) The accounting shall include:

3.9 Books and Records

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

3.10 Minimum Necessary

Business Associate shall limit its uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose, except:


Article 4 — Obligations of Covered Entity

4.1 Notice of Privacy Practices

Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices and any changes thereto.

4.2 Permission or Authorization

Covered Entity shall obtain any necessary authorizations or consents from Individuals for uses or disclosures of PHI that require such authorization under the HIPAA Rules.

4.3 Restrictions

Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522.

4.4 Changes in Permission

Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes may affect Business Associate's permitted uses and disclosures.


Article 5 — Term and Termination

5.1 Term

This BAA shall be effective as of the Effective Date and shall continue until terminated as provided herein.

5.2 Termination by Covered Entity

Covered Entity may terminate this BAA and the Underlying Agreement:

  1. Immediately if Business Associate has breached a material term of this BAA and has not cured the breach within 30 days of receiving notice from Covered Entity; or
  2. Immediately if Business Associate has breached a material term of this BAA and cure is not possible.

5.3 Termination by Business Associate

Business Associate may terminate this BAA and the Underlying Agreement if Covered Entity has breached a material term of this BAA and has not cured the breach within 30 days of receiving notice.

5.4 Automatic Termination

This BAA shall automatically terminate upon termination of the Underlying Agreement.

5.5 Effect of Termination

Upon termination of this BAA:

(a) Return or Destruction of PHI: Business Associate shall, at Covered Entity's option:

Option 1 — Return: Return to Covered Entity all PHI in any form (including all copies) that Business Associate or its subcontractors still maintain; OR

Option 2 — Destruction: Destroy all PHI in any form (including all copies) that Business Associate or its subcontractors still maintain, and certify in writing that all PHI has been destroyed.

(b) Retention if Required by Law: If return or destruction is not feasible or Business Associate is required by law to retain PHI:

(c) Subcontractor PHI: Business Associate shall ensure that subcontractors return or destroy PHI as described above.

5.6 Survival

The obligations of Business Associate under Section 5.5 shall survive termination of this BAA.


Article 6 — Miscellaneous

6.1 Regulatory References

A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

6.2 Amendment

The parties agree to take such action as is necessary to amend this BAA from time to time as necessary to comply with changes in the HIPAA Rules and other applicable law.

6.3 Interpretation

Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.

6.4 Conflicts

In the event of any conflict between this BAA and the Underlying Agreement, the terms of this BAA shall control with respect to PHI.

6.5 No Third-Party Beneficiaries

Nothing in this BAA shall confer upon any person, other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

6.6 Assistance

Business Associate shall provide reasonable assistance to Covered Entity to enable Covered Entity to respond to requests from Individuals exercising their rights under the HIPAA Rules.

6.7 Insurance

Business Associate shall maintain cyber liability insurance of at least $1,000,000 per occurrence covering data breaches and privacy violations.

6.8 Governing Law

This BAA is governed by federal HIPAA regulations and, to the extent not preempted, the laws of the State of Texas.

6.9 Notices

All notices shall be in writing and sent to:

For Business Associate:
Toothsome, Inc.
Attn: Privacy Officer
3550 N Lakeline Blvd, Unit 170, PMB 1022
Leander, TX 78641
Email: privacy@toothsome.io

For Covered Entity:
[Address listed in Underlying Agreement]


Article 7 — Signatures

This BAA is incorporated into and made part of the Underlying Agreement.

COVERED ENTITY:

By: _________________________________

Name: _______________________________

Title: ______________________________

Date: _______________________________


BUSINESS ASSOCIATE: TOOTHSOME, INC.

By: _________________________________

Name: Shouvik Ponnusamy

Title: CEO

Date: _______________________________

Document Version: 1.0 FINAL · Last Updated: January 2026