Business Associate Agreement

Last updated: March 2026

Between FoundryNX LLC d/b/a ClaimWon ("Business Associate") and the entity identified during account registration ("Covered Entity").

Effective Date: The date Covered Entity accepts this Agreement during account registration.

Recitals

WHEREAS, Covered Entity is an Applied Behavior Analysis (ABA) therapy practice that creates, receives, maintains, or transmits Protected Health Information ("PHI") as defined by the HIPAA Privacy Rule (45 C.F.R. Part 160 and Subparts A and E of Part 164) and the HIPAA Security Rule (45 C.F.R. Part 160 and Subparts A and C of Part 164);

WHEREAS, Business Associate provides a cloud-based software platform known as "ClaimWon" that assists Covered Entity in generating insurance denial appeal letters using artificial intelligence, which involves the use and disclosure of PHI on behalf of Covered Entity;

WHEREAS, the parties wish to comply with the requirements of HIPAA, the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and the regulations promulgated thereunder, including the Omnibus Rule (collectively, the "HIPAA Rules");

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:

Article 1 — Definitions

All capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them in the HIPAA Rules (45 C.F.R. Parts 160 and 164). The following definitions apply specifically to this Agreement:

"Agreement" means this Business Associate Agreement, including any exhibits and amendments.

"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 C.F.R. § 164.402.

"Designated Record Set" means a group of records maintained by or for Covered Entity that includes medical records, billing records, enrollment records, and other records used in whole or in part to make decisions about individuals, as defined in 45 C.F.R. § 164.501.

"Electronic Protected Health Information (ePHI)" means PHI that is transmitted by or maintained in electronic media, as defined in 45 C.F.R. § 160.103.

"Platform" means the ClaimWon software application and all associated services, infrastructure, and data stores operated by Business Associate.

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. § 164.304.

"Subcontractor" means a person or entity to whom Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.

Article 2 — Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate shall use and disclose PHI only as permitted or required by this Agreement, the Terms of Service, or as required by law. Specifically, Business Associate may:

  • Process uploaded insurance denial documents containing PHI to extract denial data for the purpose of generating appeal letters;
  • Transmit extracted PHI to approved AI subprocessors operating under separate Business Associate Agreements solely for the purpose of generating insurance denial appeal letters;
  • Store PHI in encrypted systems to maintain denial records, appeal letters, outcome tracking, and analytics for the benefit of Covered Entity;
  • Use de-identified data (in compliance with 45 C.F.R. § 164.514) derived from aggregate denial outcomes to improve the Platform;
  • Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that such use is permitted under the HIPAA Rules.

2.2 Safeguards

Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, consistent with the requirements of 45 C.F.R. Part 164, Subpart C. At a minimum, Business Associate shall maintain:

Administrative Safeguards: Workforce access controls, security management processes, information access management policies, security awareness training, and contingency planning procedures.

Physical Safeguards: Use of HIPAA-eligible cloud infrastructure providers with independently audited physical security controls, facility access restrictions, and workstation security policies.

Technical Safeguards: AES-256 or equivalent encryption of ePHI at rest, TLS 1.2 or higher encryption of ePHI in transit, unique user identification and authentication, network segmentation isolating application and data tiers from public access, automated audit logging, and integrity controls.

Business Associate shall maintain documentation of its safeguards and make a summary available to Covered Entity upon reasonable request. The specific technical implementation of these safeguards may change over time as Business Associate improves its security posture, provided that all changes continue to meet or exceed the requirements of the HIPAA Security Rule.

2.3 Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any Breach of Unsecured PHI or Security Incident.

Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach. Such notice shall include, to the extent available:

  • The nature of the Breach, including the types of PHI involved;
  • The identity of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed;
  • A description of what Business Associate is doing to investigate, mitigate harm, and prevent future Breaches;
  • Contact information for individuals to ask questions or obtain additional information.

2.4 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.

Business Associate maintains a current list of Subcontractors that handle PHI, available at claimwon.ai/subprocessors or upon written request. Business Associate shall notify Covered Entity of any material changes to its Subcontractor list within thirty (30) days by updating the list at the URL above.

2.5 Access to PHI

Business Associate shall make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524 (individual right of access). Business Associate shall respond to such requests within fifteen (15) business days.

2.6 Amendment of PHI

Business Associate shall make PHI available for amendment and incorporate any amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 C.F.R. § 164.526 within fifteen (15) business days of receipt of such direction.

2.7 Accounting of Disclosures

Business Associate shall make available information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528. Business Associate shall maintain records of disclosures for a period of six (6) years from the date of the disclosure.

2.8 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

2.9 Minimum Necessary Standard

Business Associate shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.502(b) and the HITECH Act.

Article 3 — Obligations of Covered Entity

Covered Entity shall:

  • Obtain all necessary consents and authorizations from patients prior to submitting PHI to the Platform, as required by applicable law;
  • Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent such restrictions may affect Business Associate's obligations under this Agreement;
  • Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose their PHI, to the extent such changes may affect Business Associate's permitted uses or disclosures;
  • Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

Article 4 — Data Ownership and Intellectual Property

Covered Entity retains all rights, title, and interest in and to any PHI provided to Business Associate. Business Associate acquires no ownership interest in PHI.

Business Associate retains all rights, title, and interest in and to the Platform, including but not limited to appeal letter templates, payer intelligence data, denial pattern analytics, clinical citation databases, algorithmic models, and all de-identified aggregate data derived from Platform usage. De-identification shall comply with 45 C.F.R. § 164.514(a) and (b).

Article 5 — Indemnification

Each party ("Indemnifying Party") shall indemnify, defend, and hold harmless the other party and its officers, directors, employees, and agents ("Indemnified Party") from and against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:

  • Any breach of this Agreement by the Indemnifying Party;
  • Any Breach of Unsecured PHI caused by the Indemnifying Party's negligence or willful misconduct;
  • Any violation of applicable federal or state privacy or security laws by the Indemnifying Party.

The Indemnifying Party's obligations under this section are conditioned upon the Indemnified Party providing prompt written notice of the claim and reasonable cooperation in the defense thereof.

Article 6 — Term and Termination

6.1 Term

This Agreement shall become effective on the Effective Date and shall remain in effect for the duration of the underlying Terms of Service between the parties, unless earlier terminated as provided herein.

6.2 Termination for Cause

Either party may terminate this Agreement upon thirty (30) days' written notice if the other party materially breaches any provision of this Agreement and fails to cure such breach within the notice period. If cure is not feasible, the non-breaching party may terminate immediately.

6.3 Effect of Termination

Upon termination of this Agreement, Business Associate shall:

  • Cease all uses and disclosures of PHI;
  • Return or destroy all PHI in its possession, including all copies in databases, file storage, backups, and logs, within sixty (60) days of termination;
  • Certify in writing to Covered Entity that all PHI has been returned or destroyed;
  • If return or destruction is not feasible, extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

6.4 Survival

The obligations of Business Associate under Section 6.3, Article 4 (Data Ownership), and Article 5 (Indemnification) shall survive the termination or expiration of this Agreement.

Article 7 — General Provisions

7.1 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Arizona, without regard to its conflict of laws principles, except to the extent preempted by federal law (including HIPAA).

7.2 Dispute Resolution

Any dispute arising out of or relating to this Agreement shall first be submitted to good-faith mediation. If mediation fails, the dispute shall be resolved by binding arbitration in Maricopa County, Arizona, under the rules of the American Arbitration Association.

7.3 Amendments

This Agreement may be amended only by a written instrument signed by both parties. The parties agree to amend this Agreement as necessary to comply with changes in the HIPAA Rules or other applicable law.

7.4 No Third-Party Beneficiaries

Nothing in this Agreement shall confer upon any person other than the parties and their respective successors and permitted assigns any rights, remedies, obligations, or liabilities.

7.5 Entire Agreement

This Agreement, together with the Terms of Service, constitutes the entire agreement between the parties concerning its subject matter and supersedes all prior agreements and understandings.

7.6 Notices

All notices under this Agreement shall be in writing and sent to:

To Business Associate: FoundryNX LLC d/b/a ClaimWon, Phoenix, AZ. Email: legal@claimwon.ai

To Covered Entity: At the email address provided upon account registration.

By checking the box during account registration indicating acceptance of this Business Associate Agreement, Covered Entity agrees to be bound by the terms herein. This electronic acceptance constitutes a valid and binding agreement under the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) and the Uniform Electronic Transactions Act (UETA).