This Business Associate Agreement (“BAA”) is required for any Customer operating in healthcare or handling Protected Health Information (“PHI”) as defined under HIPAA.
Important Prerequisite
Before executing this BAA, you must configure Corax to use your own AI provider (Azure OpenAI or Azure AI Foundry). PHI must not be processed through Corax's shared Anthropic API account. Contact support@coraxity.com to configure this before connecting any systems that may contain or access PHI.
1. Definitions
“PHI” means Protected Health Information as defined in 45 CFR § 160.103.
“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
2. Obligations of Corax as Business Associate
2.1 Not use or disclose PHI other than as permitted by this BAA or required by law.
2.2 Use appropriate safeguards to prevent unauthorized use or disclosure of PHI.
2.3 Report to Customer any unauthorized use or disclosure of PHI, including breaches of unsecured PHI, within 72 hours of discovery.
2.4 Ensure sub-processors agree to the same restrictions.
2.5 Make PHI available to Customer as needed for individuals' access rights under HIPAA.
2.6 Return or destroy PHI on termination of the agreement.
2.7 Make its internal practices available to the Secretary of HHS for determining compliance.
3. Permitted Uses
Corax may use PHI only to provide the services described in the Terms of Service and as required by law.
4. Customer Obligations
4.1 Configure Corax to use your own AI provider before connecting any PHI-adjacent systems.
4.2 Notify Corax of any restrictions on PHI use that may affect Corax's service delivery.
4.3 Not request Corax to use or disclose PHI in a manner that would violate HIPAA.
5. Term and Termination
5.1 This BAA remains in effect for the duration of the Terms of Service.
5.2 On termination, Corax will return or destroy all PHI within 60 days, with written certification.
5.3 If return or destruction is not feasible, protections continue indefinitely for retained PHI.
To execute this BAA, contact legal@coraxity.com. BAA execution is required before connecting any healthcare systems or systems that may contain PHI.