Practice Pad
BAA Version 1.0.0

Business Associate Agreement

Effective Date: March 2026  ·  practicepadapp.com  ·  45 CFR Parts 160 & 164

Who this Agreement applies to: This Business Associate Agreement ("BAA" or "Agreement") governs all licensed clinical professionals using Practice Pad's Cloud or Pro tier features. It is incorporated by reference into Practice Pad's Terms of Service. You must accept this Agreement through the HIPAA Onboarding Wizard before any sync features are activated. If you require a countersigned paper BAA, contact support@practicepadapp.com with the subject line "BAA Request."

Background & Recitals

This Business Associate Agreement is entered into between Practice Pad Technologies LLC, an Arizona limited liability company ("Business Associate," "Practice Pad," "we," or "us"), and the licensed clinical professional who accepts this Agreement ("Covered Entity" or "you").

WHEREAS, Practice Pad Technologies LLC provides a digital clinical note-taking and practice organization application that facilitates the capture, on-device processing, and sync of clinical records to Covered Entity's own Google Workspace environment (the "Services"), as described more fully in the Practice Pad Terms of Service;

WHEREAS, in the course of providing the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity;

WHEREAS, HIPAA, the HITECH Act, and the Omnibus Rule require that a Business Associate Agreement be in place before any PHI is used or disclosed by a Business Associate on behalf of a Covered Entity;

NOW, THEREFORE, in consideration of the mutual obligations set forth herein and the parties' agreement to the Practice Pad Terms of Service, the parties agree as follows:

1. Definitions

Capitalized terms not otherwise defined herein have the meanings given them under HIPAA, the HITECH Act, or the Omnibus Rule, as applicable and as amended from time to time.

1.1 "Breach"
The acquisition, access, use, or disclosure of PHI in a manner not permitted under Subpart E of 45 CFR Part 164 that compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402. "Breach" excludes: (a) unintentional acquisition, access, or use of PHI by a workforce member or agent acting within authorized scope, if PHI is not further impermissibly used or disclosed; (b) inadvertent disclosure between authorized persons at Business Associate; and (c) disclosure to an unauthorized person who could not reasonably have retained such information.
1.2 "Business Associate"
Has the meaning set forth at 45 CFR § 160.103. For purposes of this Agreement, "Business Associate" refers to Practice Pad Technologies LLC.
1.3 "Covered Entity"
The licensed clinical professional who has accepted this Agreement and who qualifies as a "covered entity" under 45 CFR § 160.103 (individual health care provider). The Covered Entity is the HIPAA Covered Entity responsible for their clients' PHI.
1.4 "Designated Record Set"
A group of records maintained by or for a covered entity that includes the medical and billing records about individuals, as defined in 45 CFR § 164.501. In the context of Practice Pad, PHI maintained in a Designated Record Set is limited to session notes accessible within the app interface on Covered Entity's device; PHI synced to Covered Entity's Google Workspace is in Covered Entity's direct possession and control.
1.5 "Electronic PHI" or "ePHI"
PHI that is created, received, maintained, or transmitted in electronic form, as defined in 45 CFR § 160.103.
1.6 "HIPAA"
The Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act and the Omnibus Rule, together with all implementing regulations codified at 45 CFR Parts 160 and 164.
1.7 "HITECH Act"
The Health Information Technology for Economic and Clinical Health Act, enacted as Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5).
1.8 "Omnibus Rule"
The final rule implementing certain provisions of the HITECH Act, published at 78 Fed. Reg. 5566 (Jan. 25, 2013) and codified at 45 CFR Parts 160 and 164.
1.9 "PHI" (Protected Health Information)
Individually identifiable health information created, received, maintained, or transmitted by Business Associate in connection with Services provided to or on behalf of Covered Entity, as defined in 45 CFR § 160.103. As used in this Agreement, "PHI" includes ePHI unless context requires otherwise. PHI excludes: (a) education records under FERPA; (b) employment records held by Business Associate in its role as employer; and (c) information about individuals who have been deceased for more than 50 years.
1.10 "Privacy Rule"
The HIPAA Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR Part 164, Subparts A and E.
1.11 "Required by Law"
A mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law, as defined in 45 CFR § 164.103.
1.12 "Secretary"
The Secretary of the U.S. Department of Health and Human Services, or any officer or employee of HHS to whom authority has been delegated.
1.13 "Security Incident"
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.
1.14 "Security Rule"
The HIPAA Security Standards for the Protection of Electronic Protected Health Information, codified at 45 CFR Part 164, Subpart C.
1.15 "Services"
The clinical note-taking and practice organization services provided by Practice Pad to Covered Entity pursuant to the Practice Pad Terms of Service, including offline note capture, on-device OCR and assessment scoring, sync facilitation to Covered Entity's Google Workspace environment, and the audit logging and community template library features.
1.16 "Subcontractor"
A person or entity to whom Business Associate delegates a function, activity, or service involving the use or disclosure of PHI, who agrees to be treated as a Business Associate of Business Associate per 45 CFR § 164.308(b)(3). For purposes of clarity: Apple Inc. (on-device frameworks), Google LLC (Covered Entity's own Workspace BAA), and Netlify Inc. (website hosting only; no PHI processed) are not Subcontractors under this Agreement.
1.17 "Unsecured PHI"
PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through use of a technology or methodology specified by the Secretary, as defined in 45 CFR § 164.402. PHI encrypted with AES-256 at rest and TLS 1.3 in transit per current HHS guidance is not "Unsecured PHI."

2. Permitted Uses and Disclosures by Business Associate

2.1 Permissible Uses and Disclosures. Business Associate is authorized to use or disclose PHI only to the extent necessary to perform the Services, which include:

  • Facilitating the capture, AES-256 encrypted on-device storage, and sync of clinical session notes from Covered Entity's iPad to Covered Entity's Google Workspace Drive;
  • Performing on-device automated scoring of clinical assessment instruments (PHQ-9, GAD-7, PCL-5, ACE, C-SSRS) using PHI retrieved directly from Covered Entity's Google Forms via Covered Entity's own authorized OAuth token;
  • Logging sync events, assessment results, and sync destination identifiers (Google Drive file IDs and folder IDs) to the local audit record and to Covered Entity's Google Sheets Master Session Ledger;
  • Displaying C-SSRS risk alerts to Covered Entity when intake screening results meet a threshold for active suicidal ideation; and
  • Provisioning community template files into Covered Entity's Google Drive at initial account setup (template file identifiers only; no PHI involved in this operation).

2.2 Use for Business Associate Operations. Business Associate may use de-identified information (as defined in 45 CFR § 164.514(b)) derived from PHI for the proper management and administration of Business Associate's internal operations and legal responsibilities, as permitted by 45 CFR § 164.504(e)(4). Business Associate shall not use identifiable PHI for internal product analytics without explicit written authorization from Covered Entity.

2.3 Disclosure for Business Associate Operations. Business Associate may disclose PHI for its own proper management and administration only if: (a) the disclosure is Required by Law; or (b) Business Associate obtains reasonable assurances from the recipient that it will hold the PHI confidentially, use or disclose it only as Required by Law or for the purpose of the disclosure, and notify Business Associate of any breach of confidentiality.

2.4 Minimum Necessary. Consistent with 45 CFR § 164.502(b) and HITECH Act § 13405(b), Business Associate shall make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of any such use, disclosure, or request.

2.5 Prohibited Uses and Disclosures. Business Associate shall not:

  • Use or disclose PHI other than as permitted or required by this Agreement or as Required by Law;
  • Sell PHI, as prohibited by 45 CFR § 164.502(a)(5)(ii) and HITECH Act § 13405(d);
  • Use or disclose PHI for fundraising purposes without written authorization, as restricted by 45 CFR § 164.514(f);
  • Use or disclose PHI for marketing purposes without written authorization, as restricted by 45 CFR § 164.514(e) and HITECH Act § 13406;
  • Use PHI in a way that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity; or
  • Disclose PHI in a manner that would violate 45 CFR § 164.502 if done by Covered Entity, including to any unauthorized third party.

3. Obligations of Business Associate

3.1 Administrative Safeguards. Business Associate shall implement administrative safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with 45 CFR § 164.308. These include:

  • A security management process, including a documented risk analysis and risk management program, updated at least annually and upon material changes to the Services;
  • Designation of Perry Emerick, LPC as Privacy and Security Officer, responsible for developing and implementing security policies and procedures;
  • Workforce security policies restricting access to systems containing ePHI to authorized personnel only; and
  • A contingency plan addressing data backup, disaster recovery, and emergency mode operations consistent with 45 CFR § 164.308(a)(7).

3.2 Physical Safeguards. Business Associate shall implement physical safeguards as required by 45 CFR § 164.310. Practice Pad does not operate data centers or physical servers that store PHI. PHI is stored on Covered Entity's own iPad (subject to Covered Entity's physical security obligations under Section 4) and, after sync, in Covered Entity's own Google Workspace (subject to Google's physical safeguards under Covered Entity's separate Google BAA).

3.3 Technical Safeguards — Practice Pad Architecture. Business Associate implements the following technical safeguards, each specific to Practice Pad's offline-first architecture:

  • Encryption at Rest: All locally stored clinical data, session notes, assessment scores, and handwritten canvas images on Covered Entity's device are encrypted using AES-256 via SQLCipher. The encryption key is derived from the device keychain and is inaccessible without biometric or passcode authentication.
  • Encryption in Transit: All communication with Google Workspace APIs (Drive, Sheets, Calendar, Forms) is conducted over HTTPS with TLS 1.3. No unencrypted PHI is transmitted over any network connection.
  • On-Device OCR — No External Transmission: All handwriting-to-text conversion is performed exclusively on Covered Entity's iPad using Apple's Vision Framework (VNRecognizeTextRequest). No handwritten PHI is ever transmitted to Practice Pad's infrastructure or any external server for recognition purposes.
  • On-Device Assessment Scoring — No External Transmission: All clinical assessment scoring (PHQ-9, GAD-7, PCL-5, ACE, C-SSRS) is performed exclusively on Covered Entity's device using PHI retrieved directly from Covered Entity's Google Forms via Covered Entity's own OAuth token (scope: forms.responses.readonly). PHI does not transit Business Associate's infrastructure at any point during the scoring process.
  • Biometric Access Control: Practice Pad enforces device-level biometric authentication (Face ID or Touch ID) or a secure device passcode before granting access to any locally stored PHI. The app auto-locks after a configurable period of inactivity.
  • Audit Controls: A tamper-evident local audit log records all sync events, timestamps, and sync destination identifiers (Google Drive file IDs and folder IDs), consistent with HIPAA audit control requirements under 45 CFR § 164.312(b) and supporting Covered Entity's Accounting of Disclosures obligations under 45 CFR § 164.528.
  • Telemetry PHI Exclusion: All anonymized usage statistics and crash logs (telemetry) are stripped of any user-generated content, PHI, client names, and handwriting before leaving Covered Entity's device. Practice Pad does not receive raw clinical content through telemetry.
  • Netlify Infrastructure Isolation: Netlify, Inc. hosts the practicepadapp.com website and the provision-library.js template provisioning function. This function processes template file identifiers only — no PHI is ever transmitted to or processed by Netlify infrastructure. Netlify infrastructure logging is disabled for this function.

3.4 Security Incident Response. Consistent with 45 CFR § 164.308(a)(6), Business Associate shall: (a) implement policies and procedures to address Security Incidents; (b) identify and respond to suspected or known Security Incidents; (c) mitigate, to the extent practicable, harmful effects of Security Incidents of which Business Associate becomes aware; and (d) document Security Incidents and their outcomes. Business Associate shall report Security Incidents resulting in unauthorized access, use, disclosure, modification, or destruction of ePHI to Covered Entity in accordance with Section 5 (Breach Notification).

3.5 Subcontractor Obligations. In accordance with 45 CFR § 164.308(b)(3) and HITECH Act § 13401(b), Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions at least as protective as those in this Agreement, prior to allowing such Subcontractor access to PHI. As of the Effective Date of this Agreement, Business Associate has identified no Subcontractors that receive PHI in connection with the Services, consistent with Practice Pad's on-device processing architecture. Business Associate shall maintain a current Subcontractor register and make it available to Covered Entity upon written request.

3.6 Access to PHI by Individuals. To the extent Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate shall make such PHI available to Covered Entity — within 30 days of a written request — to enable Covered Entity to fulfill individual access requests under 45 CFR § 164.524. The Practice Pad application provides built-in tools to view, export, and delete local session records for this purpose. PHI already synced to Covered Entity's Google Workspace is in Covered Entity's direct possession; access it there to fulfill access requests.

3.7 Amendment of PHI. To the extent Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate shall make such PHI available for amendment and shall incorporate any amendment directed by Covered Entity, consistent with 45 CFR § 164.526.

3.8 Accounting of Disclosures. Business Associate shall document and make available to Covered Entity, within 30 days of a written request, information necessary for Covered Entity to provide an accounting of disclosures of PHI as required by 45 CFR § 164.528. Business Associate's local audit log (Section 3.3, Audit Controls) is designed to support this obligation by recording disclosure events and sync destination identifiers that enable reconstruction of where PHI was transmitted.

3.9 Internal Practices Available to HHS. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's or Business Associate's compliance with HIPAA, as required by 45 CFR § 164.504(e)(2)(ii)(I).

3.10 Workforce Training. Business Associate shall provide appropriate training to its workforce members who have access to systems that process PHI in connection with the Services, and shall document such training, consistent with 45 CFR § 164.308(a)(5).

3.11 No Sale, Marketing, or Fundraising Use of PHI. Business Associate shall not sell PHI, use PHI for marketing, or use PHI for fundraising, except as expressly permitted by HIPAA and this Agreement. Any future feature that processes PHI for any purpose other than the core Services described in Section 2.1 shall be disclosed to Covered Entity in advance and require updated written authorization.

4. Obligations of Covered Entity

4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity's Notice of Privacy Practices that would affect Business Associate's use or disclosure of PHI, to the extent such limitation applies to a function Business Associate performs under this Agreement.

4.2 Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to under 45 CFR § 164.522, to the extent such restriction affects Business Associate's performance of the Services.

4.3 Permissible Requests Only. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. Covered Entity shall not use Practice Pad to document, store, or sync PHI of individuals for whom Covered Entity is not the clinician of record (or supervising clinician of record).

4.4 Google Workspace BAA — Covered Entity's Independent Obligation. Covered Entity acknowledges and agrees that: (a) Practice Pad's Cloud and Pro tier features result in PHI being stored in Covered Entity's Google Workspace environment; (b) Google LLC is an independent Business Associate of Covered Entity with respect to that PHI; (c) Covered Entity is solely responsible for executing and maintaining a valid, active Business Associate Agreement with Google LLC for its Google Workspace account before enabling sync features; and (d) failure to maintain a Google Workspace BAA constitutes a HIPAA violation for which Covered Entity bears full responsibility. Business Associate is not a party to the Google Workspace BAA and cannot execute it on Covered Entity's behalf.

4.5 Paid Google Workspace Account Requirement. Covered Entity represents and warrants that: (a) the Google account to which PHI will be synced via Practice Pad is a paid Google Workspace account (Business Starter, Business Standard, or higher) covered by Google's HIPAA BAA; and (b) Covered Entity has not and will not sync PHI to a personal @gmail.com account or any other account not covered by a valid Google BAA. Violation of this warranty constitutes a material breach of this Agreement.

4.6 Device Security Obligations. Covered Entity is solely responsible for: (a) ensuring the iPad used with Practice Pad is protected by biometric authentication (Face ID or Touch ID) or a strong device passcode; (b) enabling Find My iPhone and configuring remote wipe capability through Covered Entity's Apple ID; (c) maintaining physical control over and security of the device; (d) reporting a lost or stolen device containing unsynced PHI to Business Associate at support@practicepadapp.com within 24 hours of discovery; and (e) enabling remote wipe if the device is lost or stolen and contains unsynced PHI.

4.7 Onboarding Wizard Completion. Covered Entity shall complete all required steps of the Practice Pad HIPAA Onboarding Wizard — including acceptance of this Agreement, acknowledgment of the Google Workspace BAA requirement, and confirmation of device security — before enabling Cloud or Pro tier sync features. Covered Entity shall not circumvent, bypass, or otherwise skip any step of the onboarding process.

4.8 Parallel Records and Licensing Obligations. Consistent with professional licensing obligations, Covered Entity shall maintain parallel clinical records (paper records or a separate, designated primary EHR system) as required by Covered Entity's licensing board, malpractice insurer, and applicable state law. Practice Pad is not a legally designated primary records system, and its use does not relieve Covered Entity of professional record-keeping obligations.

4.9 Notification of Changed Circumstances. Covered Entity shall promptly notify Business Associate if: (a) Covered Entity's Google Workspace account lapses, is downgraded to a free tier, or ceases to be covered by a valid Google BAA; (b) Covered Entity's professional license is suspended, revoked, or otherwise restricted; or (c) Covered Entity becomes aware of unauthorized access to the device or to PHI stored in Practice Pad or in the synced Google Workspace environment.

5. Breach Notification

5.1 Discovery. Business Associate shall treat a Breach as "discovered" as of the first day on which the Breach is known to Business Associate, or — by exercising reasonable diligence — would have been known to Business Associate, consistent with 45 CFR § 164.410(a)(2).

5.2 Notice to Covered Entity. Business Associate shall notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay and in no event later than sixty (60) calendar days following discovery of the Breach, as required by 45 CFR § 164.410(b). In practice, Business Associate will endeavor to provide notice within ten (10) business days of determining that a reportable Breach has occurred, given that many state laws and BAA standards impose timelines shorter than HIPAA's federal maximum.

5.3 Notice Contents. Notice of a Breach to Covered Entity shall, to the extent possible, include:

  • Identification of each individual whose Unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
  • A brief description of what happened, including the date of the Breach and the date of its discovery (if known);
  • A description of the types of Unsecured PHI involved (e.g., assessment scores, session metadata, handwritten note images);
  • Any steps Covered Entity's clients should take to protect themselves from potential harm;
  • A brief description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against future Breaches; and
  • Contact information for Business Associate's Privacy and Security Officer.

5.4 Covered Entity's Notification Obligations. Upon receiving notice of a Breach from Business Associate, Covered Entity is responsible for: (a) notifying affected individuals in accordance with 45 CFR § 164.404; (b) notifying the Secretary in accordance with 45 CFR § 164.408; and (c) notifying prominent media outlets where required by 45 CFR § 164.406. Business Associate will provide reasonable assistance to Covered Entity in fulfilling these obligations as required by the HITECH Act (§ 13402).

5.5 Ongoing Notice — Unsuccessful Security Incidents. Business Associate acknowledges that, consistent with 45 CFR § 164.308(a)(6), it must address Security Incidents. As an inherent aspect of operating networked software, Business Associate may experience ongoing unsuccessful attempts to breach system security (e.g., port scans, probes, failed authentication attempts). Business Associate is not required to provide individual notice for each such unsuccessful attempt; this Section 5.5 serves as Covered Entity's standing general notice of such ongoing unsuccessful Security Incidents.

5.6 Device Loss Incidents. In the event Covered Entity reports a lost or stolen device (Section 4.6(d)), Business Associate will: (a) provide Covered Entity with guidance on remote wipe procedures; (b) evaluate whether the loss constitutes a Breach under 45 CFR § 164.402, taking into account the encryption status of locally stored PHI; and (c) notify Covered Entity of its determination within ten (10) business days. Because locally stored PHI is encrypted using AES-256 (Section 3.3), physical device loss of a properly configured device is unlikely to constitute a Breach of Unsecured PHI under current HHS guidance, but Business Associate shall conduct a case-by-case analysis.

6. Term and Termination

6.1 Term. This Agreement is effective as of the date Covered Entity accepts it through the HIPAA Onboarding Wizard (or the date of the last signature if executed as a paper BAA) and shall remain in effect until terminated as provided herein, or until the underlying Services agreement (the Practice Pad Terms of Service) terminates or expires, whichever occurs first.

6.2 Termination for Cause by Covered Entity. Covered Entity may terminate this Agreement and the underlying Services agreement upon written notice to Business Associate if Business Associate has materially breached a material provision of this Agreement and fails to cure such breach within thirty (30) days of receiving written notice specifying the breach in reasonable detail. If cure within thirty (30) days is not feasible, Covered Entity may terminate immediately upon written notice.

6.3 Termination for Cause by Business Associate. Business Associate may suspend or terminate this Agreement and the underlying Services agreement, upon written notice to Covered Entity (or immediately, if necessary to prevent ongoing harm or HIPAA violations), if Covered Entity materially breaches this Agreement, including by: (a) syncing PHI without a valid Google Workspace BAA in place; (b) using Practice Pad with live client PHI without completing the HIPAA Onboarding Wizard; (c) syncing PHI to a personal @gmail.com account; or (d) failing to notify Business Associate of a lost or stolen device within the timeframe required by Section 4.6(d).

6.4 Termination Without Cause. Either party may terminate this Agreement without cause upon thirty (30) days' written notice to the other party, provided that termination does not relieve either party of obligations that have already accrued or that survive termination under Section 6.7.

6.5 Effect of Termination — Return or Destruction of PHI. Upon termination of this Agreement for any reason, Business Associate shall, within ninety (90) days of the termination date, return to Covered Entity or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form, and retain no copies — except as provided in Section 6.6. For the avoidance of doubt: (a) PHI stored on Covered Entity's device is in Covered Entity's direct possession and is not subject to this return/destruction obligation; and (b) PHI synced to Covered Entity's Google Workspace is in Covered Entity's direct possession and control and is also not subject to this obligation. Business Associate shall provide written confirmation of destruction upon Covered Entity's written request.

6.6 Infeasibility of Return or Destruction. If return or destruction of PHI is not feasible (e.g., due to a legal hold or regulatory requirement), Business Associate shall: (a) provide Covered Entity with written notification explaining the basis for infeasibility within fifteen (15) days of determining infeasibility; (b) extend the protections of this Agreement to such PHI for as long as Business Associate retains it; and (c) limit further uses and disclosures of such PHI to the purposes that make return or destruction infeasible. Business Associate shall destroy PHI retained under this Section as soon as return or destruction becomes feasible.

6.7 Survival. The following provisions shall survive termination of this Agreement: (a) the return/destruction obligations of Sections 6.5 and 6.6; (b) the breach reporting obligations of Section 5 with respect to Breaches discovered after termination; (c) the record-keeping and HHS access obligations of Section 3.9; (d) the definitions in Section 1; (e) the prohibited uses and disclosures in Section 2.5; and (f) any other obligation that by its nature should survive termination of this Agreement.

7. Beta Software Acknowledgment

7.1 Pre-Release Status. Covered Entity acknowledges that Practice Pad may be distributed as beta software via Apple TestFlight. While Business Associate exercises reasonable care to maintain the integrity and security of ePHI, beta software is pre-release software that may contain bugs, errors, or unexpected behavior. Business Associate shall endeavor to notify Covered Entity of any bug or error that places ePHI at risk as soon as practicable after discovery, and shall comply with its breach notification obligations in Section 5 regardless of the software's release status.

7.2 Parallel Records During Beta. During any beta period, Covered Entity shall maintain parallel clinical records of all PHI documented in Practice Pad — via paper records or a separate EHR — to ensure that no PHI is at risk of permanent loss in the event of a beta-related failure. This obligation is in addition to, and does not replace, the standing parallel records obligation in Section 4.8.

7.3 Production Transition. Upon general release of Practice Pad to the Apple App Store (non-beta distribution), this Agreement shall remain in full force and effect without modification. No re-acceptance or re-execution of this Agreement shall be required upon the production release, unless the Agreement itself is materially amended.

8. Miscellaneous

8.1 Entire Agreement. This Agreement, together with the Practice Pad Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the treatment of PHI in connection with the Services and supersedes all prior or contemporaneous agreements, representations, or warranties relating to the subject matter hereof.

8.2 Amendment. This Agreement may be amended only by a written instrument (including a click-through amendment presented through the Practice Pad interface) accepted by both parties. In the event of a change in HIPAA, the HITECH Act, the Omnibus Rule, or other applicable law that materially affects either party's obligations under this Agreement, the parties shall use commercially reasonable efforts to amend this Agreement to maintain compliance. If the parties cannot agree on an amendment within sixty (60) days, either party may terminate this Agreement immediately upon written notice.

8.3 Regulatory References. Any reference in this Agreement to a statute, regulation, or rule shall be deemed to refer to such statute, regulation, or rule as amended, replaced, or supplemented from time to time. This Agreement shall be interpreted so as to maintain compliance with HIPAA, the HITECH Act, and any successor legislation or regulation.

8.4 Interpretation and Conflict. This Agreement shall be interpreted in accordance with the requirements of HIPAA, the HITECH Act, and the Omnibus Rule, and any ambiguity shall be resolved in the manner most consistent with those requirements. In the event of a conflict between this Agreement and the Practice Pad Terms of Service or Privacy Policy, this Agreement shall control with respect to the treatment of PHI. In the event of a conflict between this Agreement and applicable federal or state law, applicable law shall control.

8.5 No Third-Party Beneficiaries. Nothing in this Agreement shall confer any rights or remedies upon any person or entity other than the parties to this Agreement and their respective permitted successors and assigns. Covered Entity's clients are not third-party beneficiaries of this Agreement, provided that nothing herein limits Covered Entity's independent obligations to those clients under HIPAA.

8.6 Governing Law. This Agreement shall be governed by the laws of the State of Arizona and applicable federal law (including HIPAA and the HITECH Act), without regard to conflict-of-laws principles. Disputes arising under this Agreement shall be subject to the dispute resolution provisions of the Practice Pad Terms of Service.

8.7 Severability. If any provision of this Agreement is held invalid, illegal, or unenforceable under applicable law, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.

8.8 Waiver. No waiver of any provision of this Agreement shall be effective unless made in writing. No waiver of any breach shall be construed as a continuing waiver of that breach or as a waiver of any subsequent breach of any provision.

8.9 Assignment. Covered Entity may not assign or transfer rights or obligations under this Agreement without Business Associate's prior written consent. Business Associate may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that: (a) Business Associate gives Covered Entity thirty (30) days' advance written notice of the assignment; (b) the assignee expressly assumes all Business Associate obligations under this Agreement, including all BAA obligations, in accordance with 45 CFR § 164.504(e); and (c) Business Associate notifies Covered Entity of the successor entity's identity and HIPAA compliance status as part of the required notice.

8.10 Notices. Any written notice required or permitted under this Agreement shall be sent to Business Associate at support@practicepadapp.com (subject line: "BAA Notice") and to Covered Entity at the email address associated with Covered Entity's Practice Pad account. Notices shall be deemed received upon confirmed delivery to the recipient's email address.

9. Execution & Logging of Acceptance

9.1 Click-Through Acceptance. By tapping "I Agree and Execute BAA" within the Practice Pad HIPAA Onboarding Wizard, Covered Entity: (a) represents that it has read and understood this Agreement in its entirety; (b) agrees to be bound by this Agreement; (c) represents that it has full authority to enter into this Agreement on behalf of its practice; and (d) acknowledges that this click-through constitutes a binding electronic signature pursuant to the Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.) and applicable state e-signature law.

9.2 Audit Logging of Acceptance. Upon click-through acceptance, Practice Pad shall log the following to Covered Entity's local device audit record and, at the next sync event, to Covered Entity's Google Drive Master Session Ledger:

  • Date and time of acceptance (UTC);
  • BAA Version number (1.0.0);
  • Email address associated with Covered Entity's Practice Pad account; and
  • National Provider Identifier (NPI), if entered by Covered Entity during onboarding.

This log entry constitutes the execution record for this Agreement and is the primary proof of BAA execution for both parties.

9.3 Paper BAA. If Covered Entity requires a countersigned paper BAA for institutional records, licensing board documentation, or any other purpose, contact support@practicepadapp.com with the subject line "BAA Request." Practice Pad will provide a countersigned paper BAA incorporating the terms of this Agreement within five (5) business days at no additional charge. The paper BAA shall reference this Agreement version and the date of original click-through acceptance.

Privacy Officer & BAA Contact

Perry Emerick, LPC — Privacy & Security Officer
Practice Pad Technologies LLC

Email: support@practicepadapp.com

For BAA requests, breach reports, or compliance inquiries, include the appropriate subject line ("BAA Request," "Breach Report," or "Compliance Inquiry") so we can route your message to the Privacy Officer promptly.

© 2026 Practice Pad Technologies LLC
