Business Associate Agreement

Effective version: v1.2026-05

This Business Associate Agreement ("BAA") supplements the ClinXtra Terms of Service and governs the parties' obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and 45 CFR Parts 160 and 164.

1. Definitions

Capitalized terms not defined here have the meanings given in 45 CFR §160.103 and §164.501. "PHI" means Protected Health Information that ClinXtra creates, receives, maintains, or transmits on behalf of Customer.

2. Permitted Uses and Disclosures

ClinXtra will use and disclose PHI only as permitted by this BAA, the Terms of Service, or as required by law. ClinXtra will not sell PHI or use it for marketing without authorization.

3. Safeguards

ClinXtra implements administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including encryption at rest (AES-256) and in transit (TLS 1.2+), least-privilege access, audit logging, and routine vulnerability management.

4. Subcontractors

ClinXtra ensures any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to substantially the same restrictions and conditions.

5. Breach Notification

ClinXtra will report any Breach of Unsecured PHI to Customer without unreasonable delay and in no case later than sixty (60) days after discovery, per 45 CFR §164.410.

6. Individual Rights

ClinXtra will, within commercially reasonable timeframes, support Customer's obligations to provide individuals access to, amendment of, and accounting of disclosures of their PHI.

7. Return or Destruction

Upon termination, ClinXtra will return or destroy PHI within ninety (90) days, except where retention is required by law. Customer may also request export and deletion at any time via the in-app Compliance page.

8. Term and Termination

This BAA continues for the duration of the underlying Terms of Service and may be terminated by Customer for material breach as provided therein.

Questions? Email compliance@clinxtra.com.