BUSINESS ASSOCIATE AGREEMENT (BAA)

Last Updated: November 9, 2025

1. Effect. This BAA defines, modifies, and replaces any prior arrangements between the parties with respect to PHI. This BAA is made subject to the terms and conditions of the Agreement. Except as otherwise set forth in this BAA, the terms and provisions of this BAA will supersede any other conflicting or inconsistent terms and provisions in the Agreement. Absent an Agreement, this BAA shall govern Dental Bee’s obligations with respect to PHI from Customer.

2. Definitions. The following capitalized terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (also referred to as “PHI”), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Use.

3. Permitted uses and disclosures by Dental Bee.

a. Except as specifically limited in this BAA, Dental Bee may use or disclose PHI to perform its obligations under this BAA, to provide the Platform, and to perform functions, activities, or services for Customer or on Customer’s behalf in connection with the Platform or the Agreement, or as required by law.

b. Dental Bee may use PHI for its proper management and administration (e.g., research and testing in support of its products or services) and to carry out its legal responsibilities;

c. Dental Bee may disclose PHI for its proper management and administration, or to carry out its legal responsibilities, provided the disclosures are required by law or Dental Bee obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Dental Bee when the person becomes aware that the confidentiality of the information has been breached.

d. Dental Bee may provide data aggregation services relating to Customer’s and Dental Bee’s other customers’ health care operations.

e. Dental Bee may de-identify PHI so long as such de-identification meets the requirements of 45 CFR 164.514(a)-(c). Information de-identified in accordance with this section will no longer constitute PHI under the HIPAA Rules, and Dental Bee may use, disclose, or transfer such de-identified data at its discretion, for any lawful purpose, even after this BAA ends.

f. Dental Bee may disclose PHI (i) for the treatment activities of a health care provider; (ii) to a covered entity or health care provider for the payment activities of the entity that receives the PHI; or (iii) to another covered entity for health care operations activities of the entity that receives the PHI, if each entity either has or had a relationship with the Individual who is the subject of the PHI being disclosed, the PHI pertains to such relationship, and the disclosure is for the covered entity’s health care operations in accordance with 45 C.F.R. § 164.506(c)(4)(i).

4. Dental Bee’s obligations and activities.

a. Safeguards against misuse of PHI. Dental Bee shall use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA, and comply when applicable with Subpart C of 45 CFR Part 164 with respect to electronic PHI that Dental Bee creates, receives, maintains, or transmits on Customer’s behalf;

b. Reporting of Disclosures of PHI. Dental Bee shall report to Customer any use or disclosure of PHI not covered by this BAA (including breaches of unsecured PHI) of which we become aware, as well as any security incidents of which we become aware, in accordance with 45 CFR 164.410 and 164.412. Notwithstanding the foregoing, the parties acknowledge and agree that this Section 3(c) constitutes notice by Dental Bee to Customer of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Customer shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on our firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incidents resulted in unauthorized access, use or disclosure of Customer’s electronic PHI;

c. Notification of Breach. Dental Bee shall notify Customer of the discovery of any Breach of Unsecured PHI in accordance with HIPAA Regulations as soon as practicable, but no later than five (5) business days after discovery of any Breach. Such notice shall include the identity of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, breached. Dental Bee’s obligation to report under Section 3(c) and this Section 3(d) is not and will not be construed as an acknowledgement by Dental Bee of any fault or liability with respect to any use, disclosure, Security Incident or Breach.

d. Agreements with Third Parties. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Dental Bee shall ensure that its affiliates, agents, or subcontractors that create, receive, maintain, or transmit PHI on our behalf agree to the same or materially similar terms that apply to Dental Bee with respect to such information;

e. Access to Information. Unless expressly agreed to in the Agreement, Dental Bee and Customer mutually understand that Dental Bee is not responsible for maintaining any Designated Record Set on behalf of Customer. If Dental Bee maintains PHI in a Designated Record Set, as defined in 45 C.F.R. § 164.501, then upon Customer’s request, Dental Bee shall provide access to such PHI in a Designated Record Set to the Individual in order for Customer to comply with the requirements under 45 C.F.R. § 164.524. If Dental Bee receives a direct request from an Individual for access to PHI, it will forward the request to Customer to fulfill. If Dental Bee provides copies or summaries of PHI to an Individual, Dental Bee may impose a reasonable, cost-based fee in accordance with 45 C.F.R. § 164.524(c)(4). Notwithstanding the foregoing, if the PHI that is the subject of a request for access is maintained in one or more Designated Record Sets electronically and if the Individual requests an electronic copy of such information, Dental Bee shall provide access to the PHI in the electronic form and format requested. Further, if an Individual’s request for access directs Dental Bee to transmit the copy of PHI directly to another person designated by the Individual, Dental Bee shall provide the copy to the person designated by the Individual. The Individual’s request must be in writing, signed by the Individual, and clearly identify the designated person;

f. Availability of PHI for Amendment. If Dental Bee maintains PHI in a Designated Record Set, Dental Bee agrees to make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set, in order for Customer to comply with 45 C.F.R. § 164.526. If Dental Bee receives a direct request from an Individual for amendment to PHI, Dental Bee will forward the request to Customer to fulfill.

g. Accounting of Disclosures. Within forty-five (45) days after notice by Customer to Dental Bee, Dental Bee shall make available such information as is in its possession and that is required for Customer to make the accounting required by 45 C.F.R. § 164.528. If Dental Bee receives a direct request from an Individual for an accounting of disclosures of PHI, Dental Bee will forward the request to Customer to fulfill. The obligations set forth in the foregoing section will not apply to disclosures of PHI related to the Treatment of a patient, the processing of Payments related to such Treatment, or the Health Care Operations of a covered entity or its business associate and not relating to disclosures made earlier than six (6) years prior to the date on which the accounting was requested.

h. To the extent Dental Bee has agreed in writing to carry out Customer’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Customer in performance of such obligation(s).

i. Dental Bee agrees to make its internal practices, books, and records available to the Secretary to determine compliance with the HIPAA Regulations.

j. Except for the purposes set forth in the Agreement and as otherwise provided by law, Dental Bee shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual unless Customer receives a valid HIPAA authorization.

k. Dental Bee shall make reasonable efforts to limit the use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

5. Customer’s Obligations and Restrictions.

a. Customer Obligations. Customer will implement its own appropriate safeguards, not inconsistent with this BAA, to prevent unauthorized use and disclosure of PHI and will maintain the necessary consents required by law before using the Platform to process PHI.

b. Minimum Necessary. Dental Bee may deem that Customer is disclosing to it only that PHI which Customer determines is reasonably necessary to achieve the intended purpose of the disclosure.

c. Changes in Policies and Procedures. Customer shall notify Dental Bee prior to implementing any change in its privacy or security policies and procedures, including its Notice of Privacy Practices, which would affect Dental Bee’s obligations hereunder.

d. Notice of Restrictions on Use or Disclosure. Customer agrees to notify Dental Bee of any restriction on the use or disclosure of PHI that it has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Dental Bee’s use or disclosure of PHI. To the best of Customer’s knowledge, there are no such restrictions as of the date of this BAA.

e. Permitted Actions by Customer. In no event will Customer request Dental Bee to use or disclose PHI in any manner not permitted by HIPAA Rules if done by Customer, nor will Customer send unencrypted PHI to Dental Bee in any form. Should Customer do so, Dental Bee will not be responsible for damages related to such requests or unencrypted PHI.

6. Term and Termination.

a. This BAA will become effective contemporaneously with the Agreement, and unless otherwise terminated as provided herein, will have a term that will run concurrently with that of the last expiration date or termination of the Agreement, if any.

b. If either party learns of a material breach of this BAA by the other party, the non-breaching party will notify the breaching party and provide a reasonable opportunity to cure the breach, and if such breach is not cured within a reasonable time, terminate this BAA and the Service components that Dental Bee determines require or permit ongoing access to PHI. If a cure is not possible, then the non-breaching party may immediately terminate this BAA and the Service components that Dental Bee determines require or permit ongoing access to PHI.

c. Except as provided in this subsection, on termination of this BAA, Dental Bee will return or destroy all PHI currently in its possession, and it will retain no copies of the PHI. If Dental Bee determines that returning or destroying PHI is infeasible (e.g., retention of PHI is necessary to continue its proper management and administration or to carry out its legal obligations), Dental Bee will inform Customer of the conditions that make return or destruction infeasible and will extend the protections of this BAA to such PHI to limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for as long as Dental Bee maintains such PHI. The terms of this subsection apply to PHI in possession of Dental Bee’s subcontractors and agents.

d. Survival. The obligations of the parties under Sections 4, 5, 6, and 7 of this BAA shall survive the termination of this BAA.

MINIMUM SERVICE LEVELS

1. Exhibit. This exhibit describes the standard software as a service support levels currently offered by DentalBee to its Customers. Capitalized terms not otherwise defined herein have the meanings ascribed to them in the main body of the Agreement.

2. Service Availability. DentalBee will use commercially reasonable efforts to provide availability to the Website at least 99% of the time as measured over the course of each calendar month, excluding unavailability as a result of any of the Exceptions described below (the “Availability Requirement”). “Service Level Failure” means a material failure of the Website to meet the Availability Requirement. “Available” means the Website is available for access and use by Customer and its visitors over the Internet and operating in material accordance with this Agreement.

3. Service Availability Exceptions. For purposes of calculating the Availability Requirement, the following are “Exceptions” to the Availability Requirement, and neither the Website will be considered un-Available nor any Service Level Failure be deemed to occur in connection with any failure to meet the Availability Requirement or impaired ability of Customer or its visitor to access or use the Website that is due, in whole or in part, to any:

(a) Scheduled Downtime;
(b) Website downtime or degradation due to a Force Majeure Event;
(c) an act or omission by Customer to use of the Website or hosting environment that does not strictly comply with this Agreement;
(d) Customer’s internet connectivity;
(e) failure, interruption, outage or other problem with any software, hardware, system, network, facility or other matter not supplied by DentalBee pursuant to this Agreement;
(f) any other circumstances beyond DentalBee’s reasonable control; and
(g) any suspension or termination of the Customer’s access to or use of the Website as permitted by this Agreement.

4. Scheduled Downtime. DentalBee will use commercially reasonable efforts to: (a) schedule downtime for routine maintenance of the Website between the hours of 1 a.m. and 4 a.m., Eastern Time; and (b) give Customer at least 12 hours’ prior notice of all scheduled outages of the hosting Platform (“Scheduled Downtime”).

5. Support & Availability. DentalBee provides online case submissions with business-hour support providing call-back responses to Customer issues and cases, which includes:

(a) on-line support through Provider’s website;
(b) on-line case submission; and
(c) under 5 business day email-back response time.
