# Meditropia ClinicOps — Business Associate Agreement
**Effective Date:** The date the Clinic executes this Agreement or first transmits Protected Health Information ("PHI") to CloudFran, whichever occurs first.
This Business Associate Agreement ("BAA") is entered into between **CloudFran, Inc.** ("CloudFran," "Business Associate") and the healthcare provider identified on the executed signature page ("Clinic," "Covered Entity"), and governs the handling of PHI exchanged under the Meditropia ClinicOps service suite, including ScheduleGuard AI, ClaimShield AI, ReEngage AI, and the Revenue Acceleration Suite bundle (collectively, the "Services").
This BAA is required by the HIPAA Privacy Rule, 45 C.F.R. §§ 164.502(e) and 164.504(e), the HIPAA Security Rule, 45 C.F.R. §§ 164.308(b) and 164.314(a), and the HITECH Act. Capitalized terms used but not defined have the meanings in 45 C.F.R. Parts 160 and 164.
## (a) Permitted Uses and Disclosures
CloudFran may use and disclose PHI received from or created on behalf of Clinic **only** for the following operational purposes, each of which constitutes a Health Care Operation of Clinic or is performed on Clinic's behalf:
1. **Operational analytics** — computing no-show rates, same-day cancellation rates, appointment lead-time distributions, provider utilization, location-level volume, and payer-mix summaries.
2. **Scheduling optimization** — generating per-appointment risk scores, recommended reminder cadence, provider-panel load balancing, and overbook recommendations.
3. **Billing and revenue-cycle analytics** — denial-trend detection, CPT/payer pattern analysis, eligibility-verification gap reporting, prior-authorization flag generation, days-to-payment modeling, and appeal-priority scoring.
4. **Reactivation outreach** — identifying lapsed patients, generating recall lists, composing and (where Clinic enables it) delivering SMS, email, voice, and portal messages through Clinic-approved channels, and measuring response.
5. **De-identified and aggregated research** — creation and use of de-identified data sets (45 C.F.R. § 164.514(b)) and Limited Data Sets pursuant to a separate Data Use Agreement, for service improvement, model training, and benchmarking, provided that the resulting data sets are not re-identifiable and are not disclosed to third parties in a form that reveals Clinic's identity without Clinic's prior written consent.
6. **Required service operations** — activities CloudFran must perform to deliver the Services, including system administration, quality assurance, backup, disaster recovery, audit logging, and customer support.
CloudFran shall not use or disclose PHI for any purpose other than as permitted or required by this BAA, the underlying Master Services Agreement, or as required by law.
## (b) Minimum Necessary
CloudFran has engineered the Services so that the standard ingestion dataset contains **no direct patient identifiers**. Specifically, Clinic is **not** asked to transmit:
- Patient names
- Social Security numbers
- Street or mailing addresses (ZIP3 or ZIP5 only)
- Full date of birth (age band only, per the ingestion schema)
- Email addresses or telephone numbers, **except** to the extent Clinic elects to enable CloudFran-delivered reactivation or reminder outreach, in which case only the contact points necessary for delivery are shared and are stored in a segregated, encrypted communications vault
Clinic's internal patient identifier (`source_patient_id`) is a pseudonymous linkage key and is not mapped back to a patient name by CloudFran. CloudFran requests, uses, and discloses only the minimum necessary PHI to perform each permitted purpose, consistent with 45 C.F.R. § 164.502(b) and § 164.514(d).
## (c) Safeguards
CloudFran shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI it creates, receives, maintains, or transmits on behalf of Clinic, in accordance with the HIPAA Security Rule. These safeguards include, at minimum:
1. **Encryption in transit** — TLS 1.2 or higher for all PHI in motion, including SFTP ingestion and all API traffic.
2. **Encryption at rest** — AES-256 encryption for all PHI stored in primary databases, object storage, backups, and log archives. Encryption keys are managed in a hardware-backed key vault with rotation on a schedule no less frequent than annually and after any suspected compromise.
3. **Role-based access control (RBAC)** — principle-of-least-privilege role assignments, quarterly access reviews, and separation of duties between production engineering, support, and data-science personnel. No CloudFran employee has standing access to Clinic PHI; access is granted on a per-ticket basis and expires automatically.
4. **Audit logging** — immutable, append-only logs capturing authentication events, PHI access (read, write, export), administrative actions, and system changes. Logs are retained for no less than six (6) years, consistent with 45 C.F.R. § 164.316(b)(2).
5. **Multi-factor authentication (MFA)** — MFA is required for all CloudFran administrative access to systems that process PHI and for all Clinic user logins with PHI-level permissions.
6. **Secrets management** — API keys, database credentials, and signing keys are stored exclusively in a hardware-backed secrets vault. No secret is stored in source code, configuration files committed to version control, or developer workstations.
7. **Vulnerability management** — ongoing static and dynamic application security testing, third-party penetration testing no less than annually, and documented patch management for all systems that process PHI.
8. **Workforce training** — all CloudFran workforce members with access to PHI complete HIPAA privacy and security training at onboarding and annually thereafter.
## (d) Breach Notification
CloudFran shall report to Clinic any Security Incident of which it becomes aware, and any Breach of Unsecured PHI (as defined in 45 C.F.R. § 164.402) of which it becomes aware, **without unreasonable delay and in no case later than seventy-two (72) hours** after discovery. Notification shall be made to the Clinic's designated privacy officer at the contact on file and shall include, to the extent then known and as supplemented as the investigation progresses:
- The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed.
- A description of the nature of the Breach, the PHI involved, the date of discovery, and the date of occurrence (if known).
- Any steps individuals should take to protect themselves from potential harm.
- The steps CloudFran has taken or will take to investigate, mitigate, and prevent recurrence.
CloudFran shall cooperate with Clinic's notification obligations under 45 C.F.R. §§ 164.404–164.408 and shall not independently notify individuals, regulators, or media without Clinic's prior written consent unless required by law.
Unsuccessful Security Incidents (e.g., routine port scans, pings, and other probes that are blocked by CloudFran's perimeter controls and do not result in access to PHI) are deemed reported hereby in summary form through CloudFran's periodic security reporting, and shall not require individual notice.
## (e) Subcontractors and Sub-Processors
CloudFran shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of CloudFran agrees in writing to the same restrictions and conditions that apply to CloudFran under this BAA, consistent with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2). A current list of sub-processors is **[IDENTIFIED IN SCHEDULE A]** and is updated from time to time; Clinic will receive no less than thirty (30) days' advance written notice of any new sub-processor that would process PHI, and may object on reasonable grounds. If the objection cannot be resolved through a mutually agreed remediation, Clinic's sole remedy is termination for convenience of the affected portion of the Services, subject to the payment of fees accrued through the termination date.
## (f) Return or Destruction of PHI
Upon termination of the Services for any reason, CloudFran shall, at Clinic's option, return to Clinic or securely destroy all PHI in its possession, including all copies in backup and archive systems, within ninety (90) days of termination. CloudFran shall certify destruction in writing. To the extent return or destruction is infeasible — for example, because PHI is embedded in disaster-recovery backup media subject to retention schedules that cannot be surgically altered — CloudFran shall extend the protections of this BAA to that PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, until such time as the PHI is purged in the ordinary course of media retirement.
## (g) No Sale, No Redistribution
CloudFran shall not directly or indirectly receive remuneration in exchange for any PHI and shall not sell PHI, as prohibited by 45 C.F.R. § 164.502(a)(5)(ii) and HITECH § 13405(d). CloudFran shall not redistribute Clinic PHI to any third party except (i) to a sub-processor bound under subsection (e), (ii) as required by law, or (iii) as expressly directed in writing by Clinic. De-identified data and Limited Data Sets created under subsection (a)(5) are not subject to this prohibition.
## (h) Covered Entity Status
Clinic is and shall remain the Covered Entity with respect to the PHI it provides under this BAA. Nothing in this BAA transfers any of Clinic's responsibilities as a Covered Entity to CloudFran, and CloudFran's role is limited to that of a Business Associate acting on Clinic's behalf. Clinic is responsible for obtaining any patient authorizations or notices required for Clinic's own uses and disclosures, including those that reference the Services.
## (i) Audit Rights
Upon reasonable prior written notice — not less than thirty (30) days except in the case of a suspected Breach, in which case notice shall be as prompt as the circumstances permit — and no more than once per calendar year absent cause, Clinic or its designated third-party auditor (who shall be subject to a reasonable non-disclosure agreement) may audit CloudFran's compliance with this BAA. Audits shall be conducted during normal business hours, shall not unreasonably interfere with CloudFran's operations, and shall be scoped to matters relevant to Clinic's PHI and this BAA. CloudFran shall provide, in lieu of on-site audit where reasonable, its most recent SOC 2 Type II report, HIPAA risk assessment summary, and written responses to a reasonable security questionnaire.
## (j) Indemnification
Each party (the "Indemnifying Party") shall defend, indemnify, and hold harmless the other party (the "Indemnified Party") and its directors, officers, employees, and agents from and against any third-party claims, damages, penalties, costs, and reasonable attorneys' fees to the extent arising out of the Indemnifying Party's (i) breach of this BAA, (ii) negligent or willful act or omission in handling PHI, or (iii) violation of HIPAA, HITECH, or any applicable state health-privacy law. The Indemnifying Party's obligations under this section are subject to the Indemnified Party's prompt notice of the claim, reasonable cooperation in the defense, and the Indemnified Party's ability to participate in the defense and approve settlements affecting its rights.
## (k) Term and Termination
This BAA shall take effect on the Effective Date and shall remain in effect for as long as CloudFran creates, receives, maintains, or transmits PHI on behalf of Clinic, and thereafter with respect to PHI that cannot yet be returned or destroyed under subsection (f). Either party may terminate this BAA for the other party's material breach of the BAA that remains uncured thirty (30) days after written notice, without prejudice to the surviving provisions of the Master Services Agreement.
## (l) Assignment
Neither party may assign this BAA without the other party's prior written consent, except that either party may assign this BAA to a successor in connection with a merger, acquisition, or sale of substantially all of its assets, provided the successor agrees in writing to be bound by the BAA.
## (m) Governing Law
This BAA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-laws principles, except to the extent HIPAA, HITECH, or other federal law preempts state law.
## (n) Arbitration Reference
Any dispute arising under this BAA shall be resolved pursuant to the dispute-resolution provisions of the Master Services Agreement between the parties, including, if applicable, binding arbitration. Nothing in this section limits either party's right to seek injunctive or equitable relief in a court of competent jurisdiction to prevent or remediate a Breach or unauthorized use or disclosure of PHI.
## (o) Interpretation; Order of Precedence
This BAA is intended to comply with HIPAA and HITECH. Any ambiguity shall be resolved in favor of a meaning that permits the parties to comply. In the event of a conflict between this BAA and any other agreement between the parties, the provisions of this BAA shall control with respect to PHI.
---
**Schedule A — Sub-Processors.** [IDENTIFIED IN SCHEDULE A] *(maintained at https://www.cloudfran.com/trust/subprocessors and delivered on request)*
*This BAA is signed electronically by the Clinic's authorized representative through CloudFran's e-signature workflow. A fully executed PDF is returned to Clinic and retained in CloudFran's immutable signature ledger.*
---
## Document control
- **Effective date:** 2026-04-23
- **Update cadence:** Reviewed quarterly; material changes notified 30 days in advance by email and in-dashboard banner.
- **How to request changes:** Send requested edits with rationale to legal@cloudfran.com. CloudFran will respond within ten (10) business days with accept, reject, or counter-proposal.
- **Latest version:** The canonical current version lives at `/wwwroot/legal/` in this repository and is mirrored at https://cloudfran.com/legal/.