Business Associate Agreement

Version 1.1.0 · Effective 2026-06-01

This Business Associate Agreement (the "BAA") is between Phiusion Labs Inc., an Ontario corporation ("Business Associate" or "Phiusion"), and the practitioner or practitioner entity identified at signature ("Covered Entity" or "CE"). It takes effect on [EFFECTIVE_DATE_OF_THIS_BAA] and runs alongside the Phiusion Labs Terms of Service (the "Services Agreement"), which governs the SaaS relationship; this BAA governs how Phiusion handles Protected Health Information ("PHI") that the CE places into the Phiusion platform.

This BAA implements the Business Associate contract requirements at HIPAA §164.502(e), §164.504(e), §164.314, and §164.404, as amended by the HITECH Act (42 USC §17921 et seq.). Where the Services Agreement and this BAA conflict on PHI handling, this BAA controls.

1. Recitals

A. The CE is a HIPAA Covered Entity under 45 CFR §160.103, using the Phiusion platform in the ordinary course of practice to capture skin photographs, record patient health background, run skin assessments, propose skincare regimens, sell professional skincare products, and store related patient records.

B. In performing those services Phiusion creates, receives, maintains, or transmits PHI on the CE's behalf and is therefore the CE's "Business Associate" under 45 CFR §160.103.

C. Phiusion engages Universkin SAS (Sophia Antipolis, France) as its Subcontractor Business Associate and GDPR Art. 28 sub-processor for the "SkinXS" skin-assessment service and related platform operations. Where a patient has separately consented under the Patient AI Improvement Consent (D11), Universkin's processing of that patient's training data is governed by an independent controller-leg agreement, leaves the BA-Subcontractor flow-down chain at de-identification or §164.508 authorization (as applicable), and is not within the scope of this BAA. The parties are not joint controllers within the meaning of GDPR Art. 26. Flow-down terms are in §5 and in the Intercompany DPA + BAA ("D15").

D. Phiusion positions its software as general wellness software under the FDA's 2019 guidance. As §11 explains, that positioning does not remove patient records from HIPAA's scope. The PHI Phiusion creates, receives, maintains, or transmits on behalf of the CE is handled under this BAA.

E. The parties enter this BAA so the CE can comply with the HIPAA Privacy, Security, and Breach Notification Rules when using Phiusion.

F. US-only scope. This BAA is for HIPAA Covered Entities established in the United States. Ontario PHIPA custodians use the PHIPA HINP Services Agreement (D21) instead; Alberta HIA custodians, Manitoba/Atlantic PHIA trustees, Saskatchewan HIPA trustees, and other Canadian custodians or trustees are onboarded under a bilateral agreement via sales@phiusionlabs.app and should not sign this BAA.

2. Definitions

Capitalized terms not defined here have the meanings given in 45 CFR Parts 160 and 164.

  • "Breach" has the meaning at 45 CFR §164.402: acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI, unless a §164.402 exception applies.
  • "Designated Record Set" has the meaning at 45 CFR §164.501.
  • "Electronic PHI" ("ePHI") has the meaning at 45 CFR §160.103.
  • "PHI" means Protected Health Information as defined at 45 CFR §160.103, but limited to PHI that Phiusion creates, receives, maintains, or transmits on behalf of the CE in connection with the Services Agreement or any related Phiusion service.
  • "Privacy Officer" means Phiusion's designee under 45 CFR §164.530(a)(1), responsible for receiving Breach notices, coordinating §6 CE-side cooperation, and acting as point of contact for HIPAA matters. Identified in the frontmatter and at privacy@phiusionlabs.app.
  • "Required by Law" has the meaning at 45 CFR §164.103.
  • "Security Incident" has the meaning at 45 CFR §164.304: attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations. Routine unsuccessful attempts (e.g., port scans, denied log-ins) are not individually reported under §6; Phiusion reports them in aggregate on request (consistent with HHS sub-regulatory guidance on §164.314 — see HHS FAQ on Security Incident reporting, 2002).
  • "Subcontractor" has the meaning at 45 CFR §160.103: a person to whom a Business Associate delegates a function, activity, or service involving PHI, other than as a member of the Business Associate's workforce.
  • "Unsecured PHI" has the meaning at 45 CFR §164.402 — PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction technologies specified by HHS guidance.

3. Permitted Uses and Disclosures of PHI

Per 45 CFR §164.504(e)(2)(i)–(ii), Phiusion may use or disclose PHI only as follows:

a. To perform the Services Agreement. Phiusion may use and disclose PHI as necessary to deliver the platform features the CE has activated (patient records, photo capture, skin assessment, skincare-regimen documentation, product ordering, and supporting infrastructure).

b. For Phiusion's proper management and administration. Phiusion may use PHI for its own management and administration and to carry out its legal responsibilities (45 CFR §164.504(e)(4)(i)(A)). Disclosure for that purpose is permitted only if Required by Law or Phiusion obtains reasonable assurances that the recipient will hold the PHI confidentially, use it only for the disclosed purpose, and notify Phiusion of any Breach.

c. Data aggregation services for the CE. Where the CE requests it, Phiusion may use PHI to provide data aggregation services to the CE within the meaning of 45 CFR §164.501.

d. To report violations. Phiusion may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).

e. As Required by Law. Phiusion may disclose PHI where Required by Law (45 CFR §164.103). Phiusion will give the CE written notice of any such request before disclosure where notification is itself lawful, so the CE may seek a protective order or otherwise object.

f. To Subcontractors. Phiusion may disclose PHI to Subcontractors only after the Subcontractor has agreed in writing to restrictions at least as protective as those imposed on Phiusion by this BAA (§5).

g. In response to judicial or administrative orders. Phiusion may disclose PHI in response to a court or administrative-tribunal order, or to a subpoena or discovery request, subject to 45 CFR §164.512(e).

h. For public-health disclosures on CE instruction. Phiusion may, on the CE's written instruction, disclose PHI for the public-health activities at 45 CFR §164.512(b).

Phiusion will not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by the CE itself, except as expressly permitted by paragraphs (b), (c), and (d) above (Business-Associate-specific uses).

4. Obligations of Business Associate

Phiusion's obligations track 45 CFR §164.504(e)(2)(ii)(A)–(J):

a. (A) Safeguards. Phiusion will use appropriate administrative, physical, and technical safeguards — and, for ePHI, will comply with Subpart C of 45 CFR Part 164 (§§164.308, 164.310, 164.312, 164.316) — to prevent use or disclosure of PHI other than as permitted by this BAA. Plain-language summary in Schedule B; operational detail in D17 (DPIA) and D19 (Breach Playbook).

b. (B) Report unauthorized uses and disclosures. Phiusion will report to the CE any use or disclosure of PHI not permitted by this BAA that comes to Phiusion's attention, including Breaches of Unsecured PHI (§164.410) and Security Incidents (§164.314(a)(2)(i)(C)). Timing and content in §6.

c. (C) Subcontractors. Phiusion will ensure any Subcontractor that creates, receives, maintains, or transmits PHI on Phiusion's behalf agrees in writing to the same restrictions that apply to Phiusion under this BAA (45 CFR §164.502(e)(1)(ii) and §164.308(b)(2)). Current Subcontractor list with PHI scope is in Schedule A.

d. (D) Access to PHI — §164.524. Where the PHI Phiusion holds for the CE is in a Designated Record Set, Phiusion will, within fifteen (15) calendar days of the CE's request, make that PHI available to the CE (or, at the CE's direction, to the individual) so the CE can meet its 30-day response obligation under §164.524. Phiusion supplies machine-readable export tooling (JSON/CSV by default; PDF on request) as part of its documented patient-record export tooling.

e. (E) Amendment — §164.526. Phiusion will, within fifteen (15) calendar days of the CE's request, make any CE-directed amendment to PHI in a Designated Record Set, or allow the CE to make it in Phiusion.

f. (F) Accounting of disclosures — §164.528. Phiusion will, within thirty (30) calendar days of the CE's request, provide the information needed for the CE to give an individual an accounting consistent with §164.528. Phiusion logs the §164.528(b) categories through the platform's audit log.

g. (G) Internal practices, books, and records. Phiusion will make available to the Secretary of HHS, for purposes of determining HIPAA compliance, its internal practices, books, and records relating to PHI it receives from the CE or creates or receives on the CE's behalf.

h. (H) Breach notification — §164.410. Phiusion will notify the CE of any Breach of Unsecured PHI without unreasonable delay, within the SLAs in §6.

i. (I) Mitigation. Phiusion will mitigate, to the extent practicable, any known harmful effect of a use or disclosure of PHI in violation of this BAA (45 CFR §164.530(f)).

j. (J) Return or destruction at termination. At termination, Phiusion will return or destroy all PHI it still maintains for the CE in any form. Where return or destruction is not feasible — for example, where HIPAA §164.530(j) requires retention of compliance documentation for six (6) years; where state medical-record retention statutes (typically 6–10+ years, longer for minors) govern the underlying clinical record; or where other applicable law (litigation hold, regulatory order, subpoena) requires preservation — Phiusion will extend the protections of this BAA to that PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible. D18 captures the applicable per-state matrix.

5. Subcontractors

Per 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), Phiusion flows down BAA-equivalent terms to every PHI-handling Subcontractor.

5.1 Universkin SAS as primary Subcontractor

Universkin SAS (Sophia Antipolis, France) is Phiusion's primary Subcontractor and operator of the SkinXS skin-assessment service. The flow-down agreement is the Intercompany DPA + BAA ("D15"). D15:

  • imposes on Universkin the same use and disclosure restrictions this BAA imposes on Phiusion;
  • requires Universkin to implement Security Rule safeguards equivalent to §4(a);
  • requires Universkin to notify Phiusion of any Breach or Security Incident within twenty-four (24) hours of Universkin's awareness, so Phiusion can meet its §6 SLA;
  • includes a France L34-1 CPCE "challenge or notify" clause obligating Universkin, where lawful, to challenge any French legal demand for CE-routed PHI before complying, to notify Phiusion and the affected CE immediately, and to suspend compliance pending the challenge; and
  • attests that the SkinXS service does not persist face-geometry vectors past the API request for any patient who has not given AI-improvement consent under D11.

5.2 Infrastructure Subcontractors with PHI exposure

Phiusion has executed or is executing a BAA with the following Subcontractors before enabling PHI on their infrastructure:

  • Supabase, Inc. — database, authentication, object storage for patient records, health background, photographs, and skin-assessment results. BAA on the Team tier with HIPAA add-on.
  • Vercel, Inc. — hosting and edge runtime. BAA on the Pro tier with HIPAA add-on.
  • Anthropic, PBC — LLM regeneration of the plain-language skin overview from doctor-curated text. Phiusion maintains a code-level invariant — verified at every release — that PHI requests use only the /v1/messages endpoint (not Batch, Files, Skills, Code Execution, Computer Use, Web Fetch, or third-party MCP integrations). Zero Data Retention enabled. Phiusion will notify the CE under §5 if the scope of Anthropic processing expands.
  • Sentry (Functional Software, Inc.) — error monitoring on Business tier with BAA. PHI paths gated by beforeSend scrubbing and a route blocklist; Sentry configuration decision recorded in docs/legal/internal/sentry-option-c-acknowledgment.md where Option C is selected.

The following Subcontractors are architecturally excluded from PHI paths in code and therefore do not require a BAA; the exclusion is reviewed under the procurement matrix:

  • Stripe, Inc. — payments; cart total, practitioner billing/shipping contact, card data only; no patient identifiers or clinical data.
  • SendGrid (Twilio Inc.) — transactional email; opaque order IDs and "log in to view" patterns only; no patient names, assessments, photos, or regimen detail.
  • Google Maps Platform (Google LLC) — address autocomplete; restricted in code to practitioner shipping/billing forms; never invoked on patient records.
  • AfterShip Limited — carrier tracking; webhook payloads carry only order_id, tracking_number, carrier, status, and the practitioner's shipping address.
  • remove.bg (Kaleido AI GmbH) — no patient photograph will be routed to remove.bg under this BAA. Phiusion has either (a) completed the cut-over to self-hosted background removal within Supabase/Vercel infrastructure, or (b) disabled photo-capture features until the cut-over completes.

The current Subcontractor list — legal entity, service, data categories, storage region, BAA/DPA status — is in Schedule A and maintained in code at content/legal/sub-processors.ts. Phiusion will give the CE thirty (30) days' advance notice of any addition of, or material change to, a Subcontractor with PHI scope; the CE may object in writing, in which case the parties will discuss a reasonable alternative. For an emergency change to remediate a security incident or vendor failure, Phiusion may act on twenty-four (24) hours' notice with full documentation within seven (7) days.

6. Breach Notification

Phiusion's Breach reporting obligations are set by 45 CFR §164.410. Phiusion targets faster timing than HIPAA's outer limit so the CE can meet its own §164.404 individual-notice obligation.

6.1 Service-level timing

  • Discovery to CE notification — within seventy-two (72) hours. Phiusion targets notice within 72 hours of awareness of a Breach of Unsecured PHI, and in no event later than sixty (60) calendar days after discovery (§164.410(b) outer bound). Phiusion will deliver the §6.2 content elements within 72 hours where it has them, and will work with the CE in good faith to provide preliminary information — including data fields needed to populate state-AG submission forms — sufficient to meet shorter state-AG SLAs binding the CE (see content/legal/internal/state-ag-pre-notification-matrix.md for per-state windows: e.g., MA c.93H regulator-first; IA 5-business-day; LA 10-day; CO/FL/WA/TX 30-day; VT 14-business-day).
  • Security Incidents. Phiusion reports Security Incidents resulting in unauthorized access to or disclosure of PHI through the same channel and SLA. Routine unsuccessful attempts posing no risk of disclosure (e.g., port scans, denied authentication) are reported in aggregate on request, not individually.

6.2 Notification content

Phiusion's notice will include, to the extent known and consistent with 45 CFR §164.410(c):

  • identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
  • a brief description of what happened, including the date of Breach and date of discovery, if known;
  • the types of Unsecured PHI involved;
  • the steps Phiusion is taking to investigate, mitigate, and protect against further Breaches; and
  • contact information for Phiusion's Privacy Officer.

Where information is not yet known, Phiusion will send an initial notice and supplement as the investigation progresses.

6.3 Channel and CE cooperation

Breach notices go to the CE's email of record, with a follow-up call to the licensed practitioner of record where the Breach meets the §164.408 "large-breach" (500+) threshold. Phiusion's Privacy Officer coordinates response. The CE retains the §164.404 / §164.408 obligation to notify affected individuals, HHS, and (where applicable) the media; Phiusion will cooperate in good faith — supplying affected-individual lists, investigation findings, and template notice language — so the CE can meet its 60-day individual-notice SLA.

7. Access, Amendment, and Accounting

The CE retains primary responsibility under §164.524 (access), §164.526 (amendment), and §164.528 (accounting). Phiusion's role is to provide the export, edit, and audit-log tooling the CE needs to respond within its statutory windows.

  • §164.524 access. Phiusion's export tooling satisfies the §164.524(c)(2)–(3) "form and format" choice. Phiusion charges the CE no per-page fee for electronic copies; the CE may pass through cost-based fees to the patient consistent with §164.524(c)(4) and the HHS 2016 guidance.
  • §164.526 amendment. The CE may make amendments directly through the platform's Manage Consents and patient-record screens. Where the CE asks Phiusion to make the amendment, Phiusion will act within fifteen (15) calendar days.
  • §164.528 accounting. Phiusion's audit log captures the categories of disclosure required by §164.528(b); Phiusion will deliver an accounting export within thirty (30) calendar days of request.
  • Consent withdrawal. Where a patient withdraws a consent under the Consent Withdrawal policy (D12), Phiusion stops the relevant processing and writes an immutable withdrawal row to the audit log. The underlying clinical record is preserved for medical-record retention purposes per §164.530(j) and D18; the withdrawal scopes future use only.
  • Universal protection. Every patient enrolled in Phiusion receives the same access, amendment, accounting, and withdrawal rights regardless of state of residence; the CE need not maintain state-by-state branching of these rights inside the platform. Where a patient invokes a non-HIPAA right (e.g., PIPEDA Sch. 1 §4.9, PHIPA s.52, Law 25 art. 27), Phiusion will support the CE on the same timelines as the HIPAA equivalents in this section.

8. Return or Destruction at Termination

Per 45 CFR §164.504(e)(2)(ii)(J), upon termination for any reason, Phiusion will return or destroy all PHI it still maintains for the CE in any form and retain no copies — except where return or destruction is infeasible under the §4(j) categories (HIPAA §164.530(j); state medical-record retention; D18 retention schedule; litigation hold, regulatory order, or subpoena). The D18 matrix controls — e.g., ten (10) years for patient wellness sessions; majority + 10 years for minors.

Where infeasible, Phiusion will continue to extend this BAA's protections to retained PHI, limit further uses and disclosures to the purposes that make destruction infeasible, and destroy the PHI promptly once those purposes end. The list of retained categories and disposition timeline is delivered to the CE within thirty (30) days of termination.

9. Term and Termination

a. Term. This BAA takes effect on [EFFECTIVE_DATE_OF_THIS_BAA] and continues for as long as the Services Agreement is in force, plus any tail period needed for §8 return or destruction.

b. Termination for cause by the CE — §164.504(e)(2)(iii). If the CE knows of a pattern of activity or practice of Phiusion that materially breaches this BAA, the CE will give Phiusion written notice and a cure period of not less than thirty (30) calendar days. If Phiusion fails to cure, the CE may terminate this BAA and the Services Agreement on written notice. Where cure is not possible, the CE may terminate immediately.

c. Termination for unauthorized use or disclosure. The CE may terminate this BAA immediately on written notice if Phiusion uses or discloses PHI in a manner that would violate the HIPAA Privacy Rule if done by the CE and that materially breaches this BAA.

d. Termination for cause by Phiusion. Phiusion may terminate on written notice if the CE materially breaches its obligations and fails to cure within thirty (30) calendar days. §8 (return or destruction) survives regardless of which party terminated.

e. Reporting to HHS — §164.504(e)(2)(iv). If neither termination nor cure is feasible, the CE will report the violation to the Secretary of HHS.

10. Cross-Border Data Flows (US → CA → FR)

The CE is in the US; Phiusion is in Ontario, Canada, with primary infrastructure hosted in the US (Supabase, Vercel) under signed BAAs (§5.2); Universkin SAS is in France and runs SkinXS on EU infrastructure. The flow is US (CE) → CA (Phiusion) → FR (Universkin).

For HIPAA purposes, the chain is governed by signed BAAs at every link (this BAA; D15). For European data-protection purposes — which apply because Universkin processes the PHI on French infrastructure — the chain is governed by:

  • the GDPR Art. 28 controller-processor terms in D15;
  • Canada's EU adequacy decision (Commission Decision 2002/2/EC), which applies to Phiusion's processing where Phiusion is subject to PIPEDA in the course of commercial activities (Phiusion confirms it operates within that scope). The Phiusion → Universkin transfer relies on this decision under GDPR Art. 45; it does not apply to the CE → Phiusion leg, which is governed by HIPAA, this BAA, and PIPEDA Schedule 1 §4.1.3;
  • the France L34-1 CPCE "challenge or notify" clause in D15;
  • Schrems-II supplementary measures (encryption in transit and at rest, access control, audit logging, and the France L34-1 CPCE challenge-or-notify clause); their effectiveness against US and French surveillance laws is assessed in per-vendor Transfer Impact Assessments at content/legal/internal/tia-<vendor>.md (D20) for US Subcontractors storing PHI (Supabase, Vercel, Anthropic, Sentry).

Phiusion represents and warrants that the European instruments in this §10 are in force at the effective date and will remain in force for as long as Phiusion routes PHI through Universkin SAS; this representation survives termination for the duration of any §8 retained-PHI obligations. Those instruments are Phiusion's responsibility, not the CE's; they govern the Phiusion–Universkin relationship and do not modify the CE's HIPAA obligations under this BAA.

11. Wellness-Positioning Recital

In short: calling our software general wellness keeps it outside the FDA's medical-device regime; it does not move your patient records outside HIPAA. This BAA still applies.

Phiusion positions its software as general wellness software under the FDA's 2019 General Wellness: Policy for Low Risk Devices guidance. Customer-facing copy does not claim to diagnose, treat, cure, mitigate, or prevent disease; the platform supports, but does not replace, the CE's professional judgment.

HIPAA's applicability turns on the status of the CE under 45 CFR §160.103. A Covered Entity is a health-care provider that transmits health information electronically in a transaction for which HHS has adopted a standard. Where the CE meets that definition, everything the CE places into Phiusion is PHI — patient records, photographs, health background, skin-assessment results, and skincare-regimen documentation. Phiusion handles all of it as a Business Associate under this BAA.

The parties accordingly agree that:

  • Phiusion's general-wellness positioning is a defense against FDA Software-as-a-Medical-Device classification only; it does not remove any patient record from HIPAA's scope where the CE is a Covered Entity, and does not reduce Phiusion's obligations under this BAA, the Privacy Rule, the Security Rule, or the Breach Notification Rule;
  • the CE's HIPAA status is determined by 45 CFR §160.103 and HHS guidance, not by anything in the Services Agreement or this BAA; and
  • a change in FDA classification does not, by itself, change the GDPR characterisation of patient records — already processed by Phiusion and Universkin as special-category health data under Art. 9(2)(h). Controller-leg AI-improvement processing remains governed by patient consent under Art. 9(2)(a) and D11 regardless of FDA status.

12. Signature Blocks

Business Associate

Phiusion Labs Inc.
By: ____________________________
Printed name: Jonathan Garbutt
Title: Privacy Officer, Phiusion Labs
Email: privacy@phiusionlabs.app
Date: ____________________

Covered Entity

[DOCTOR_PRACTICE_LEGAL_NAME]
By: ____________________________
Printed name: [CE_AUTHORIZED_SIGNATORY_NAME]
Title: [CE_AUTHORIZED_SIGNATORY_TITLE]
NPI: [DOCTOR_NPI]
State license number: [DOCTOR_STATE_LICENSE_NUMBER]
State of licensure: [DOCTOR_STATE_OF_LICENSURE]
Date: ____________________


Schedule A — Subcontractors with PHI Scope

Phiusion's PHI-handling Subcontractors under §5. Authoritative list at content/legal/sub-processors.ts; regenerated at each BAA revision.

Subcontractor | Role | Storage region | BAA status
--------------|------|----------------|-----------
Universkin SAS (SkinXS API) | AI skin assessment; platform operator | EU (France) | Intercompany BAA + DPA via D15. Executed: [DATE].
Supabase, Inc. | Database, authentication, object storage | US | Executed: [DATE] — Team tier + HIPAA add-on. Phase 4 procurement complete.
Vercel, Inc. | Application hosting, edge runtime | US (global edge) | Executed: [DATE] — Pro tier + HIPAA add-on. Phase 4 procurement complete.
Anthropic, PBC | LLM for skin-overview regeneration (text only) | US | Executed: [DATE]. Scope limited to /v1/messages. Zero Data Retention enabled.
Sentry (Functional Software, Inc.) | Error monitoring (post-scrub) | US (EU optional) | Executed: [DATE] — Business tier self-serve BAA v1.0.1.

Architecturally-excluded sub-processors (Stripe, SendGrid, AfterShip, Google Maps, and — pending replacement — remove.bg) are in §5.2 with their engineering invariants. Where a status reads [DATE], the date is filled at signature.

Schedule B — Safeguards Summary

Plain-language summary; operational detail lives in D17 (DPIA) and D19 (Breach Notification Playbook).

  • Administrative. Named Privacy Officer; workforce confidentiality training; role-based access; vendor procurement and BAA management (matrix at content/legal/internal/sub-processor-baa-verification.md).
  • Physical. Inherited from infrastructure Subcontractors (Supabase, Vercel) under their BAAs; Phiusion does not operate physical data centers.
  • Technical. TLS 1.2+ in transit; AES-256 at rest; Supabase RLS partitions records by practitioner; signed JWT sessions; §164.528(b) audit logging; Sentry beforeSend scrubbing and route deny-list; code-level invariants keeping PHI out of architecturally-excluded vendors (§5.2).
  • Detection & response. Sentry alerting, Supabase audit-log monitoring, Privacy Officer on call. Procedure in D19.
  • Retention. Patient clinical records for ten (10) years from session date (majority + 10 years for minors). Full schedule at D18.
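The beforeSend scrubbing and route blocklist named in §5.2 and in the Technical safeguards above, shown as an added TypeScript example that is not Phiusion's code. The route patterns, field names, header list and the minimal event type are assumptions; a real deployment would pass the function as the beforeSend option of Sentry.init().

```typescript
// Added example, not Phiusion's code: a Sentry-style beforeSend hook that
// (1) drops any event raised while serving an assumed PHI route and
// (2) strips PHI-named fields, identifiers and credentials from what remains.

type SentryLikeEvent = {
  message?: string;
  request?: { url?: string; data?: unknown; headers?: Record<string, string> };
  user?: { id?: string; email?: string; ip_address?: string };
  extra?: Record<string, unknown>;
  contexts?: Record<string, Record<string, unknown>>;
};

const REDACTED = "[redacted]";

// Assumed PHI routes. An event raised there is dropped whole: stack frames,
// breadcrumbs and local variables can carry clinical data that a field-level
// scrub cannot anticipate.
const PHI_ROUTE_BLOCKLIST: RegExp[] = [
  /^\/api\/patients(\/|$)/,
  /^\/api\/assessments(\/|$)/,
  /^\/api\/photos(\/|$)/,
  /^\/api\/regimens(\/|$)/,
];

// Assumed field names (compared lower-cased, punctuation removed) whose values
// are PHI or direct identifiers under §164.514(b).
const PHI_FIELD_KEYS: string[] = [
  "patientname", "firstname", "lastname", "dob", "dateofbirth", "email", "phone",
  "address", "photourl", "healthbackground", "assessment", "regimen", "notes",
];

const SENSITIVE_HEADERS: string[] = ["authorization", "cookie", "set-cookie", "x-api-key"];

function normalizeKey(key: string): string {
  return key.toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Path component of an absolute or relative URL, without query string or fragment.
function pathOf(url: string): string {
  return url.replace(/^[a-z][a-z0-9+.-]*:\/\/[^/]*/i, "").split(/[?#]/)[0] || "/";
}

function isPhiRoute(url: string): boolean {
  const path = pathOf(url);
  return PHI_ROUTE_BLOCKLIST.some((re) => re.test(path));
}

// Recursively redact PHI-named fields; the depth bound stops cyclic or very
// deep payloads from recursing forever. Returns a new object, never mutates.
function scrub(value: unknown, depth: number = 0): unknown {
  if (depth > 8) return REDACTED;
  if (Array.isArray(value)) return value.map((v) => scrub(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(src)) {
      out[key] = PHI_FIELD_KEYS.indexOf(normalizeKey(key)) !== -1 ? REDACTED : scrub(src[key], depth + 1);
    }
    return out;
  }
  return value;
}

function dropSensitiveHeaders(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const name of Object.keys(headers)) {
    if (SENSITIVE_HEADERS.indexOf(name.toLowerCase()) === -1) out[name] = headers[name];
  }
  return out;
}

// The hook: null drops the event; otherwise the scrubbed copy is what Sentry receives.
function beforeSend(event: SentryLikeEvent): SentryLikeEvent | null {
  const url = event.request ? event.request.url : undefined;
  if (url !== undefined && isPhiRoute(url)) return null;

  const scrubbed: SentryLikeEvent = { message: event.message };
  if (event.request) {
    // request.data (the body) is deliberately never copied into the outgoing event.
    scrubbed.request = {
      url: event.request.url,
      headers: event.request.headers ? dropSensitiveHeaders(event.request.headers) : undefined,
    };
  }
  // Keep only the opaque user id; email and IP address are identifiers.
  if (event.user) scrubbed.user = event.user.id !== undefined ? { id: event.user.id } : {};
  if (event.extra) scrubbed.extra = scrub(event.extra) as Record<string, unknown>;
  if (event.contexts) scrubbed.contexts = scrub(event.contexts) as Record<string, Record<string, unknown>>;
  return scrubbed;
}
```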

For BAA questions, contact the Phiusion Privacy Officer at privacy@phiusionlabs.app. For Universkin's EU sub-processor role, contact DPO Maître Eric ELABD, dpo@universkin.com, +33 (4) 93.00.11.96.