Business Associate Agreement

Klaim handles protected health information (“PHI”) with the same care it handles your capital. A Business Associate Agreement (“BAA”) is available to every customer and partner who works with us, and is executed as part of onboarding — before any PHI is exchanged.

This page summarizes the terms of that agreement in plain language. The executed BAA is the binding document; where this summary and the signed agreement differ, the signed agreement controls. To request a copy, contact hello@klaim.com.

Terms used here have the meanings given in the HIPAA Privacy, Security, and Breach Notification Rules at 45 CFR Parts 160 and 164. In summary:

• Covered Entity — the healthcare provider or other entity that engages Klaim.
• Business Associate — Klaim, when it creates, receives, maintains, or transmits PHI on the Covered Entity's behalf.
• PHI— protected health information, including electronic PHI, that Klaim handles in connection with the Service.

Klaim uses and discloses PHI only as permitted or required by the BAA, as required by law, or as the Covered Entity directs. Specifically, Klaim may use PHI to:

• Provide the Service — forecasting, acceleration, recovery, and reconciliation of receivables on the Covered Entity's behalf.
• Carry out its own proper management, administration, and legal responsibilities, where permitted under 45 CFR 164.504(e).

Klaim does not use or disclose PHI in any manner that would violate the HIPAA Rules if done by the Covered Entity, and applies the minimum necessary standard to its uses and disclosures.

Klaim maintains administrative, physical, and technical safeguards — including encryption of PHI in transit and at rest — designed to protect the confidentiality, integrity, and availability of electronic PHI, consistent with the HIPAA Security Rule. Klaim limits access to PHI to workforce members who need it to deliver the Service.

Klaim reports to the Covered Entity any use or disclosure of PHI not permitted by the BAA, any security incident, and any breach of unsecured PHI of which it becomes aware, without unreasonable delay and within the timeframe required by the agreement and applicable law. Reports include the information reasonably available to support the Covered Entity's own notification obligations.

Klaim ensures that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and conditions at least as protective as those that apply to Klaim under the BAA.

Klaim makes PHI available to the Covered Entity, and supports the Covered Entity's obligations to provide individuals with access to, and amendment of, their PHI, and an accounting of disclosures, as required by 45 CFR 164.524, 164.526, and 164.528. Klaim also makes its internal practices, books, and records relating to PHI available to the Secretary of Health and Human Services for compliance review.

The BAA remains in effect for as long as Klaim handles PHI on the Covered Entity's behalf. The Covered Entity may terminate the agreement if Klaim materially breaches a term and fails to cure it within the period specified in the agreement.

On termination, Klaim returns or destroys all PHI it maintains on the Covered Entity's behalf, where feasible. Where return or destruction is not feasible, Klaim extends the protections of the BAA to that PHI and limits further uses and disclosures to the purposes that make return or destruction infeasible.

A BAA is provided as part of onboarding, and our team will walk you through it alongside your setup. To request a copy or get started, contact hello@klaim.com or +1 833 410-0950.