Last updated: May 29, 2026 · Effective upon electronic acceptance during account registration
This Business Associate Agreement ("Agreement") is entered into as of the date accepted during account registration ("Effective Date"), by and between the healthcare practice or individual provider identified in the BrightPath-IQ account registration ("Covered Entity") and BrightPath-IQ, LLC, a Wyoming limited liability company ("Business Associate" or "BrightPath-IQ"). This Agreement is incorporated into and made a part of the BrightPath-IQ Terms of Service.
WHEREAS, Business Associate provides practice management, session tracking, clinical documentation, and related software services to Covered Entity (the "Services");
WHEREAS, in connection with providing the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity;
WHEREAS, the parties intend to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations;
NOW, THEREFORE, in consideration of the mutual promises set forth herein, the parties agree as follows:
Terms used but not otherwise defined in this Agreement shall have the same meaning as in 45 C.F.R. Parts 160 and 164.
1.1 "Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the Protected Health Information, as defined in 45 C.F.R. § 164.402.
1.2 "Business Associate" has the meaning given in 45 C.F.R. § 160.103.
1.3 "Covered Entity" has the meaning given in 45 C.F.R. § 160.103.
1.4 "Data Aggregation" has the meaning given in 45 C.F.R. § 164.501.
1.5 "Designated Record Set" has the meaning given in 45 C.F.R. § 164.501.
1.6 "Disclosure" has the meaning given in 45 C.F.R. § 160.103.
1.7 "Electronic Protected Health Information" or "ePHI" means Protected Health Information that is created, received, maintained, or transmitted in electronic form.
1.8 "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164.
1.9 "Protected Health Information" or "PHI" has the meaning given in 45 C.F.R. § 160.103, limited to the information Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
1.10 "Required by Law" has the meaning given in 45 C.F.R. § 164.103.
1.11 "Secretary" means the Secretary of the U.S. Department of Health and Human Services or the Secretary's designee.
1.12 "Security Incident" has the meaning given in 45 C.F.R. § 164.304.
1.13 "Subcontractor" has the meaning given in 45 C.F.R. § 160.103.
1.14 "Unsecured PHI" has the meaning given in 45 C.F.R. § 164.402.
2.1 Services. Business Associate may use or disclose PHI as necessary to perform the Services described in the Terms of Service, provided such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.
2.2 Operations. Business Associate may use PHI for Business Associate's proper management and administration, or to carry out Business Associate's legal responsibilities.
2.3 Disclosure for Management. Business Associate may disclose PHI to third parties for Business Associate's proper management and administration, provided: (a) the disclosure is Required by Law, or (b) Business Associate obtains reasonable assurances from the third party that the PHI will be held confidentially, used only for the purposes for which it was disclosed, and the third party will notify Business Associate of any Breach.
2.4 Data Aggregation. Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), solely in de-identified or aggregate form.
2.5 De-Identification. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(b). De-identified information is not PHI and is not subject to this Agreement.
3.1 Limitation of Use. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
3.2 Appropriate Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards, and comply with the HIPAA Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
3.3 Safeguards in Practice. Business Associate's current safeguards include, without limitation: (a) Encryption of ePHI at rest and in transit using industry-standard protocols (AES-256 / TLS 1.2+); (b) Role-based access controls limiting PHI access to authorized personnel; (c) Audit logging of access and modifications to PHI; (d) Multi-factor authentication for platform access; (e) Regular security assessments and vulnerability management.
3.4 Reporting of Impermissible Uses or Disclosures. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware.
3.5 Breach Notification. Business Associate shall notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a Breach. The notification shall include the identity of affected individuals, a description of the Breach, the types of PHI involved, recommended protective steps, and the steps Business Associate is taking to investigate and mitigate the Breach.
3.6 Subcontractors. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to restrictions and conditions at least as stringent as those in this Agreement by executing a written business associate agreement with such Subcontractor.
3.7 Access to PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available to Covered Entity as necessary to allow Covered Entity to respond to individuals' requests for access, in accordance with 45 C.F.R. § 164.524.
3.8 Amendment. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available for amendment and shall incorporate amendments as directed by Covered Entity, in accordance with 45 C.F.R. § 164.526.
3.9 Accounting of Disclosures. Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
3.10 Government Access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules.
3.11 Minimum Necessary. Business Associate shall, to the extent practicable, request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose.
4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation in Covered Entity's notice of privacy practices that affects Business Associate's permitted uses or disclosures.
4.2 Permissions. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, if such changes affect Business Associate's permitted uses or disclosures.
4.3 Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.
4.4 Lawful Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
4.5 Appropriate Use. Covered Entity is solely responsible for ensuring that the PHI it submits to the BrightPath-IQ platform has been collected and is being processed in compliance with applicable law, including HIPAA.
5.1 Term. This Agreement shall be effective as of the Effective Date and shall remain in effect until terminated in accordance with this Article or until the underlying Terms of Service expire or terminate.
5.2 Termination for Cause. Either party may terminate this Agreement immediately upon written notice if the other party has materially breached a provision of this Agreement and has not cured such breach within thirty (30) days of receiving written notice of the breach.
5.3 Effect of Termination — Return or Destruction. Upon termination of this Agreement for any reason, Business Associate shall, at the direction of Covered Entity: (a) return to Covered Entity all PHI Business Associate still maintains in any form; or (b) destroy all such PHI and certify in writing that it has been destroyed. If return or destruction is not feasible, Business Associate shall continue to extend the protections of this Agreement to the PHI.
5.4 Data Export. Covered Entity may export its data from the BrightPath-IQ platform at any time during the term of the Agreement using the data export features provided, or by contacting support@brightpathiq.com.
6.1 Regulatory References. Any reference in this Agreement to a section of the HIPAA Rules means the section as in effect or as amended.
6.2 Amendment. This Agreement may be amended by Business Associate upon thirty (30) days' written notice to Covered Entity to the extent necessary to comply with changes in the HIPAA Rules. Continued use of the Services after the notice period constitutes acceptance of the amended Agreement.
6.3 Survival. The respective rights and obligations of Business Associate with respect to the return or destruction of PHI shall survive termination of this Agreement.
6.4 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the HIPAA Rules.
6.5 No Third-Party Beneficiaries. Nothing in this Agreement shall confer any rights or remedies upon any person other than the parties and their respective successors and permitted assigns.
6.6 Governing Law. This Agreement shall be governed by the laws of the State of Wyoming, without regard to its conflict of law provisions, except to the extent preempted by federal law.
6.7 Entire Agreement. This Agreement, together with the BrightPath-IQ Terms of Service, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions.
6.8 Counterparts / Electronic Acceptance. This Agreement may be accepted electronically. Electronic acceptance during account registration or platform onboarding shall constitute a valid and binding signature for all purposes.
By checking the acceptance box during BrightPath-IQ registration or onboarding, Covered Entity acknowledges that it has read, understands, and agrees to be bound by this Business Associate Agreement.
| Covered Entity | Business Associate | |
|---|---|---|
| Name | As provided during registration | Durranie S. Wilkinson |
| Title | As provided during registration | Founder-CEO |
| Organization | As provided during registration | BrightPath-IQ, LLC |
| Date | Date of electronic acceptance | May 29, 2026 |
BrightPath-IQ — 10228 E Northwest Hwy, Unit 261, Dallas, TX 75238
Questions regarding this Agreement: support@brightpathiq.com · 214-302-7461