Tooth Teller, LLC
Exhibit B – Business Associate Agreement

Effective Date: As of July 1, 2025
Latest Revision Date: N/A

THIS BUSINESS ASSOCIATE AGREEMENT (“BAA”) is entered into concurrently with and as Exhibit B to the Customer Master Terms of Service (“Terms of Service”) between Customer and Tooth Teller (“Business Associate”).  This BAA is subject to and incorporates the terms of the Terms of Service by reference and is effective as of the Effective Date of the Terms of Service.  Collectively, the Terms of Service, this BAA and all attachments, exhibits, and schedules thereto shall be referred to as the “Agreement”.

RECITALS

WHEREAS, Business Associate will provide Services to Customer that may involve the use, disclosure, receipt, transmission, maintenance, and/or creation of Protected Health Information; and

WHEREAS, Customer and Business Associate wish to set forth their understanding with regard to the use and disclosure of Protected Health Information in compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations set forth at 45 C.F.R. Part 160, 162, and 164 (“HIPAA”) as supplemented by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), implemented as part of the American Recovery and Reinvestment Act of 2009 (collectively, the “HIPAA Rules”).

NOW, THEREFORE, in consideration of the Parties’ continuing obligations under the Agreement, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree to the provisions of this BAA.

Except as otherwise defined in the Agreement, including this BAA, any and all capitalized terms in this BAA shall have the definitions set forth in the HIPAA Rules.  In the event of an inconsistency between the provisions of this BAA and mandatory provisions of the HIPAA Rules, as amended, the HIPAA Rules in effect at the time shall control.  Where provisions of this BAA are different than those mandated by the HIPAA Rules, but are nonetheless permitted by the HIPAA Rules, the provisions of this BAA shall control.

I. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

  1. Business Associate may use or disclose Protected Health Information to perform the Services and associated activities and functions for, or on behalf of, Customer as specified in the Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Customer.
  2. Business Associate may use Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of Business Associate, provided that such uses are permitted under state and federal confidentiality Laws.
  3. Business Associate may disclose Protected Health Information in its possession to third parties for the purposes of its proper management and administration or to fulfill any present or future legal responsibilities of Business Associate, provided that:
    1. the disclosures are Required by Law; or
    2. Business Associate obtains reasonable assurances from the third parties to whom the Protected Health Information is disclosed that the information will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party, and that such third parties will notify Business Associate of any instances of which they are aware in which the confidentiality of the information has been breached.
  4. Business Associate may access, use, or request only the minimum necessary amount of Protected Health Information to accomplish the intended purpose of the access, use, or request.
  5. Business Associate may de-identify Protected Health Information in accordance with 45 C.F.R. § 164.514(b) for its own commercial purposes permitted under applicable Laws.
  6. Business Associate may use Protected Health Information to provide Data Aggregation services to Customer as permitted by 45 CFR § 164.504(e)(2)(i)(B) to the extent expressly required pursuant to the Agreement.

II. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

  1. Business Associate agrees not to use or further disclose Protected Health Information other than as permitted or required by this BAA or the Agreement or as Required by Law.
  2. Business Associate shall use and maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent uses and disclosures of Protected Health Information other than as permitted in this BAA. In addition, Business Associate agrees to comply with the applicable requirements of 45 C.F.R. Part 164 Subpart C with respect to Electronic Protected Health Information and any guidance issued by the Secretary of the Department of Health and Human Services (the “Secretary”).
  3. Business Associate shall require each subcontractor that creates, receives, maintains, or transmits Protected Health Information on its behalf to enter into a business associate agreement containing substantially similar, but not less restrictive, restrictions on access, use, and disclosure of Protected Health Information as those applicable to Business Associate under this Agreement. Furthermore, to the extent that Business Associate provides Electronic Protected Health Information to a subcontractor, Business Associate shall require such subcontractor to comply with all applicable provisions of 45 C.F.R. Part 164, Subpart C.
  4. If Business Associate maintains a Designated Record Set on behalf of Covered Entity, at the request of Covered Entity and in a reasonable time and manner, Business Associate agrees to make available Protected Health Information required for Covered Entity to respond to an Individual’s request for access to his or her Protected Health Information in accordance with 45 C.F.R. § 164.524.
  5. If Business Associate maintains a Designated Record Set on behalf of Covered Entity, at the request of Covered Entity and in a reasonable time and manner, Business Associate agrees to make available Protected Health Information required for amendment by Covered Entity in accordance with the requirements of 45 C.F.R. § 164.526.
  6. Business Associate agrees to document any disclosures of Protected Health Information and to make Protected Health Information and other such information available for purposes of an accounting of disclosures, as required by 45 C.F.R. § 164.528.
  7. If Business Associate is to carry out one or more of Customer’s obligations under 45 C.F.R. Part 164, Subpart E, Business Associate shall comply with the requirements of Subpart E that apply to Customer in the performance of such obligation(s).
  8. To the extent Customer notifies Business Associate of a restriction request granted by Customer that would limit Business Associate’s use or disclosure of Protected Health Information, Business Associate will comply with the restriction.
  9. Business Associate agrees that it will make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Customer, available to the Secretary, in a time and manner designated by the Secretary, to enable the Secretary to determine Business Associate’s or Customer’s compliance with the HIPAA Rules. Business Associate also shall cooperate with the Secretary and, upon the Secretary’s request, pursuant to 45 C.F.R. § 160.310, shall disclose Protected Health Information to the Secretary to enable the Secretary to investigate and review Business Associate’s or Customer’s compliance with the HIPAA Rules.

III. IMPROPER USE OR DISCLOSURE; SECURITY INCIDENT; BREACH

  1. Business Associate shall report to Customer in writing any access, use, or disclosure of Protected Health Information not permitted by this BAA, any Security Incident, and any Breach of which it becomes aware or which it discovers without unreasonable delay after discovery. This Section shall hereby serve as notice, and no additional reporting shall be required, of any Unsuccessful Security Incidents.  For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, use, or disclosure of Protected Health Information.
  2. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known by, or by exercising reasonable diligence would have been known to, any person, other than the person committing the Breach, who is an employee, officer, or other agent of Business Associate.
  3. Any report of Breach required by this Section shall include the information specified in 45 CFR § 164.410 and such other information as Customer requires.
  4. Business Associate shall promptly provide Customer with updates of information concerning the details of any unauthorized access, use, or disclosure of Protected Health Information, Security Incident, or Breach.
  5. Business Associate shall perform a preliminary risk assessment immediately following the discovery of any unauthorized access, use, or disclosure of Protected Health Information. Such preliminary risk assessment must take into account those factors set forth in 45 CFR § 164.402 as well as such other factors as Customer reasonably requests.  The results of such preliminary risk assessment shall be provided to Customer in writing without unreasonable delay and in no case later than fifteen (15) days from the date of discovery of the unauthorized access, use, or disclosure of Protected Health Information.  Business Associate shall promptly provide Company with updates of information material to a risk assessment undertaken by Customer.
  6. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA, a Security Incident, or a Breach.
  7. Unless otherwise agreed in writing by the Parties, it is the sole responsibility of Customer to notify individuals of any Breach. Business Associate shall cooperate with Customer in the provision of any such notification.

IV. OBLIGATIONS OF CUSTOMER

  1. As applicable, and upon request of Business Associate, Customer shall provide Business Associate with the notice of privacy practices that Customer produces in accordance with 45 C.F.R. § 164.520.
  2. Customer shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes could reasonably be expected to affect Business Associate’s permitted or required uses and disclosures.
  3. Customer shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information to which Customer has agreed in accordance with 45 C.F.R. § 164.522, and Customer shall inform Business Associate of the termination of any such restriction, and the effect that such termination shall have, if any, upon Business Associate’s use and disclosure of such Protected Health Information.

V. TERM AND TERMINATION

  1. Term. The Term of this BAA shall be effective as of the Effective Date and shall terminate upon the later of the following events: (i) in accordance with Section V(C), when all of the Protected Health Information provided by Customer to Business Associate or created or received by Business Associate on behalf of Customer is returned to Customer or destroyed or, if such return or destruction is infeasible, when protections are extended to such information; or (ii) upon termination of the Agreement.
  2. Termination for Cause. Customer may immediately terminate this BAA in the event that Business Associate materially breaches any provision of this BAA, provided that, if cure is possible,  Customer will provide Business Associate the ability to reasonably cure or take substantial steps to cure such material breach within thirty (30) days after receipt of written notice from Customer. 
  3. Effect of Termination. Upon termination, if feasible, Business Associate shall return or destroy all Protected Health Information that Business Associate still maintains in any form and shall retain no copies of such information.  Prior to doing so, Business Associate further agrees to recover any Protected Health Information in the possession of its subcontractors or agents.  If it is infeasible to return or destroy Protected Health Information, Business Associate shall provide to Customer notification of the conditions that make return or destruction of Protected Health Information infeasible and Business Associate shall continue to extend the protections of this Agreement to such Protected Health Information, and limit further use of such Protected Health Information solely to those purposes that make the return or destruction of such Protected Health Information infeasible.  The provisions of this Section shall survive the expiration or termination of this BAA.

VI. MISCELLANEOUS

  1. Indemnification. Each Party shall indemnify and hold the other harmless from and against all third-party claims, liabilities, judgments, fines, assessments, penalties, awards, or other reasonable expenses, including, without limitation, reasonable attorneys’ fees, expert witness fees, and costs of investigation, litigation or dispute resolution, arising out of any Breach, violation of Laws or material breach of this BAA caused by that Party.
  2. Limitation of Liability. Neither Party will be responsible or liable to the other in contract, in tort, or otherwise for any special, indirect, incidental, consequential, or punitive damages arising from any aspect of its performance of this BAA, including, but not limited to, damage to or loss of property, loss of product, profits or revenues, damage to or loss from operation or non-operation of business, or claims of customers. Business Associate’s total liability for any and all claims or reimbursable expenses arising out of or related to this Agreement shall not exceed the total fees paid by Customer to Business Associate during the twelve (12)-month period before the liability or claim arose.
  3. No Rights in Third Parties. Except as expressly stated herein or in the HIPAA Rules, the Parties to this BAA do not intend to create any rights in any third parties.
  4. Survival. The obligations of Business Associate under Section V(C) of this BAA shall survive the expiration, termination, or cancellation of this BAA, the Agreement, and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein. 
  5. Amendment to Comply With Laws. The Parties acknowledge that it may be necessary to amend this BAA to comply with modifications to the HIPAA Rules, including but not limited to statutory or regulatory modifications or interpretations by a regulatory agency or court of competent jurisdiction.  The Parties agree to use good faith efforts to develop and execute any amendments to this BAA as may be required by any such modifications.
  6. Assignment. Neither Party may assign its respective rights and obligations under this BAA without the prior written consent of the other Party, provided, however, that Business Associate may assign this Agreement without the consent of the other Party to an affiliate or in conjunction with a merger, reorganization, consolidation, change of control or sale of all or substantially all of its assets. Subject to the requirements of this paragraph, this BAA shall be binding upon and inure to the benefit of the respective successors and permitted assigns of the Parties. 
  7. Independent Contractor. None of the provisions of this BAA are intended to create, nor will they be deemed to create, any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this BAA and any other agreements between the Parties evidencing their business relationship.  Nothing in this BAA creates or is intended to create an agency relationship.
  8. Governing Law. To the extent this BAA is not governed exclusively by the HIPAA Rules or other provisions of federal statutory or regulatory Laws, this BAA will be governed by and construed in accordance with the Laws governing the Agreement.
  9. No Waiver. No change, waiver, or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.
  10. Interpretation. Any ambiguity of this BAA shall be resolved in favor of a meaning that permits Customer and Business Associate to comply with the HIPAA Rules.
  11. Severability. In the event that any provision of this BAA is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this BAA will remain in full force and effect.
  12. Section Headings. The paragraph headings in this BAA are for convenience only. They form no part of this BAA and shall not affect its interpretations.
  13. Notice. Any notice required under the terms of this BAA, including notifications of breach, should be made in writing and without unreasonable delay in accordance with Section 13(K) of the Order.
  14. Entire Agreement; Amendments; Conflict; Amendment. This BAA constitutes the entire understanding of the Parties with respect to the subject matter hereof and supersedes and amends all prior business associate agreements.  There are no other representations, understandings, or agreements between the Parties relative to this BAA’s subject matter. No amendment to, or change, waiver, or discharge of, any provisions of this BAA will be valid unless in writing and signed by an authorized representative of the Party against which such amendment, change, waiver, or discharge is sought to be enforced. In the event of any inconsistency between this BAA and the Terms of Service and any other attachments, exhibits, and schedules thereto concerning the use and disclosure of Protected Health Information and the Parties’ obligations with respect thereto, the terms of this BAA and any amendments thereto shall control.