Business Associate Agreement
Between Jins Tech Corporation, d/b/a KwickOS, operator of KwickPhone ("Business Associate") and the customer identified at signing ("Covered Entity"). Sample dated June 24, 2026.
This Business Associate Agreement ("Agreement") supplements and is made part of the services agreement between the parties. It governs Business Associate's handling of Protected Health Information ("PHI") on behalf of Covered Entity and is intended to satisfy the Business Associate requirements of HIPAA, the HITECH Act, and 45 CFR Parts 160 and 164.
1. Definitions
Terms used but not defined here have the meaning given in 45 CFR Parts 160 and 164, including "Breach," "Protected Health Information" (PHI), "Electronic PHI" (ePHI), "Required by Law," "Security Incident," and "Unsecured PHI."
2. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only (a) to perform the services described in the underlying services agreement, (b) as Required by Law, and (c) for Business Associate's proper management and administration or to carry out its legal responsibilities, provided any such disclosure is Required by Law or made under reasonable confidentiality assurances. Business Associate will not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
3. Safeguards
Business Associate will implement and maintain administrative, physical, and technical safeguards (including those required by the HIPAA Security Rule for ePHI) that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI it creates, receives, maintains, or transmits on behalf of Covered Entity, and will use appropriate safeguards to prevent use or disclosure of PHI other than as permitted by this Agreement.
4. Reporting
Business Associate will report to Covered Entity (a) any use or disclosure of PHI not permitted by this Agreement of which it becomes aware, (b) any Security Incident, and (c) any Breach of Unsecured PHI, without unreasonable delay and in no case later than the timelines required by 45 CFR 164.410 (and in any event within sixty (60) days of discovery), with the information required to support Covered Entity's notification obligations.
5. Subcontractors
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and conditions at least as protective as those that apply to Business Associate under this Agreement.
6. Individual Rights
To the extent Business Associate maintains PHI in a Designated Record Set, it will, within reasonable timeframes: make PHI available for access (45 CFR 164.524); make PHI available for amendment and incorporate amendments (45 CFR 164.526); and provide an accounting of disclosures (45 CFR 164.528). Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's compliance.
7. Term and Termination
This Agreement is effective on the date the underlying services agreement begins and continues until all PHI is returned or destroyed. Covered Entity may terminate if Business Associate materially breaches this Agreement and fails to cure within a reasonable period after notice.
8. Return or Destruction of PHI
On termination, Business Associate will return or destroy all PHI it maintains on behalf of Covered Entity if feasible. Where return or destruction is not feasible, Business Associate will extend the protections of this Agreement to such PHI and limit further use or disclosure to those purposes that make return or destruction infeasible.
9. Miscellaneous
The parties will amend this Agreement as necessary to comply with changes to HIPAA. There are no third-party beneficiaries. Sections that by their nature should survive termination (including Section 8) survive. This Agreement is governed by the laws of the State of [STATE — confirmed at signing]. In the event of a conflict between this Agreement and the underlying services agreement regarding PHI, this Agreement controls.
This sample is provided for informational review only and is not legal advice. The operative agreement is the version executed by both parties at onboarding.