Business Associate Agreement
When an audit engagement touches a Covered Entity's Protected Health Information (PHI), kolm may act as a Business Associate under 45 CFR Parts 160 and 164. This agreement sets the permitted uses and disclosures of PHI, the safeguards we apply, and each party's obligations for the life of the engagement.
PHI is Protected Health Information: individually identifiable health data such as patient records or clinical notes. This agreement only switches on when an engagement actually involves PHI. The two cases below show when it does and does not apply.
You are a healthcare provider, plan, or clearinghouse, and the agent under review processes patient data you include in the evidence scope. A countersigned BAA is required before any PHI-bearing data enters scope.
The standard kolm audit does not require PHI. If no PHI is included, this agreement has no operative effect and the standard Terms and DPA govern the engagement.
1. Definitions
The following definitions apply throughout this Business Associate Agreement and are drawn from 45 CFR Part 160 and Subparts A and E of 45 CFR Part 164 unless a more specific definition is given below.
- Business Associate. kolm.ai ("kolm"), which provides AI-agent audit, attestation, and evidence services to Covered Entities and their downstream Business Associates. kolm is not itself a Covered Entity.
- Covered Entity. The healthcare provider, health plan, or healthcare clearinghouse that executes this Agreement and whose audit engagement may involve Protected Health Information (PHI).
- Protected Health Information (PHI). Individually identifiable health information, as defined at 45 CFR 160.103, created, received, maintained, or transmitted by kolm on behalf of the Covered Entity in the course of an audit engagement.
- Security Incident. The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system that processes PHI, as defined at 45 CFR 164.304.
- Subcontractor. A person or entity that creates, receives, maintains, or transmits PHI on behalf of kolm in support of an audit engagement. Subcontractors are listed at /trust.
2. Scope and applicability
This Business Associate Agreement applies when, and only when, a kolm audit engagement involves PHI belonging to the Covered Entity. kolm's standard agent-security audit process does not require access to PHI; this agreement covers regulated engagements where the Covered Entity chooses to include PHI-bearing data as part of the evidence scope. If no PHI is in scope, this agreement has no operative effect.
Engagements where PHI may be in scope include: AI-agent audits for healthcare providers or payors where the agent under review processes patient records; red-team assessments of systems that handle clinical notes or claims data; and audit-report generation where the evidence set includes PHI-derived inputs provided by the Covered Entity.
3. Permitted uses and disclosures of PHI
kolm may use or disclose PHI received from, or created on behalf of, the Covered Entity only as follows:
- As necessary to perform the audit services described in the master engagement agreement, including generating the cryptographically signed evidence report delivered to the Covered Entity.
- As required by applicable law, provided that kolm notifies the Covered Entity of the legal requirement prior to disclosure, to the extent permitted by that law.
- For the proper management and administration of kolm's operations, or to carry out legal responsibilities of kolm, provided the disclosure is required by law or kolm obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed, and that any breaches will be reported to kolm.
- To report violations of law to appropriate federal and state authorities, consistent with 45 CFR 164.502(j)(1).
PHI is processed only as permitted under this agreement and the applicable Security Rule safeguards. kolm will not use or disclose PHI for marketing purposes, for training shared or general-purpose models, or for any purpose not expressly permitted by this agreement or required by law.
4. Safeguards
kolm will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI that kolm creates, receives, maintains, or transmits on behalf of the Covered Entity, in accordance with 45 CFR Part 164 Subpart C (the Security Rule).
- Administrative safeguards (45 CFR 164.308). Risk analysis conducted prior to any engagement that is in scope; workforce training on PHI handling; designated security responsibility; and documented policies for PHI access control and incident response.
- Physical safeguards (45 CFR 164.310). Facility access controls, workstation use and security policies, and device and media controls governing any systems where PHI is temporarily processed during the audit engagement.
- Technical safeguards (45 CFR 164.312). Unique user identification, emergency access procedure, automatic log-off, encryption and decryption of PHI in transit and at rest, audit controls, integrity controls, and transmission security.
- Organizational requirements (45 CFR 164.314). Subcontractor agreements substantially equivalent to this agreement; policies and procedures maintained in written form; documentation retained for six years from creation or last effective date, whichever is later.
5. Subcontractor flow-down
To the extent that kolm uses a Subcontractor to create, receive, maintain, or transmit PHI on kolm's behalf in the course of an audit engagement, kolm will execute a written agreement with that Subcontractor requiring the Subcontractor to comply with the same restrictions, conditions, and requirements that apply to kolm under this Business Associate Agreement, consistent with 45 CFR 164.308(b)(3) and 164.314(a).
Subcontractors that may receive PHI in the course of an audit engagement are listed on the trust page at /trust. The Covered Entity will receive prior written notice before any new Subcontractor with potential PHI exposure is added to the engagement. If the Covered Entity objects to the addition of a Subcontractor within fourteen days of notice, the parties will work in good faith to resolve the objection; if the objection cannot be resolved, the Covered Entity may terminate the engagement without penalty with respect to the Subcontractor change.
6. Reporting of impermissible use or disclosure; Security Incidents
kolm will report to the Covered Entity any use or disclosure of PHI not provided for by this agreement of which kolm becomes aware. Reporting obligations are as follows:
- Breach of unsecured PHI. Written notice to the Covered Entity within thirty (30) calendar days of discovery by kolm, as required by 45 CFR 164.410. The notice will include the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; a brief description of what happened; the types of PHI involved; the steps individuals should take to protect themselves; a brief description of what kolm is doing to investigate, mitigate, and prevent further occurrences; and contact information for the Covered Entity's questions.
- Security Incidents. kolm will report Security Incidents to the Covered Entity within thirty (30) calendar days of discovery. Unsuccessful security incidents (e.g., pings, port scans, and similar probes that do not result in access to PHI) are reported in summary form on a quarterly basis.
- Impermissible use or disclosure. Any other use or disclosure of PHI not permitted by this agreement will be reported to the Covered Entity within thirty (30) calendar days of discovery. Notification under this subsection does not itself constitute a determination that a breach requiring individual notification has occurred; that determination remains with the Covered Entity.
7. Access, amendment, and accounting of disclosures
7.1 Access by the Covered Entity
To the extent kolm maintains PHI in a designated record set on behalf of the Covered Entity, kolm will make such PHI available to the Covered Entity or, at the Covered Entity's direction, to the applicable individual within ten (10) business days of a written request, so as to enable the Covered Entity to meet its obligations under 45 CFR 164.524. PHI held by kolm in the course of an audit engagement is not ordinarily part of a designated record set; if the Covered Entity instructs kolm that certain PHI is part of such a set, kolm will treat it accordingly.
7.2 Amendment
To the extent kolm maintains PHI in a designated record set on behalf of the Covered Entity, kolm will make such PHI available for amendment and will incorporate any amendments directed by the Covered Entity within ten (10) business days of a written request, so as to enable the Covered Entity to meet its obligations under 45 CFR 164.526. Amendments are recorded with a tombstone entry in the audit trail; the original signed evidence report is not altered.
7.3 Accounting of disclosures
kolm will maintain and make available, within thirty (30) business days of a written request, the information required to provide an accounting of disclosures of PHI as necessary to enable the Covered Entity to respond to a request by an individual for an accounting under 45 CFR 164.528. kolm will retain records of PHI disclosures for six (6) years from the date of the disclosure or the last effective date of this agreement, whichever is later.
8. Return or destruction of PHI at termination
Upon termination of this agreement, kolm will, at the Covered Entity's election, either return to the Covered Entity all PHI received from or created on behalf of the Covered Entity, or destroy all such PHI and provide the Covered Entity with written certification of destruction. Return will be in a verifiable, machine-readable format; destruction will be via methods that render the PHI unreadable, indecipherable, and otherwise cannot be reconstructed. kolm will sign a destruction certificate for the Covered Entity's records.
The return or destruction will be completed within thirty (30) calendar days of the termination effective date. If return or destruction is not feasible, kolm will extend the protections of this agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for as long as kolm retains the PHI.
9. Term and termination
9.1 Term
This agreement is effective as of the date both parties execute the master engagement agreement and remains in effect until that agreement terminates or expires, unless terminated earlier under this section.
9.2 Termination for cause
Either party may terminate this agreement if the other party materially breaches a material provision of this agreement and fails to cure the breach within thirty (30) calendar days of receiving written notice specifying the breach. The Covered Entity may terminate immediately upon written notice to kolm if the Covered Entity determines that a cure is not possible.
9.3 Effect of termination
Sections 3 (Permitted uses and disclosures), 4 (Safeguards), 7.3 (Accounting of disclosures), and 8 (Return or destruction) survive termination. Upon termination, the obligations in Section 8 apply immediately.
10. Miscellaneous
10.1 Governing law
This agreement is governed by the laws of the State of Delaware, without regard to conflict-of-laws principles, except to the extent federal law (including HIPAA, 45 CFR Parts 160 and 164) preempts or supersedes state law. For federal agency customers, state government customers, and customers in jurisdictions where local rules require a different governing law, the parties will negotiate an appropriate modification.
10.2 Indemnification
Each party will indemnify, defend, and hold harmless the other party from and against claims, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or relating to the indemnifying party's breach of this agreement or negligent or willful acts or omissions in connection with its obligations under this agreement. Liability caps and carve-outs are negotiated in the master engagement agreement; this agreement does not impose or waive any caps on its own.
10.3 Regulatory compliance
This agreement is intended to comply with HIPAA and the HITECH Act as implemented in 45 CFR Parts 160 and 164. To the extent any provision of this agreement conflicts with an applicable requirement of those regulations, the regulations control. The parties will amend this agreement as necessary to comply with changes in applicable law.
10.4 No third-party beneficiaries
This agreement is for the sole benefit of the Covered Entity and kolm and does not create any rights in any third party, except as required by applicable law.
10.5 Entire agreement
This Business Associate Agreement, together with the master engagement agreement into which it is incorporated, constitutes the entire agreement of the parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, or agreements relating to the same subject matter.
11. How to execute this agreement
Regulated engagements involving PHI require a countersigned copy of this agreement before any PHI-bearing data is included in the audit scope. The process is as follows:
- Email dev@kolm.ai with your legal entity name, whether you are a Covered Entity or a downstream Business Associate, and whether you would like the kolm template or prefer to provide your own for redline. The contact form at /contact may also be used.
- kolm will deliver the template the same business day. Material redlines are returned within five business days of receipt.
- A countersigned PDF is returned within two business days of agreed final text. A sales call is not required to execute the agreement.
- Once the agreement is in place, you are added to the Subcontractor notice list so that any future subprocessor change with PHI exposure reaches you with the prior notice this agreement requires.
- For OCR audits, IRB reviews, or downstream Covered Entity evidence requests, kolm responds to written evidence requests within five business days. The signed evidence report is verifiable offline; many audit questions resolve at that layer without further correspondence.
All BAA inquiries and breach reports go to dev@kolm.ai. Inquiries are acknowledged within one business day.
Start a regulated engagement.
For audit engagements that involve Protected Health Information, email us to initiate the BAA process. No sales call required to countersign.
Scope is contractual. Permission posture, redaction and audit-trail integrity are assessed. Injection is tested and reported, not warranted.
One email starts the paperwork.
The template arrives the same business day, and a countersigned PDF follows within two business days of final text.