Business Associate Agreement

1. Purpose

This Business Associate Agreement ("BAA") is entered into between the franchise partner ("Covered Entity") and Wellness Projection Lab LLC ("Business Associate") to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and their implementing regulations (collectively, "HIPAA Rules").

2. Definitions

Protected Health Information (PHI): Any individually identifiable health information transmitted or maintained in any form or medium, including electronic PHI (ePHI).

Business Associate: Wellness Projection Lab LLC, which creates, receives, maintains, or transmits PHI on behalf of the Covered Entity through the Platform.

Covered Entity: The franchise partner who uses the Platform to manage patient/client health information.

3. Obligations of Business Associate

Business Associate agrees to:

• Not use or disclose PHI other than as permitted by this BAA or as required by law
• Implement administrative, physical, and technical safeguards to protect ePHI
• Report any security incident or breach of unsecured PHI within 72 hours of discovery
• Ensure that subcontractors who access PHI agree to the same restrictions
• Make PHI available to individuals who request access under HIPAA
• Make PHI available for amendment upon request
• Maintain and make available an accounting of disclosures
• Make internal practices and records available to the Secretary of HHS for compliance review

4. Security Measures

Business Associate implements the following security measures:

• Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
• Access Controls: Role-based access with individual authentication required for each user
• Audit Logging: All access to PHI is logged with user ID, timestamp, and action type
• Infrastructure: Hosted on SOC 2 Type II certified cloud infrastructure (Google Cloud Platform)
• Backups: Automated daily backups with 30-day retention
• Employee Training: All WPL personnel complete HIPAA training annually

5. Breach Notification

In the event of a breach of unsecured PHI, Business Associate will:

• Notify Covered Entity within 72 hours of discovery
• Provide the identity of affected individuals (if known)
• Describe the nature of the breach and types of PHI involved
• Describe the steps being taken to mitigate harm and prevent future breaches
• Cooperate with Covered Entity's breach notification obligations

6. Obligations of Covered Entity

Covered Entity agrees to:

• Obtain necessary consents from patients/clients for the use of the Platform
• Notify Business Associate of any restrictions on use or disclosure of PHI
• Not request Business Associate to use or disclose PHI in violation of HIPAA Rules
• Ensure staff accounts use individual credentials (no shared logins)
• Remove staff access promptly upon termination of employment

7. Term and Termination

This BAA remains in effect for the duration of the Franchise Service Agreement. Upon termination:

• Business Associate will return or destroy all PHI within 30 days
• If return or destruction is not feasible, protections under this BAA continue
• Business Associate will certify in writing that PHI has been returned or destroyed

8. Miscellaneous

Amendment: This BAA shall be amended as necessary to comply with changes in HIPAA Rules.

Survival: Obligations regarding PHI protection survive termination of this BAA.

Governing Law: This BAA is governed by HIPAA Rules and the laws of the State of New Jersey.