Business Associate Agreement

Between Trustora (Business Associate) and your agency (Covered Entity) · Last updated July 6, 2026

1. Parties and Purpose

This Business Associate Agreement (“Agreement”) is entered into between the healthcare agency accepting it during Trustora onboarding (the “Covered Entity”) and Trustora Healthcare (“Business Associate”). Trustora provides a practice-management, clinical-documentation, and billing platform through which it creates, receives, maintains, and transmits Protected Health Information (“PHI”) on the Covered Entity’s behalf. This Agreement satisfies the requirements of 45 CFR § 164.504(e) of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.

2. Definitions

Terms used but not otherwise defined in this Agreement — including PHI, electronic PHI (“ePHI”), Breach, Security Incident, Subcontractor, and Designated Record Set — have the meanings given in 45 CFR Parts 160 and 164.

3. Permitted Uses and Disclosures

Trustora may use or disclose PHI only: (a) to provide the platform services the Covered Entity has engaged it for — clinical documentation, service tracking, claim submission, remittance processing, eligibility verification, and related reporting; (b) as required by law; (c) for Trustora’s proper management and administration, provided any such disclosure is required by law or made with reasonable assurances of confidentiality; and (d) to provide data aggregation services relating to the Covered Entity’s health care operations. Trustora will not use or disclose PHI in any manner that would violate the Privacy Rule if done by the Covered Entity, and will limit uses and disclosures to the minimum necessary.

4. Safeguards

Trustora will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI it creates, receives, maintains, or transmits, in accordance with the Security Rule (45 CFR Part 164, Subpart C). These include encryption of PHI at rest and in transit, role-based access controls, and immutable audit logging.

5. Reporting and Breach Notification

Trustora will report to the Covered Entity any use or disclosure of PHI not permitted by this Agreement, any Security Incident of which it becomes aware, and any Breach of unsecured PHI as required by 45 CFR § 164.410 — without unreasonable delay and in no case later than 60 days after discovery. Breach reports will include, to the extent known, the identity of affected individuals and the nature of the PHI involved.

6. Subcontractors

Trustora will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on its behalf (for example, cloud hosting, clearinghouse, and secure messaging providers) agrees in writing to restrictions and conditions at least as restrictive as those that apply to Trustora under this Agreement, in accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2).

7. Individual Rights

To the extent Trustora holds PHI in a Designated Record Set, it will make that PHI available to the Covered Entity as needed to satisfy an individual’s right of access under 45 CFR § 164.524, incorporate amendments as directed under 45 CFR § 164.526, and document and make available the information required for an accounting of disclosures under 45 CFR § 164.528.

8. Availability to HHS

Trustora will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining the Covered Entity’s compliance with HIPAA.

9. Term and Termination

This Agreement takes effect when accepted during onboarding and continues while Trustora provides services to the Covered Entity. The Covered Entity may terminate this Agreement if Trustora materially breaches it and fails to cure within 30 days of written notice. Upon termination, Trustora will return or destroy all PHI received from or created on behalf of the Covered Entity where feasible; where return or destruction is not feasible (for example, audit records retained under regulatory requirements), Trustora will extend the protections of this Agreement to that PHI and limit further use and disclosure to the purposes that make return or destruction infeasible, for as long as it maintains the PHI.

10. Miscellaneous

Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA. This Agreement shall be amended as necessary to comply with changes in applicable law. Nothing in this Agreement creates rights in any third party.

For questions about this Agreement: support@trustora.com — Trustora Healthcare, Minneapolis, MN.