Business Associate Agreement

Effective Date: March 21, 2026 · FLPT.AI (FLPT AI LLC)

This Business Associate Agreement ("BAA") is entered into between FLPT AI LLC ("Business Associate" or "FLPT.AI") and the covered entity identified below ("Covered Entity"), collectively referred to as the "Parties." This BAA supplements and is made part of the service agreement between the Parties governing use of FLPT.AI's VoIP and communications platform.

1. Definitions

Terms used but not defined in this BAA have the meanings given in the HIPAA Rules (45 C.F.R. Parts 160 and 164). Key terms include:

  1. Protected Health Information (PHI) — individually identifiable health information transmitted or maintained in any form.
  2. Electronic PHI (ePHI) — PHI transmitted or maintained in electronic media.
  3. HIPAA Rules — the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164.
  4. Services — VoIP calling, voicemail, call recording, and related communications services provided by FLPT.AI.

2. Obligations of FLPT.AI (Business Associate)

FLPT.AI agrees to:

  1. Use or disclose PHI only as permitted by this BAA or required by law.
  2. Use appropriate safeguards to prevent unauthorized use or disclosure of PHI.
  3. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI in accordance with 45 C.F.R. Part 164, Subpart C.
  4. Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any Security Incident or Breach of Unsecured PHI, without unreasonable delay and no later than 60 days after discovery.
  5. Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of FLPT.AI agree to the same restrictions and conditions as apply to FLPT.AI.
  6. Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with HIPAA.
  7. Upon termination, return or destroy all PHI received from or created on behalf of Covered Entity, if feasible.

3. Permitted Uses and Disclosures

FLPT.AI may use or disclose PHI only to:

  1. Perform the Services specified in the service agreement.
  2. Carry out its legal responsibilities as required by law.
  3. Carry out the proper management and administration of FLPT.AI, provided disclosures are required by law or FLPT.AI obtains reasonable assurances of confidentiality.

FLPT.AI shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by the Covered Entity, except as permitted under this Section 3.

4. Obligations of Covered Entity

Covered Entity agrees to:

  1. Notify FLPT.AI of any limitation in its Notice of Privacy Practices that may affect FLPT.AI's use or disclosure of PHI.
  2. Notify FLPT.AI of any changes in, or revocation of, an individual's authorization that may affect FLPT.AI's permitted uses or disclosures.
  3. Not request FLPT.AI to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules.
  4. Obtain any authorizations required by the HIPAA Privacy Rule for disclosures of PHI to FLPT.AI.

5. Technical Safeguards in Place

FLPT.AI currently maintains the following technical controls relevant to ePHI:

  1. Encryption at rest — all storage (servers, databases, media files) encrypted using AES-256 via AWS KMS.
  2. Encryption in transit — all data transmitted over TLS 1.2+; database connections require SSL.
  3. Access controls — JWT-based authentication with unique session tokens; brute-force lockout after failed attempts.
  4. Audit logging — all AWS API activity logged via AWS CloudTrail; application errors logged to AWS CloudWatch.
  5. Backup — automated daily database backups retained for 30 days.
  6. Subcontractors — infrastructure hosted on AWS (BAA signed). No other subcontractors process PHI.

6. Term and Termination

This BAA is effective as of the date Covered Entity accepts the FLPT.AI terms of service and remains in effect for the duration of the service relationship. Either party may terminate this BAA if the other party materially breaches a provision and fails to cure within 30 days of written notice. Upon termination, FLPT.AI shall return or destroy all PHI within 60 days, if feasible. If return or destruction is not feasible, FLPT.AI shall extend the protections of this BAA to the PHI and limit further uses and disclosures.

7. Miscellaneous

  1. Amendment. The Parties agree to amend this BAA as necessary to comply with changes in HIPAA Rules.
  2. No Third-Party Beneficiaries. Nothing in this BAA confers any rights or remedies upon any person other than the Parties.
  3. Governing Law. This BAA shall be governed by applicable federal law and the laws of the state where Covered Entity is located.
  4. Entire Agreement. This BAA, together with the service agreement, constitutes the entire agreement between the Parties with respect to PHI and supersedes all prior agreements on this subject.

8. Contact for HIPAA Matters

To report a security incident, request PHI deletion, or raise HIPAA-related concerns, contact FLPT.AI at:
[email protected]

Signatures
Business Associate
Signature
Name: ________________________
Title: _________________________
Date: _________________________
FLPT AI LLC
Covered Entity
Signature
Name: ________________________
Title: _________________________
Date: _________________________
Organization: _________________