Mikey AI

Mikey AI, Inc.

Business Associate Agreement

HIPAA-Compliant · 45 C.F.R. §§ 164.502(e) and 164.504(e)

Effective upon electronic acceptance · Last Updated March 1, 2026

Parties

This Business Associate Agreement ("Agreement") is entered into between:

  • Business Associate: Mikey AI, Inc., a Delaware corporation ("BA"), providing prior authorization management and EHR integration services.
  • Covered Entity: The healthcare provider or practice whose authorized representative accepts this Agreement through the Mikey AI platform ("CE").

Background

CE is a Covered Entity under HIPAA, as amended by the HITECH Act, and their implementing regulations (the "HIPAA Rules"). In providing its Services, BA may create, receive, maintain, or transmit Protected Health Information on behalf of CE. This Agreement establishes permitted uses, disclosures, and obligations of each party pursuant to 45 C.F.R. §§ 164.502(e) and 164.504(e).

1. Definitions

Capitalized terms not defined here have the meanings in the HIPAA Rules (45 C.F.R. Parts 160 and 164).

"PHI"Protected Health Information that BA creates, receives, maintains, or transmits on behalf of CE.
"ePHI"PHI that is created, received, maintained, or transmitted in electronic form.
"Services"Prior authorization management, EHR integration, AI-assisted form generation, and related services provided through Mikey AI.
"Breach"Unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy, per 45 C.F.R. § 164.402.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

BA may use or disclose PHI only: (a) as necessary to provide the Services; (b) for BA's proper management and legal obligations; (c) as required by law; or (d) as authorized in writing by CE.

2.2 Safeguards

BA shall implement appropriate administrative, physical, and technical safeguards to protect PHI and shall comply with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) with respect to ePHI.

2.3 Reporting

BA shall notify CE of any unauthorized use or disclosure of PHI, any Security Incident, or any Breach of Unsecured PHI — in no case later than 60 calendar days after discovery.

2.4 Subcontractors

BA shall require all subcontractors that handle PHI to agree in writing to restrictions at least as stringent as those in this Agreement.

2.5 Individual Rights

BA shall support CE in fulfilling individual rights to access, amendment, accounting of disclosures, and restriction as required by the HIPAA Privacy Rule.

2.6 Minimum Necessary

BA shall use, disclose, or request only the minimum PHI necessary to accomplish the intended purpose, per 45 C.F.R. § 164.502(b).

2.7 HHS Access

BA shall make its practices, books, and records relating to PHI available to the HHS Secretary for compliance purposes.

3. Obligations of Covered Entity

CE shall:

  1. Notify BA of any limitations in its Notice of Privacy Practices that may affect BA's use or disclosure of PHI;
  2. Notify BA of changes in or revocations of individual authorization that affect BA's permitted uses;
  3. Not request BA to use or disclose PHI in any manner that would violate the HIPAA Rules; and
  4. Obtain all required authorizations and consents before providing individual PHI to BA.

4. De-Identified Data

BA may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(b). Data that has been properly de-identified is no longer PHI and is not subject to this Agreement or the HIPAA Rules. For details on how Mikey AI uses de-identified and aggregated data, see the Terms of Service.

5. Term and Termination

5.1 Term

Effective upon electronic acceptance and continues for as long as BA provides Services to CE.

5.2 Termination for Cause

Upon material breach by BA, CE shall provide written notice. BA has 30 days to cure. If uncured, CE may terminate immediately. Either party may terminate without cause on 30 days' written notice.

5.3 Effect of Termination

Upon termination, BA shall return or securely destroy all PHI it holds and certify destruction in writing. Where return or destruction is not feasible, BA shall continue to protect the PHI and limit further use accordingly.

6. General

6.1 Amendment

The parties will amend this Agreement as necessary to comply with changes in applicable law.

6.2 Survival

BA's obligations to protect PHI and the effect-of-termination provisions survive termination of this Agreement.

6.3 No Third-Party Beneficiaries

Nothing in this Agreement confers rights upon any person other than the parties and their successors.

6.4 Governing Law

This Agreement is governed by the laws of Delaware and applicable federal law.

6.5 Entire Agreement

This Agreement, together with any applicable Terms of Service, constitutes the entire agreement regarding PHI. In the event of conflict, this Agreement controls.

6.6 Severability

If any provision is found invalid or unenforceable, the remaining provisions continue in full force.

6.7 Electronic Acceptance

Acceptance through the Mikey AI platform constitutes a legally binding signature for purposes of this Agreement.

Mikey AI, Inc. · Business Associate Agreement · Last Updated March 1, 2026

Questions? legal@mikeyai.com