This Business Associate Agreement ("BAA") is entered into between VVY Technologies, Inc. (d/b/a Moxcares), a Delaware corporation with registered office at 131 Continental Dr, Suite 305, Newark, DE 19713 ("Business Associate"), and the healthcare clinic or provider organization that accepts this BAA ("Covered Entity"). It supplements, and is incorporated into, the Moxcares Terms of Service.
Effective Date: the date Covered Entity accepts this BAA during signup or onboarding.
1. Definitions
Terms used but not defined have the meanings in the HIPAA Rules (45 C.F.R. Parts 160 and 164). "PHI" means Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of a Covered Entity.
2. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only:
- to perform the services described in the Terms of Service (patient engagement, scheduling, intake, and related functions);
- as required by law;
- for the proper management and administration of Business Associate, and to carry out its legal responsibilities, provided any disclosure is required by law or made with reasonable assurances of confidentiality and breach-notification from the recipient.
Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted above.
3. Safeguards
Business Associate will implement administrative, physical, and technical safeguards (including those required by the HIPAA Security Rule for electronic PHI) that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI.
4. Reporting
Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BAA, any Security Incident, and any Breach of Unsecured PHI, without unreasonable delay and no later than 30 days after discovery, consistent with 45 C.F.R. § 164.410.
5. Subcontractors
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and conditions at least as stringent as those that apply to Business Associate (flow-down). Business Associate's current PHI subcontractors include Google Cloud Platform, Anthropic, Twilio, and Postmark, each engaged under a business associate agreement or equivalent.
6. Access, Amendment, and Accounting
Business Associate will make PHI available to Covered Entity (or the individual) as needed for Covered Entity to meet its HIPAA obligations regarding individual access (§ 164.524), amendment (§ 164.526), and accounting of disclosures (§ 164.528).
7. Availability to HHS
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for determining Covered Entity's compliance.
8. Return or Destruction on Termination
On termination, Business Associate will return or destroy all PHI it maintains on behalf of Covered Entity where feasible. Where return/destruction is not feasible, Business Associate will extend protections and limit further use. This obligation interacts with the platform's retention posture (approximately seven years for healthcare recordkeeping per the Privacy Policy); the parties will reconcile the "return or destroy on termination" obligation with the recordkeeping retention period and data-deletion procedures.
9. Term and Termination
This BAA is effective on the Effective Date and continues until all PHI is returned or destroyed or protections are extended. Covered Entity may terminate if Business Associate materially breaches and fails to cure.
10. Miscellaneous
Governing law, interpretation in favor of HIPAA compliance, amendment to maintain compliance, and survival.
11. Limitation of Liability; Relationship to the Terms of Service
This BAA supplements and is incorporated into the Moxcares Terms of Service. Except as required by the HIPAA Rules, each party's liability arising out of or relating to this BAA — including liability for a use or disclosure of PHI not permitted by this BAA, a Security Incident, or a Breach — is subject to and limited by the Limitations of Liability section of the Terms of Service, including its tiered structure under which claims arising from a breach of data-security or confidentiality obligations or from a violation of HIPAA or this BAA are limited to the limits of the Company's applicable cyber-liability and technology errors-and-omissions insurance coverage then in effect. In the event of a conflict between this BAA and the Terms of Service with respect to the use, disclosure, or protection of PHI, this BAA controls; in all other respects, including the allocation and limitation of monetary liability, the Terms of Service control.
To request a counter-signed copy of this BAA tailored to your clinic, contact legal@moxcares.com.