Business Associate Agreement
Last updated: April 8, 2026
This Business Associate Agreement (“BAA”) is entered into between IMEPro, Inc. (“Business Associate”) and the covered entity or business associate that executes this BAA (“Covered Entity”), pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations (collectively, the “HIPAA Rules”).
1. Definitions
Terms used but not defined in this BAA shall have the meanings given to them under the HIPAA Rules. “Protected Health Information” or “PHI” means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR 160.103.
2. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted by this BAA or as required by law
- Implement administrative, physical, and technical safeguards to protect PHI
- Report any use or disclosure of PHI not provided for by this BAA, including any Security Incident or Breach
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions
- Make PHI available to the Covered Entity to fulfill individual access requests under 45 CFR 164.524
- Make PHI available for amendment and incorporate amendments as directed by the Covered Entity
- Maintain and make available information required to provide an accounting of disclosures
- Make internal practices and records available to the Secretary of HHS for determining compliance
3. Security Measures
IMEPro implements the following security measures to protect PHI:
- Encryption at rest: All PHI stored using AES-256 encryption via Google Cloud SQL and Cloud Storage
- Encryption in transit: TLS 1.3 for all data transmission
- Access controls: Role-based access with multi-factor authentication
- Audit logging: All PHI access is logged with user identity, timestamp, and action
- AI processing: PHI processed via Google Vertex AI under Google Cloud BAA; no PHI is used for model training
- No PHI in logs: Application logs are sanitized to exclude PHI
- Session management: 8-hour absolute session timeout with 15-minute idle refresh
4. Permitted Uses and Disclosures
Business Associate may use or disclose PHI solely to perform functions, activities, or services for the Covered Entity as specified in the underlying service agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by the Covered Entity.
5. Breach Notification
Business Associate shall report to the Covered Entity any Breach of Unsecured PHI without unreasonable delay, and in no case later than 30 calendar days after discovery of the Breach. The notification shall include the identification of individuals affected, the types of information involved, and steps taken to mitigate harm.
6. Term and Termination
This BAA is effective upon execution and shall terminate when all PHI is destroyed or returned to the Covered Entity. Upon termination, Business Associate shall return or destroy all PHI, if feasible. If return or destruction is not feasible, protections under this BAA extend to retained PHI.
7. Subcontractors
IMEPro uses the following HIPAA-compliant subcontractors:
- Google Cloud Platform — Infrastructure, compute, storage, and AI processing (BAA in place)
- Cloudflare — CDN and WAF (BAA in place)
No other subcontractor has access to PHI. Payment processing (Stripe) and email delivery (Resend) do not handle PHI.
8. Contact
To execute this BAA or for questions about HIPAA compliance, contact us at support@imepro.io.