Neurvana AI, LLC. BAA
Business Associate Agreement
Neurvana AI Studio Operations ("Business Associate")
Effective Date: April 3rd, 2026
This Business Associate Agreement (“Agreement”) is entered into between Neurvana AI Studio Operations (“Business Associate”) and the undersigned Covered Entity (“Covered Entity”) and governs the use, disclosure, and protection of Protected Health Information (“PHI”) in connection with the services provided.
Purpose and Scope
This Agreement applies to the extent that the Business Associate creates, receives, maintains, or transmits PHI on behalf of the Covered Entity in the course of providing non-clinical administrative services, including intake automation, referral triage, documentation drafting, and infrastructure support (“Administrative Relief Services”). The Business Associate shall only access and process PHI as necessary to perform these services and in accordance with applicable law.
Permitted Use and Disclosure of PHI
The Business Associate may use and disclose PHI solely to perform services for or on behalf of the Covered Entity, as permitted under this Agreement or as required by law. The Business Associate may also use PHI for its proper management and administration, provided that any disclosure for such purposes is required by law or subject to written obligations that provide the same level of protection as this Agreement. Any use or disclosure of PHI shall be limited to the minimum necessary to accomplish the intended purpose.
Restrictions on Use
The Business Associate shall not use or disclose PHI in any manner that would violate applicable HIPAA requirements if done by the Covered Entity. Without limiting the foregoing, the Business Associate shall not use PHI for marketing, resale, or profiling purposes, nor shall it use PHI to train, fine-tune, or improve general-purpose artificial intelligence models. PHI processed through the Business Associate’s systems shall not be combined with external datasets except as expressly permitted under this Agreement.
AI System Use and Responsibility Allocation
The parties acknowledge that the Business Associate provides AI-enabled administrative tools that generate draft outputs for operational support only. These outputs are non-clinical in nature and are not intended to provide medical advice, diagnosis, or treatment recommendations. The Covered Entity retains full responsibility for all clinical decisions, documentation, and regulatory compliance related to patient care.
PHI processed by the Business Associate’s systems is used solely for real-time task execution. Such data is not retained for the purpose of training or improving generalized models. Any temporary processing of PHI is limited to operational necessity and handled in a manner designed to minimize persistence.
Safeguards
The Business Associate shall implement administrative, physical, and technical safeguards consistent with 45 CFR Part 164 Subpart C to protect the confidentiality, integrity, and availability of PHI. These safeguards include access controls, encryption in transit and at rest, system monitoring, and audit logging. All PHI shall be stored and processed within United States-based infrastructure.
Subcontractors
The Business Associate may use subcontractors to perform services involving PHI, provided that each subcontractor agrees in writing to the same restrictions and conditions that apply to the Business Associate under this Agreement. The Business Associate shall remain responsible for the acts and omissions of its subcontractors. Current infrastructure providers include Google Cloud Platform, which operates under its own HIPAA Business Associate Addendum.
Breach Notification and Security Incidents
The Business Associate shall notify the Covered Entity without unreasonable delay, and in no event later than seventy-two (72) hours after discovery of a Breach of unsecured PHI. Such notification shall include, to the extent known, a description of the incident, the types of PHI involved, and any steps taken to mitigate potential harm. The Business Associate shall cooperate with the Covered Entity in responding to the incident and fulfilling any regulatory obligations.
Routine unsuccessful security events, such as network scans or failed login attempts, shall not constitute reportable incidents unless they result in unauthorized access, use, or disclosure of PHI.
Individual Rights and Access
The Business Associate shall make PHI available to the Covered Entity as necessary for the Covered Entity to meet its obligations under applicable HIPAA provisions concerning access, amendment, and accounting of disclosures. The Covered Entity remains responsible for responding to individual requests and managing designated record sets.
Access for Regulatory Oversight
The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services as required for determining compliance with HIPAA.
Data Retention and Destruction
The Business Associate shall retain PHI only for as long as necessary to fulfill its obligations under this Agreement. Upon termination of services, the Business Associate shall return or securely destroy all PHI within thirty (30) days, unless retention is required by law. If return or destruction is not feasible, the Business Associate shall continue to protect such PHI in accordance with this Agreement and limit further use or disclosure.
Term and Termination
This Agreement shall remain in effect for the duration of services involving PHI. Either party may terminate this Agreement upon written notice if the other party materially breaches its obligations and fails to cure such breach within thirty (30) days. Upon termination, the Business Associate shall immediately cease all use of PHI except as necessary to comply with applicable legal obligations.
Responsibilities of the Covered Entity
The Covered Entity shall limit the PHI disclosed to the Business Associate to the minimum necessary and shall not request the Business Associate to use or disclose PHI in any manner that would violate applicable law. The Covered Entity is responsible for ensuring that its use of the Business Associate’s services complies with HIPAA and for maintaining appropriate safeguards within its own systems.
Miscellaneous
This Agreement shall be governed by applicable federal HIPAA regulations. In the event of any ambiguity, the terms shall be interpreted to permit compliance with applicable law. This Agreement may be amended as necessary to comply with future regulatory requirements.
Business Associate: Luke McNeur, Founder
Neurvana AI Studio Operations
Date: April 3rd, 2026
