Project Line

Business Associate Agreement (BAA)

Template — effective on counter-signature. Last revised: May 16, 2026

This Agreement is entered into between Project Line ('Business Associate') and the clinic identified in the Virtual Medical Assistant (VMA) account ('Covered Entity'), and is intended to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR Parts 160 and 164.

1. Definitions

Terms used herein have the meaning ascribed to them under HIPAA. 'PHI' (Protected Health Information) is defined at 45 CFR 160.103.

2. Permitted uses and disclosures

Business Associate may use or disclose PHI only as necessary to provide the Service to Covered Entity, as required by law, or as expressly permitted by this Agreement. Business Associate will not use or disclose PHI for marketing, research or sale of any kind.

3. Safeguards

Business Associate will implement administrative, physical and technical safeguards as required by 45 CFR 164.308, 164.310 and 164.312 to protect the confidentiality, integrity and availability of PHI. Concrete controls in place are listed in the Privacy Policy §11.

4. Reporting of breaches

Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, and any Security Incident or Breach (as defined at 45 CFR 164.402) of unsecured PHI, without unreasonable delay and in no event later than seventy-two (72) hours after discovery.

5. Subcontractors

Business Associate will ensure that any subcontractor that creates, receives, maintains or transmits PHI on its behalf agrees in writing to the same restrictions and conditions that apply to Business Associate under this Agreement. Current subcontractors are listed at /sub-processors.

6. Access, amendment and accounting

Business Associate will make PHI available to Covered Entity in accordance with 45 CFR 164.524, will incorporate amendments under 164.526, and will document and make available accounting of disclosures as required under 164.528 within thirty (30) days of a written request.

7. Books and records

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.

8. Term and termination

This Agreement is effective upon signature and remains in effect until the termination of the Service. Upon termination, Business Associate will return or destroy all PHI in its possession; if return or destruction is infeasible, protections of this Agreement will extend to such PHI indefinitely.

9. Indemnification

Each party will indemnify the other for damages caused by its own material breach of this Agreement, subject to the limitation of liability stated in the Terms of Service.

10. Execution

Acceptance is recorded server-side via the Legal Acceptance dialog (signer name + title + email + IP + UTC timestamp). A counter-signed PDF copy is provided on email request to emil.mamadov@projectlineil.com.