HIPAA Business Associate Agreement

Version 1.0 · Effective: February 7, 2026

1. Purpose

This HIPAA Business Associate Agreement ("BAA") is entered into between the healthcare provider or facility using the GreenLight platform ("Covered Entity" or "Provider") and Tourist SOS, Inc. ("Business Associate" or "Tourist SOS"). This BAA supplements the Provider Service Agreement and governs the use and disclosure of Protected Health Information ("PHI") as defined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.

2. Definitions

Terms used but not defined in this BAA shall have the meaning ascribed to them in HIPAA, the HITECH Act, and their implementing regulations (45 CFR Parts 160 and 164).

  • Protected Health Information (PHI) — individually identifiable health information transmitted or maintained in any form, including electronic PHI (ePHI)
  • Permitted Purposes — insurance eligibility verification, claims submission, payment collection, denial management, and related billing activities performed through the GreenLight platform
  • Security Incident — the attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with system operations

3. Obligations of Business Associate

Tourist SOS agrees to:

  • Use and disclose PHI only for Permitted Purposes or as required by law
  • Implement administrative, physical, and technical safeguards to protect PHI as required by the HIPAA Security Rule
  • Encrypt all ePHI at rest (AES-256 or equivalent) and in transit (TLS 1.2 or higher)
  • Restrict access to PHI to authorized personnel on a need-to-know basis
  • Not use or disclose PHI for marketing, fundraising, or any purpose not authorized under this BAA
  • Report any Security Incident or Breach of Unsecured PHI to Provider without unreasonable delay and no later than 72 hours after discovery
  • Maintain audit logs of access to PHI for a minimum of 6 years
  • Make its internal practices, records, and policies relating to PHI available to the U.S. Department of Health and Human Services for purposes of determining compliance
  • Return or destroy all PHI upon termination of this BAA, where feasible, and retain only as required by law

4. Permitted Uses and Disclosures

Tourist SOS may use or disclose PHI:

  • To perform Permitted Purposes under the Provider Service Agreement
  • To U.S. insurance payers and clearinghouses for claims submission, eligibility verification, and payment processing
  • To subcontractors who have entered into a BAA with Tourist SOS and who need access to perform services (e.g., hosting providers, clearinghouse partners)
  • As required by law, including responding to a valid court order, subpoena, or government investigation
  • For the proper management and administration of Tourist SOS, provided any disclosure is required by law or Tourist SOS obtains reasonable assurance that the information will be protected

Tourist SOS shall not use PHI for any purpose other than those specified above without prior written consent from Provider.

5. Subcontractors

Tourist SOS shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Tourist SOS agrees in writing to the same restrictions and conditions that apply to Tourist SOS under this BAA.

Current subcontractors with access to PHI include but are not limited to:

  • Stedi, Inc. — EDI clearinghouse for claims submission and eligibility verification
  • Supabase, Inc. — database hosting and authentication
  • Vercel, Inc. — application hosting and infrastructure
  • Stripe, Inc. — payment processing (limited to billing data, not clinical PHI)

Tourist SOS will notify Provider of material changes to subcontractors that handle PHI.

6. Breach Notification

In the event of a Breach of Unsecured PHI, Tourist SOS shall:

  • Notify Provider without unreasonable delay and no later than 72 hours after discovery of the Breach
  • Provide, to the extent available: identification of each individual affected; a description of the PHI involved; the date of the Breach and date of discovery; a description of what Tourist SOS is doing to mitigate the Breach and prevent future occurrences
  • Cooperate with Provider in investigating the Breach and fulfilling any notification obligations under HIPAA
  • Bear the cost of notification to affected individuals if the Breach is solely attributable to Tourist SOS

7. Provider Obligations

Provider agrees to:

  • Obtain any required patient authorizations or consents before transmitting PHI to Tourist SOS
  • Not request Tourist SOS to use or disclose PHI in a manner that would violate HIPAA
  • Notify Tourist SOS promptly of any restrictions on the use or disclosure of PHI that Provider has agreed to with a patient
  • Notify Tourist SOS promptly of any changes in or revocation of patient authorization

8. Data Retention and Destruction

Tourist SOS retains PHI for the minimum period required to fulfill its obligations under this BAA and applicable law:

  • Billing records: 7 years from the date of service (industry standard)
  • Audit logs: 6 years from the date of creation
  • All other PHI: destroyed within 90 days of termination of this BAA, where feasible

Destruction shall be performed using methods consistent with NIST SP 800-88 guidelines. Where return or destruction is not feasible, Tourist SOS shall extend the protections of this BAA to the retained PHI.

9. Individual Rights

To the extent Tourist SOS maintains PHI in a Designated Record Set on behalf of Provider:

  • Tourist SOS shall make PHI available to Provider for purposes of satisfying individual access requests within 15 business days
  • Tourist SOS shall make PHI available for amendment and incorporate amendments as directed by Provider within 30 business days
  • Tourist SOS shall maintain and make available an accounting of disclosures as required by 45 CFR 164.528

10. Term and Termination

This BAA is effective upon Provider's acceptance and remains in effect for the duration of the Provider Service Agreement. Upon termination:

  • Tourist SOS shall return or destroy all PHI where feasible
  • Obligations regarding the protection of retained PHI survive termination
  • Either party may terminate this BAA if the other party materially breaches any provision and fails to cure within 30 days of written notice

Provider may terminate this BAA immediately if Tourist SOS has breached a material term and cure is not possible.

11. Governing Law

This BAA is governed by HIPAA, the HITECH Act, and their implementing regulations. To the extent not preempted by federal law, the laws of the State of Delaware shall apply.

12. Contact

Tourist SOS Privacy Officer: privacy@touristsos.com

For legal questions: legal@touristsos.com