GLP-1 Receptionist — Business Associate Agreement
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA" or "Agreement") is entered into as of the date last signed below ("BAA Effective Date") by and between:
Covered Entity: _____ ("Covered Entity"), a healthcare provider or healthcare entity operating as a Covered Entity as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations; and
Business Associate: Maps Health Network LLC, a Wyoming limited liability company ("Business Associate"), the operator of GLP1Receptionist.com.
Covered Entity and Business Associate are each a "Party" and collectively the "Parties."
Recitals
WHEREAS, Covered Entity is a Covered Entity as defined at 45 CFR § 160.103, and engages in activities as a healthcare provider subject to HIPAA and the Health Information Technology for Economic and Clinical Health Act ("HITECH"), 42 U.S.C. §§ 17931–17954;
WHEREAS, Business Associate provides AI voice receptionist services to Covered Entity through the GLP-1 Receptionist platform (the "Services"), which involve the creation, receipt, maintenance, transmission, or processing of Protected Health Information on behalf of Covered Entity;
WHEREAS, by virtue of providing such Services, Business Associate constitutes a "Business Associate" of Covered Entity as defined at 45 CFR § 160.103;
WHEREAS, HIPAA, as amended by HITECH, and the regulations at 45 CFR Parts 160, 162, and 164 (collectively, "HIPAA Rules") require Covered Entity to obtain satisfactory assurances from Business Associate that Business Associate will appropriately safeguard PHI; and
WHEREAS, this BAA is intended to comply with the requirements of 45 CFR § 164.504(e) and to govern the use and disclosure of PHI by Business Associate in connection with the Services;
NOW, THEREFORE, in consideration of the foregoing and the mutual covenants set forth herein, the Parties agree as follows:
Article 1 — Definitions
Capitalized terms used but not defined in this BAA have the meanings assigned to them under the HIPAA Rules. Where HIPAA Rules use a term, the regulatory definition controls. The following definitions apply:
1.1 "Breach" means the acquisition, access, use, or disclosure of Unsecured PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined at 45 CFR § 164.402. The term does not include: (a) any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a Covered Entity or Business Associate, if the acquisition, access, or use was made in good faith and within the scope of authority, and does not result in further use or disclosure in a manner not permitted; (b) any inadvertent disclosure by a person who is authorized to access PHI at a Covered Entity or Business Associate to another person authorized to access PHI at the same entity, if the information received is not further used or disclosed in a manner not permitted; or (c) a disclosure of PHI where a Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not have been able to retain such information.
1.2 "Business Associate" has the meaning set forth at 45 CFR § 160.103 and refers to Maps Health Network LLC in its capacity as defined herein.
1.3 "Covered Entity" has the meaning set forth at 45 CFR § 160.103 and refers to the subscribing clinic entity identified on the signature page.
1.4 "Designated Record Set" has the meaning set forth at 45 CFR § 164.501.
1.5 "ePHI" (Electronic Protected Health Information) means PHI that is transmitted by or maintained in electronic media, as defined at 45 CFR § 160.103.
1.6 "HIPAA Rules" means the Privacy Rule (45 CFR Part 164, Subpart E), the Security Rule (45 CFR Part 164, Subpart C), the Breach Notification Rule (45 CFR Part 164, Subpart D), the Enforcement Rule (45 CFR Part 160, Subpart C), and any other applicable provisions of 45 CFR Parts 160, 162, and 164 as amended.
1.7 "Individual" has the meaning set forth at 45 CFR § 160.103, and includes a person who qualifies as a personal representative pursuant to 45 CFR § 164.502(g).
1.8 "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 164, Subpart E.
1.9 "Protected Health Information" or "PHI" has the meaning set forth at 45 CFR § 160.103, limited to the PHI that Business Associate creates, receives, maintains, transmits, or processes on behalf of Covered Entity in connection with the Services.
1.10 "Required by Law" has the meaning set forth at 45 CFR § 164.103.
1.11 "Secretary" means the Secretary of the United States Department of Health and Human Services ("HHS") or any officer or employee of HHS to whom the authority involved has been delegated.
1.12 "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined at 45 CFR § 164.304. For the avoidance of doubt, trivial and routine security probes, pings, and port scans that are automatically blocked and cause no actual access to PHI do not constitute Security Incidents requiring individual reporting under this BAA, though they are tracked in audit logs.
1.13 "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 164, Subpart C.
1.14 "Services" means the GLP-1 Receptionist AI voice receptionist platform and all associated services provided by Business Associate to Covered Entity pursuant to the Terms of Service and/or the SaaS Service Agreement, including call answering, patient scheduling, refill request routing, and warm transfers to clinical staff.
1.15 "Subcontractor" has the meaning set forth at 45 CFR § 160.103.
1.16 "Unsecured PHI" has the meaning set forth at 45 CFR § 164.402, referring to PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified by the Secretary in guidance issued pursuant to 42 U.S.C. § 17932(h)(2).
Article 2 — Permitted Uses and Disclosures
2.1 Provision of Services. Business Associate may use and disclose PHI as necessary to perform the Services for Covered Entity and in a manner consistent with this BAA and the HIPAA Rules. Specifically, and without limitation, Business Associate may use and disclose PHI to:
(a) Answer inbound patient calls on behalf of Covered Entity using the Grace AI voice receptionist;
(b) Collect patient intake information, including name, date of birth, reason for call, and medication information (including information related to GLP-1 medications such as Ozempic, Wegovy, Mounjaro, and Zepbound);
(c) Schedule and manage patient appointments and consultation requests;
(d) Accept and route patient medication refill requests;
(e) Perform warm transfers to Covered Entity's human clinical staff; and
(f) Store and transmit call recordings and transcripts to Covered Entity's authorized personnel through the Service dashboard.
2.2 Use for Operations of Business Associate. Business Associate may use PHI as permitted by 45 CFR § 164.504(e)(4) for the proper management and administration of Business Associate and to carry out its legal responsibilities, provided that: (a) the disclosure is Required by Law; or (b) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the person notifies Business Associate of any instances where confidentiality has been breached.
2.3 Reporting to Covered Entity. Business Associate may disclose PHI to Covered Entity's authorized workforce members and representatives as necessary to report on the Services, provide call summaries, or notify Covered Entity of security incidents or breaches.
2.4 De-identified Data. Business Associate may de-identify PHI in accordance with the standards at 45 CFR § 164.514(b) and use such de-identified data for analytics, product improvement, and other internal purposes. De-identified data is not PHI and is not subject to the restrictions of this BAA.
2.5 Required by Law. Business Associate may use and disclose PHI as Required by Law.
Article 3 — Prohibited Uses and Disclosures
3.1 General Prohibition. Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the HIPAA Rules, or as Required by Law.
3.2 No Marketing. Business Associate shall not use or disclose PHI for marketing purposes as defined at 45 CFR § 164.501 without a valid HIPAA authorization from the Individual.
3.3 No Sale of PHI. Business Associate shall not sell PHI as defined at 45 CFR § 164.502(a)(5)(ii) without a valid HIPAA authorization from the Individual. Business Associate represents that it receives no remuneration in exchange for PHI in a manner that would constitute a "sale of PHI" under HIPAA.
3.4 No Use for Fundraising. Business Associate shall not use or disclose PHI for fundraising purposes unless the applicable requirements of 45 CFR § 164.514(f) are met.
3.5 Genetic Information. Business Associate shall not use or disclose Genetic Information (as defined in the Genetic Information Nondiscrimination Act, Pub. L. 110-233) for underwriting purposes.
Article 4 — Safeguards
4.1 General Obligation. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect PHI from unauthorized use, access, disclosure, modification, or destruction, consistent with the HIPAA Security Rule and the size, complexity, and capabilities of Business Associate's operations.
4.2 Administrative Safeguards (45 CFR § 164.308). Business Associate shall implement administrative safeguards, including:
(a) A formal security management process, including a current risk analysis and risk management program (45 CFR § 164.308(a)(1));
(b) Designation of a Security Officer responsible for developing and implementing security policies (45 CFR § 164.308(a)(2));
(c) Workforce training programs addressing HIPAA obligations applicable to each workforce member's functions (45 CFR § 164.308(a)(5));
(d) Access management procedures ensuring that only authorized personnel access ePHI (45 CFR § 164.308(a)(3), (4));
(e) A contingency plan including data backup, disaster recovery, and emergency mode operation procedures (45 CFR § 164.308(a)(7)); and
(f) Periodic evaluation of the sufficiency of security policies and procedures (45 CFR § 164.308(a)(8)).
4.3 Physical Safeguards (45 CFR § 164.310). Business Associate shall implement physical safeguards, including:
(a) Facility access controls limiting physical access to data centers and systems containing ePHI to authorized personnel (45 CFR § 164.310(a));
(b) Workstation use and security policies for devices that access ePHI (45 CFR § 164.310(b), (c)); and
(c) Device and media controls, including policies for the movement and disposal of hardware and electronic media containing ePHI (45 CFR § 164.310(d)).
4.4 Technical Safeguards (45 CFR § 164.312). Business Associate shall implement technical safeguards, including:
(a) Unique user identification and emergency access procedures (45 CFR § 164.312(a)(1), (2)(ii));
(b) Automatic logoff for sessions accessing ePHI (45 CFR § 164.312(a)(2)(iii));
(c) Encryption of ePHI in transit using TLS 1.2 or higher (45 CFR § 164.312(e)(2)(ii));
(d) Encryption of ePHI at rest using AES-256 or equivalent (45 CFR § 164.312(a)(2)(iv));
(e) Audit controls to record and examine activity in information systems containing ePHI (45 CFR § 164.312(b)); and
(f) Integrity controls to authenticate ePHI and detect unauthorized modification (45 CFR § 164.312(c), (e)(2)(i)).
4.5 Policies and Procedures. Business Associate shall maintain written policies and procedures for implementing the safeguards described in this Article and shall maintain documentation as required by 45 CFR § 164.316.
Article 5 — Subcontractors
5.1 Subcontractor BAA Requirement. Business Associate shall not disclose PHI to or allow access to PHI by any Subcontractor that creates, receives, maintains, or transmits PHI on Business Associate's behalf unless Business Associate has entered into a written agreement with that Subcontractor that imposes on the Subcontractor the same or substantially equivalent restrictions and conditions with respect to PHI as apply to Business Associate under this BAA, consistent with 45 CFR § 164.504(e)(2)(ii)(D) and 45 CFR § 164.308(b).
5.2 Flow-Down. The Subcontractor BAA must include, at minimum, provisions requiring the Subcontractor to:
(a) Use and disclose PHI only as permitted by the Subcontractor's agreement with Business Associate;
(b) Implement safeguards equivalent to those required of Business Associate under Article 4;
(c) Report Security Incidents and Breaches to Business Associate promptly; and
(d) Agree to the same restrictions on use and disclosure of PHI as Business Associate.
5.3 Responsibility for Subcontractors. Business Associate remains fully responsible for the acts and omissions of its Subcontractors to the extent that Business Associate would be liable if Business Associate directly performed the Subcontractor's functions.
5.4 Current Subprocessors. A current list of Subcontractors who process PHI on behalf of Business Associate is available at GLP1Receptionist.com/subprocessors. Business Associate will provide Covered Entity with at least thirty (30) days' advance written notice before adding or replacing a Subcontractor that will access PHI, affording Covered Entity the opportunity to object.
Article 6 — Reporting Obligations
6.1 Security Incident Reporting. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware, without unreasonable delay. For Security Incidents that do not rise to the level of a Breach (e.g., unsuccessful attempts to access ePHI that are automatically blocked), Business Associate shall provide periodic summary reports to Covered Entity upon request.
6.2 Breach Notification. If Business Associate discovers a Breach of Unsecured PHI as defined at 45 CFR § 164.402, Business Associate shall notify Covered Entity of the Breach:
(a) Without unreasonable delay; and
(b) In no event later than sixty (60) days after Business Associate discovers the Breach, consistent with 45 CFR § 164.410.
6.3 Content of Breach Notice. Breach notification under Section 6.2 shall include, to the extent then available:
(a) A description of the Breach, including date of Breach and date of discovery;
(b) The types of Unsecured PHI involved (e.g., name, date of birth, phone number, medication information);
(c) The number of Individuals affected or an estimate if the exact number is not then known;
(d) Any steps Individuals should take to protect themselves;
(e) A description of Business Associate's investigation and remediation steps; and
(f) Contact information for questions.
Business Associate shall supplement the notice as additional information becomes available. Covered Entity remains responsible for providing notice to affected Individuals and the Secretary pursuant to 45 CFR §§ 164.404 and 164.408.
6.4 Mitigating Harm. To the extent practicable, Business Associate shall mitigate any harmful effects resulting from a use or disclosure of PHI in violation of this BAA that becomes known to Business Associate.
Article 7 — Access, Amendment, and Accounting
7.1 Access by Individuals. Business Associate shall, within a reasonable time upon request by Covered Entity, make PHI contained in a Designated Record Set maintained by Business Associate available to Covered Entity so that Covered Entity may respond to an Individual's request for access pursuant to 45 CFR § 164.524.
7.2 Amendment. Business Associate shall, within a reasonable time upon request by Covered Entity, make PHI in a Designated Record Set available for amendment and shall incorporate any amendments to PHI that Covered Entity provides, consistent with 45 CFR § 164.526.
7.3 Accounting of Disclosures. Business Associate shall maintain documentation of PHI disclosures and the information necessary for Covered Entity to respond to Individual requests for an accounting of disclosures pursuant to 45 CFR § 164.528. Business Associate shall provide such documentation to Covered Entity within thirty (30) days of Covered Entity's written request. Business Associate's obligation to account for disclosures applies to disclosures as required by 45 CFR § 164.528.
7.4 Minimum Necessary. When making PHI available pursuant to this Article, Business Associate shall apply minimum necessary standards consistent with 45 CFR § 164.502(b).
Article 8 — Audit Rights (HHS Secretary Access)
8.1 Secretary Access. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of HHS for the purposes of determining compliance with the HIPAA Rules, consistent with 45 CFR § 164.504(e)(2)(ii)(I).
8.2 Covered Entity Audit Rights. Upon reasonable prior written notice (not less than five (5) business days, except in the event of a suspected Breach or active investigation), Covered Entity may audit Business Associate's policies, procedures, and records relating to PHI handling under this BAA, no more than once per calendar year unless a Breach has occurred. Covered Entity shall bear its own costs in connection with any audit, and shall take reasonable precautions to avoid disruption to Business Associate's operations.
Article 9 — Term & Termination
9.1 Term. This BAA is effective as of the BAA Effective Date and shall continue in force for so long as Business Associate provides Services to Covered Entity, or until terminated as provided herein.
9.2 Termination for Cause. Either Party may terminate this BAA, and any underlying service agreement, if the other Party materially breaches this BAA and fails to cure such breach within thirty (30) days after receiving written notice specifying the breach in reasonable detail. If cure is not feasible, the non-breaching Party may immediately terminate this BAA upon written notice.
9.3 Immediate Termination. Either Party may terminate this BAA immediately upon written notice if the other Party repeatedly fails to comply with HIPAA requirements, if a pattern of non-compliance is established, or if the Secretary takes formal enforcement action against the other Party.
9.4 Concurrent Termination. This BAA terminates automatically upon the termination or expiration of the underlying service agreement(s) between the Parties. Termination of this BAA does not automatically terminate the underlying service agreement.
9.5 Survival. The following obligations survive the termination or expiration of this BAA: Article 1 (Definitions), Article 3 (Prohibited Uses), Article 6 (Reporting, for incidents that occurred during the term), Article 8 (Secretary Access), this Section 9.5, Article 10 (Return/Destruction), Article 11 (Indemnification), and Article 12 (Governing Law). Obligations relating to PHI survive until all PHI has been returned or destroyed pursuant to Article 10.
Article 10 — Return and Destruction of PHI
10.1 Obligation upon Termination. Upon termination or expiration of this BAA, Business Associate shall, at Covered Entity's election as provided in a written request within thirty (30) days of termination:
(a) Return all PHI in Business Associate's possession (and that of any Subcontractor) to Covered Entity; or
(b) Destroy all PHI in Business Associate's possession (and that of any Subcontractor) and provide written certification of destruction.
If neither instruction is received within thirty (30) days after termination, Business Associate shall destroy all PHI.
10.2 Infeasibility of Return or Destruction. If Business Associate determines that return or destruction of PHI is not feasible (e.g., because PHI is embedded in backup systems from which it cannot be segregated without disproportionate effort), Business Associate shall: (a) notify Covered Entity in writing of the infeasibility and the reasons therefor; (b) extend the protections of this BAA to such PHI for as long as Business Associate retains it; and (c) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible.
10.3 Timing. Business Associate shall complete the return or destruction of PHI within sixty (60) days of the later of: (a) the termination date; or (b) the date Business Associate receives Covered Entity's written instruction.
Article 11 — Mutual Indemnification
11.1 Business Associate Indemnification. Business Associate shall defend, indemnify, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any claims, damages, penalties, fines, losses, liabilities, and expenses (including reasonable attorneys' fees) arising out of or relating to:
(a) Business Associate's unauthorized use or disclosure of PHI in violation of this BAA;
(b) Business Associate's violation of the HIPAA Rules in connection with the Services; or
(c) Business Associate's gross negligence or willful misconduct in connection with PHI handling.
11.2 Covered Entity Indemnification. Covered Entity shall defend, indemnify, and hold harmless Business Associate and its members, officers, employees, and agents from and against any claims, damages, penalties, fines, losses, liabilities, and expenses (including reasonable attorneys' fees) arising out of or relating to:
(a) Covered Entity's unauthorized use or disclosure of PHI, including any misuse of PHI transmitted by Business Associate to Covered Entity;
(b) Covered Entity's failure to comply with HIPAA Rules applicable to the Covered Entity; or
(c) Covered Entity's failure to provide required patient notices, consents, or authorizations that are the Covered Entity's responsibility under HIPAA.
11.3 Indemnification Procedure. The indemnification obligations of Sections 11.1 and 11.2 are subject to the indemnification procedure in the Terms of Service or SaaS Service Agreement, including requirements for notice, defense control, and cooperation.
Article 12 — Governing Law & General Provisions
12.1 Governing Law. This BAA is governed by the laws of the State of Wyoming, without regard to conflict-of-law principles. To the extent that any conflict arises between Wyoming law and applicable federal HIPAA regulations, federal law controls.
12.2 Amendment. This BAA may be amended only by a written instrument signed by authorized representatives of both Parties. The Parties agree to amend this BAA as necessary to comply with changes in HIPAA Rules, including changes in HHS regulations or guidance, with any such amendment effective no later than the effective date of the applicable regulatory requirement.
12.3 Entire Agreement; Incorporation. This BAA, together with the Terms of Service and any Order Form or SaaS Service Agreement executed by the Parties, constitutes the entire agreement between the Parties with respect to the use and disclosure of PHI in connection with the Services. In the event of a conflict between this BAA and any other agreement between the Parties with respect to PHI handling, this BAA controls.
12.4 No Third-Party Beneficiaries. Nothing in this BAA is intended to confer any rights on any Individual or third party, including patients of Covered Entity, except as expressly required by HIPAA.
12.5 Counterparts. This BAA may be executed in counterparts, each of which shall be deemed an original. Electronic signatures (including DocuSign or equivalent) are fully binding and valid.
Signature Blocks
Covered Entity
Entity Name: _________
Authorized Signatory Name: _________
Title: _________
Address: ____________
Email: ________
NPI (if applicable): __________
Signature: __________
Date: ________
Business Associate
Maps Health Network LLC
Authorized Signatory Name: Mark "Shep" Shepherd
Title: Founder / Managing Member
Address: 30 N. Gould St, Ste N, Sheridan, WY 82801
Email: markshepmv@gmail.com
Signature: __________
Date: ________
Exhibit A — Permitted Uses and Disclosures Specific to This Engagement
This Exhibit A identifies and limits the specific uses and disclosures of PHI that Business Associate is authorized to perform on behalf of Covered Entity in connection with the Services.
A.1 Scope of Services
Business Associate is authorized to create, receive, maintain, and transmit PHI solely in connection with the following Service functions:
| Function | PHI Used or Disclosed | Authorized Purpose |
|---|---|---|
| Call answering via Grace AI | Caller identity, reason for call, medication information (including Ozempic, Wegovy, Mounjaro, Zepbound) | Identifying and routing patients |
| Appointment scheduling | Patient name, date of birth, contact information, appointment preferences | Creating and managing scheduling records on behalf of Covered Entity |
| Medication refill routing | Patient name, date of birth, medication name, dose, prescribing provider | Routing refill requests to appropriate clinical staff |
| Warm transfer to clinical staff | PHI disclosed to the receiving staff member as necessary for continuity of care | Patient handoff to human staff |
| Call recording and transcription | Full call audio and transcript, which may contain any PHI disclosed during the call | Creating a record for Covered Entity's review and quality assurance |
| Storage in Service dashboard | Recorded audio, transcripts, structured intake data | Making call records available to Covered Entity's authorized personnel |
A.2 Restrictions
Business Associate shall not, in performing the Services under Exhibit A:
(a) Use PHI for any purpose not identified in this Exhibit;
(b) Disclose PHI to any party other than Covered Entity's authorized workforce, authorized Subcontractors under Article 5, or as Required by Law;
(c) Use PHI to make clinical decisions or provide medical advice (all clinical judgment remains with Covered Entity's licensed staff);
(d) Use PHI for training AI models in a manner that identifies Covered Entity's patients; or
(e) Share PHI with any marketing, advertising, or data analytics company.
A.3 Acknowledgment
This Exhibit A is incorporated into and forms part of the BAA. Covered Entity's execution of the BAA constitutes acknowledgment of and agreement to the scope and restrictions set forth in this Exhibit.
Cross-reference: This BAA should be read in conjunction with the GLP-1 Receptionist Terms of Service, Privacy Policy & HIPAA Notice, and SaaS Service Agreement.
© 2026 Maps Health Network LLC. All rights reserved.