Neela Cares, Inc. — HIPAA Notice / BAA
Effective Date: September 8, 2025
Last Updated: September 8, 2025
1) Overview
This HIPAA Notice and Business Associate Agreement (“BAA”) describes how Neela Cares, Inc. (“Neela Cares,” “we,” “us,” or “our”) protects and uses Protected Health Information (“PHI”) in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related regulations. This BAA forms part of our Terms of Service and applies when Neela Cares handles PHI on behalf of Covered Entities or other Business Associates.
2) Definitions
- HIPAA: The Health Insurance Portability and Accountability Act and its implementing regulations at 45 C.F.R. Parts 160 and 164.
- PHI: Protected Health Information, as defined by HIPAA, that Neela Cares receives, maintains, or transmits on behalf of a Covered Entity.
- Covered Entity: A health plan, healthcare provider, or healthcare clearinghouse subject to HIPAA.
- Business Associate: An entity that performs certain functions or activities involving PHI on behalf of a Covered Entity.
3) Neela Cares’ Obligations
- Use and disclose PHI only as permitted or required by this BAA or as required by law.
- Implement administrative, physical, and technical safeguards in compliance with the HIPAA Security Rule (45 C.F.R. §164.306).
- Ensure that any subcontractors who create, receive, maintain, or transmit PHI on our behalf agree to the same restrictions and safeguards.
- Report any known use or disclosure of PHI not provided for by this BAA, including breaches of unsecured PHI as required under 45 C.F.R. §164.410.
- Make PHI available for access, amendment, and accounting of disclosures as required by HIPAA, when directed by the Covered Entity.
- Make our internal practices, books, and records related to PHI available to the Secretary of Health and Human Services upon request.
- Return or securely destroy PHI upon termination of this BAA, if feasible.
4) Permitted Uses and Disclosures
Neela Cares may use or disclose PHI only:
- To perform services for or on behalf of the Covered Entity as specified in the service agreement.
- For our proper management and administration or to carry out our legal responsibilities, provided any such disclosure is required by law or is made subject to confidentiality obligations.
- To de-identify PHI in accordance with 45 C.F.R. §164.514(b), for use in product improvement, analytics, or research purposes that do not identify individuals.
5) Breach Notification
Neela Cares will notify the Covered Entity without unreasonable delay, and no later than 60 days after discovery, of any breach of unsecured PHI. The notification will include the nature of the breach, affected individuals, and mitigation actions taken. We will cooperate with the Covered Entity in any required notifications to individuals or authorities.
6) Minimum Necessary & Access Controls
- Neela Cares limits access to PHI to authorized personnel who require it for legitimate business or compliance purposes.
- Access controls include multi-factor authentication, session timeouts, encryption (TLS 1.2+ in transit, AES-256 at rest), and role-based permissions.
- PHI is not used for marketing, profiling, or advertising purposes.
7) Subcontractors and Subprocessors
Neela Cares engages subprocessors to support the Service. Each subprocessor undergoes due diligence, executes a BAA or equivalent, and maintains HIPAA-appropriate safeguards. The current list of subprocessors is available at www.neelacares.com/subprocessors.
8) Covered Entity Responsibilities
- Provide PHI only as necessary for Neela Cares to perform contracted services.
- Comply with HIPAA Privacy Rule requirements applicable to Covered Entities.
- Obtain necessary consents or authorizations for Neela Cares to process PHI as required by law.
- Notify Neela Cares of any restrictions or limitations on PHI use that may affect performance of services.
9) Term and Termination
- This BAA remains in effect for the duration of the underlying service agreement or until all PHI is returned or destroyed.
- Either party may terminate this BAA if the other materially breaches its obligations and fails to cure the breach within 30 days of notice.
- Upon termination, Neela Cares will return or securely destroy all PHI, unless return or destruction is infeasible (in which case protections continue).
10) Indemnification
Each party agrees to indemnify and hold harmless the other from claims, damages, and liabilities resulting from its own breach of this BAA or applicable HIPAA requirements.
11) Miscellaneous
- This BAA is governed by the laws of [Your State], excluding conflicts-of-law principles.
- If any provision is found invalid, the remainder remains in effect.
- This BAA, together with the Terms of Service, constitutes the entire agreement regarding HIPAA compliance between the parties.
12) Contact Information
For questions about this BAA or HIPAA compliance, contact:
Neela Cares, Inc.
Privacy: privacy@neelacares.com
Security: security@neelacares.com
Support: support@neelacares.com