Business Associate Addendum / LabPreCheck

Incorporation And Scope

This Addendum becomes part of the customer contract when LabPreCheck is used in a HIPAA-regulated workflow.

This Business Associate Addendum applies to the extent Nunuworks, Inc., doing business as LabPreCheck, creates, receives, maintains, or transmits protected health information on behalf of a customer organization through the LabPreCheck service.

This document is incorporated into the LabPreCheck Terms of Service. Together, the Terms and this Business Associate Addendum form the core customer agreement for HIPAA-regulated use of LabPreCheck. The Terms continue to apply to both practices and labs, and this Addendum adds the HIPAA-specific obligations that apply when protected health information is involved.

A practice customer may use LabPreCheck as a covered entity or other regulated provider organization. A lab customer may use LabPreCheck as a business associate, subcontractor, or other regulated organization in the dental workflow. This Addendum is written to address either customer type where HIPAA applies to the relationship.

Definitions

These definitions make the Addendum work for both practice and lab customers.

Capitalized terms not defined in this Addendum have the meanings given in the LabPreCheck Terms of Service or under HIPAA. If there is a conflict between this Addendum and the Terms on HIPAA-specific subject matter, this Addendum controls for that subject matter only.

“Customer” means the practice or lab organization that accepts the LabPreCheck Terms of Service.

“Regulated Customer” means a Customer acting as a covered entity, business associate, or subcontractor subject to HIPAA.

“Protected Health Information” or “PHI” has the meaning given under HIPAA and includes electronic PHI where applicable.

“Service Providers” means LabPreCheck subcontractors or downstream providers that support the service and are permitted to handle PHI under written agreements and applicable law.

Permitted Uses And Disclosures

LabPreCheck may use PHI only to run the service and perform legally permitted support functions.

LabPreCheck may use and disclose PHI only as necessary to perform the services described in the Terms, this Addendum, the applicable order or subscription relationship, and documented instructions from the Regulated Customer, except where law requires another use or disclosure.

LabPreCheck will not use or disclose PHI in a manner that would violate HIPAA if done by the Regulated Customer, except to the extent HIPAA specifically permits or requires a business associate to do so.

Provide, maintain, secure, support, and improve the LabPreCheck service for the Regulated Customer.

Use PHI for internal management and administration or to carry out legal responsibilities where HIPAA permits.

Disclose PHI only as permitted by this Addendum, the Terms, applicable law, or the Regulated Customer’s instructions.

Safeguards And Subcontractors

LabPreCheck protects PHI through safeguards, access controls, and written downstream obligations.

LabPreCheck will implement and maintain reasonable and appropriate safeguards to protect PHI, including safeguards required by the HIPAA Security Rule for electronic protected health information.

LabPreCheck may use Service Providers to support the service. Any Service Provider that is permitted to create, receive, maintain, or transmit PHI on behalf of LabPreCheck will be bound by written obligations that are materially consistent with the protections required of LabPreCheck under this Addendum.

Administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of PHI.

Role-based access controls and workforce limitations tied to service responsibilities.

Written restrictions and equivalent obligations for permitted Service Providers that handle PHI.

Incident And Breach Reporting

LabPreCheck will notify and cooperate when HIPAA-related incidents affect PHI in the service.

LabPreCheck will notify the Regulated Customer of impermissible uses or disclosures of PHI, security incidents, and breaches of unsecured PHI to the extent and in the manner required by law and by the service relationship.

LabPreCheck will cooperate in good faith with the Regulated Customer regarding incident review, containment, mitigation, and legally required notifications to the extent the matter concerns PHI processed through the LabPreCheck service.

Report uses or disclosures of PHI not permitted by this Addendum or by law.

Report security incidents affecting PHI as required by applicable law and contractual duties.

Report breaches of unsecured PHI without unreasonable delay and provide the information reasonably needed for the Regulated Customer’s response obligations.

Customer Rights Support

LabPreCheck will reasonably support HIPAA-related customer requests where the service must assist.

To the extent HIPAA requires the Regulated Customer to provide access, amendment, or accounting support and LabPreCheck holds the relevant PHI or records in a way that requires service assistance, LabPreCheck will provide commercially reasonable cooperation consistent with the service design and applicable law.

Nothing in this Addendum requires LabPreCheck to disclose information in a manner that would violate law, compromise another customer’s data, or bypass the service’s security controls.

Provide access to PHI within the service where the Regulated Customer needs that support to meet legal obligations.

Support reasonable requests for amendment or correction where the service data needs to be updated.

Support reasonable requests for information needed for an accounting of disclosures where HIPAA requires it.

Make records relating to PHI handling available to the Secretary of Health and Human Services to the extent required by law.

Term And Return Or Destruction

The BAA lasts as long as PHI is handled through the service and continues to protect retained PHI after termination if needed.

This Addendum terminates when the Terms and the applicable service relationship terminate and LabPreCheck no longer creates, receives, maintains, or transmits PHI on behalf of the Regulated Customer, except for provisions that must survive by law or by their nature.

Where return or destruction of PHI is not feasible, LabPreCheck will continue to protect the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible or are otherwise permitted by law.

This Addendum remains in effect for as long as LabPreCheck handles PHI on behalf of the Regulated Customer.

If the service relationship ends, LabPreCheck will return or destroy PHI when feasible, or continue protecting it if return or destruction is not feasible.

A material HIPAA-related breach that cannot be cured may permit termination as allowed by law and the Terms.

Contact And Manual Exceptions

Use the contact path for negotiated legal review or manual exceptions.

The standard LabPreCheck customer legal package is the default path for both practices and labs. If a customer requests negotiated terms, a separate paper agreement, or a manual legal exception, that request should be submitted through Contact.

This public page is the standard source of truth for the default incorporated Business Associate Addendum. It does not limit the possibility of a separately negotiated written agreement where LabPreCheck expressly agrees to one in writing.

Incorporation And Scope

This Addendum becomes part of the customer contract when LabPreCheck is used in a HIPAA-regulated workflow.

Definitions

These definitions make the Addendum work for both practice and lab customers.

“Customer” means the practice or lab organization that accepts the LabPreCheck Terms of Service.

“Regulated Customer” means a Customer acting as a covered entity, business associate, or subcontractor subject to HIPAA.

“Protected Health Information” or “PHI” has the meaning given under HIPAA and includes electronic PHI where applicable.

“Service Providers” means LabPreCheck subcontractors or downstream providers that support the service and are permitted to handle PHI under written agreements and applicable law.

Permitted Uses And Disclosures

LabPreCheck may use PHI only to run the service and perform legally permitted support functions.

Provide, maintain, secure, support, and improve the LabPreCheck service for the Regulated Customer.

Use PHI for internal management and administration or to carry out legal responsibilities where HIPAA permits.

Disclose PHI only as permitted by this Addendum, the Terms, applicable law, or the Regulated Customer’s instructions.

Safeguards And Subcontractors

LabPreCheck protects PHI through safeguards, access controls, and written downstream obligations.

LabPreCheck will implement and maintain reasonable and appropriate safeguards to protect PHI, including safeguards required by the HIPAA Security Rule for electronic protected health information.

Administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of PHI.

Role-based access controls and workforce limitations tied to service responsibilities.

Written restrictions and equivalent obligations for permitted Service Providers that handle PHI.

Incident And Breach Reporting

LabPreCheck will notify and cooperate when HIPAA-related incidents affect PHI in the service.

Report uses or disclosures of PHI not permitted by this Addendum or by law.

Report security incidents affecting PHI as required by applicable law and contractual duties.

Report breaches of unsecured PHI without unreasonable delay and provide the information reasonably needed for the Regulated Customer’s response obligations.

Customer Rights Support

LabPreCheck will reasonably support HIPAA-related customer requests where the service must assist.

Nothing in this Addendum requires LabPreCheck to disclose information in a manner that would violate law, compromise another customer’s data, or bypass the service’s security controls.

Provide access to PHI within the service where the Regulated Customer needs that support to meet legal obligations.

Support reasonable requests for amendment or correction where the service data needs to be updated.

Support reasonable requests for information needed for an accounting of disclosures where HIPAA requires it.

Make records relating to PHI handling available to the Secretary of Health and Human Services to the extent required by law.

Term And Return Or Destruction

The BAA lasts as long as PHI is handled through the service and continues to protect retained PHI after termination if needed.

This Addendum remains in effect for as long as LabPreCheck handles PHI on behalf of the Regulated Customer.

If the service relationship ends, LabPreCheck will return or destroy PHI when feasible, or continue protecting it if return or destruction is not feasible.

A material HIPAA-related breach that cannot be cured may permit termination as allowed by law and the Terms.

Contact And Manual Exceptions

Use the contact path for negotiated legal review or manual exceptions.

Business Associate Addendum

Incorporation And Scope

Definitions

Permitted Uses And Disclosures

Safeguards And Subcontractors

Incident And Breach Reporting

Customer Rights Support

Term And Return Or Destruction

Contact And Manual Exceptions

Table of Contents

Business Associate Addendum

Incorporation And Scope

Definitions

Permitted Uses And Disclosures

Safeguards And Subcontractors

Incident And Breach Reporting

Customer Rights Support

Term And Return Or Destruction

Contact And Manual Exceptions

Table of Contents