Business Associate Agreement

Template BAA for healthcare organizations deploying M4NG0 OS.

Last updated: March 2026

1. Definitions

“Business Associate” refers to M4NG0 Inc., the entity providing the M4NG0 OS software platform.

“Covered Entity” refers to the healthcare organization deploying M4NG0 OS.

“Protected Health Information (PHI)” refers to individually identifiable health information as defined under HIPAA, including patient names, dates of birth, medical record numbers, diagnoses, treatment records, billing data, and any data linked to a specific patient.

“Electronic PHI (ePHI)” refers to PHI that is created, received, maintained, or transmitted in electronic form within the M4NG0 OS system.

2. Scope of Agreement

This Agreement governs the relationship between the Covered Entity and the Business Associate with respect to the handling of PHI within the M4NG0 OS platform. M4NG0 OS is deployed on-premises on hardware owned and controlled by the Covered Entity. The Business Associate provides the software, updates, and technical support.

3. Obligations of the Business Associate

The Business Associate agrees to:

  • Not use or disclose PHI other than as permitted by this Agreement or as required by law.
  • Implement administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of ePHI.
  • Report any security incident or breach of unsecured PHI to the Covered Entity within 48 hours of discovery.
  • Ensure that any subcontractors who access PHI agree to the same restrictions and conditions.
  • Make available to the Covered Entity any information required to fulfill obligations under the HIPAA Privacy Rule.
  • Maintain audit records of all PHI access within the M4NG0 OS system for a minimum of six (6) years.

4. Data Architecture Commitments

Given the on-premises nature of M4NG0 OS, the Business Associate commits to the following architectural guarantees:

  • Local Storage: All PHI is stored in an encrypted local database on hardware owned by the Covered Entity. No PHI is transmitted to or stored on servers operated by the Business Associate.
  • Encryption: PHI fields are encrypted using AES-256 at rest. All data in transit uses TLS 1.3.
  • Key Management: Encryption keys are generated during initial deployment and held exclusively by the Covered Entity. The Business Associate has no access to encryption keys.
  • Zero Access: The Business Associate cannot access, view, or retrieve patient data from the Covered Entity's deployment — by architecture, not policy.
  • Telemetry: No patient data, usage analytics, or system telemetry is transmitted to the Business Associate unless explicitly enabled by the Covered Entity for support purposes.

5. Obligations of the Covered Entity

The Covered Entity agrees to:

  • Maintain physical and network security of the hardware on which M4NG0 OS is deployed.
  • Manage user accounts, role assignments, and access permissions within the M4NG0 OS system.
  • Notify the Business Associate of any changes to restrictions on the use or disclosure of PHI.
  • Ensure staff are trained on proper use of the system and handling of PHI.

6. Term and Termination

This Agreement remains in effect for the duration of the service relationship. Upon termination:

  • The Covered Entity retains full ownership of all data within the M4NG0 OS deployment.
  • The Business Associate will provide reasonable technical assistance for data export in standard formats (FHIR R4 JSON, CSV).
  • If the Covered Entity requests, the Business Associate will certify in writing that no copies of PHI are retained.

7. Breach Notification

In the event of a breach of unsecured PHI, the Business Associate will notify the Covered Entity within 48 hours. The notification will include: the nature of the breach, the PHI involved, the individuals affected, recommended mitigation steps, and corrective actions taken.

8. Governing Law

This Agreement shall be governed by applicable federal regulations including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, as well as applicable state and local laws governing the protection of health information.

This is a template document. Final agreements are customized based on the specific deployment and requirements of each healthcare organization. Contact sales@m4ng0.com to initiate the agreement process.