Business Associate Agreement
Effective Date: April 1, 2026
Parties
This Business Associate Agreement (“BAA”) is entered into between Rooted Maternal Wellness LLC d/b/a LactaRoute (“Business Associate” or “LactaRoute”), a technology platform operator, and the healthcare provider or practice (“Covered Entity”) that has registered for and uses the LactaRoute platform.
This BAA is incorporated into and made part of the LactaRoute Terms of Service. By activating or continuing to use a LactaRoute account, the Covered Entity agrees to this BAA.
1. Definitions
Terms used but not otherwise defined in this BAA have the meanings assigned to them in HIPAA, including 45 C.F.R. Parts 160 and 164.
- HIPAA means the Health Insurance Portability and Accountability Act of 1996, as amended by HITECH, and implementing regulations.
- Protected Health Information (PHI) has the meaning given in 45 C.F.R. § 160.103.
- Electronic PHI (ePHI) means PHI that is created, received, maintained, or transmitted in electronic form.
- Services means the scheduling, clinical documentation, billing, and practice management features provided by LactaRoute.
2. Obligations of Business Associate
LactaRoute agrees to:
- Not use or disclose PHI except as permitted or required by this BAA or as required by law.
- Use appropriate safeguards, and comply with the HIPAA Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as permitted by this BAA.
- Report to the Covered Entity any use or disclosure of PHI not provided for by this BAA, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, without unreasonable delay and in no case later than 60 calendar days following discovery of a breach.
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of LactaRoute agree to the same restrictions and conditions that apply to LactaRoute.
- Make available PHI in a designated record set to the Covered Entity as necessary to satisfy the Covered Entity's obligations under 45 C.F.R. § 164.524.
- Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with HIPAA.
- Upon termination of this BAA, return or destroy all PHI received from or created on behalf of the Covered Entity, if feasible, or extend the protections of this BAA to any retained PHI.
3. Permitted Uses and Disclosures
LactaRoute may use or disclose PHI:
- To provide the Services described in the Terms of Service, including scheduling, clinical charting, billing, and care coordination features.
- For LactaRoute's proper management and administration, provided that any disclosure to a third party is either required by law or made only after LactaRoute obtains reasonable assurances that the recipient will hold the PHI confidentially, use or further disclose it only as required by law or for the purpose for which it was disclosed, and notify LactaRoute of any instance in which its confidentiality has been breached.
- To provide data aggregation services relating to the health care operations of the Covered Entity.
- To de-identify PHI in accordance with 45 C.F.R. § 164.514, after which the resulting data is no longer PHI and not subject to this BAA.
4. Obligations of Covered Entity
The Covered Entity agrees to:
- Notify LactaRoute of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by.
- Not request that LactaRoute use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.
- Obtain any necessary authorizations from patients before using LactaRoute features that involve disclosures of PHI not otherwise permitted by HIPAA.
- Maintain an accurate and current list of authorized users of the Covered Entity's LactaRoute account.
5. Security Measures
LactaRoute implements and maintains commercially reasonable administrative, physical, and technical safeguards for ePHI, including:
- Encryption of ePHI in transit and at rest using industry-standard protocols and algorithms (TLS 1.2 or later for data in transit; AES-256 for data at rest).
- Role-based access controls limiting PHI access to authorized personnel.
- Regular security assessments and monitoring.
- Encrypted storage of sensitive credentials (API keys, Stripe keys) using AES-256-GCM.
- Hosting on AWS infrastructure that is covered by AWS's SOC 2 Type II attestation reports.
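The AES-256-GCM credential storage listed above, shown as an added illustration that is not LactaRoute's own code: it demonstrates the parts that make the "AES-256-GCM" claim meaningful in practice, a fresh random 96-bit nonce per record stored alongside the ciphertext, the authentication tag that rejects tampering, and additional authenticated data (here a constructed account identifier) that binds each encrypted credential to its owning account so a blob copied between rows fails to decrypt. The key, account identifier and sample API key are constructed for the example; a real deployment would source the key from a KMS or secrets manager, which this example does not assume.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// EncryptSecret seals a credential under a 32-byte key with AES-256-GCM.
// Stored blob layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// aad (for example a tenant or account id) is authenticated but not encrypted,
// so the blob only opens when presented with the same aad it was sealed with.
func EncryptSecret(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a fresh random 96-bit
	// nonce per record is the standard choice for GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, so the nonce
	// travels with the blob and needs no separate column.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptSecret opens a blob produced by EncryptSecret. Any modification of
// the nonce, ciphertext or tag, or a mismatched key or aad, returns an error.
func DecryptSecret(key, blob, aad []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed example key; in production this comes from a KMS (assumption).
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample credential and account id.
	blob, err := EncryptSecret(key, []byte("sk_test_constructed_example"), []byte("account:42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes): %x\n", len(blob), blob)
	if _, err := DecryptSecret(key, blob, []byte("account:43")); err != nil {
		fmt.Println("blob presented under another account id is rejected:", err)
	}
}
```

The account id in the AAD is what distinguishes this from plain encryption: a database-level attacker who can move ciphertext between rows, or replay an old blob, cannot make it decrypt under a different account, and a single flipped byte anywhere in the blob fails the tag check rather than yielding a corrupted but accepted key.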
6. Subcontractors
LactaRoute uses the following subcontractors (“Subprocessors”) that may create, receive, maintain, or transmit ePHI in connection with the Services. Each operates under agreements consistent with the obligations set forth in this BAA:
- Amazon Web Services (AWS) — cloud infrastructure, database hosting, storage, and transcription services. AWS maintains its own HIPAA BAA with LactaRoute.
- Anthropic (Claude) — AI-powered clinical note generation from transcribed text. Anthropic receives transcribed text only; no audio is sent, and the transcribed text is not retained by Anthropic beyond the duration of the API request.
- Stripe — payment processing. Stripe is a validated PCI DSS Level 1 service provider and processes only billing-related data.
LactaRoute will notify the Covered Entity of any material changes to its Subprocessor list by updating this BAA. Continued use of the Service after such update constitutes acceptance.
7. Breach Notification
In the event of a breach of unsecured PHI, LactaRoute will:
- Notify the Covered Entity without unreasonable delay and in no case later than 60 calendar days following discovery of the breach, as required by 45 C.F.R. § 164.410.
- Include in such notification the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the breach, to the extent known.
- Provide any other information reasonably requested by the Covered Entity to enable it to fulfill its own breach notification obligations under 45 C.F.R. § 164.404.
- Cooperate with the Covered Entity in complying with applicable state breach notification laws, including the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:11-44 et seq.).
8. Term and Termination
This BAA is effective as of the Effective Date and remains in effect until the Covered Entity's use of LactaRoute terminates. Either party may terminate this BAA upon 30 days' written notice if the other party has materially breached any provision and failed to cure the breach within that period.
Upon termination, LactaRoute will, within 60 days, either return or destroy all PHI received from or created on behalf of the Covered Entity, to the extent feasible. To the extent return or destruction is not feasible, LactaRoute will extend the protections of this BAA to the PHI and limit further use and disclosure.
9. Limitation of Liability
To the maximum extent permitted by applicable law, LactaRoute's liability under this BAA shall not exceed the amount paid by the Covered Entity to LactaRoute in the twelve (12) months preceding the claim. LactaRoute shall not be liable for any indirect, incidental, special, or consequential damages arising from a breach of this BAA.
10. Governing Law
This BAA shall be governed by the laws of the State of New Jersey, without regard to its conflict of laws provisions, and applicable federal law including HIPAA.
11. Amendment
LactaRoute may amend this BAA to comply with changes in applicable law or regulation, including HIPAA, by providing 30 days' written notice to the Covered Entity. Continued use of LactaRoute after the effective date of any amendment constitutes acceptance of the amended BAA.
12. Contact
Questions regarding this BAA should be directed to: info@rootedmaternalwellness.com