BATWatch™ Legal Statements & Policies

Legal

Provider Network Terms & HIPAA Business Associate Agreement (BAA)

Last updated: February 17th, 2025

1: Purpose & Scope

Purpose:

This Business Associate Agreement (BAA) is between Silver House Healthcare, LLC and its affiliated entities (“Covered Entity,” “Silver House,” “We,” “Our,” “Us”) and You, the participating healthcare provider, clinic, or telehealth organization (“Sub-Business Associate,” “You,” “Your”). By signing this agreement, You agree to comply with all HIPAA, PHI security, and patient data protection regulations while participating in the BATWatch network and working with Silver House.

This agreement also applies to BatWatch, LLC and its Series LLCs (“Business Associate,” “BATWatch”), which provide logistics, operational oversight, test coordination, provider network management, and care coordination support for providers like You.

Scope:

Who This Applies To:

“Covered Entity,” “Silver House,” “We,” “Our,” and “Us” refer to Silver House Healthcare, LLC and all its locally-focused professional corporations that provide clinical oversight, telehealth services, and direct patient care.

“Business Associate” and “BATWatch” refer to BatWatch, LLC and its locally-focused companies, which support operational functions but do not make clinical decisions.

“Sub-Business Associate,” “You,” and “Your” refer to any physician, NP, clinic, telehealth group, or healthcare provider that is part of the BatWatch network and agrees to follow this agreement.

How This Agreement Works:

One agreement covers all Silver House state-based PCs and BatWatch Series LLCs. You don’t need a separate agreement for each state where we operate.

You agree to follow the BATWatch Protocol for lab ordering, patient testing, and care coordination while maintaining clinical independence for medical decisions.

This BAA ensures HIPAA compliance for all parties, allowing BATWatch and Silver House to provide necessary operational and referral support to You.

By entering into this Agreement, You gain access to:

The BATWatch Provider Network & Referral System – Join the only provider network pioneering proactive cognitive health and working to end Alzheimer’s before it begins. As a BATWatch provider, You gain access to new patient referrals at no cost, allowing You to expand Your practice effortlessly.

A Centralized Process for Lab Ordering, Review, and Interpretation – We handle logistics, ensuring a seamless process from testing to results, so You can focus on patient care without added complexity.

Streamlined Compliance & Operational Support – A simplified, collaborative relationship that eliminates administrative headaches while maintaining full regulatory compliance.

Test & Treatment Agnostic: Always Best in Class – We live and breathe cognitive health so You don’t have to. BATWatch continuously evaluates new tests and treatments, ensuring only best-in-class, evidence-based solutions are used. We remain test-agnostic and treatment-agnostic, meaning We only recommend what is most effective, accurate, and covered by insurance as the field evolves. This ensures Your patients always receive the most up-to-date and clinically validated options—without You needing to stay on top of the latest advancements or worry about insurance coverage and medically necessary justification protocols.

Integrated Treatment Coordination – If a patient’s results are negative, they simply continue annual monitoring with an easy, recurring testing process. If results are positive, our streamlined solution ensures patients receive the right next steps—without placing additional burdens on You as a provider. BATWatch takes care of treatment oversight, providing a structured, evidence-based protocol while keeping You informed.

The Future of Medicine, Today – Partner with the only team driving a proactive approach to cognitive health—changing the future for millions while shaping the next era of patient care. Your patients gain access to a game-changing solution in Alzheimer’s prevention, giving them a chance to act before it’s too late.

New Revenue Potential Without Additional Workload – You continue to provide the best care possible while BATWatch facilitates the process, ensuring Your patients are supported and that You benefit from a seamless integration of cognitive health into Your practice. 

What This Agreement Covers:

HIPAA & PHI protection for all shared patient data.

Guidelines for lab review, referral handling, and patient education.

Ensuring best practices in cognitive health screening and treatment protocols.

2: Definitions

2.1. Protected Health Information (PHI)

PHI refers to any individually identifiable health information (oral, written, or electronic) that relates to a patient’s past, present, or future physical or mental health condition, healthcare services received, or payment for healthcare.

  • This includes test results, patient charts, diagnoses, treatment plans, billing information, and communications regarding patient care.
  • PHI excludes de-identified information that cannot reasonably identify an individual.

2.2. Electronic Protected Health Information (ePHI)

A subset of PHI that is created, stored, processed, or transmitted electronically. This includes:

  • Digital medical records, lab results, and treatment data.
  • Secure messaging, encrypted emails, or other electronic exchanges of PHI between providers.

2.3. Covered Entity

Silver House and its locally-focused professional corporations that provide clinical oversight, telehealth services, and direct patient care.

  • Covered Entities are responsible for ensuring compliance with HIPAA and directing clinical operations.

2.4. Business Associate

BATWatch and its locally-focused companies, which support operational functions such as:

  • Logistics, care coordination, and provider network management.
  • Lab ordering, test interpretation, and patient education.
  • Administrative support for referral management and compliance.
  • Business Associates do not provide direct medical care or make clinical decisions.

2.5. Sub-Business Associate (“You”)

Any physician, NP, clinic, telehealth group, or healthcare provider that is part of the BATWatch network and receives referrals, lab orders, or testing coordination through this agreement.

  • By signing this BAA, You agree to uphold PHI security, HIPAA compliance, and protocol adherence while maintaining full clinical autonomy.

2.6. Minimum Necessary Standard

The HIPAA principle that only the minimum amount of PHI necessary should be accessed, used, or disclosed for a specific purpose.

  • Example: A provider reviewing lab results should only access the relevant test data needed to evaluate cognitive risk factors.
  • All BATWatch network providers must adhere to this standard when handling PHI.

2.7. Permitted Uses & Disclosures

Under HIPAA, You may only use or disclose PHI for the following purposes:

  • Treatment – Reviewing lab results, consulting with patients, making treatment recommendations.
  • Payment – Submitting insurance claims or processing billing related to cognitive health screening services.
  • Healthcare Operations – Data review for quality control, compliance audits, and referral management.
  • Legal & Regulatory Compliance – Required disclosures to comply with state or federal laws.

Any unauthorized use, sale, or disclosure of PHI beyond these permitted purposes is strictly prohibited.

2.8. De-Identified Data

PHI that has been stripped of all identifiable information and can no longer be linked to an individual.

  • We may use de-identified data for research, analytics, and quality improvement while ensuring it remains HIPAA-compliant.

2.9. Security Safeguards

All parties agree to implement administrative, physical, and technical safeguards to protect PHI and ePHI, including:

  • Encryption for all electronic patient data.
  • Secure storage and transmission protocols for lab results and records.
  • Access controls to prevent unauthorized PHI exposure.
  • Employee training on HIPAA and data protection requirements.

2.10. Data Breach & Notification Requirements

If You discover a potential or actual data breach involving PHI:

  • You must notify Us within 24 hours of discovery.
  • A full investigation will be conducted to assess risk and compliance impact.
  • Affected patients and regulatory agencies will be notified as required by law.

Failure to report breaches may result in termination of this agreement and legal penalties.

3: Responsibilities & Compliance

This section outlines the specific responsibilities of each party under this agreement, ensuring compliance with HIPAA regulations and best practices for PHI security.

3.1. Responsibilities of Silver House

Silver House and its locally-focused professional corporations are responsible for:

  • Ensuring that all PHI shared with BATWatch and network providers is done in compliance with HIPAA regulations.
  • Maintaining direct patient care responsibilities, including clinical oversight and medical decision-making.
  • Overseeing treatment protocols and ensuring network providers adhere to evidence-based best practices.
  • Ensuring that BATWatch and its network providers only access and use PHI as necessary for authorized healthcare purposes.
  • Monitoring compliance with this agreement and taking corrective action if any violations occur.

3.2. Responsibilities of BATWatch

BATWatch and its locally-focused companies serve as the operational and logistical support system but do not provide direct medical care. BATWatch agrees to:

  • Facilitate lab ordering, results interpretation, and referral coordination for network providers.
  • Ensure all PHI remains protected through administrative, physical, and technical safeguards.
  • Limit PHI access to only what is necessary to perform services as outlined in this agreement.
  • Implement and enforce HIPAA-compliant security measures, including encryption, secure data storage, and restricted access to PHI.
  • Report any unauthorized use or disclosure of PHI immediately and take corrective action to mitigate risks.
  • Ensure that all Sub-Business Associates are aware of and comply with their responsibilities under this agreement.

3.3. Your Responsibilities

All Sub-Business Associates, including physicians, NPs, clinics, telehealth groups, and other healthcare providers in the BATWatch network, agree to:

  • Adhere to all HIPAA regulations regarding PHI access, use, and disclosure.
  • Follow BATWatch protocols for ordering and reviewing lab tests and implementing best practice recommendations for patient care.
  • Maintain clinical independence while ensuring that medical decisions are informed by the BATWatch Protocol, unless medically necessary to deviate from it.
  • Securely store and transmit PHI in compliance with HIPAA and Our security policies.
  • Report any unauthorized PHI disclosures or security breaches within 24 hours of discovery.
  • Ensure that any staff or employees with access to PHI are properly trained on HIPAA compliance.
  • Cooperate with Us in the event of an audit, compliance review, or investigation.

3.4. Permitted Uses and Disclosures of PHI

Sub-Business Associates may only use or disclose PHI as necessary for:

  • Treatment, including lab result review, patient evaluation, and medical decision-making.
  • Payment, including submitting insurance claims or processing billing for services related to cognitive health screenings.
  • Healthcare operations, such as internal compliance audits and quality control processes.
  • Legal and regulatory requirements, such as reporting to government agencies when required by law.

Any use or disclosure of PHI outside of these permitted purposes requires explicit written authorization from the patient or must fall under an approved HIPAA exemption.

3.5. Prohibited Uses of PHI

Under this agreement, PHI may not be:

  • Used for marketing, sales, or advertising without prior patient authorization.
  • Sold, transferred, or exchanged for financial gain.
  • Disclosed to unauthorized third parties, including non-affiliated providers or organizations.
  • Accessed for personal reasons or used for non-healthcare-related purposes.

Any violation of these prohibitions may result in immediate termination of the agreement and legal consequences.

3.6. Security and Safeguards

All parties must implement the following security measures to protect PHI and ePHI:

  • Access Controls: Limit access to PHI based on role and necessity.
  • Encryption: Ensure all PHI is encrypted during transmission and storage.
  • Secure Storage: Maintain PHI in locked or restricted-access areas for physical records and in HIPAA-compliant digital storage for electronic records.
  • Audit Logs: Maintain logs of PHI access and review them periodically to detect unauthorized use.
  • Workforce Training: Provide regular HIPAA training to all employees handling PHI.

3.7. Breach Notification and Response

If a Sub-Business Associate experiences a breach of PHI, the following steps must be taken:

  • Immediate Notification: The breach must be reported to Us within 24 hours.
  • Investigation and Containment: BATWatch and the reporting party will conduct an investigation to assess the scope and impact of the breach.
  • Regulatory Reporting: If required by law, affected individuals and regulatory agencies will be notified in accordance with HIPAA guidelines.
  • Corrective Action: Measures will be taken to prevent future breaches, including additional training, policy updates, or technical safeguards.

Failure to report a known or suspected breach may result in legal liability and termination from the BatWatch network.

3.8. Compliance Audits and Monitoring

To ensure continued compliance:

  • BATWatch reserves the right to conduct periodic audits of Sub-Business Associates’ handling of PHI.
  • Sub-Business Associates agree to provide necessary documentation and cooperation during compliance reviews.
  • Non-compliance findings must be addressed through corrective actions within an agreed timeframe.

4: Term and Termination

This section outlines the duration of this agreement, the conditions under which it may be terminated, and the required actions upon termination to ensure compliance with HIPAA regulations.

4.1. Term of the Agreement

This agreement becomes effective on the date You sign or electronically agree to the terms and remains in effect until:

  • Either party terminates the agreement in accordance with the termination provisions outlined below.
  • You cease participation in the BATWatch
  • BATWatch ceases operations or restructures in a way that renders this agreement unnecessary.

Unless terminated, this agreement automatically renews on an annual basis to maintain continuity of compliance.

4.2. Voluntary Termination by Either Party

Any party may terminate this agreement at any time with 30 days’ written notice for any reason, provided that:

  • All outstanding obligations related to PHI security and compliance have been met.
  • Any ongoing services for referred patients are properly transitioned.
  • PHI and all related documentation are handled in accordance with HIPAA requirements.

4.3. Immediate Termination for Cause

BATWatch may terminate this agreement immediately if:

  • You violate HIPAA regulations or this agreement in a manner that compromises patient privacy.
  • There is fraudulent activity or misrepresentation by You.
  • You fail to implement corrective actions within 15 days of receiving a written notice of non-compliance.
  • There is a data breach or unauthorized disclosure of PHI due to negligence or intentional misconduct.

If terminated for cause, You must immediately cease using or accessing BATWatch resources, referrals, and PHI.

4.4. Required Actions Upon Termination

Upon termination of this agreement, the Sub-Business Associate agrees to:

  • Cease all access to PHI received through BATWatch.
  • Securely return or destroy any PHI in their possession in compliance with HIPAA’s Privacy Rule, unless legally required to retain it.
  • Certify destruction of PHI, if applicable, in writing upon request.
  • Discontinue use of BATWatch branding, network referrals, and patient outreach tools provided under this agreement.
  • Cooperate with BatWatch to transition any ongoing patient services to another approved provider, ensuring continuity of care.

4.6. Effect on Existing Patient Care & Referrals

  • If a patient was referred to the Sub-Business Associate prior to termination, the Sub-Business Associate must continue providing care until the patient is either discharged or transferred to another provider.
  • Any outstanding insurance claims or billing related to services provided under this agreement must be processed in accordance with applicable payer policies.

5: Reporting & Breach Notification

This section outlines the obligations of BATWatch and Sub-Business Associates regarding security incidents, breaches, and reporting requirements under HIPAA.

5.1. Breach Notification Obligations

If BATWatch, or any Sub-Business Associate, discovers a potential unauthorized disclosure, breach, or security incident involving PHI, they must:

  • Report the incident to BATWatch’s Compliance Team within 3 business days of discovery.
  • Provide details of the breach, including:
    • Date of discovery and date of occurrence (if known).
    • Types of PHI involved (e.g., names, medical data, insurance details).
    • Scope of the breach (e.g., number of affected individuals).
    • Actions taken to mitigate risk and prevent future occurrences.

BATWatch will then evaluate and determine whether the incident qualifies as a HIPAA-defined breach requiring notification to affected individuals and regulatory agencies.

5.2. Investigation & Mitigation

  • The responsible party (either BATWatch or the Sub-Business Associate) must conduct an internal investigation into the breach.
  • If a breach is confirmed, appropriate corrective actions must be implemented, including:
    • Revoking unauthorized access to PHI.
    • Strengthening security measures to prevent recurrence.
    • Training staff on compliance gaps, if necessary.

Failure to fully cooperate with an investigation or mitigation plan may result in termination of the agreement.

5.3. Patient & Regulatory Notification Requirements

If a breach is confirmed and involves 500 or more individuals, BATWatch will:

  • Notify affected patients within 60 days of discovery, as required by HIPAA.
  • Report the breach to the U.S. Department of Health and Human Services (HHS) and, if required, to media outlets.

For breaches affecting fewer than 500 individuals, BATWatch will:

  • Notify affected patients within 60 days of discovery.
  • Report the breach annually to HHS as required by law.

Sub-Business Associates must cooperate fully with BATWatch in issuing required notifications.

5.4. Security Incident Reporting

A security incident that does not result in PHI exposure must still be reported to BATWatch within 5 business days if it involves:

  • Attempted unauthorized access (e.g., phishing attempts, unauthorized logins).
  • System vulnerabilities affecting PHI storage or transmission.
  • Suspicious activity suggesting a data breach may occur.

While not all security incidents are breaches, proactive reporting is required to maintain compliance.

5.5. Responsibilities for Sub-Business Associates

Sub-Business Associates must:

  • Implement HIPAA-compliant safeguards to prevent breaches.
  • Have a HIPAA compliance officer or team to oversee security practices.
  • Maintain written policies on breach detection, reporting, and mitigation.

Failure to adhere to breach reporting obligations may result in:

  • Legal liability for regulatory penalties.
  • Loss of access to BATWatch resources and referrals.
  • Termination of this agreement.

6: Subcontractor & Third-Party Requirements

This section outlines the obligations of subcontractors and third parties who may handle PHI on behalf of BATWatch, Silver House, or any Sub-Business Associate.

6.1. Requirement for Compliance with HIPAA

Any subcontractor or third-party service provider engaged by BATWatch or Sub-Business Associates that has access to, transmits, stores, or processes PHI must:

  • Comply with HIPAA and all applicable privacy and security regulations.
  • Enter into a Business Associate Agreement (BAA) before handling any PHI.
  • Implement appropriate safeguards to prevent unauthorized access, use, or disclosure of PHI.

Failure to comply with these requirements may result in termination of agreements and potential legal liability.

6.2. Written Agreements with Subcontractors

All Sub-Business Associates and BATWatch must ensure that subcontractors handling PHI sign a HIPAA-compliant BAA that includes:

  • Permitted uses and disclosures of PHI aligned with the scope of work.
  • Obligations to safeguard PHI, including encryption, secure storage, and restricted access.
  • Breach reporting requirements consistent with Section 5.
  • Termination provisions for non-compliance.

A subcontractor cannot use or disclose PHI beyond what is allowed in their agreement with BATWatch or the Sub-Business Associate.

6.3. Responsibilities of Sub-Business Associates When Using Third Parties

If a Sub-Business Associate hires a third-party vendor (e.g., telehealth platforms, EHR providers, data storage services) that will handle PHI, they must:

  • Vet the vendor’s security policies to ensure HIPAA compliance.
  • Maintain documentation of the vendor’s compliance policies for audits.
  • Monitor subcontractor activities to prevent unauthorized use of PHI.
  • Immediately report any security concerns or breaches related to subcontractors to BATWatch.

If a subcontractor is found violating HIPAA, the Sub-Business Associate must terminate their access to PHI immediately.

6.4. Security Standards for Subcontractors

To minimize risk, any subcontractor handling PHI must follow these security requirements:

  • Encryption of PHI during storage and transmission.
  • Access controls to limit PHI access only to authorized personnel.
  • Regular security audits to ensure ongoing compliance.
  • Incident response plans for handling potential breaches.

Failure to meet these security standards may result in suspension or termination of access to BATWatch services.

6.5. Liability for Subcontractors

BATWatch and Sub-Business Associates are responsible for ensuring their subcontractors comply with HIPAA.

  • If a subcontractor causes a breach, the Sub-Business Associate remains liable for any penalties or legal consequences.
  • Subcontractors must indemnify BATWatch and Sub-Business Associates for any violations that result in financial or reputational harm.
  • BATWatch reserves the right to audit subcontractors for compliance verification.

6.6. Exceptions for Non-PHI Vendors

Vendors who do not handle PHI (e.g., marketing firms, administrative support) are not required to sign a BAA.

  • However, they must not be granted access to PHI in any form.
  • If they inadvertently receive PHI, they must report it and delete it immediately.

7: Liability & Indemnification

This section ensures both parties understand their responsibilities in case of HIPAA violations and outlines protections for both sides.

7.1. Liability of BATWatch

  • BATWatch shall be responsible for complying with all applicable HIPAA regulations and security protocols when handling PHI.
  • BATWatch shall not be liable for any misuse or improper disclosure of PHI by the Covered Entity or any other third party outside of its control.

7.2. Liability of Covered Entity (PCPs & Clinics)

  • The Covered Entity shall remain responsible for ensuring PHI shared with BATWatch is authorized and complies with HIPAA regulations.
  • The Covered Entity acknowledges that BATWatch is not assuming the role of a medical provider and is only performing operational and administrative functions.

7.3. Mutual Indemnification

  • Each party agrees to indemnify, defend, and hold harmless the other from any claims, liabilities, damages, or expenses arising out of:
    • Violations of HIPAA or other data privacy laws caused by their own negligence.
    • Unauthorized disclosures of PHI caused by their own breach of security protocols.
  • Indemnification shall not apply to breaches caused by third parties beyond the control of either party.

7.4. Limitation of Liability

  • Neither party shall be liable for incidental, consequential, or punitive damages resulting from unintentional HIPAA violations, except in cases of gross negligence or willful misconduct.
  • BATWatch’s total liability under this agreement shall not exceed the amount of fees paid to BATWatch in the previous 12 months (or another agreed-upon limitation).

8: Miscellaneous Provisions

8.1. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the state in which Silver House is located, except to the extent preempted by federal law, including HIPAA and related regulations.

8.2. Amendments & Modifications

BATWatch and Silver House reserve the right to modify or amend this Agreement as necessary to comply with changes in applicable laws, regulations, or best practices. Any material changes will be communicated in writing at least 30 days before implementation, unless an immediate change is required by law.

8.3. Dispute Resolution

In the event of a dispute arising under this Agreement, the parties agree to engage in good faith negotiations to resolve the matter. If a resolution cannot be reached within 30 days, the dispute shall be submitted to mediation before either party pursues litigation.

8.4. No Third-Party Beneficiaries

This Agreement is for the benefit of Silver House and BATWatch only and does not create rights for any third parties, including patients or other healthcare entities.

8.5. Assignment

Neither party may assign its rights or obligations under this Agreement without prior written consent from the other party, except in the event of a merger, acquisition, or corporate restructuring.

8.6. Entire Agreement

This Agreement, along with any referenced policies and procedures, constitutes the entire agreement between the parties regarding the subject matter herein and supersedes all prior agreements, understandings, or representations, whether written or oral.

8.7. Severability

If any provision of this Agreement is found to be invalid or unenforceable, the remainder of the Agreement shall remain in full force and effect, and the invalid provision shall be replaced with a valid provision that most closely aligns with the original intent.

8.8. Survival

The provisions regarding PHI security, confidentiality, indemnification, and dispute resolution shall survive the termination or expiration of this Agreement.

8.9. Notices

All notices, requests, and other communications required or permitted under this Agreement shall be sent electronically or in writing to the designated contacts for each party. Notices shall be deemed effective upon receipt.

Electronic Signature & Acceptance

By electronically signing or clicking “I Agree” to this Business Associate Agreement, the undersigned provider (“Sub-Business Associate”) acknowledges and agrees that:

  1. Legally Binding Agreement – This electronic acceptance constitutes a legally binding contract under the Electronic Signatures in Global and National Commerce Act (E-SIGN Act), the Uniform Electronic Transactions Act (UETA), and applicable state laws.
  2. Consent to Electronic Delivery – The Sub-Business Associate agrees to receive, review, and execute this agreement electronically, and waives any requirement for a physical signature unless expressly required by law.
  3. Audit Trail & Verification – The Sub-Business Associate acknowledges that electronic records of acceptance, including time-stamped logs, IP addresses, and email confirmations, shall serve as official proof of execution and shall be admissible in legal proceedings.
  4. Effect of Signature – By signing electronically, the Sub-Business Associate agrees to comply with the terms of this agreement in full, including all HIPAA, PHI security, and compliance obligations, as outlined in this document.
  5. Retention & Access – A copy of the electronically signed agreement will be provided to the Sub-Business Associate and maintained in the records of BATWatch for compliance purposes. The Sub-Business Associate may request a copy at any time.