BUSINESS ASSOCIATE AGREEMENT
Last Updated: May 13, 2026
Introduction
This Business Associate Agreement (the “BAA”) is incorporated into the Spendly Terms of Service (the “Terms”) by reference and is attached as Exhibit A thereto. This BAA governs the handling of Protected Health Information (“PHI”) by Spendly, Inc., a Delaware corporation (“Spendly” or “Business Associate”), on behalf of customers that are HIPAA Covered Entities or Business Associates of Covered Entities (each, a “Customer,” “you,” or “Covered Entity”).
By accepting the Terms and using the Spendly platform, services, and any related applications (collectively, the “Services”), Customer acknowledges and accepts this BAA. The Effective Date of this BAA is the date on which Customer accepts the Terms.
This BAA supplements, and is part of, the agreement between Spendly and Customer governing the Services (including the Bill Intelligence Agreement or applicable order form, the “Underlying Agreement”). In the event of any conflict between this BAA and the Underlying Agreement or the Terms with respect to PHI, this BAA controls.
Customers who require a separately executed Business Associate Agreement (such as those whose procurement processes require a wet signature) may request a standalone BAA by contacting Spendly at spendly@getspendly.com. The substantive terms of the standalone BAA are identical to this web-posted version.
Recitals
WHEREAS, Customer is a Covered Entity (or a Business Associate of a Covered Entity) as defined under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, “HIPAA”);
WHEREAS, Spendly provides Bill Intelligence services to Customer, including AI-driven analysis of dental laboratory invoices, statements, and related billing documents to identify overcharges, miscoded items, and billing discrepancies (the “Services”), pursuant to the Underlying Agreement;
WHEREAS, in performing the Services, Spendly may receive, create, maintain, or transmit Protected Health Information (“PHI”) on behalf of Customer;
WHEREAS, the Parties enter into this BAA to comply with the requirements of HIPAA, including 45 C.F.R. § 164.504(e);
NOW, THEREFORE, in consideration of the mutual promises contained herein, the Parties agree as follows:
1. Definitions
Capitalized terms used but not otherwise defined in this BAA shall have the meanings ascribed to them in HIPAA. Without limiting the foregoing, the following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
1.1 “Business Associate” shall have the meaning given at 45 C.F.R. § 160.103, and in reference to the party to this BAA, shall mean Spendly, Inc.
1.2 “Covered Entity” shall have the meaning given at 45 C.F.R. § 160.103, and in reference to the party to this BAA, shall mean Customer.
1.3 “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
1.4 “PHI” means Protected Health Information that Spendly creates, receives, maintains, or transmits on behalf of Customer.
1.5 Breach Determination. A “Breach” shall not include any acquisition, access, use, or disclosure of PHI that Spendly has determined, in accordance with the four-factor risk assessment set forth in 45 C.F.R. § 164.402, presents a low probability that PHI has been compromised.
2. Permitted Uses and Disclosures of PHI
2.1 Services. Spendly may use and disclose PHI only as necessary to perform the Services described in the Underlying Agreement, or as Required by Law. Specifically, Spendly may use PHI contained in lab invoices, statements, and related billing documentation submitted by Customer to identify billing errors, overcharges, miscoded line items, and other discrepancies, and to provide reports and recommendations to Customer.
2.2 Management and Administration. Spendly may use PHI for the proper management and administration of Spendly or to carry out its legal responsibilities. Spendly may disclose PHI for such purposes provided that the disclosure is Required by Law, or Spendly obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient notifies Spendly of any instance of which it becomes aware in which the confidentiality of the PHI has been breached.
2.3 Data Aggregation. Spendly may use PHI to provide Data Aggregation services relating to the health care operations of Customer as permitted under 45 C.F.R. § 164.504(e)(2)(i)(B).
2.4 De-Identification. Spendly may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c). Provided that Spendly implements appropriate de-identification criteria in accordance with the Standards for Privacy of Individually Identifiable Health Information set forth in 45 C.F.R. § 164.514(b), Customer acknowledges and agrees that de-identified information is not PHI and that Spendly may use such de-identified information for any lawful purpose, including benchmarking, research, trend analysis, product improvement, and to train Spendly’s artificial intelligence and machine learning algorithms and other internal uses to improve Spendly’s products and services.
2.5 Minimum Necessary. Spendly shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.502(b).
2.6 Prohibited Uses. Spendly shall not use or disclose PHI in any manner that would violate HIPAA if done by Customer, except as expressly permitted by Sections 2.2, 2.3, and 2.7. Spendly shall not sell PHI or use or disclose PHI for marketing purposes except as permitted by HIPAA and only with Customer’s prior written authorization.
2.7 Artificial Intelligence. Spendly may use PHI within internal and external artificial intelligence (“AI”) systems and models to perform the Services, in accordance with and only to the extent permitted by the HIPAA Rules. Where Spendly engages third-party AI service providers in connection with the Services, Spendly shall ensure such providers are bound by written agreements meeting the requirements of Section 3.4 (Subcontractors). Spendly may use de-identified information (de-identified in accordance with Section 2.4) for any lawful purpose, including in AI models or systems Spendly develops or utilizes.
3. Obligations of Spendly
3.1 Safeguards. Spendly shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including ePHI, as required by 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316. Access to Spendly’s systems and PHI will be controlled via user IDs and passwords. Spendly is not responsible for any unauthorized use or disclosure of a user ID or password, or for any breach of this BAA arising as a result of any such unauthorized use or disclosure by Customer.
3.2 Reporting of Unauthorized Use or Disclosure. Spendly shall report to Customer any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Security Incident, without unreasonable delay and in no case later than sixty (60) calendar days after discovery, as required by 45 C.F.R. §§ 164.400–414. The Parties acknowledge that unsuccessful Security Incidents (such as routine pings, port scans, and unsuccessful login attempts that do not result in unauthorized access) occur frequently and need not be reported individually; this Section 3.2 shall constitute notice of such unsuccessful incidents.
3.3 Breach Notification. Following discovery of a Breach of Unsecured PHI, Spendly shall notify Customer in writing without unreasonable delay and in no case later than sixty (60) calendar days after discovery. The notification shall include the information required under 45 C.F.R. § 164.404(c) to the extent known and available, including:
(a) the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
(b) a description of what happened, including the date of the Breach and the date of discovery;
(c) a description of the types of Unsecured PHI involved;
(d) a description of what Spendly is doing to investigate the Breach, mitigate harm, and prevent recurrence; and
(e) any other information reasonably requested by Customer to enable Customer to comply with its notification obligations under 45 C.F.R. §§ 164.404 and 164.406.
Customer shall be responsible for taking all further actions, including notification of affected individuals, the Secretary, and the media, at its sole cost.
3.4 Subcontractors. As timely as reasonably possible, and in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Spendly shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Spendly agrees in writing to substantially the same restrictions, conditions, and requirements that apply to Spendly under this BAA. Spendly’s Subcontractors that may handle PHI include, without limitation, cloud infrastructure providers and artificial intelligence service providers used in connection with the Services.
3.5 Designated Record Set. Customer acknowledges and agrees that Customer is solely responsible for PHI maintained by Customer in its own systems and records, and that the lab invoice and billing data submitted to Spendly does not constitute a Designated Record Set in the possession of Spendly. Spendly will cooperate in good faith with Customer to make PHI available so Customer can fulfill its obligations with respect to Individuals’ rights of access and amendment, while recognizing that Spendly’s obligations under Sections 3.6 and 3.7 are limited as described in this Section 3.5.
3.6 Access to PHI. To the extent Spendly maintains PHI in a Designated Record Set, within fifteen (15) business days of a written request by Customer, Spendly shall make such PHI available as necessary to enable Customer to comply with 45 C.F.R. § 164.524.
3.7 Amendment of PHI. To the extent Spendly maintains PHI in a Designated Record Set, within thirty (30) business days of a written request by Customer, Spendly shall make any amendment to such PHI as directed by Customer pursuant to 45 C.F.R. § 164.526.
3.8 Accounting of Disclosures. Spendly shall document and, within thirty (30) business days of a written request by Customer, provide an accounting of disclosures of PHI sufficient to permit Customer to respond to a request under 45 C.F.R. § 164.528. Spendly shall maintain documentation of such disclosures for a period of at least six (6) years following the date of termination of this BAA.
3.9 Access by the Secretary. Spendly shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Customer’s compliance with HIPAA.
3.10 Mitigation. Spendly shall mitigate, to the extent practicable, any harmful effect known to Spendly of a use or disclosure of PHI by Spendly in violation of this BAA.
3.11 Compliance with Subpart E. To the extent Spendly is to carry out one or more of Customer’s obligations under Subpart E of 45 C.F.R. Part 164, Spendly shall comply with the requirements of Subpart E that apply to Customer in the performance of such obligations.
4. Obligations of Customer
4.1 Notice of Privacy Practices. Customer shall notify Spendly of any limitations in its Notice of Privacy Practices under 45 C.F.R. § 164.520 to the extent such limitations may affect Spendly’s use or disclosure of PHI.
4.2 Changes in Permission. Customer shall notify Spendly of any changes in, or revocation of, an individual’s permission to use or disclose PHI to the extent such changes may affect Spendly’s use or disclosure of PHI.
4.3 Restrictions. Customer shall notify Spendly of any restriction on the use or disclosure of PHI that Customer has agreed to under 45 C.F.R. § 164.522 to the extent such restriction may affect Spendly’s use or disclosure of PHI.
4.4 Permissible Requests. Customer shall not request that Spendly use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer, except as expressly permitted under Sections 2.2, 2.3, and 2.7.
4.5 Authorizations and Patient Requests. Customer is solely responsible for obtaining all authorizations from its patients required under HIPAA to enable Spendly to perform the Services. Customer represents and warrants that it has obtained the necessary authorizations prior to disclosing any PHI to Spendly. If Spendly receives any patient request for access to, amendment of, or accounting of disclosures relating to PHI, Spendly shall forward such request in writing to Customer within five (5) business days of receipt, and Customer shall be solely responsible for responding to such requests.
4.6 Submission of PHI. Customer shall ensure that any lab invoices, statements, or related documents submitted to Spendly contain only the minimum PHI necessary for Spendly to perform the Services. Customer is encouraged to redact or omit patient identifiers where feasible without impairing the Services.
4.7 Notification of Breach. Customer shall promptly notify Spendly of any Breach of HIPAA obligations that may affect Spendly’s use or disclosure of PHI.
5. Term and Termination
5.1 Term. This BAA shall be effective as of the date Customer accepts the Terms and shall remain in effect until terminated as set forth in this Section 5 or until the Underlying Agreement terminates, whichever is later.
5.2 Termination for Cause. Either Party may terminate this BAA and the Underlying Agreement upon written notice to the other Party if the other Party has materially breached this BAA and has failed to cure such breach within thirty (30) calendar days after receiving written notice of the breach. If cure is not feasible, the non-breaching Party may terminate immediately and shall have the right to report the violation to the Secretary.
5.3 Termination for Regulatory Change. Either Party may terminate this BAA upon thirty (30) days’ prior written notice if the HIPAA Rules are amended, or Customer agrees to or becomes subject to restrictions on the use or disclosure of PHI, such that Spendly determines, in its reasonable discretion, that performance of this BAA may cause Spendly to incur unanticipated material costs to comply or face adverse regulatory action.
5.4 Obligations of Spendly Upon Termination. Upon termination of this BAA for any reason, Spendly, with respect to PHI received from Customer, or created, maintained, or received by Spendly on behalf of Customer, shall:
(a) retain only that PHI which is necessary for Spendly to continue its proper management and administration or to carry out its legal responsibilities;
(b) return to Customer or, if agreed to by Customer, destroy the remaining PHI that Spendly still maintains in any form;
(c) continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Spendly retains the PHI;
(d) not use or disclose the PHI retained by Spendly other than for the purposes for which such PHI was retained and subject to the same conditions set out in Section 2.2 above which apply prior to termination; and
(e) return to Customer or, if agreed to by Customer, destroy the PHI retained by Spendly when it is no longer needed by Spendly for its proper management and administration or to carry out its legal responsibilities.
5.5 Survival. The obligations of Spendly under this Section 5, and Sections 3.8 and 6, shall survive the termination of this BAA and the Underlying Agreement.
6. Limitation of Liability
EXCEPT IN INSTANCES WHERE CUSTOMER VIOLATES ITS OBLIGATIONS UNDER SECTION 4 OF THIS BAA OR ITS CONFIDENTIALITY OBLIGATIONS UNDER THE UNDERLYING AGREEMENT, IN WHICH CASE ITS LIABILITY TO SPENDLY SHALL NOT BE LIMITED, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, COVER, PUNITIVE OR OTHER DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY EITHER PARTY OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT OR OTHER, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF THE ESSENTIAL PURPOSE OF THIS BAA OR ANY LIMITED REMEDY HEREUNDER. SPENDLY’S MAXIMUM LIABILITY TO CUSTOMER UNDER THIS BAA SHALL IN NO EVENT EXCEED THE AMOUNT OF FEES PAID BY CUSTOMER DURING THE MOST RECENT SIX (6) MONTH PERIOD BEFORE THE EVENT GIVING RISE TO THE CLAIM.
The provisions of this BAA allocate the risks between Spendly and Customer. The Parties agree that Spendly’s pricing and other terms and conditions of the Underlying Agreement and this BAA reflect the allocation of risk and the limitation of liability specified herein.
7. Miscellaneous
7.1 Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
7.2 Modifications. Spendly may modify this BAA from time to time by posting an updated version at getspendly.com/baa and providing notice to Customer by email or through the Spendly platform. Continued use of the Services following such notice constitutes Customer’s acceptance of the modified BAA. Spendly will not reduce Customer’s rights under this BAA in a manner that would cause Spendly to fall below HIPAA’s minimum requirements for Business Associates.
7.3 Interpretation. Any ambiguity in this BAA shall be resolved to permit the Parties to comply with HIPAA. In the event of any inconsistency between this BAA and the Underlying Agreement or the Terms, this BAA shall control with respect to PHI.
7.4 Relationship of the Parties. Customer and Spendly agree that Spendly’s services hereunder are being carried out as an independent contractor and not as an employee or agent of Customer.
7.5 No Third-Party Beneficiaries. There are no third-party beneficiaries to this BAA.
7.6 Notices. Notices to Spendly under this BAA shall be sent to spendly@getspendly.com or to such other address as Spendly may designate by posting on the Spendly platform. Notices to Customer shall be sent to the email address associated with Customer’s Spendly account or to such other address as Customer may designate in writing.
7.7 Governing Law. This BAA shall be governed by and construed in accordance with the laws of the State of North Carolina, without regard to its conflict of laws principles, except to the extent preempted by federal law.
7.8 Cooperation in Investigations. The Parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities. Each Party shall cooperate in good faith with the other Party in connection with any such request, investigation, complaint, action, or other inquiry.
7.9 Standalone Execution. Customers who require a separately executed Business Associate Agreement may request a standalone signed version by contacting Spendly. The substantive terms of the standalone BAA are identical to this web-posted version. If a standalone BAA is executed between the Parties, the standalone BAA controls and this web-posted BAA does not apply to such Customer.
How to Accept This BAA
There are two ways Customer may accept this BAA:
1. Click-through acceptance via the Terms (default). By accepting the Spendly Terms of Service and using the Services, Customer accepts this BAA as part of the Terms. No separate signature is required. This is the default method of acceptance for the vast majority of Customers.
2. Separately executed BAA. Customers whose procurement processes require a wet signature on the BAA may request a separately executed version by contacting Spendly at spendly@getspendly.com. The substantive terms are identical to this web-posted version.
Contact
For questions about this BAA, please contact Spendly at spendly@getspendly.com.