KENI BUSINESS ASSOCIATE AGREEMENT (BAA)

Company: GETKENI LLC (“Business Associate” or “Keni”)
Address: 15435 SW 75th Circle Ln, Apt 107, Miami, Florida 33193, USA
Website: https://www.getkeni.io

1. Introduction

This Business Associate Agreement (“BAA”) supplements the applicable Keni Terms of Service or Master Services Agreement (“Underlying Agreement”) between GETKENI LLC (“Keni”) and any client (the “Covered Entity”) whose use of the Keni platform may involve the creation, transmission, maintenance, or disclosure of Protected Health Information (“PHI”) as defined under:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA),

The Health Information Technology for Economic and Clinical Health Act (HITECH), and

Their implementing regulations, 45 CFR Parts 160 and 164 (“HIPAA Rules”).

If and only to the extent Keni qualifies as a “Business Associate” under the HIPAA Rules, this BAA governs the handling of PHI.
If Keni does not qualify as a Business Associate, this BAA is null and void.

2. Definitions

All capitalized terms used in this BAA have the same meaning as in the HIPAA Rules, including:
Business Associate, Breach, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information (ePHI), Health Care Operations, Individual, Minimum Necessary, Privacy Rule, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

3. Responsibilities of Business Associate (Keni)

Keni agrees to:

3.1. Use and Disclosure

Not use or disclose PHI except as permitted by this BAA or as required by law.

3.2. Safeguards

Implement appropriate administrative, physical, and technical safeguards to protect PHI and comply with the HIPAA Security Rule (45 CFR §164 Subpart C).

3.3. Reporting

Promptly report to the Covered Entity any unauthorized use, disclosure, or Breach of Unsecured PHI, and any material Security Incident as required by law.
Keni is not required to report routine, unsuccessful attempts such as pings, scans, or failed logins that do not pose a material threat.

3.4. Subcontractors

Ensure that any subcontractor that creates, receives, or transmits PHI on behalf of Keni agrees in writing to the same restrictions and safeguards required by this BAA.

3.5. Access and Amendment

Provide Covered Entity access to PHI in a Designated Record Set within 15 days upon written request (45 CFR §164.524).
Incorporate amendments to PHI within 30 days when requested under 45 CFR §164.526.

3.6. Accounting of Disclosures

Provide information necessary for the Covered Entity to provide an accounting of disclosures of PHI within 30 days of request (45 CFR §164.528).

3.7. Compliance Assistance

Comply with applicable Privacy Rule requirements when carrying out any Covered Entity obligation under 45 CFR Part 164, Subpart E.

3.8. Inspection by Secretary

Make its practices, records, and policies relating to PHI available to the U.S. Department of Health and Human Services (HHS) upon request.

4. Permitted Uses and Disclosures by Business Associate

Keni may:

4.1. Provide Services

Use and disclose PHI as necessary to perform its services under the Underlying Agreement.

4.2. De-identify Data

De-identify PHI in accordance with 45 CFR §164.514; de-identified data may be used for analytics, performance, or improvement purposes.

4.3. Legal and Administrative Use

Use PHI for internal management and legal compliance, provided that any disclosures are made only to lawful entities that agree to maintain confidentiality.

4.4. Required by Law

Disclose PHI when legally required.

4.5. Data Aggregation

Provide data aggregation services for the Covered Entity’s healthcare operations (45 CFR §164.501).

5. Impermissible Uses or Disclosures

Keni shall not use or disclose PHI in a manner that would violate the Privacy Rule if performed by the Covered Entity.
All use and disclosure must follow the Minimum Necessary standard.

6. Responsibilities of Covered Entity

The Covered Entity represents and warrants that it:

Has obtained all necessary consents or authorizations for Keni to handle PHI;

Will notify Keni of any privacy practice limitations or revocations impacting PHI use; and

Will inform Keni of any restrictions on PHI use under 45 CFR §164.522.

If the Covered Entity fails to comply or changes restrictions in a way that affects Keni’s ability to perform its obligations, Keni may immediately terminate this BAA and/or the Underlying Agreement.

7. Prohibited Requests

The Covered Entity shall not request Keni to use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by the Covered Entity itself.

8. Term and Termination

8.1. Term

This BAA becomes effective upon the effective date of the Underlying Agreement and terminates automatically when that agreement ends or when terminated as described below.

8.2. Termination for Cause

Either party may terminate this BAA with 30 days’ written notice if the other party materially breaches it and fails to cure the breach within the notice period.

8.3. Termination for Compliance Concerns

Either party may terminate this BAA if continued performance would violate law or risk regulatory action.

8.4. Effect of Termination

Upon termination:

Keni will return or securely destroy all PHI where feasible;

If retention is necessary for legal compliance, Keni will continue to protect PHI as required under this BAA;

All confidentiality and safeguard obligations survive termination.

9. Miscellaneous

9.1. Amendments

The parties agree to amend this BAA as necessary to remain compliant with changes in HIPAA or other applicable law.

9.2. Governing Law

This BAA shall be governed by and construed under the laws of the State of Florida, while maintaining compliance with the HIPAA Rules.

9.3. Assignment

Keni may assign or subcontract its obligations to qualified third parties that agree to comply with HIPAA-equivalent protections.

9.4. Cooperation

Both parties agree to cooperate in the event of a breach investigation, mitigation, or government inquiry related to PHI.

9.5. Relation to Underlying Agreement

This BAA supplements, and where necessary supersedes, the Underlying Agreement solely regarding PHI-related obligations.

9.6. No Third-Party Rights

This BAA does not create rights for any third party.

9.7. Limitation of Liability

Keni’s total liability for any claims under this BAA shall not exceed the total fees paid by the Covered Entity to Keni during the six (6) months preceding the event giving rise to liability.
Keni shall not be liable for indirect, incidental, or consequential damages.

9.8. Entire Agreement

This BAA constitutes the entire agreement regarding PHI and supersedes any prior agreements relating to HIPAA obligations.

9.9. Notices

Notices under this BAA shall be delivered in accordance with the notice provisions of the Underlying Agreement or as follows:

If to Business Associate:
GETKENI LLC
15435 SW 75th Circle Ln, Apt 107
Miami, Florida 33193
Attn: Legal Department
📧 [email protected]

If to Covered Entity:
To the address or email associated with the Client’s Keni account.

© 2025 GETKENI LLC – All Rights Reserved.

Keni and the Keni Platform are trademarks of GETKENI LLC.
Version 1.0 – Effective October 2025.