Between The Price Group Holdings LLC (DBA Tendly) and Covered Entity
This Business Associate Agreement ("Agreement") is entered into between The Price Group Holdings LLC, a limited liability company doing business as Tendly ("Business Associate" or "Tendly"), and the individual or entity that has accepted the Tendly Terms of Service and created a Tendly account ("Covered Entity").
This Agreement is incorporated by reference into and forms part of the Tendly Terms of Service. By creating a Tendly account, the Covered Entity agrees to be bound by the terms of this Agreement. This Agreement is effective as of the date the Covered Entity creates their Tendly account ("Effective Date").
WHEREAS, Business Associate provides practice management software and related services to healthcare providers, therapists, coaches, and other wellness practitioners pursuant to the Tendly Terms of Service ("Services Agreement");
WHEREAS, in the course of providing those services, Business Associate may receive, create, maintain, transmit, or have access to Protected Health Information belonging to individuals who are clients of the Covered Entity;
WHEREAS, the parties intend to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, "HIPAA Rules");
NOW THEREFORE, in consideration of the mutual promises and covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules. The following definitions apply:
1.1 "Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the Protected Health Information, as defined at 45 CFR § 164.402.
1.2 "Business Associate" means Tendly, as defined above.
1.3 "Covered Entity" means the practitioner, practice, or organisation that has accepted this Agreement and uses the Tendly Services.
1.4 "Designated Record Set" has the meaning given at 45 CFR § 164.501.
1.5 "Electronic Protected Health Information" or "ePHI" means Protected Health Information that is transmitted by or maintained in electronic media, as defined at 45 CFR § 160.103.
1.6 "HIPAA Rules" means, collectively, the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule promulgated under HIPAA and HITECH, as amended from time to time.
1.7 "Individual" has the meaning given at 45 CFR § 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.8 "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 164, Subparts A and E.
1.9 "Protected Health Information" or "PHI" has the meaning given at 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity in connection with the Services.
1.10 "Required by Law" has the meaning given at 45 CFR § 164.103.
1.11 "Secretary" means the Secretary of the United States Department of Health and Human Services or the Secretary's designee.
1.12 "Security Incident" has the meaning given at 45 CFR § 164.304.
1.13 "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 164, Subpart C.
1.14 "Services" means the practice management software and related services provided by Business Associate to Covered Entity pursuant to the Services Agreement.
1.15 "Subcontractor" means any third-party service provider engaged by Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate in connection with the Services.
1.16 "Unsecured PHI" has the meaning given at 45 CFR § 164.402.
Business Associate agrees to use and disclose PHI only as follows:
(a) Performance of Services. Business Associate may use and disclose PHI as necessary to perform the Services described in the Services Agreement, including but not limited to: storing client records and clinical documentation; facilitating telehealth sessions; processing insurance claims where enabled by the Covered Entity; generating AI-assisted session notes where enabled by the Covered Entity; and sending appointment reminders and secure communications.
(b) Business Associate Operations. Business Associate may use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities, provided that such use complies with the HIPAA Rules.
(c) Disclosures Required by Law. Business Associate may disclose PHI as Required by Law, provided that Business Associate shall promptly notify Covered Entity of any such requirement, to the extent permitted by law, prior to making such disclosure.
(d) Data Aggregation. Business Associate may use PHI to provide data aggregation services to Covered Entity relating to the healthcare operations of Covered Entity, as permitted by 45 CFR § 164.504(e)(2)(i)(B). Any such aggregated data will be de-identified in accordance with 45 CFR § 164.514 before use for any internal Business Associate purpose.
(e) As Directed by Covered Entity. Business Associate may use or disclose PHI in the manner directed by Covered Entity in writing, provided that the Covered Entity represents and warrants that such direction is consistent with the HIPAA Rules.
Business Associate shall not:
(a) Use or disclose PHI other than as permitted or required by this Agreement or as Required by Law;
(b) Use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, except as permitted under Sections 2.1(b) and 2.1(d);
(c) Sell PHI, as defined under 45 CFR § 164.502(a)(5)(ii);
(d) Use PHI for marketing, as defined under 45 CFR § 164.501, without a valid authorisation;
(e) Use PHI, including session note content, transcripts, audio recordings, or any other clinical information, to train, fine-tune, benchmark, or otherwise improve any artificial intelligence or machine learning model, whether operated by Business Associate or any third party.
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, including ePHI, in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C). These safeguards shall include, without limitation:
(a) Encryption of all ePHI at rest using AES-256 encryption;
(b) Encryption of all ePHI in transit using TLS 1.2 or higher;
(c) Role-based access controls restricting access to PHI to authorised personnel on a need-to-know basis;
(d) Unique user identification and authentication for all accounts accessing PHI;
(e) Automatic session timeout after a period of inactivity;
(f) Immutable audit logging of all access to, and modifications of, PHI, including the identity of the person accessing the information, the date and time, and the nature of the access;
(g) Documented risk analysis and risk management program in accordance with 45 CFR § 164.308(a)(1);
(h) Workforce training on HIPAA requirements and Business Associate's security policies;
(i) Emergency access procedures and contingency planning in accordance with 45 CFR § 164.308(a)(7).
(a) Impermissible Uses and Disclosures. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, without unreasonable delay and in no event later than ten (10) business days following Business Associate's discovery of such use or disclosure.
(b) Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware. The parties acknowledge and agree that this Section constitutes notice that Business Associate experiences attempted, unsuccessful Security Incidents on an ongoing basis, including pings, port scans, and similar routine internet traffic, and that no further notice of such unsuccessful attempts is required under this Agreement.
(c) Breach Notification. In the event of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity without unreasonable delay and in no event later than sixty (60) calendar days following discovery of the Breach. The notification shall include, to the extent reasonably available to Business Associate at the time of notification:
Business Associate acknowledges that Covered Entity is responsible for providing notification of the Breach to affected Individuals, to the Secretary, and, where applicable, to prominent media outlets, as required by 45 CFR §§ 164.404–164.408. Business Associate shall cooperate fully and promptly with Covered Entity in connection with any such notifications and shall provide all information in Business Associate's possession reasonably necessary for Covered Entity to fulfil its notification obligations.
Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of the requirements of this Agreement.
(a) Business Associate shall ensure that any Subcontractor to whom Business Associate provides PHI, or who creates, receives, maintains, or transmits PHI on behalf of Business Associate, agrees to the same restrictions and conditions that apply to Business Associate under this Agreement, by entering into a written agreement that complies with 45 CFR § 164.308(b) and § 164.502(e)(1)(ii).
(b) The current Subcontractors with whom Business Associate has executed Business Associate Agreements, who may receive or process PHI in connection with the Services, are:
| Subcontractor | Purpose |
|---|---|
| Supabase, Inc. | Database storage and infrastructure |
| Vercel, Inc. | Application hosting and content delivery |
| OpenAI, L.L.C. | AI note generation (session audio/text processing) |
| Daily.co (Daily) | HIPAA-compliant telehealth video |
| Twilio Inc. | SMS reminders and notifications |
| Resend, Inc. | Transactional email delivery |
| Claim.MD | Insurance claim submission and ERA processing |
(c) Business Associate shall notify Covered Entity of any material changes to the Subcontractor list that affect the handling of PHI by updating the Notice of Privacy Practices available at app.tendly.health/legal/notice-of-privacy-practices and, where a new Subcontractor will receive PHI previously not shared with that party, by providing at least fourteen (14) days' prior written notice to the Covered Entity's email address of record.
(d) Business Associate shall remain fully liable to Covered Entity for the acts and omissions of each Subcontractor to the same extent Business Associate would be liable if performing the services directly.
(a) Individual Access. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available to Covered Entity within fifteen (15) days of a written request for the purpose of enabling Covered Entity to respond to Individuals' requests for access to their PHI in accordance with 45 CFR § 164.524.
(b) Amendment. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available to Covered Entity within fifteen (15) days of a written request, and shall incorporate any amendments to PHI directed by Covered Entity, for the purpose of enabling Covered Entity to respond to Individuals' amendment requests in accordance with 45 CFR § 164.526.
Business Associate shall document all disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures, in accordance with 45 CFR § 164.528. Business Associate shall make such documentation available to Covered Entity within fifteen (15) days of a written request.
Business Associate shall make its internal practices, books, and records, including policies and procedures and PHI, available to the Secretary for purposes of determining compliance with the HIPAA Rules, in accordance with 45 CFR § 164.504(e)(2)(ii)(H).
Business Associate shall make reasonable efforts to use and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR § 164.502(b) and § 164.514(d).
Covered Entity shall comply with all applicable requirements of the HIPAA Rules in connection with PHI that Covered Entity provides to or makes accessible to Business Associate.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
Covered Entity shall maintain and provide its own Notice of Privacy Practices to Individuals in accordance with 45 CFR § 164.520, which shall describe all uses and disclosures of PHI that may be made by Business Associate on behalf of Covered Entity. Covered Entity shall promptly notify Business Associate of any changes to its Notice of Privacy Practices to the extent such changes affect Business Associate's obligations under this Agreement.
Covered Entity shall obtain any and all authorisations, consents, and other permissions required by the HIPAA Rules or applicable law from Individuals before directing Business Associate to use or disclose PHI in a particular manner. Covered Entity represents and warrants that it has obtained all necessary authorisations before providing any Individual's PHI to Business Associate through the Services.
Covered Entity shall notify Business Associate in writing of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent such restriction may affect Business Associate's use or disclosure of PHI.
Where Covered Entity provides care to or maintains records relating to Individuals who are minors, Covered Entity is responsible for determining the applicable rules governing access to, disclosure of, and authorisation for the use of such minor's PHI under applicable state and federal law, including HIPAA's minor patient provisions. Covered Entity shall direct Business Associate with respect to the handling of such PHI accordingly.
Covered Entity is responsible for maintaining the confidentiality and security of login credentials to the Tendly platform. Covered Entity shall promptly notify Business Associate at privacy@tendly.health of any suspected or confirmed unauthorised access to Covered Entity's Tendly account.
Covered Entity shall notify Business Associate in writing in the event of any changes to Covered Entity's status as a Covered Entity, including cessation of operations, that may affect this Agreement.
This Agreement shall be effective as of the Effective Date and shall remain in effect for the duration of the Services Agreement, unless earlier terminated in accordance with this Article 4.
Covered Entity may terminate this Agreement and the Services Agreement upon written notice if:
(a) Business Associate has materially breached this Agreement and has not cured the breach within thirty (30) days of receiving written notice from Covered Entity identifying the specific breach; or
(b) Business Associate has failed to cure a material breach where cure is not possible.
Business Associate may terminate this Agreement and the Services Agreement upon written notice if:
(a) Covered Entity has materially breached this Agreement and has not cured the breach within thirty (30) days of receiving written notice from Business Associate identifying the specific breach; or
(b) Covered Entity requests Business Associate to engage in any activity that, in Business Associate's reasonable judgement, would violate the HIPAA Rules.
This Agreement shall automatically terminate upon the termination or expiration of the Services Agreement for any reason.
(a) Upon termination of this Agreement for any reason, Business Associate shall, within thirty (30) days of the termination date, return to Covered Entity or destroy all PHI received from Covered Entity or created, maintained, or received by Business Associate on behalf of Covered Entity, in any form or medium.
(b) Business Associate shall certify in writing to Covered Entity that all PHI has been returned or destroyed within the thirty (30) day period specified above.
(c) If return or destruction of PHI is not feasible, Business Associate shall notify Covered Entity of the conditions that make return or destruction infeasible. In such event, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
(d) Notwithstanding the above, Business Associate may retain:
The obligations of Business Associate under Section 4.5 shall survive termination of this Agreement. Any other provisions of this Agreement that by their nature should survive termination shall do so.
This Agreement may be amended:
(a) By mutual written agreement of the parties; or
(b) By Business Associate unilaterally upon thirty (30) days' written notice to Covered Entity, where such amendment is necessary to comply with changes in applicable law or regulations, including changes to the HIPAA Rules. Written notice under this Section may be provided by email to the email address associated with Covered Entity's Tendly account. Covered Entity's continued use of the Services after the expiration of the thirty (30) day notice period constitutes acceptance of the amendment. If Covered Entity does not accept the amendment, Covered Entity may terminate the Services Agreement within the thirty (30) day notice period.
This Agreement, together with the Services Agreement and any exhibits or addenda thereto, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements and understandings, whether oral or written, relating to the subject matter hereof.
Nothing in this Agreement shall confer any rights or remedies upon any person other than the parties hereto and their respective successors and permitted assigns. Individuals whose PHI is held by Business Associate on behalf of Covered Entity are not third-party beneficiaries of this Agreement.
Business Associate is an independent contractor of Covered Entity. Nothing in this Agreement shall be construed to create a partnership, joint venture, employment, or agency relationship between the parties.
This Agreement shall be governed by and construed in accordance with the laws of the United States of America, and specifically the HIPAA Rules, without regard to conflicts of law principles. To the extent not governed by federal law, this Agreement shall be governed by the laws of the state in which the Covered Entity's principal place of business is located.
If any provision of this Agreement is held invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The parties shall negotiate in good faith to replace any invalid provision with a valid provision that most nearly achieves the intent and economic effect of the invalid provision.
No waiver of any provision of this Agreement shall be effective unless in writing. No waiver of any provision shall be deemed a waiver of any other provision or of the same provision on any other occasion.
Notices under this Agreement shall be provided as follows:
To Business Associate:
Email: privacy@tendly.health
Company: The Price Group Holdings LLC (DBA Tendly)
To Covered Entity:
At the email address associated with Covered Entity's Tendly account.
Notice shall be deemed received: (a) immediately upon delivery if sent to the email address specified; or (b) three (3) business days after deposit in the U.S. mail if sent by first-class certified mail, return receipt requested.
This Agreement shall be interpreted to permit Business Associate to engage in all activities necessary for Business Associate to provide the Services to Covered Entity and to comply with applicable law. This Agreement shall not be construed more strictly against either party as the drafter. Headings are for convenience only and shall not affect the interpretation of any provision.
This Agreement may be accepted electronically. Covered Entity's acceptance of the Tendly Terms of Service, which incorporates this Agreement by reference, constitutes a valid and enforceable acceptance of this Agreement with the same legal effect as a handwritten signature. Electronic acceptance shall be deemed an original for all purposes.
The parties acknowledge that the HIPAA Rules may be amended or supplemented from time to time by regulations issued by the Secretary. This Agreement shall be interpreted and applied in accordance with the HIPAA Rules as in effect from time to time. Business Associate shall use reasonable efforts to implement changes required by any regulatory amendment within the timeframes mandated by the applicable regulation.
For ease of reference, the following is a non-exhaustive summary of the purposes for which Business Associate is permitted to use and disclose PHI under this Agreement:
Services to Covered Entity:
Business Associate operations:
As required by law:
Each of the following Subcontractors has entered into a written Business Associate Agreement with Business Associate that imposes substantially the same obligations as this Agreement with respect to PHI:
| Subcontractor | Data processed | BAA status |
|---|---|---|
| Supabase, Inc. | All ePHI stored in the platform | Executed |
| Vercel, Inc. | ePHI in transit during application requests | Executed |
| OpenAI, L.L.C. | Session content for AI note generation | Executed |
| Daily.co (Daily) | Telehealth video session content | Executed |
| Twilio Inc. | Client contact information, appointment details | Executed |
| Resend, Inc. | Client email addresses, appointment details | Executed |
| Claim.MD | Insurance claim data and ERA content | Executed |
Business Associate shall maintain executed copies of all Subcontractor BAAs and shall make these available to the Secretary upon request. Business Associate shall update this Schedule as the Subcontractor list changes, subject to the notification requirements of Section 2.6(c).
This Business Associate Agreement is incorporated into and forms part of the Tendly Terms of Service.
The Price Group Holdings LLC (DBA Tendly) — privacy@tendly.health
Version 1.0 — Effective April 13, 2026