Business Associate Agreement
Last updated: June 7, 2026
This Business Associate Agreement (“BAA”) is entered into as of the date and time Customer accepts this BAA during account registration, account setup, or use of the Pebble platform (the “Effective Date”), by and between Growing Higher LLC (“Business Associate”) and the person, provider, practice, clinic, company, organization, or other entity identified as the customer in the applicable Pebble account registration, order form, or services agreement (“Covered Entity” or “Customer”).
This BAA supplements and is incorporated into the Terms of Service or other written agreement between Covered Entity and Business Associate governing Covered Entity’s use of the Pebble platform (the “Agreement”). If an individual accepts this BAA on behalf of a practice, clinic, company, organization, or other entity, that individual represents that they are authorized to bind that entity.
The Covered Entity information submitted during account registration or otherwise maintained in Customer’s Pebble account, including legal name, entity type, jurisdiction, notice address, and authorized signer information, is incorporated into this BAA by reference.
This BAA applies only to the extent Business Associate creates, receives, maintains, or transmits Protected Health Information on behalf of Covered Entity and Business Associate meets the definition of “business associate” under HIPAA.
1. Background
Covered Entity is or may be a covered entity or business associate under HIPAA. Business Associate provides software, hosting, workflow, patient portal, document, messaging, scheduling, billing, and related services through Pebble. In providing those services, Business Associate may create, receive, maintain, or transmit Protected Health Information for or on behalf of Covered Entity.
The parties intend this BAA to satisfy applicable requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended by the HITECH Act.
2. Definitions
Capitalized terms not defined in this BAA have the meanings given to them under HIPAA.
“Breach” has the meaning given to that term at 45 CFR 164.402.
“Designated Record Set” has the meaning given to that term at 45 CFR 164.501.
“Electronic PHI” or “ePHI” has the meaning given to “electronic protected health information” at 45 CFR 160.103.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, the HITECH Act, and their implementing regulations, as amended.
“Individual” has the meaning given to that term at 45 CFR 160.103 and includes a personal representative under 45 CFR 164.502(g).
“Protected Health Information” or “PHI” has the meaning given to that term at 45 CFR 160.103, limited to information created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity.
“Reportable Event” means any use or disclosure of PHI not permitted by this BAA, any Security Incident, or any Breach of Unsecured PHI.
“Required by Law” has the meaning given to that term at 45 CFR 164.103.
“Secretary” means the Secretary of the U.S. Department of Health and Human Services or the Secretary’s designee.
“Security Incident” has the meaning given to that term at 45 CFR 164.304.
“Subcontractor” has the meaning given to that term at 45 CFR 160.103.
“Unsecured PHI” has the meaning given to “unsecured protected health information” at 45 CFR 164.402.
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as permitted by this BAA, the Agreement, or Required by Law.
Business Associate may use or disclose PHI to provide, operate, secure, maintain, support, and improve the services described in the Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.
Business Associate may use PHI for its proper management and administration and to carry out its legal responsibilities.
Business Associate may disclose PHI for its proper management and administration or legal responsibilities only if the disclosure is Required by Law or Business Associate obtains reasonable assurances that the recipient will keep the PHI confidential, use or disclose it only as Required by Law or for the purpose for which it was disclosed, and notify Business Associate of any breach of confidentiality of which the recipient becomes aware.
Business Associate may use PHI to report violations of law to appropriate federal, state, or local authorities consistent with 45 CFR 164.502(j).
Business Associate may use PHI to provide data aggregation services relating to Covered Entity’s health care operations to the extent permitted by HIPAA and the Agreement.
Business Associate may de-identify PHI in accordance with 45 CFR 164.514. Business Associate may use and disclose de-identified information as permitted by applicable law and the Agreement, provided the information does not identify Covered Entity, Individuals, or other natural persons unless otherwise permitted.
Business Associate will not sell PHI or use PHI for marketing except as permitted by HIPAA and the Agreement. Business Associate will not use PHI to train third-party or general-purpose artificial intelligence models unless Covered Entity separately agrees in writing.
4. Business Associate Obligations
Business Associate will not use or disclose PHI other than as permitted or required by this BAA, the Agreement, or Required by Law.
Business Associate will use appropriate administrative, physical, and technical safeguards to prevent uses or disclosures of PHI not permitted by this BAA.
Business Associate will comply with the HIPAA Security Rule with respect to ePHI that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity.
To the extent Business Associate carries out a HIPAA obligation of Covered Entity, Business Associate will comply with the HIPAA requirements that apply to Covered Entity in performing that obligation.
Business Associate will make uses, disclosures, and requests for PHI consistent with HIPAA’s minimum necessary standard.
Business Associate will mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this BAA.
5. Reportable Events and Breach Notice
Business Associate will report to Covered Entity any Reportable Event of which Business Associate becomes aware without unreasonable delay and no later than fifteen business days after discovery, unless a shorter period is required by law or agreed in writing.
If Business Associate discovers a Breach of Unsecured PHI involving Covered Entity’s PHI, Business Associate will provide notice to Covered Entity without unreasonable delay and in no case later than thirty calendar days after discovery.
To the extent known and reasonably available, Business Associate’s notice will include:
- a brief description of what happened;
- the date of the Reportable Event and the date of discovery;
- the types of PHI involved;
- the Individuals affected or reasonably believed to be affected;
- mitigation and investigation steps taken or planned;
- steps Individuals should consider taking to protect themselves, if applicable; and
- other information reasonably needed by Covered Entity to meet its legal obligations.
Business Associate will supplement its notice as additional material information becomes available.
Covered Entity is responsible for notifications to Individuals, HHS, media, state regulators, or other parties unless the parties separately agree in writing that Business Associate will perform specific notification tasks on Covered Entity’s behalf.
The parties agree that this BAA constitutes notice of routine attempted but unsuccessful Security Incidents that do not result in unauthorized access, acquisition, use, disclosure, modification, loss, or destruction of PHI, such as pings, scans, unsuccessful login attempts, unsuccessful denial-of-service attempts, and similar background activity.
6. Subcontractors
Business Associate may use Subcontractors to provide the services. Business Associate will require each Subcontractor that creates, receives, maintains, or transmits PHI on Business Associate’s behalf to agree in writing to substantially similar restrictions, conditions, and safeguards that apply to Business Associate with respect to such PHI.
Business Associate will maintain appropriate written agreements with PHI-relevant Subcontractors as required by HIPAA.
7. Access, Amendment, and Accounting
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will make that PHI available to Covered Entity as reasonably necessary for Covered Entity to meet its access obligations under 45 CFR 164.524.
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will make amendments to PHI as directed or agreed to by Covered Entity in accordance with 45 CFR 164.526.
Business Associate will maintain and make available information required for Covered Entity to provide an accounting of disclosures under 45 CFR 164.528, to the extent Business Associate is required to account for such disclosures under HIPAA.
If an Individual contacts Business Associate directly to request access, amendment, accounting, restriction, confidential communication, or any similar HIPAA right concerning PHI controlled by Covered Entity, Business Associate may redirect the Individual to Covered Entity.
8. Access by HHS
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining compliance with HIPAA.
No legal privilege is waived by Business Associate’s compliance with this section.
9. Covered Entity Obligations
Covered Entity will notify Business Associate of any limitation in Covered Entity’s Notice of Privacy Practices to the extent the limitation may affect Business Associate’s use or disclosure of PHI.
Covered Entity will notify Business Associate of any change in or revocation of an Individual’s permission to use or disclose PHI to the extent the change or revocation may affect Business Associate’s use or disclosure of PHI.
Covered Entity will notify Business Associate of any restriction on use or disclosure of PHI that Covered Entity has agreed to or is required to follow to the extent the restriction may affect Business Associate’s use or disclosure of PHI.
Covered Entity will not request that Business Associate use or disclose PHI in a manner that would not be permitted under HIPAA or other applicable law if done by Covered Entity.
Covered Entity is responsible for configuring its account, users, roles, permissions, patient portal access, templates, notices, consent forms, and workflows in accordance with Covered Entity’s legal and clinical obligations.
Covered Entity remains responsible for patient care, clinical decision-making, medical record content, patient consents, patient notices, record-release decisions, billing decisions, payer submissions, and compliance with state professional rules.
10. Part 2 and Specially Protected Records
If Covered Entity is a Part 2 program, receives Part 2 records, or uses the services to create, receive, maintain, or transmit substance use disorder patient records subject to 42 CFR Part 2, Covered Entity must notify Business Associate before storing or processing those records through the services.
The parties may need a separate Part 2 or qualified service organization addendum before Part 2 records are stored or processed through the services. This BAA alone should not be treated as a complete Part 2 agreement.
Covered Entity is responsible for identifying other specially protected records and informing Business Associate of restrictions that affect Business Associate’s services.
11. Term and Termination
This BAA begins on the Effective Date and remains in effect while the Agreement remains in effect or while Business Associate maintains PHI for or on behalf of Covered Entity, whichever is longer.
Either party may terminate this BAA and the Agreement for cause if the other party materially breaches this BAA and fails to cure the breach within thirty days after written notice, unless immediate termination is required by law or reasonably necessary to protect PHI.
Upon termination, Business Associate will return or destroy PHI that Business Associate maintains for Covered Entity if feasible and as provided in the Agreement. If return or destruction is not feasible or retention is required by law, backup, audit, dispute, security, or archival obligations, Business Associate will continue to protect retained PHI under this BAA and limit further use or disclosure to the purpose that makes retention necessary.
This section survives termination of the BAA and the Agreement.
12. Relationship to Agreement
This BAA is part of and subject to the Agreement. If this BAA conflicts with the Agreement, this BAA controls only with respect to HIPAA-required PHI handling terms. The Agreement controls all other commercial terms, including fees, payment, warranties, limitation of liability, indemnity, dispute resolution, governing law, and notices unless this BAA states otherwise.
13. Amendment and Interpretation
The parties will amend this BAA as reasonably necessary to comply with changes in HIPAA or other applicable law.
Any ambiguity in this BAA will be interpreted to permit compliance with HIPAA.
References to HIPAA provisions mean those provisions as amended.
14. Notices
Notices to Covered Entity may be sent to the email address, mailing address, or account administrator contact maintained in Customer’s Pebble account or otherwise provided in the Agreement.
Notices to Business Associate must be sent to Growing Higher LLC at the notice address listed in the Agreement or by email to security@pebblepm.com.
Either party may update its notice contact information as permitted by the Agreement or through the Pebble account settings.
15. Electronic Acceptance
Covered Entity accepts this BAA by checking the applicable acceptance box, creating an account, signing an order form that incorporates this BAA, or otherwise using the services after being presented with this BAA.
Business Associate may maintain an electronic record of acceptance, including Customer identity, account identifier, signer identity, signer title, timestamp, IP address, BAA version, and document hash or immutable version identifier.