User Terms of Agreement

Provider Service & HIPAA Business Associate Agreement

This Provider Service & HIPAA Business Associate Agreement (“Agreement”) is entered into as of [Effective Date], by and between:

Tabendi Healthcare Network, with a principal place of business at 715 W. Lake Street, Suite 201, Addison, IL, 60101 (“Business Associate” or “THN”), and the Provider (“Covered Entity” or “Provider”).

THN and Provider may be collectively referred to as the “Parties” and individually as a “Party.”


1. Purpose and Scope

1.1 Purpose – This Agreement sets forth the terms and conditions under which THN will provide technology-enabled healthcare connection and administrative services (“Services”) to Provider, and the terms under which THN will handle Protected Health Information (“PHI”) on Provider’s behalf, in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the HITECH Act, and their implementing regulations.

1.2 Nature of Relationship – Provider is a HIPAA “Covered Entity” and THN is a HIPAA “Business Associate” as those terms are defined in 45 C.F.R. §160.103.


2. Service Terms

2.1 Services Provided – THN shall provide a technology platform to facilitate patient-provider connections, appointment scheduling, telehealth, messaging, and administrative support.

2.2 Provider Responsibilities – Provider agrees to:

  • Maintain all required professional licenses and credentials.
  • Use the Services in compliance with applicable laws and regulations.
  • Provide accurate and current information in the platform.
  • Obtain patient consent where required before using the Services.

2.3 Fees and Payment – Provider shall pay THN according to the pricing schedule in Exhibit A. Payment is due as specified in the service invoice terms.

2.4 Service Availability – THN will use commercially reasonable efforts to maintain availability of the Services but does not guarantee uninterrupted access.


3. HIPAA Business Associate Obligations

THN agrees to:

3.1 Use and Disclosure – Use or disclose PHI only as permitted by this Agreement or as Required by Law.

3.2 Safeguards – Implement administrative, physical, and technical safeguards in accordance with 45 C.F.R. §§164.308, 164.310, and 164.312 to protect PHI.

3.3 Minimum Necessary – Limit the use, disclosure, and request of PHI to the minimum necessary.

3.4 Reporting – Report to Provider within five (5) business days any use or disclosure of PHI not permitted by this Agreement, including breaches of Unsecured PHI and any Security Incidents.

3.5 Mitigation – Mitigate any harmful effects of an improper PHI use or disclosure to the extent practicable.

3.6 Subcontractors – Ensure any subcontractors with access to PHI agree in writing to comply with the same restrictions and safeguards.

3.7 Access and Amendments – Provide access to PHI in a Designated Record Set and make amendments as directed by Provider in accordance with 45 C.F.R. §§164.524 and 164.526.

3.8 Accounting of Disclosures – Maintain records and provide an accounting of disclosures in accordance with 45 C.F.R. §164.528.

3.9 HHS Access – Make internal practices, books, and records related to PHI available to the Secretary of Health and Human Services for HIPAA compliance review.


4. Permitted Uses and Disclosures by THN

THN may:

  • Use PHI to provide the Services.
  • Use PHI for THN’s proper management and administration, provided disclosures are Required by Law or confidentiality assurances are obtained.
  • Use PHI to provide data aggregation services relating to Provider’s healthcare operations under 45 C.F.R. §164.504(e)(2)(i)(B).


5. Term and Termination

5.1 Term – This Agreement remains in effect until terminated in writing by either Party.

5.2 Termination for Cause – Upon material breach, the non-breaching Party may terminate this Agreement if the breach is not cured within 30 days of notice.

5.3 Effect of Termination – Upon termination, THN will return or destroy all PHI, unless return/destruction is not feasible, in which case protections will continue.


6. Indemnification

Each Party shall indemnify, defend, and hold harmless the other Party against all claims, damages, fines, penalties, or costs arising from the Party’s breach of this Agreement or violation of HIPAA.


7. Limitation of Liability

Except for obligations relating to HIPAA violations, willful misconduct, or gross negligence, neither Party shall be liable for indirect, incidental, or consequential damages.


8. Miscellaneous

8.1 Governing Law – This Agreement is governed by the laws of the State in which the Provider practices, without regard to conflict-of-laws principles.

8.2 Entire Agreement – This Agreement constitutes the entire understanding of the Parties regarding the Services and HIPAA compliance.

8.3 Amendments – Any amendment must be in writing and signed by both Parties.

8.4 Survival – HIPAA-related obligations survive termination of this Agreement.


IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

Name of the Provider Name:

Tabendi Healthcare Network

Chool Liyanapatabendi, CEO


Exhibit A – Services & Fees

1. Services Provided by Tabendi Healthcare Network

THN will provide the following services (“Services”) to the Provider:

  1. Platform Access
     • Secure web and mobile access to the Tabendi Healthcare Network platform.
     • Patient-provider matching and connection functionality.
     • Real-time notifications of appointment requests and updates.
  2. Telehealth Tools
     • HIPAA-compliant video conferencing and chat.
     • File and prescription sharing capabilities.
  3. Administrative Support
     • Appointment scheduling, rescheduling, and cancellation features.
     • Insurance information capture and processing.
     • Payment processing and invoicing support.
  4. Analytics and Reporting
     • Provider-specific performance and utilization reports.
     • Aggregate de-identified data analytics for operational improvements.
  5. Technical Support
     • Live chat and email support during business hours.
     • Critical system outage support 24/7.


2. Fees

  1. Per-Connection Fee – Provider shall pay for each confirmed patient connection initiated through the platform. The per-connection fee will be the amount displayed to the Provider within the Tabendi Healthcare Network platform at the time of each confirmed patient connection. The Provider acknowledges and agrees that fees are subject to change and that the fee presented in-app at the time of the transaction shall be deemed accepted and binding upon confirmation of the connection.
  2. Subscription Fee (if applicable) – Monthly subscription fee as displayed in the Tabendi Healthcare Network platform for access to premium features, if selected.
  3. Payment Method – Fees will be charged automatically to the payment method on file.
  4. Fee Changes – Provider acknowledges and agrees that all fees, including but not limited to per-connection fees and subscription fees, are subject to change at any time in Tabendi Healthcare Network’s sole discretion. Updated fees will be displayed to the Provider within the Tabendi Healthcare Network platform prior to the Provider’s confirmation of any transaction or renewal. Provider’s continued use of the Services after such in-app display constitutes acceptance of the updated fees. No separate written notice is required.


Exhibit B – HIPAA Security Safeguards Summary

Tabendi Healthcare Network implements the following safeguards in compliance with the HIPAA Security Rule (45 C.F.R. §§164.302–318):

1. Administrative Safeguards

  • Workforce HIPAA training upon hire and annually thereafter.
  • Role-based access controls and user account management.
  • Risk analysis and periodic security risk assessments.
  • Incident response and breach notification procedures.

2. Technical Safeguards

  • Encryption of PHI in transit (TLS 1.2 or higher) and at rest (AES-256).
  • Unique user IDs and multi-factor authentication for platform access.
  • Automatic session timeouts and activity logging.
  • Intrusion detection and prevention systems (IDPS).

3. Physical Safeguards

  • Secure hosting in SSAE 18/SOC 2-compliant data centers.
  • Restricted physical access to servers storing PHI.
  • Secure disposal or destruction of media containing PHI.

4. Breach Notification Process

  • All breaches of Unsecured PHI will be reported to the Provider without unreasonable delay and no later than five (5) business days after discovery.
  • Notifications will include the nature of the breach, types of PHI involved, and steps taken to mitigate harm.