Healthcare Compliance

HIPAA Business Associate Agreement

Last updated: January 21, 2026

Important: BAA Execution Required

This BAA must be executed separately before processing any Protected Health Information (PHI). Healthcare customers must contact our legal team to execute a signed BAA.

1. Purpose and Scope

This Business Associate Agreement ("BAA") is entered into between Autonimate, doing business as Audiosa ("Business Associate"), and the healthcare organization ("Covered Entity") that has agreed to Audiosa's Terms of Service and requires HIPAA compliance.

This BAA supplements the Terms of Service and is required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations (collectively, "HIPAA Rules").

This BAA sets forth the terms under which Business Associate may receive, create, maintain, use, or disclose Protected Health Information ("PHI") on behalf of Covered Entity.

2. Definitions

Terms used in this BAA shall have the same meaning as defined in the HIPAA Rules. Key definitions include:

  • "Protected Health Information" (PHI) means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.
  • "Electronic Protected Health Information" (ePHI) means PHI transmitted or maintained in electronic media.
  • "Breach" means the acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule that compromises the security or privacy of the PHI.
  • "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
  • "Subcontractor" means a person to whom Business Associate delegates a function, activity, or service.

3. Permitted Uses and Disclosures

3.1 Permitted Uses

Business Associate may use or disclose PHI only as follows:

  • To perform functions, activities, or services for Covered Entity as specified in the Terms of Service
  • To transcribe and analyze call recordings containing PHI
  • For the proper management and administration of Business Associate
  • To carry out legal responsibilities of Business Associate
  • To provide data aggregation services, if permitted by the Terms of Service

3.2 Prohibited Uses

Business Associate shall NOT:

  • Use or disclose PHI in a manner not permitted by this BAA or HIPAA Rules
  • Use or disclose PHI for marketing purposes without authorization
  • Sell PHI without authorization
  • Use or disclose PHI in violation of the minimum necessary standard

4. Obligations of Business Associate

Business Associate agrees to:

4.1 Safeguards

  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI
  • Comply with the Security Rule requirements applicable to business associates
  • Ensure that any agent or subcontractor agrees to the same restrictions and conditions

4.2 Reporting

  • Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware
  • Report any Security Incident of which it becomes aware
  • Report any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 days after discovery

4.3 Access and Amendment

  • Provide access to PHI to Covered Entity or individuals as required by HIPAA
  • Make amendments to PHI as directed by Covered Entity
  • Provide an accounting of disclosures as required by HIPAA

4.4 Documentation

  • Document disclosures of PHI and information related to such disclosures
  • Make internal practices and records available to HHS for compliance audits
  • Maintain required documentation for 6 years from the date of creation

5. Subcontractors

Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate under this BAA.

Current Subcontractors Processing PHI:

  • Deepgram: Speech-to-text transcription (BAA in place)
  • OpenAI: AI analysis (Data Processing Agreement in place)
  • DigitalOcean: Cloud hosting (BAA available upon request)

6. Breach Notification

Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 days after discovery.

The notification shall include, to the extent known:

  • Identification of each individual whose PHI was or is reasonably believed to have been accessed, acquired, used, or disclosed
  • A brief description of the Breach
  • The date of the Breach and date of discovery
  • A description of the types of PHI involved
  • Steps individuals should take to protect themselves
  • Steps Business Associate is taking to investigate and mitigate harm

7. Term and Termination

7.1 Term

This BAA shall be effective upon execution and shall terminate when all PHI is destroyed or returned to Covered Entity, or protections are extended in accordance with Section 7.3.

7.2 Termination for Cause

Either party may terminate this BAA if the other party materially breaches any provision and fails to cure within 30 days of written notice.

7.3 Effect of Termination

Upon termination, Business Associate shall:

  • Retain only PHI necessary for Business Associate's legal obligations
  • Return or destroy all other PHI
  • Continue to protect PHI that cannot be returned or destroyed

8. Miscellaneous

  • Regulatory References: Any reference to a section of HIPAA Rules means that section as in effect or as amended.
  • Amendment: This BAA shall be amended as necessary to comply with HIPAA Rules.
  • Survival: Obligations regarding PHI shall survive termination of this BAA.
  • No Third-Party Beneficiaries: Nothing in this BAA creates rights in any third party.
  • Interpretation: Any ambiguity shall be resolved in favor of a meaning that permits compliance with HIPAA Rules.

9. HIPAA Contact Information

Autonimate (DBA Audiosa)
HIPAA Privacy Officer
805 E Hillsboro Blvd Suite 1
Deerfield Beach, FL 33441

Email: hipaa@audiosa.ai
Phone: Contact via email for phone callback