Business Associate Agreement
Version 1.0
Effective Date: September 15, 2025
Based on HHS Model BAA
Agreement Overview
This Business Associate Agreement ("Agreement") is entered into between you (the "Covered Entity" or healthcare provider) and HealingFactor, Inc. ("Business Associate") to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.
WHEREAS, the parties have entered into Terms of Service pursuant to which Business Associate will provide medical transcription and note-taking platform services involving the use or disclosure of Protected Health Information ("PHI");
WHEREAS, Business Associate may be considered a "business associate" of Covered Entity under HIPAA;
WHEREAS, the parties intend to protect the privacy and provide for the security of PHI in compliance with HIPAA, the HITECH Act, and related regulations;
NOW, THEREFORE, the parties agree as follows:
1. Definitions
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms are defined in 45 CFR Parts 160, 162, and 164 (the "HIPAA Rules") and the HITECH Act.
- "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium by Business Associate on behalf of Covered Entity
- "Breach" shall have the meaning given to such term under the HIPAA Rules
- "Unsecured PHI" shall have the meaning given to such term under the HITECH Act and HIPAA Rules
2. Permitted Uses and Disclosures of PHI
2.1 General Use
Business Associate may use or disclose PHI only to:
- Provide medical transcription and note-taking services as specified in the Terms of Service
- Perform platform functions including audio transcription, AI-powered note generation, and secure data storage
- Access and integrate with Electronic Health Record (EHR) systems as authorized by Covered Entity
- Read, scan, collect, and store PHI from EHR systems to provide Platform services and improve functionality
- Process voice recordings to create voice identification profiles for speaker recognition and attribution
- Train AI/ML models to improve Platform accuracy, efficiency, and quality with Covered Entity's opt-in consent
- De-identify PHI in accordance with 45 CFR § 164.514, provided such de-identified data may be used without restriction
- Comply with legal requirements when required by law
2.2 Minimum Necessary
Business Associate shall limit PHI access, use, and disclosure to the minimum necessary to accomplish the intended purpose, except where unlimited access is specifically permitted under HIPAA.
2.3 No Re-disclosure
Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as required by law.
3. Security Safeguards
Business Associate implements comprehensive administrative, physical, and technical safeguards to protect PHI:
3.1 Technical Safeguards
- Encryption at Rest: All PHI encrypted using AES-256 encryption with secure key management
- Encryption in Transit: All data transmission secured with TLS 1.3
- Access Controls: Role-based access control with multi-factor authentication required
- Audit Controls: Comprehensive logging and application-level audit trails
- Data Integrity: Checksums and validation to ensure PHI is not improperly altered or destroyed
3.2 Physical Safeguards
- Secure Infrastructure: HIPAA-compliant data centers with 24/7 physical security
- Workstation Security: Controlled access to systems containing PHI
- Device Controls: Media containing PHI subject to encryption and access controls
3.3 Administrative Safeguards
- Security Officer: Designated security officer responsible for HIPAA compliance
- Workforce Training: All personnel with PHI access receive HIPAA training
- Access Management: Procedures for granting, modifying, and terminating PHI access
- Incident Response: Documented procedures for security incident response
4. Business Associate Obligations
4.1 Workforce Management
Business Associate shall:
- Ensure workforce members with PHI access have appropriate authorization
- Implement workforce supervision and access justification procedures
- Provide HIPAA security awareness training to all relevant personnel
- Terminate PHI access immediately upon workforce member departure
4.2 Subcontractor Management
Business Associate engages the following subcontractors who may have access to PHI:
- Cloud Infrastructure Provider - Secure hosting and infrastructure services under executed Business Associate Agreement
- Audio Transcription Service Provider - Speech-to-text processing services under executed Business Associate Agreement
- EHR Integration Services - Electronic health record system integration and data synchronization under executed Business Associate Agreement
- AI/ML Training Services - Machine learning model training and optimization services under executed Business Associate Agreement
Business Associate shall ensure that any subcontractors who have access to PHI agree to the same restrictions and conditions that apply to Business Associate under this Agreement.
4.3 Reporting and Mitigation
Business Associate shall:
- Report any use or disclosure of PHI not provided for by this Agreement
- Mitigate, to the extent practicable, any harmful effects of unauthorized PHI use or disclosure
- Document and investigate all security incidents involving PHI
5. Breach Notification
5.1 Discovery and Notification Timeline
Business Associate shall notify Covered Entity within 72 hours of discovery of any breach of unsecured PHI.
5.2 Breach Notification Content
Notification shall include:
- Description of the breach and types of PHI involved
- Number of individuals affected (estimated if exact number unknown)
- Steps taken to investigate and mitigate the breach
- Contact information for Business Associate's breach response team
- Assessment of risk to individuals whose PHI was involved
5.3 Risk Assessment
Business Associate maintains documented procedures for breach risk assessment following the HHS four-factor analysis:
- Nature and extent of PHI involved, including identifiers and likelihood of re-identification
- Unauthorized person who used PHI or to whom disclosure was made
- Whether PHI was actually acquired or viewed
- Extent to which risk to PHI has been mitigated
6. Individual Rights Support
6.1 Access Requests
Business Associate shall provide access to PHI in a Designated Record Set within 30 days of a request from Covered Entity or individual, in the time and manner designated by Covered Entity.
6.2 Amendment Requests
Business Associate shall make amendments to PHI in a Designated Record Set as directed by Covered Entity within 60 days of request.
6.3 Accounting of Disclosures
Business Associate shall:
- Document disclosures of PHI as required for Covered Entity to respond to accounting requests under 45 CFR § 164.528
- Provide such documentation to Covered Entity within 30 days of request
- Maintain accounting records for 6 years from date of disclosure
6.4 Restriction Requests
Business Associate shall comply with any restrictions on use or disclosure of PHI that Covered Entity has agreed to under 45 CFR § 164.522.
7. Compliance and Monitoring
7.1 HHS Access
Business Associate shall make its internal practices, books, and records relating to PHI available to the Secretary of Health and Human Services for determining Covered Entity's compliance with HIPAA Rules.
7.2 Compliance Program
Business Associate maintains a comprehensive HIPAA compliance program including:
- Regular risk assessments and security evaluations
- Documented policies and procedures for PHI handling
- Ongoing monitoring of security controls and access logs
- Annual compliance training for all workforce members
7.3 Compliance Reporting
Business Associate shall provide Covered Entity with evidence of HIPAA compliance upon reasonable request, including:
- Security assessment reports
- Audit logs demonstrating proper PHI access controls
- Training records for workforce members with PHI access
- Incident response and breach assessment documentation
7. EHR Integration and Voice Processing
7.1 EHR System Access
With Covered Entity's authorization, Business Associate may:
- Access Covered Entity's EHR systems through secure integration methods
- Read and scan the structure of EHR system webpages to organize Output appropriately
- Automatically transfer generated medical documentation from the Platform into EHR systems
- Collect PHI from EHR systems to improve Platform services and prepare for future patient encounters
7.2 Voice ID Processing
With Covered Entity's opt-in consent, Business Associate may:
- Record and process voice samples to create voice identification profiles ("Voice ID")
- Store Voice ID data linked to user accounts for speaker recognition purposes
- Use Voice ID to assign speaker labels for attribution when creating medical documentation
- Retain Voice ID data until manually deleted by Covered Entity or authorized users
7.3 EHR Integration Safeguards
Business Associate shall:
- Ensure all EHR access is properly authenticated and authorized
- Limit EHR data collection to information necessary for Platform functionality
- Maintain audit logs of all EHR system interactions
- Respect EHR vendor terms and technical limitations
- Obtain appropriate consents before accessing EHR systems
8. Data Retention and Return
8.1 Standard Retention
Business Associate shall retain PHI in accordance with Covered Entity's instructions and applicable legal requirements, with minimum retention of 6 years for HIPAA compliance.
8.2 Voice ID and Learned Output Retention
- Voice ID: Stored and retained until manually deleted by Covered Entity or authorized users
- Learned Output: Medical documentation marked for AI training stored and retained until manually deleted
- EHR Integration Data: Retained according to the same settings selected for other PHI data
8.3 Return or Destruction
Upon termination of this Agreement or upon request by Covered Entity:
- Business Associate shall return or destroy all PHI within 30 days
- Voice ID and Learned Output shall be permanently deleted unless export is specifically requested
- EHR integration data shall be included in standard PHI return or destruction procedures
- If return or destruction is not feasible, Business Associate shall extend protections of this Agreement to such PHI
- Business Associate shall provide certification of PHI destruction when requested
8.4 Backup and Recovery
PHI in backup systems shall be destroyed in accordance with Business Associate's documented data retention policies, typically within 7 days of primary deletion.
9. Advanced Data Processing Rights
9.1 AI Model Training
When AI model training features are implemented in the Platform, and with Covered Entity's explicit opt-in consent:
- Business Associate may use PHI to train AI/ML models to improve Platform accuracy and functionality
- Training data will be linked to Covered Entity's customer ID for personalized model improvements
- Covered Entity maintains full control over participation in AI training programs
- Opt-in consent will be required before any AI training features are activated
- Opt-out mechanisms will be available at any time through Platform settings
- Clear disclosure will be provided about what data is used and how training improves Platform functionality
9.2 De-Identified Data Usage
Business Associate has the right to:
- Create de-identified data from PHI following 45 CFR § 164.514 standards
- Use de-identified data for Platform improvement, research, and analytics
- Link de-identified data with customer IDs for customized Platform training
- Disclose de-identified data to third parties for legitimate business purposes
9.3 Aggregate Data
Business Associate may collect and use aggregate data that does not identify individuals for:
- Platform operation, maintenance, and improvement
- Product development and service enhancement
- Industry research and benchmarking
- Business intelligence and analytics
10. Term and Termination
10.1 Term
This Agreement shall become effective on the date of acceptance and shall remain in effect until terminated in accordance with its terms or upon termination of the Terms of Service.
10.2 Material Breach
Either party may terminate this Agreement immediately upon 30 days' written notice if the other party fails to cure a material breach within such notice period.
10.3 Regulatory Action
Either party may terminate this Agreement immediately if the other party is named in a criminal proceeding for an alleged HIPAA violation or if a regulatory finding of a HIPAA violation is made.
10.4 EHR Integration Termination
If EHR system providers restrict or prohibit the integration rights granted under this Agreement:
- Business Associate will not be liable for inability to provide EHR integration services
- Alternative integration methods may be explored with Covered Entity's consent
- Core Platform services shall continue without EHR integration functionality
10.5 Survival
Provisions regarding PHI protection, return of information, compliance obligations, and EHR integration restrictions shall survive termination of this Agreement.
11. Amendment and Modification
11.1 Regulatory Changes
The parties agree to amend this Agreement as necessary to maintain compliance with changes in HIPAA Rules, HITECH Act requirements, or other applicable privacy and security laws.
11.2 Amendment Process
Amendments must be in writing and signed by authorized representatives of both parties, except where automatic updates are required for regulatory compliance.
11.3 Technology Updates
Business Associate may update EHR integration methods and AI processing capabilities to:
- Improve Platform functionality and user experience
- Maintain compatibility with evolving EHR systems
- Enhance security and compliance measures
- Add new features that benefit Covered Entity's workflow
12. Limitation of Liability
Business Associate's liability under this Agreement shall be subject to the limitation of liability provisions set forth in the Terms of Service, except that such limitations shall not apply to:
- Obligations specifically required under HIPAA Rules
- Willful misconduct or gross negligence in PHI handling
- Breach notification failures or delays
13. Governing Law and Disputes
This Agreement shall be governed by the same laws and dispute resolution procedures as set forth in the Terms of Service, provided that HIPAA requirements shall take precedence over conflicting provisions.
14. Entire Agreement
This Agreement, together with the Terms of Service, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, or agreements relating to such subject matter.
15. Contact Information
For HIPAA and BAA-related matters:
HealingFactor, Inc.
HIPAA Compliance Officer
Email: legal@healingfactor.tech
For security incidents:
24/7 Security Incident Response
Email: legal@healingfactor.tech
Acceptance
By using HealingFactor services or clicking "Accept" during account creation, you acknowledge that:
- You are authorized to bind your healthcare organization to this Agreement
- You have read and understand the terms of this Business Associate Agreement
- Your organization agrees to comply with all HIPAA obligations as a Covered Entity
- This Agreement is legally binding and required for HIPAA compliance
Questions about this Agreement? Contact our legal team at legal@healingfactor.tech
Copyright © 2024 HealingFactor, Inc. All rights reserved.