
Business Associate Agreement (BAA)

Between: Serno ("Business Associate")
And: [COVERED ENTITY NAME / SUBSCRIBER] ("Covered Entity")

Effective Date: [DATE OF EXECUTION]


Recitals

WHEREAS, Covered Entity is a "covered entity" as defined under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, "HIPAA"), and its implementing regulations at 45 CFR Parts 160 and 164;

WHEREAS, Business Associate provides AI-assisted clinical documentation services (the "Services") to Covered Entity pursuant to the Terms of Service Agreement (the "Service Agreement");

WHEREAS, in the course of providing the Services, Business Associate will create, receive, maintain, and/or transmit Protected Health Information ("PHI") on behalf of Covered Entity;

WHEREAS, HIPAA requires Covered Entity to enter into a written agreement with Business Associate establishing the permitted and required uses and disclosures of PHI;

NOW, THEREFORE, in consideration of the foregoing and the mutual covenants herein, the parties agree as follows:


1. Definitions

All capitalized terms not defined herein shall have the meanings set forth in HIPAA (45 CFR Parts 160 and 164).

1.1 "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under 45 CFR Part 164, Subpart E, which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.

1.2 "Business Associate" has the meaning set forth in 45 CFR §160.103. For purposes of this Agreement, Business Associate is Serno.

1.3 "Covered Entity" has the meaning set forth in 45 CFR §160.103.

1.4 "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR §160.103.

1.5 "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act (Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5).

1.6 "Protected Health Information" or "PHI" has the meaning set forth in 45 CFR §160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

1.7 "Required By Law" has the meaning set forth in 45 CFR §164.103.

1.8 "Security Incident" has the meaning set forth in 45 CFR §164.304.

1.9 "Subcontractor" means any person or entity who creates, receives, maintains, or transmits PHI on behalf of Business Associate.

1.10 "Unsecured PHI" has the meaning set forth in 45 CFR §164.402.


2. Permitted Uses and Disclosures by Business Associate

2.1 Permitted Uses. Business Associate may use PHI only as follows:

(a) To perform the Services described in the Service Agreement, specifically the generation of structured clinical notes from Covered Entity's session observations;

(b) For the proper management and administration of Business Associate's operations, or to carry out the legal responsibilities of Business Associate;

(c) To provide data aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B), using only de-identified data;

(d) As required by law.

2.2 Permitted Disclosures. Business Associate may disclose PHI only as follows:

(a) To Covered Entity, in connection with the provision of Services;

(b) As directed in writing by Covered Entity;

(c) To Subcontractors, in accordance with Section 5 of this Agreement;

(d) For the proper management and administration of Business Associate, provided that: (i) the disclosure is Required By Law, or (ii) Business Associate obtains reasonable written assurances that the PHI will remain confidential and will be used only for the purpose disclosed;

(e) As Required By Law.

2.3 Prohibited Uses and Disclosures. Business Associate shall not:

(a) Use or disclose PHI in any manner not permitted by this Agreement or Required By Law;

(b) Use PHI for marketing purposes as defined in 45 CFR §164.501;

(c) Sell PHI as defined in 45 CFR §164.502(a)(5)(ii);

(d) Use PHI to train, fine-tune, or improve any artificial intelligence or machine learning model without explicit written authorization from Covered Entity;

(e) Use or disclose PHI in violation of any applicable state law that is more stringent than HIPAA.


3. Obligations of Business Associate

3.1 Safeguards. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to:

(a) Protect the confidentiality, integrity, and availability of PHI in accordance with 45 CFR §164.306 (Security Standards);

(b) Prevent use or disclosure of PHI not permitted by this Agreement;

(c) Comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C) with respect to ePHI.

Business Associate's safeguards include, but are not limited to:

  • AES-256 encryption at rest (AWS KMS);
  • TLS 1.2+ encryption in transit;
  • Multi-factor authentication on all systems handling PHI;
  • Access controls based on minimum-necessary principles;
  • Audit logging via AWS CloudTrail (immutable, retained for 6 years);
  • Automatic deletion of raw session observation inputs within 24 hours of note generation;
  • Annual HIPAA training for all workforce members with access to PHI.

3.2 Reporting.

(a) Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware. Business Associate shall provide notice to Covered Entity at [COVERED ENTITY EMAIL] within 5 business days of discovering a Security Incident.

(b) Breach Notification. Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach. The notification shall include, to the extent possible:

  • The date of the Breach and date of discovery;
  • A description of the nature of the Breach;
  • The types of Unsecured PHI involved;
  • The number of individuals affected;
  • The steps taken to investigate, mitigate, and prevent recurrence;
  • Contact information for affected individuals (if available).

Business Associate acknowledges that it is Covered Entity's responsibility to notify affected individuals, the Secretary of HHS, and (where applicable) the media, in accordance with 45 CFR §§164.404–164.408.

3.3 Individual Rights.

(a) Access. Business Associate shall make PHI in a Designated Record Set available to Covered Entity within 30 days of a written request to enable Covered Entity to fulfill patient access requests under 45 CFR §164.524.

(b) Amendment. Business Associate shall make PHI in a Designated Record Set available for amendment within 30 days of a written request and shall incorporate any amendments directed by Covered Entity pursuant to 45 CFR §164.526.

(c) Accounting of Disclosures. Business Associate shall maintain records of disclosures of PHI and shall make such records available to Covered Entity within 30 days of request to enable Covered Entity to respond to requests for an accounting of disclosures under 45 CFR §164.528.

3.4 Government Access. Business Associate shall make its internal practices, books, and records relating to PHI available to the Secretary of the U.S. Department of Health and Human Services ("Secretary") for purposes of determining Covered Entity's or Business Associate's compliance with HIPAA, as required by 45 CFR §164.504(e)(2)(ii)(I).

3.5 Minimum Necessary. Business Associate shall request, use, and disclose only the minimum PHI necessary to accomplish the purposes of this Agreement.

3.6 De-identification. Where technically feasible and consistent with the Services, Business Associate shall use de-identified data in lieu of PHI. Notelyx recommends that Covered Entity submit anonymized session observations (without patient names, dates of birth, or other direct identifiers) when inputting data for AI note generation.


4. Obligations of Covered Entity

4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation in Covered Entity's Notice of Privacy Practices to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

4.2 Individual Permissions. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI to the extent that such changes may affect Business Associate's use or disclosure of PHI.

4.3 Restrictions. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

4.4 Lawful Instructions. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except as permitted under Section 2.1(b) and (c).

4.5 De-identification Obligation. Covered Entity agrees to make reasonable efforts to avoid including direct patient identifiers (including name, date of birth, Social Security number, or account numbers) in session observation inputs submitted to the Service.


5. Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement. Business Associate's current material Subcontractors with access to PHI are:

Subcontractor                    | Purpose                                           | BAA in Place
---------------------------------|---------------------------------------------------|-------------------------------
Amazon Web Services, Inc. (AWS)  | Infrastructure, database, AI processing, storage  | Yes (AWS BAA via AWS Artifact)

Business Associate shall notify Covered Entity of any change to material Subcontractors that handle PHI within 30 days of such change.


6. Term and Termination

6.1 Term. This Agreement is effective as of the Effective Date and shall remain in effect for as long as Business Associate creates, receives, maintains, or transmits PHI on behalf of Covered Entity, or until terminated in accordance with this Section.

6.2 Termination for Cause. Either party may terminate this Agreement immediately upon written notice if the other party has violated a material term of this Agreement and has not cured such violation within 30 days of receiving written notice of the violation.

6.3 Covered Entity's Obligation to Terminate. Per 45 CFR §164.504(e)(2)(iii), Covered Entity must terminate this Agreement if it knows of a pattern of activity or practice by Business Associate that constitutes a material breach or violation of this Agreement, and Business Associate has not taken reasonable steps to cure the violation.

6.4 Effect of Termination. Upon termination of this Agreement:

(a) Business Associate shall, if feasible, return or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate maintains in any form;

(b) If return or destruction is not feasible (e.g., PHI is embedded in backup systems), Business Associate shall extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible;

(c) Business Associate shall certify in writing to Covered Entity that all PHI has been returned or destroyed within 60 days of termination.


7. Miscellaneous

7.1 Amendment. The parties agree to amend this Agreement as necessary to comply with changes in HIPAA, the HITECH Act, and any regulations promulgated thereunder. Either party may request such amendment in writing.

7.2 No Third-Party Beneficiaries. Nothing in this Agreement shall confer any rights or remedies on any third party, including patients.

7.3 Interpretation. This Agreement shall be interpreted to give effect to HIPAA and its implementing regulations. In the event of any conflict between this Agreement and the Service Agreement, this Agreement shall govern with respect to PHI.

7.4 Survival. The obligations of the parties under Sections 3, 5, and 6.4 shall survive termination of this Agreement.

7.5 Governing Law. This Agreement is governed by federal law (HIPAA, HITECH) and, to the extent not preempted, the laws of the Federal Republic of Germany (State of Hesse).

7.6 Entire Agreement. This Agreement, together with the Service Agreement, constitutes the entire agreement between the parties regarding the use and disclosure of PHI.

7.7 Counterparts / Electronic Signature. This Agreement may be executed in counterparts, including electronically, each of which shall be deemed an original.


Signature Block

NOTELYX (Business Associate)

Signature: ___________________________
Name: ___________________________
Title: ___________________________
Date: ___________________________
Email: legal@notelyx.app


[COVERED ENTITY NAME] (Covered Entity)

Signature: ___________________________
Name: ___________________________
Title: ___________________________
License Number: ___________________________
Practice Name: ___________________________
Date: ___________________________
Email: ___________________________


Attorney Review Note: This BAA is drafted per 45 CFR §164.504(e). Confirm the 60-day breach notification period (you may wish to shorten to 10-15 days for competitive positioning — HHS requires "without unreasonable delay" and no later than 60 days). Verify state-specific mental health privacy laws that may be more restrictive than HIPAA (e.g., California's CMIA, 42 CFR Part 2 if any SUD treatment is involved). Update Subcontractor table as infrastructure evolves. Consider an electronic execution flow (e.g., DocuSign) integrated into the onboarding workflow to ensure BAA is signed before any PHI access is granted.
