HIPAA BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (this “Agreement”) is made and entered into this ___ _______________ (the “Effective Date”), by and between ___________________, a/an ____________ ___________ (the “Covered Entity”), and PSYNTH, INC., a Delaware corporation (“Business Associate”) in connection with the Psynth, Inc. SaaS License Agreement, dated as of __________________, between the Covered Entity and Business Associate (the “Master Agreement”). Each capitalized term in this Agreement shall have the meaning specified in the HIPAA Rules, unless otherwise defined in this Agreement. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164 (available at www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html).

ARTICLE I.   

Uses and Disclosures of PHI

I.1 Services. Business Associate provides certain services pursuant to the terms of the Master Agreement (the “Services”) to Covered Entity and may use, create, receive, transmit or maintain protected health information (“PHI”) on behalf of Covered Entity in connection with provision of the Services.

I.2 General Prohibition and Limitations. Business Associate shall neither use nor disclose PHI, nor copy, duplicate or otherwise reproduce any part of the PHI except as required to perform the Services, and in accordance with this Agreement or as required by law. Except as otherwise provided in this Agreement or the Master Agreement, Business Associate may use or disclose PHI on behalf of Covered Entity or in connection with its performance of the Services, if that use or disclosure would not violate the HIPAA Rules if done by Covered Entity, or the minimum necessary policies and procedures of Covered Entity. If any limitation, restriction, or prohibition contained in this Agreement upon Business Associate’s use or disclosure of PHI could reasonably be expected to result in Business Associate’s violation or breach of any professional obligation or ethical responsibility of Business Associate to Covered Entity, then that limitation, restriction, or prohibition shall be of no force or effect and shall be disregarded with respect to that use or disclosure.

I.3 Business Associate’s Use of PHI. Business Associate may use PHI as necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

I.4 Business Associate’s Disclosure of PHI. Business Associate may disclose PHI as necessary for the proper management and administration of Business Associate if:

(a) the disclosure is required by law; or

(b) prior to the disclosure, Business Associate obtains reasonable assurances from the Person to whom Business Associate will disclose the PHI that the Person will: (i) hold the PHI in confidence and use or further disclose the PHI only as required by law or for the lawful purpose for which Business Associate disclosed it to the Person; and (ii) promptly notify Business Associate of each instance of which the Person becomes aware in which the confidentiality of the PHI is breached.

I.5 Safeguards.

(a) Privacy Safeguards. Business Associate will develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of PHI to the extent required by the HIPAA Rules. The safeguards will reasonably protect PHI from any intentional or unintentional use or disclosure in violation of the HIPAA Rules and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this Agreement. To the extent the parties agree that the Business Associate will carry out directly one or more of Covered Entity’s obligations under the HIPAA Rules, Business Associate will directly comply with the requirements of such rules that apply to the Covered Entity.

(b) Compliance with Security Rules. Business Associate will comply with the Security Rule and use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates, receives, maintains, or transmits on Covered Entity’s behalf.

I.6 Subcontractors. In each instance that Business Associate engages any other Person (including any agents, representatives, contractors and others but excluding a member of Business Associate’s Workforce) to assist Business Associate with respect to the Services who will have access to PHI, Business Associate shall enter in a written agreement with the Person requiring that Person to (a) appropriately safeguard PHI created, received, maintained, or transmitted on behalf of Business Associate; and (b) comply with the same restrictions and conditions imposed under this Agreement upon Business Associate with respect to PHI.

I.7 Prohibition on Sale of PHI. Business Associate shall not engage in any sale (as defined in the HIPAA Rules) of PHI.

I.8 De-Identified PHI. Business Associate may de-identify any PHI in accordance with 45 C.F.R. § 164.514(b). Covered Entity acknowledges and agrees that de-identified information is not PHI, and that Business Associate may use such de-identified information for any lawful purpose.

I.9 Use of Third-Party Companies. Business Associate hereby discloses that it contracts with third-party companies including Anthropic (Claude), OpenAI (ChatGPT), AssemblyAI, and Google (Gemini) for certain artificial intelligence and large language model (“AI Models”) technologies used in connection with providing the Services. Business Associate has entered into business associate agreements with such third-party providers that include the same or more stringent protections for PHI as outlined in this Agreement. Such business associate agreements specifically prohibit the third-party companies from using PHI for training their AI Models. Any de-identified data that may be used for improving Business Associate's proprietary technology will be de-identified in accordance with HIPAA standards as outlined in Section 1.8 of this Agreement. Covered Entity may request documentation of these third-party business associate agreements and may opt-out of having any of their data, even in de-identified information, used for Business Associate's technological improvements by providing written notice to Business Associate.

I.10 Ambient Listening Feature. Where Covered Entity enables the Ambient Listening feature, Business Associate's processing of session audio and transcripts shall be governed by the following:

(a) Audio Processing in Transit. Audio is transmitted via TLS 1.3 to a zero-retention endpoint operated by Business Associate's authorized transcription sub-processor, transcribed in real time, and discarded at the sub-processor without persistent storage. Business Associate does not retain audio recordings at rest in its infrastructure.

(b) Transcript Storage. Transcripts and any AI-generated summaries derived from the Ambient Listening feature constitute PHI under this Agreement and are stored at rest in Business Associate's infrastructure, encrypted in accordance with Section 1.5.

(c) Patient Authorization and Consent. Covered Entity represents and warrants that, prior to enabling the Ambient Listening feature for any patient session, Covered Entity has obtained all necessary authorizations from the patient (or the patient's personal representative, where applicable) for the recording, transcription, and processing of session audio under HIPAA, applicable state laws governing recording and consent (including two-party consent jurisdictions), and any applicable professional ethical obligations. Business Associate's in-product confirmation mechanisms are operational tools provided for Covered Entity's convenience and do not transfer the underlying legal obligation from Covered Entity to Business Associate.

(d) Indemnification. Covered Entity shall indemnify Business Associate against any claims, damages, or regulatory actions arising from Covered Entity's failure to obtain valid patient authorization or consent for Ambient Listening, except to the extent such claims arise from Business Associate's breach of this Agreement.

 

ARTICLE II.  

Breaches and Security Incidents

II.1 Reporting.

(a) Impermissible Use or Disclosure. Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this Agreement no more than 30 days after Business Associate discovers such non-permitted use or disclosure.

(b) Breach of Unsecured PHI. Business Associate will report to Covered Entity any potential Breach of Unsecured PHI no more than 5 days after discovery of such potential Breach. Business Associate will treat a potential Breach as being discovered in accordance with 45 C.F.R. § 164.410. Business Associate will make the report to Covered Entity’s privacy officer. If a delay is requested by a law enforcement official in accordance with 45 C.F.R. § 164.412, Business Associate may delay notifying Covered Entity for the applicable time period. Business Associate’s report will include at least the following, provided that absence of any information will not be cause for Business Associate to delay the report:

(i) The nature of the Breach, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of any Breach;

(ii) The nature and extent of the PHI involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, or other information was involved) and the likelihood of re-identification;

(iii) Who made the non-permitted use or disclosure and who received the non-permitted disclosure;

(iv) Whether the PHI was actually acquired or viewed;

(v) The corrective or investigational action Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects, and to protect against any further Breaches; and

(vi) Other information, including a written report and risk assessment under 45 C.F.R. § 164.402, as Covered Entity may reasonably request.

(c) Security Incidents. Business Associate will report to Covered Entity any Security Incident involving PHI of which Business Associate becomes aware. Business Associate will make this report monthly, except if any such Security Incident resulted in a disclosure not permitted by this Agreement or Breach of Unsecured PHI, Business Associate will make the report in accordance with the provisions set forth above.

II.2 Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to the Business Associate resulting from a use or disclosure of PHI in violation of this Agreement.

II.3 Breach Notification to Third Parties. To the extent requested by Covered Entity, Business Associate shall reasonably assist Covered Entity in preparing or sending breach notifications.

ARTICLE III.                 

Access, Amendment, and Disclosure Accounting

III.1 Access. If Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within a reasonable time after Covered Entity’s written request, make it available to Covered Entity as necessary to satisfy the Covered Entity’s obligation to provide an individual the right to access PHI in 45 C.F.R. § 164.524.

III.2 Amendment. If Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within a reasonable time after Covered Entity’s written request, amend or take other measures to the extent necessary for Covered Entity to satisfy its obligations to provide an individual the right to amend PHI under 45 C.F.R. § 164.526.

III.3 Accounting of PHI Disclosures. Business Associate will maintain a written record of each disclosure of PHI made by Business Associate to any other Person that would be required to be disclosed by Covered Entity in an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. That record should include, if reasonably available, (a) the disclosure date, (b) the name and (if known) address of the Person to whom Business Associate made the disclosure, (c) a brief description of the PHI disclosed, and (d) a brief statement of the purpose of the disclosure that reasonably sets forth the basis for the disclosure (the “Disclosure Information”). If, during the period covered by an accounting of disclosures, Business Associate made multiple disclosures to the same Person (including Covered Entity) for a single purpose or pursuant to an authorization, Business Associate may provide with respect to that accounting period (x) the Disclosure Information for the first of the repetitive disclosures, (y) the frequency, period or number of the repetitive disclosures and (z) the date of the last repetitive disclosure. Business Associate will make this Disclosure Information available to Covered Entity within a reasonable time after Covered Entity’s written request to enable Covered Entity to timely respond to an individual’s request for an accounting of disclosures.

III.4 Restriction Agreements and Confidential Communications. Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices under 45 C.F.R. § 164.520, if such limitation may affect Business Associate’s use or disclosure of PHI. Business Associate will comply with any notice from Covered Entity to (a) restrict use or disclosure of PHI pursuant to 45 C.F.R. § 164.522(a), or (b) provide for confidential communications of PHI pursuant to 45 C.F.R. § 164.522(b), provided that Covered Entity notifies Business Associate in writing of the restriction or confidential communications obligations that Business Associate must follow. Covered Entity will promptly notify Business Associate in writing of the termination of any such restriction or confidential communications requirement and instruct Business Associate whether any PHI will remain subject to the terms of the restriction agreement.

III.5 Department of Health and Human Services. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services (“DHHS”) for purposes of determining compliance with federal law during the term of the Agreement and for a period of five years after termination of the Agreement. Business Associate shall submit such compliance reports as may be required by DHHS, cooperate with the Secretary of DHHS in any investigation or compliance review, and permit access by the Secretary of DHHS during normal business hours to its facilities, books and records and other information pertinent to HIPAA compliance. By complying with this provision, neither party shall be deemed to have waived any attorney-client, accountant-client or other privilege.

ARTICLE IV.                 

Term and Termination

IV.1 Term. This Agreement shall be effective on the Effective Date and shall terminate automatically upon termination of the Master Agreement. This Agreement replaces and supersedes any previous HIPAA business associate agreement between the parties with respect to the Services.

IV.2 Termination. If Covered Entity determines that Business Associate has breached any material provision of this Agreement, Covered Entity shall promptly notify Business Associate in writing of the breach and provide that Business Associate shall have 30 days after its receipt of the notice to cure the breach. If Business Associate does not cure the breach within that 30-day period, Covered Entity may terminate the Master Agreement. Any such termination will be effective immediately or at such date specified by Covered Entity or Business Associate in the written notice.

IV.3 Obligations upon Termination; Return or Destruction. Upon termination of the Services and to the extent permitted by applicable law and consistent with its ethical and professional obligations, Business Associate will return the PHI in its possession or under its reasonable control to Covered Entity, or destroy or permanently delete the PHI, regardless of the form or medium (including in any electronic medium under Business Associate’s custody or control) in which the PHI is maintained by Business Associate. Business Associate will complete such return, destruction, or deletion as promptly as reasonably possible. Business Associate will identify all PHI that cannot feasibly be returned to Covered Entity, or destroyed or deleted, and will limit its further use or disclosure of that PHI to those purposes that make its return, destruction or deletion infeasible. Business Associate will inform Covered Entity in writing that such return, destruction, or deletion has been completed and identify any PHI for which return, destruction or deletion is infeasible. This provision shall apply to PHI that is in the possession of any Subcontractors of Business Associate. Further, Business Associate shall require any such Subcontractor to certify to Business Associate that it has returned to Business Associate or destroyed all such information which could be returned or destroyed. Business Associate will complete these obligations as promptly as possible. The respective rights and obligations of Business Associate under this Section shall survive the termination of this Agreement.

IV.4 Continuing Obligations. Business Associate’s obligation to protect the privacy and safeguard the security of PHI as specified in the Agreement will be continuous and survive termination of this Agreement.

ARTICLE V.   

General Provisions

V.1 Master Agreement. This Agreement is hereby incorporated into the Master Agreement as an addendum to the Master Agreement. In the event of any inconsistency between the provisions of this Agreement and the Master Agreement, the provisions of this Agreement will prevail, unless the applicable terms of the Master Agreement would be more protective of PHI.

V.2 Notices. Any notices required or permitted hereunder shall be deemed to be duly given if in writing and delivered personally, sent by the United States certified or registered mail, postpaid, sent by email, or sent via fax to the addresses and numbers set forth below the signatures of the parties, or such addresses or numbers as may be specified in writing by the parties.

V.3 Change in Regulations; Amendment to Agreement. Upon the effective date of any final regulation or amendment to the HIPAA Rules that conflicts with any term or condition of this Agreement or which imposes any requirement, condition or obligation upon Business Associate or Covered Entity not imposed by this Agreement, then Covered Entity and Business Associate shall exercise their respective utmost good faith and commercially reasonable efforts to amend this Agreement to incorporate the applicable terms and conditions of that regulation or amendment such that this Agreement contractually imposes those terms and conditions upon the parties as applicable. Each regulatory reference in this Agreement means, as applicable, the regulatory section as then in effect or as amended.

V.4 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that results in Covered Entity complying with the HIPAA Rules.

V.5 Binding Effect. This Agreement shall be binding upon and inure to the benefit of the parties hereto, and their respective successors and assigns.

V.6 Counterparts. This Agreement may be executed in any number of counterparts, which taken together shall constitute one and the same instrument and each of which shall be considered an original for all purposes.

V.7 Invalidity. In the event any provision of this Agreement is determined to be invalid or unenforceable, then the remainder of this Agreement shall not be affected thereby.

V.8 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Oklahoma applicable to contracts made and performed entirely therein.

V.9 Waivers. No party's rights under this Agreement will be deemed waived except by a writing signed by such party.

V.10 Entire Agreement. This Agreement constitutes the entire understanding and agreement of the parties with respect to its subject matter, and may not be altered or modified except by an instrument in writing signed by the parties.

[SIGNATURE(S) TO FOLLOW]

IN WITNESS WHEREOF and intending to be legally bound hereby, Covered Entity and Business Associate have each caused this Agreement to be executed by a duly authorized officer as of the day and year first above written.

BUSINESS ASSOCIATE:

PSYNTH, INC.

By:                                                                        

Name: Stephen Stearman

Title: CEO

Address:

301 E. Archer St.

Tulsa OK 74120

Email:  Stephen@psynth.ai

COVERED ENTITY:                                          

[__________________]

By                                                                        

Name:                                                                  

Title:                                                                    

Address:

Email:  _____________@______.com