Business Associate Agreement

Effective Date: [DATE]

This BAA is required by HIPAA before any Protected Health Information (PHI) is processed through our Service. By signing up for a paid plan or otherwise uploading PHI, you accept the terms of this BAA in addition to our Terms of Service.

Parties

This Business Associate Agreement ("BAA") is entered into between:

Covered Entity: The healthcare provider or practice that subscribes to the MindScribe Service ("Covered Entity" or "you"), and

Business Associate: MindScribe Health, Inc., a [State] corporation ("Business Associate" or "MindScribe").

1. Definitions

Capitalized terms used but not otherwise defined have the meanings given in the HIPAA Rules at 45 CFR Parts 160 and 164. Key terms include:

"Breach," "Designated Record Set," "Disclosure," "Health Care Operations," "HIPAA Rules," "Individual," "Minimum Necessary," "Protected Health Information" ("PHI"), "Required by Law," "Secretary," "Security Incident," "Subcontractor," "Unsecured PHI," and "Use" shall have the meanings given to such terms in the HIPAA Rules.

2. Permitted Uses and Disclosures of PHI by Business Associate

Business Associate may use or disclose PHI only:

To perform the services described in the underlying Service Agreement
For the proper management and administration of Business Associate
To carry out Business Associate's legal responsibilities
To provide data aggregation services relating to the Health Care Operations of Covered Entity, where applicable
As Required by Law

Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted above.

3. Obligations of Business Associate

Business Associate agrees to:

3.1 Safeguards

Implement appropriate administrative, physical, and technical safeguards, including those required by 45 CFR §164.308, §164.310, and §164.312, that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI.

3.2 Reporting

Report to Covered Entity:

Any Use or Disclosure of PHI not permitted by this BAA, of which Business Associate becomes aware
Any Security Incident of which it becomes aware (excluding unsuccessful, routine occurrences such as pings and port scans)
Any Breach of Unsecured PHI without unreasonable delay and in no event later than 30 days after discovery

3.3 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.

3.4 Access by Individuals

Within fifteen (15) business days of a request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set to enable Covered Entity to meet its obligations under 45 CFR §164.524.

3.5 Amendment

Within thirty (30) business days of a request from Covered Entity, Business Associate shall make amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR §164.526.

3.6 Accounting of Disclosures

Business Associate shall document Disclosures of PHI and information related to such Disclosures, and within thirty (30) business days of a request, provide to Covered Entity such information necessary to permit Covered Entity to respond to a request for an accounting of Disclosures pursuant to 45 CFR §164.528.

3.7 Records Available to Secretary

Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules.

3.8 Mitigation

Business Associate shall take reasonable steps to mitigate any harmful effect known to it of a Use or Disclosure of PHI in violation of this BAA.

4. Obligations of Covered Entity

Covered Entity shall:

Notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate's Use or Disclosure of PHI
Notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose PHI
Notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522
Not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity
Be solely responsible for obtaining all necessary consents and authorizations from Individuals

5. Term and Termination

5.1 Term

This BAA is effective as of the date Covered Entity first uploads PHI to the Service and continues until terminated as set forth herein, or until all PHI provided by Covered Entity to Business Associate is destroyed or returned, whichever is later.

5.2 Termination for Cause

Covered Entity may terminate this BAA and the underlying Service Agreement if Covered Entity determines that Business Associate has materially breached this BAA and Business Associate fails to cure the breach within thirty (30) days of written notice.

5.3 Effect of Termination

Upon termination, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity that Business Associate still maintains in any form. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further Uses and Disclosures to those purposes that make return or destruction infeasible.

6. Miscellaneous

6.1 Regulatory References

References to sections in the HIPAA Rules mean the section as in effect or as amended.

6.2 Amendment

The parties agree to amend this BAA as needed to comply with changes in the HIPAA Rules.

6.3 Survival

The obligations of Business Associate under Section 5.3 ("Effect of Termination") shall survive termination of this BAA.

6.4 Interpretation

Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.

6.5 No Third-Party Beneficiaries

Nothing in this BAA shall confer any rights, remedies, or benefits upon any person other than the parties.

7. Signatures

By clicking "I Accept" during account onboarding, by signing up for a paid plan, or by uploading PHI to the Service, Covered Entity executes this BAA and agrees to be bound by its terms.

For Covered Entity records: A copy of this executed BAA, including the date of acceptance and the name of the accepting individual, is maintained in your practice's account settings under "Compliance Documents."

Contact

MindScribe Health, Inc.
Attn: HIPAA Privacy Officer
[Street Address]
[City, State ZIP]
Email: hipaa@mindscribehealth.com