Business Associate Agreement
Effective Date: February 2026
Document Version: 2.0
Preamble
This Business Associate Agreement ("BAA" or "Agreement") is entered into by and between the healthcare provider, health plan, or healthcare clearinghouse that has executed a subscription agreement or terms of service with Rymeda, Inc. (the "Covered Entity") and Rymeda, Inc., a Delaware corporation with its principal place of business in California (the "Business Associate"), collectively referred to as the "Parties."
This BAA is entered into pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 42 U.S.C. §1320d et seq.; the HIPAA Privacy Rule at 45 CFR Part 164, Subpart E; the HIPAA Security Rule at 45 CFR Part 164, Subpart C; the HIPAA Breach Notification Rule at 45 CFR Part 164, Subpart D; and the Health Information Technology for Economic and Clinical Health Act ("HITECH"), 42 U.S.C. §17921 et seq., as amended from time to time (collectively, "HIPAA Rules").
WHEREAS, Business Associate provides clinical documentation, practice management, billing, AI-assisted charting, marketplace, and related healthcare technology services (the "Services") to Covered Entity as described in the Terms of Service; and
WHEREAS, in performing the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity; and
WHEREAS, the Parties wish to establish the terms and conditions under which Business Associate will use and disclose PHI in compliance with the HIPAA Rules;
NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, the Parties agree as follows:
1. Definitions
Capitalized terms used but not otherwise defined in this BAA shall have the meanings assigned to them under 45 CFR §160.103 and §164.501. The following definitions apply:
1.1 "Protected Health Information" or "PHI"
Individually identifiable health information as defined in 45 CFR §160.103, whether oral, written, or electronic, that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity. In the context of Rymeda's platform, PHI includes but is not limited to: patient demographic data (name, date of birth, gender, address, phone, email), clinical chart records (problems with ICD-10 codes, medications, allergies, vital signs, lab results, treatment plans), clinical notes (SOAP notes, progress notes, intake notes, discharge summaries), voice recordings of clinical encounters, AI-generated transcriptions and medical reports, insurance information (provider name, plan, member ID, group number), appointment records, invoices with CPT codes, insurance claims with diagnosis and procedure codes, and secure messages between providers and patients.
1.2 "Electronic Protected Health Information" or "ePHI"
PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR §160.103. On the Rymeda platform, ePHI includes all PHI stored in MongoDB Atlas databases, voice audio files stored in AWS S3 buckets, AI-processed transcriptions via OpenAI and Google Gemini services, data transmitted via API calls, and ePHI cached in application memory during processing.
1.3 "Covered Entity"
A health plan, healthcare clearinghouse, or healthcare provider who transmits health information in electronic form in connection with a covered transaction, as defined in 45 CFR §160.103, and who has entered into a subscription agreement or Terms of Service with Rymeda, Inc. for the use of the Rymeda platform.
1.4 "Business Associate"
Rymeda, Inc., which performs functions or activities on behalf of, or provides certain services to, Covered Entity that involve the creation, receipt, maintenance, or transmission of PHI, as defined in 45 CFR §160.103.
1.5 "Breach"
The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402. A Breach is presumed unless Business Associate demonstrates that there is a low probability that the PHI has been compromised based on the four-factor risk assessment set forth in 45 CFR §164.402(2). Breach excludes the three exceptions set forth in 45 CFR §164.402(1): (i) unintentional acquisition, access, or use by a workforce member acting in good faith; (ii) inadvertent disclosure between authorized persons; and (iii) situations where the unauthorized recipient would not reasonably have been able to retain the PHI.
1.6 "Security Incident"
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR §164.304. This includes failed login attempts, unauthorized API access attempts, unauthorized access to patient records, privilege escalation attempts, and anomalous data access patterns detected by Rymeda's monitoring systems.
1.7 "Unsecured PHI"
PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS in guidance issued under 42 U.S.C. §17932(h)(2), as defined in 45 CFR §164.402. Rymeda encrypts PHI at rest using AES-256 and in transit using TLS 1.3, consistent with the HHS guidance (NIST SP 800-111 for data at rest; NIST SP 800-52 for data in transit). Encrypted PHI is "secured" only with respect to an incident in which the ciphertext is exposed without the corresponding keys. PHI that is in plaintext at the time of an incident (for example, ePHI in application memory during processing, data in use at a Subcontractor, or data accessed through a compromised authorized account) is Unsecured PHI for purposes of Section 5.
1.8 "Required By Law"
A mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law, as defined in 45 CFR §164.103. Includes court orders, subpoenas, statutory mandates (including California Confidentiality of Medical Information Act, Cal. Civ. Code §56 et seq.), and administrative requirements.
1.9 "Secretary"
The Secretary of the United States Department of Health and Human Services ("HHS") or the Secretary's designee.
1.10 "Individual"
The person who is the subject of the PHI, as defined in 45 CFR §160.103. On the Rymeda platform, this refers to patients whose records are created, maintained, and managed through the clinical management system by Covered Entity's authorized workforce.
1.11 "Subcontractor"
A person or entity to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of Business Associate, as defined in 45 CFR §160.103.
2. Obligations of Business Associate
Business Associate (Rymeda, Inc.) agrees to the following obligations with respect to PHI created, received, maintained, or transmitted on behalf of Covered Entity:
2.1 Permitted Use and Disclosure Only
Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as Required By Law, in accordance with 45 CFR §164.504(e)(2)(i) and §164.504(e)(2)(ii)(A). Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except as expressly permitted under Section 3 of this BAA (management and administration, data aggregation).
2.2 Appropriate Safeguards
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with 45 CFR §164.308 (Administrative Safeguards), §164.310 (Physical Safeguards), and §164.312 (Technical Safeguards). Specific safeguards are detailed in Section 4 of this BAA.
2.3 Reporting of Unauthorized Use or Disclosure
Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Breach of Unsecured PHI as required by 45 CFR §164.410. Specifically:
- Security Incidents: Business Associate shall report successful Security Incidents (as defined in Section 1.6) to Covered Entity within twenty-four (24) hours of discovery. Attempted but unsuccessful Security Incidents (for example, failed login attempts and blocked API requests) are reported in aggregate: Business Associate shall provide a written summary on a quarterly basis upon Covered Entity's written request.
- Unauthorized Use or Disclosure: Business Associate shall provide an initial report of any use or disclosure of PHI not permitted by this BAA within five (5) business days of discovery, including where the four-factor risk assessment under Section 5.4 is still in progress.
- Breaches: Where the event is, or is determined to be, a Breach of Unsecured PHI, Business Associate shall provide the full notification described in Section 5 of this BAA no later than thirty (30) calendar days after discovery of such Breach.
2.4 Subcontractor Agreements
In accordance with 45 CFR §164.502(e)(1)(ii) and 42 U.S.C. §17934(b), Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to such PHI. Business Associate shall enter into a written agreement with each such Subcontractor that contains substantially similar terms to this BAA. Current Subcontractors are listed in Section 6 and on the Subprocessor List.
2.5 Access to PHI
Business Associate shall make PHI maintained in a Designated Record Set available to Covered Entity as necessary to satisfy Covered Entity's obligations to provide Individual access to PHI under 45 CFR §164.524. Business Associate shall respond to such requests within fifteen (15) business days of receipt. Where PHI is maintained electronically, Business Associate shall provide such PHI in the electronic form and format requested by the Individual if it is readily producible, or in a readable electronic form and format as agreed to by the Covered Entity and the Individual, in accordance with 45 CFR §164.524(c)(2)(ii).
2.6 Amendment of PHI
Business Associate shall make PHI maintained in a Designated Record Set available to Covered Entity for amendment and shall incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 CFR §164.526. Business Associate shall respond to amendment requests within thirty (30) calendar days, with a single thirty (30)-day extension permitted upon written notice to Covered Entity.
2.7 Accounting of Disclosures
Business Associate shall maintain and make available to Covered Entity the information required for Covered Entity to provide an accounting of disclosures of PHI in accordance with 45 CFR §164.528. Business Associate shall maintain records of disclosures for a period of six (6) years from the date of the disclosure. Rymeda's immutable, append-only audit trail system records all PHI access events, disclosures, and modifications, enabling comprehensive accounting of disclosures.
2.8 Availability to Secretary
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules, in accordance with 45 CFR §164.504(e)(2)(ii)(I). This obligation shall survive the termination of this BAA.
2.9 Minimum Necessary Standard
Business Associate shall limit its use, disclosure, or request of PHI, to the extent practicable, to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR §164.502(b) and 42 U.S.C. §17935(b). Rymeda enforces the minimum necessary standard through its role-based access control system, which restricts PHI access based on clinical role: Physicians, Nurse Practitioners, and Physician Assistants have full clinical chart access; Registered Nurses and Therapists have scoped clinical access; Billers access only billing-related data; and Front Desk staff access only scheduling-related data. Organization Admins and Owners have operational access but no direct clinical chart access.
2.10 Return or Destruction of PHI
Upon termination of this BAA for any reason, Business Associate shall, at the election of Covered Entity, return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This obligation is further detailed in Section 8.4 of this BAA.
2.11 Prohibition on Sale of PHI
Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except as permitted under 42 U.S.C. §17935(d)(2) and 45 CFR §164.502(a)(5)(ii). In particular, the prohibition does not apply to disclosures for treatment or payment purposes, to the fees Business Associate receives from Covered Entity for performing the Services under this BAA, or to a disclosure made under a valid authorization from the Individual that states that the disclosure will result in remuneration.
2.12 Prohibition on Marketing Use
Business Associate shall not use or disclose PHI for fundraising or marketing purposes without a valid authorization from the Individual as required by 42 U.S.C. §17936.
3. Permitted Uses and Disclosures
Except as otherwise limited in this BAA, Business Associate may use or disclose PHI as follows:
3.1 Services Performance
Business Associate may use and disclose PHI as necessary to perform the Services set forth in the Terms of Service, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by Covered Entity. This includes:
- Treatment Activities: Facilitating care team coordination, clinical chart management, SOAP note documentation, voice note transcription, clinical decision support via ORIS AI, appointment scheduling, secure messaging between providers and patients, and care plan management.
- Payment Activities: Invoice creation and management with CPT codes, insurance claims processing (submission, adjudication, appeals), billing lifecycle management, and payment processing through Stripe.
- Healthcare Operations: Quality assessment, auditing and compliance monitoring, credentialing and verification (NPI/NPPES validation, license verification, DEA verification), staff management, provider onboarding, and analytics dashboards.
3.2 Management and Administration
Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, in accordance with 45 CFR §164.504(e)(4). Business Associate may disclose PHI for such purposes only if: (a) the disclosure is Required By Law; or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as Required By Law or for the purposes for which it was disclosed, and that the person will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached.
3.3 Data Aggregation
Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B), provided that all aggregated data is de-identified in accordance with 45 CFR §164.514(a)-(c) using either the Expert Determination method (§164.514(b)(1)) or the Safe Harbor method (§164.514(b)(2)). Business Associate shall not re-identify any de-identified data without Covered Entity's prior written consent.
3.4 Required By Law
Business Associate may use or disclose PHI as Required By Law, as defined in 45 CFR §164.103. Business Associate shall notify Covered Entity promptly of any such required disclosure, unless prohibited by law from doing so.
3.5 AI-Assisted Clinical Documentation
AI Processing Disclosure
Business Associate processes ePHI through AI services as part of its clinical documentation pipeline. Voice recordings of clinical encounters are transcribed using OpenAI Whisper. AI-generated SOAP notes, suggested ICD-10 codes, and confidence scores are produced using OpenAI and Google Gemini models. All AI-generated content is flagged with "AI_DRAFT" status and requires provider review and signature before clinical use. Original voice recordings are preserved and model versioning is tracked. Patients may opt out of AI processing in accordance with California AB 3030 requirements and the Patient Consent forms. Business Associate maintains a written Subcontractor agreement meeting the requirements of Section 2.4 with each AI Subcontractor that receives PHI.
4. Safeguards
Business Associate shall implement and maintain the following safeguards in compliance with 45 CFR Part 164, Subpart C (Security Rule):
4.1 Administrative Safeguards (45 CFR §164.308)
| Standard | Implementation |
|---|---|
| Security Management Process | Annual risk assessments, risk mitigation planning, continuous vulnerability management, and periodic security posture reviews |
| Assigned Security Responsibility | Designated Security Officer responsible for development and implementation of security policies and procedures |
| Workforce Security | Background checks, security clearance procedures, role-based access provisioning, and termination procedures including immediate access revocation |
| Information Access Management | Nine-role clinical permission matrix (Physician, NP, PA, RN, Therapist, Biller, Front Desk, Org Admin, Owner) with three-tier PHI access: full clinical access, scoped clinical access, and operational-only access |
| Security Awareness and Training | Mandatory HIPAA security training for all workforce members, periodic security reminders, phishing simulation exercises, and incident response training |
| Security Incident Procedures | Documented Incident Response Plan with defined escalation paths, 24-hour Security Incident reporting, and post-incident analysis |
| Contingency Plan | Data backup plan, disaster recovery plan, emergency mode operation plan, and periodic testing of contingency procedures |
| Evaluation | Periodic technical and non-technical evaluations of security policies and procedures, including penetration testing and third-party audits |
4.2 Physical Safeguards (45 CFR §164.310)
| Standard | Implementation |
|---|---|
| Facility Access Controls | AWS data centers with multi-factor access controls, 24/7 monitoring, biometric authentication, and SOC 2 Type II attestation. Rymeda infrastructure is hosted in the AWS US-East-1 region with physical security managed by Amazon Web Services. |
| Workstation Use | Policies governing workstation access, screen lock requirements, and clean desk procedures for workforce members |
| Workstation Security | Endpoint protection, full-disk encryption requirements, and remote wipe capability for devices accessing ePHI |
| Device and Media Controls | Hardware and electronic media tracking, data disposal procedures ensuring cryptographic erasure, and media re-use controls |
4.3 Technical Safeguards (45 CFR §164.312)
| Standard | Rymeda Implementation |
|---|---|
| Access Control | Unique user identification: UUID-based user IDs with JWT authentication. Emergency access: Documented break-glass procedures. Automatic logoff: Session expiration and token rotation. Encryption/decryption: AES-256 with per-tenant AWS KMS keys. |
| Audit Controls | Immutable, append-only audit trails recording all user actions, data access events, and system operations. Audit logs include entity type, entity ID, user ID, action performed, clinical role, timestamp, and metadata. Logs queryable by entity, user, action type, and date range. Export capability for compliance reviews. Six (6)-year retention. Admin/owner-restricted access. |
| Integrity Controls | Signed clinical notes are immutable (status transitions: draft → ai_draft → reviewed → signed → amended). Voice recordings preserved as original source. Data integrity verification through checksums and hash validation. MongoDB document-level versioning. |
| Person or Entity Authentication | JWT-based authentication with HS256 signing. NPI/NPPES-based provider verification with confidence scoring. Multi-step verification state machine (unverified → pending → npi_validated → verified). Administrative review queue for manual verification. |
| Transmission Security | TLS 1.3 for all data in transit. HTTPS-only API endpoints. Encrypted WebSocket connections for real-time features. VPC isolation with WAF protection and DDoS mitigation for infrastructure-level transmission security. |
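Illustrative example of the integrity controls in the table above and the AI_DRAFT review requirement in Section 3.5. This code is added by the editor for illustration; it is not part of this Agreement and is not Rymeda's implementation. It assumes the status lifecycle named above (draft, ai_draft, reviewed, signed, amended), a SHA-256 digest stored beside each note, and that an amendment is a new note linked to the signed original; the exact set of legal transitions is this example's assumption.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Status set named in Section 4.3 (draft -> ai_draft -> reviewed -> signed -> amended).
# Which transitions are legal is this example's assumption, not Rymeda's implementation.
ALLOWED_TRANSITIONS = {
    "draft": {"reviewed"},
    "ai_draft": {"reviewed"},      # AI output must be reviewed before it can be signed (Section 3.5)
    "reviewed": {"signed", "draft"},
    "signed": {"amended"},         # a signed note is frozen; it can only be superseded
    "amended": set(),              # terminal for this version; the amendment is a new note
}
FROZEN = {"signed", "amended"}


class IntegrityError(Exception):
    """Forbidden transition, edit to a frozen note, or digest mismatch."""


def content_digest(body: str) -> str:
    """SHA-256 of the note body; stored beside the note for tamper detection."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


@dataclass
class ClinicalNote:
    note_id: str
    body: str
    status: str = "draft"
    digest: str = ""
    signed_by: Optional[str] = None
    amends: Optional[str] = None          # note_id of the signed version this note supersedes
    amends_digest: Optional[str] = None   # that version's digest at the moment of amendment

    def __post_init__(self) -> None:
        self.digest = content_digest(self.body)


def verify(note: ClinicalNote) -> bool:
    """True if the stored digest still matches the body."""
    return note.digest == content_digest(note.body)


def transition(note: ClinicalNote, new_status: str, actor: str) -> ClinicalNote:
    if new_status not in ALLOWED_TRANSITIONS.get(note.status, set()):
        raise IntegrityError(f"{note.note_id}: {note.status} -> {new_status} is not allowed")
    if new_status == "signed":
        if not verify(note):
            raise IntegrityError(f"{note.note_id}: body changed since its digest was computed")
        note.signed_by = actor
    note.status = new_status
    return note


def edit_body(note: ClinicalNote, new_body: str) -> ClinicalNote:
    if note.status in FROZEN:
        raise IntegrityError(f"{note.note_id} is {note.status}; amend it instead of editing")
    note.body = new_body
    note.digest = content_digest(new_body)
    return note


def amend(original: ClinicalNote, new_id: str, new_body: str, actor: str) -> ClinicalNote:
    """Supersede a signed note. The original stays intact and becomes 'amended';
    the new draft records the original's id and digest so the chain can be audited."""
    if original.status != "signed":
        raise IntegrityError(f"{original.note_id}: only signed notes can be amended")
    if not verify(original):
        raise IntegrityError(f"{original.note_id}: digest mismatch; refusing to amend")
    transition(original, "amended", actor)
    return ClinicalNote(note_id=new_id, body=new_body, status="draft",
                        amends=original.note_id, amends_digest=original.digest)


def verify_chain(head: ClinicalNote, store: Dict[str, ClinicalNote]) -> bool:
    """Walk from the newest version back to the first, checking that every stored
    version is unaltered and that each link still matches the digest recorded for it."""
    current = head
    while True:
        if not verify(current):
            return False
        if current.amends is None:
            return True
        prior = store.get(current.amends)
        if prior is None or prior.status != "amended" or prior.digest != current.amends_digest:
            return False
        current = prior


def rejected(operation, *args) -> bool:
    """True if the integrity controls refuse the operation."""
    try:
        operation(*args)
    except IntegrityError:
        return True
    return False
```

The digest is recomputed at signing time and again whenever a note is read back, so a change to a signed note's stored body (for example, a direct database edit that bypasses the application) is detected by verify and by verify_chain rather than silently accepted; an amendment never alters the signed original, it supersedes it.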
4.4 PHI Redaction Pipeline
Business Associate operates an automated PHI detection and redaction pipeline that identifies and removes or masks PHI in text before it is passed to Subcontractors whose function does not require it (for example, transactional email content, Section 6.1). The pipeline uses multi-stage ML-powered entity recognition to detect patient identifiers, clinical data, and other PHI elements. Redaction is a minimum necessary control, not a substitute for a Subcontractor agreement: entity recognition is probabilistic and can miss identifiers in free text, and some functions necessarily receive PHI (voice recordings sent for transcription and clinical note content sent for note generation), so every Subcontractor that may receive PHI is bound under Section 2.4 regardless of redaction.
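Illustrative example of the minimization step described above. This code is added by the editor; it is not part of this Agreement and is not Rymeda's pipeline. It substitutes pattern matching for the ML entity recognition the pipeline uses, and the sample message is constructed (fictional patient). The category names, the keep set, and the release gate are this example's assumptions. It also shows the failure mode named above: the patient's name in free text is not caught by any pattern, which is why the Subcontractor agreement remains the governing control.

```python
import re
from typing import Dict, FrozenSet, Set, Tuple

# Pattern-based stand-in for the ML entity recognition described in Section 4.4.
# Patterns are deliberately broad: over-redaction is the safe failure mode here.
# Order matters: the most specific shapes (SSN) run before looser ones (phone).
PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"(?:\+1[ .-]?)?\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")),
    ("date", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
    # ICD-10 shape (letter, two digits, optional decimal part); a diagnosis code tied
    # to an individual is PHI (Section 1.1).
    ("diagnosis", re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b")),
    # Labelled identifiers: MRN, insurance member ID, group number (Section 1.1).
    ("mrn", re.compile(r"\b(?:MRN|Member ID|Group Number)\s*:?\s*#?\s*(?=[A-Z0-9-]*\d)[A-Z0-9-]{5,}\b")),
]


def minimize(text: str, keep: FrozenSet[str] = frozenset()) -> Tuple[str, Dict[str, int]]:
    """Replace every detected PHI element with a category token, except categories in
    `keep`, which the receiving Subcontractor legitimately needs (e.g. the recipient
    address for an email provider). Returns the minimized text and per-category counts."""
    counts: Dict[str, int] = {}
    for name, pattern in PATTERNS:
        if name in keep:
            continue
        text, n = pattern.subn(f"[{name.upper()}]", text)
        if n:
            counts[name] = n
    return text, counts


def residual_categories(text: str) -> Set[str]:
    """Categories still detectable in a text; used as the release gate below."""
    return {name for name, pattern in PATTERNS if pattern.search(text)}


def release_to_subcontractor(text: str, keep: FrozenSet[str] = frozenset()) -> str:
    """Minimize, then refuse release if anything outside `keep` is still detectable.
    Deny-by-default: a refusal is preferable to handing a Subcontractor PHI it does not need."""
    minimized, _ = minimize(text, keep)
    leftover = residual_categories(minimized) - set(keep)
    if leftover:
        raise ValueError(f"refusing release: residual {sorted(leftover)}")
    return minimized


# Constructed sample (fictional patient); the name "Jane Doe" is free text that no
# pattern above will catch, illustrating why pattern matching alone is insufficient.
SAMPLE = ("Reminder for Jane Doe (DOB 01/15/1980, MRN 00483921): appointment 2026-03-02 "
          "re E11.9. Call (555) 010-2345 or jane.doe@example.com. SSN 123-45-6789.")
```

Run against SAMPLE with keep={"email"} (the shape an email provider needs), the output retains the recipient address and "Jane Doe" while the date of birth, MRN, appointment date, diagnosis code, phone number and SSN are replaced by category tokens; residual_categories on the result reports only "email".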
4.5 Tenant Isolation
Business Associate maintains complete data separation between tenants (Covered Entity organizations) with isolated compute, storage, and network boundaries, such that no tenant can read or write another tenant's data through any platform path. Each tenant's ePHI is encrypted with dedicated per-tenant AWS KMS keys, so a key for one tenant cannot decrypt another tenant's data.
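Illustrative example of the access decision described in Sections 2.9 (role tiers), 4.3 (break-glass and audit fields), 4.5 (tenant boundary) and 7.5 (care team relationships). This code is added by the editor; it is not part of this Agreement and is not Rymeda's access control implementation. The role-to-tier mapping follows Section 2.9; which record kinds each tier may touch, the record kind names, the break-glass rule and the audit event shape are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet

# Role -> access tier, as described in Sections 2.9 and 4.1 of the BAA.
ROLE_TIER = {
    "physician": "full_clinical", "nurse_practitioner": "full_clinical",
    "physician_assistant": "full_clinical",
    "registered_nurse": "scoped_clinical", "therapist": "scoped_clinical",
    "biller": "billing", "front_desk": "scheduling",
    "org_admin": "operational", "owner": "operational",
}
CLINICAL_KINDS = frozenset({"chart", "note", "voice_recording"})
# Which record kinds each tier may touch is this example's assumption, not Rymeda's matrix.
TIER_KINDS = {
    "full_clinical": CLINICAL_KINDS | {"appointment", "invoice", "claim"},
    "scoped_clinical": CLINICAL_KINDS | {"appointment"},   # clinical kinds: care-team patients only
    "billing": frozenset({"invoice", "claim"}),
    "scheduling": frozenset({"appointment"}),
    "operational": frozenset(),                            # no direct clinical chart access
}


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    tenant_id: str
    care_team: FrozenSet[str]   # user_ids with a treatment relationship (Section 7.5)


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: Dict[str, object]    # one append-only audit event (fields listed in Section 4.3)


def _audit_event(user, kind, patient, action, allowed, reason, **metadata):
    return {
        "entity_type": kind,
        "entity_id": patient.patient_id,
        "user_id": user.user_id,
        "action": action,
        "clinical_role": user.role,
        "allowed": allowed,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "metadata": {"reason": reason, **metadata},
    }


def authorize(user: User, kind: str, patient: PatientRecord,
              action: str = "read", break_glass: bool = False) -> Decision:
    """Deny-by-default check: tenant boundary, then role tier, then care-team scope.
    Every outcome, allowed or denied, produces an audit event."""
    def decide(allowed, reason, **meta):
        return Decision(allowed, reason,
                        _audit_event(user, kind, patient, action, allowed, reason, **meta))

    # 1. Tenant boundary (Section 4.5). Nothing, including break-glass, crosses it.
    if user.tenant_id != patient.tenant_id:
        return decide(False, "cross_tenant")

    tier = ROLE_TIER.get(user.role)
    if tier is None:
        return decide(False, "unknown_role")

    # 2. Role tier (Section 2.9): is this kind of record within the role's tier at all?
    in_tier = kind in TIER_KINDS[tier]
    # 3. Scope: scoped clinicians reach clinical records only for their own patients.
    needs_care_team = tier == "scoped_clinical" and kind in CLINICAL_KINDS
    on_care_team = user.user_id in patient.care_team
    if in_tier and (not needs_care_team or on_care_team):
        return decide(True, "role_permits", break_glass=False)

    # 4. Break-glass (Section 4.3): a scoped clinician may reach a clinical record
    #    outside their care team, but the event is flagged for review. Non-clinical
    #    tiers get no override, so a biller cannot break-glass into a chart.
    if break_glass and tier == "scoped_clinical" and kind in CLINICAL_KINDS:
        return decide(True, "break_glass", break_glass=True, review_required=True)

    return decide(False, "minimum_necessary", break_glass=break_glass)
```

The order of the checks is the point: the tenant comparison runs before any role logic so that a mis-assigned role or a break-glass request can never widen access across organizations, and denials are audited with the same fields as grants so that anomalous access patterns (Section 1.6) are visible in the same log.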
5. Breach Notification
5.1 Discovery of Breach
A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is a workforce member or agent of Business Associate, as set forth in 45 CFR §164.410(a)(2).
5.2 Notification Timeline
| Event | Timeframe | Responsible Party |
|---|---|---|
| Discovery of potential Breach | Day 0 | Business Associate |
| Four-factor risk assessment initiated | Within 24 hours of discovery | Business Associate |
| Notification to Covered Entity | No later than 30 calendar days after discovery | Business Associate |
| Notification to affected Individuals | Without unreasonable delay and no later than 60 calendar days after discovery by Covered Entity. Where Business Associate acts as Covered Entity's agent, Covered Entity's discovery date is Business Associate's discovery date; otherwise it is the date Covered Entity receives Business Associate's notification (45 CFR §164.404(a)(2)) | Covered Entity (with Business Associate assistance) |
| Notification to HHS Secretary | Contemporaneously with Individual notification (500 or more Individuals), or via the annual log submitted within 60 days after the end of the calendar year of discovery (fewer than 500) | Covered Entity |
| Notification to media (if applicable) | No later than 60 calendar days after discovery by Covered Entity, if more than 500 residents of a State or jurisdiction are affected | Covered Entity |
5.3 Content of Notification
Business Associate's notification to Covered Entity shall include, to the extent available:
- The identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
- A brief description of what happened, including the date of the Breach and the date of discovery;
- A description of the types of Unsecured PHI involved (e.g., patient names, clinical notes, diagnosis codes, insurance information, voice recordings);
- Any steps Individuals should take to protect themselves from potential harm;
- A brief description of what Business Associate is doing to investigate the Breach, mitigate harm, and prevent future Breaches;
- Contact procedures, including a toll-free telephone number, email address, and postal address.
5.4 Four-Factor Risk Assessment
Business Associate shall conduct a risk assessment per 45 CFR §164.402(2) to determine whether an impermissible use or disclosure constitutes a Breach, considering at minimum:
- Nature and extent of PHI involved: Types and amount of identifiers involved, likelihood of re-identification;
- Unauthorized person who used the PHI or to whom the disclosure was made: Whether the recipient is subject to HIPAA or other privacy obligations;
- Whether the PHI was actually acquired or viewed: Forensic evidence of access versus mere exposure;
- Extent to which the risk to the PHI has been mitigated: Assurances obtained from the recipient, data recovery actions taken, encryption status at time of incident.
5.5 Breach Log
Business Associate shall maintain a log of all Breaches and suspected Breaches, including those affecting fewer than 500 Individuals, so that Covered Entity can meet its logging and annual submission obligations under 45 CFR §164.408(c). The Breach log shall be provided to Covered Entity upon request and shall include the four-factor risk assessment, notification actions taken, and remediation steps. Additional detail is available in the Breach Notification Policy.
5.6 California-Specific Breach Requirements
For California residents, Business Associate shall additionally comply with:
- Cal. Civ. Code §1798.82, as amended by SB 446: the business that owns or licenses the data (Covered Entity) must notify affected California residents within thirty (30) calendar days of discovery; a business that maintains data it does not own (Business Associate, with respect to Covered Entity's data) must notify the owner immediately following discovery.
- CMIA (Cal. Civ. Code §56 et seq.): unauthorized disclosure of medical information is independently actionable, with remedies and penalties under Cal. Civ. Code §56.36. CMIA itself sets no separate notification deadline; the timelines in this Section govern.
- Cal. Health & Safety Code §1280.15: where Covered Entity is a licensed clinic, health facility, home health agency, or hospice, Covered Entity must report unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to the California Department of Public Health (CDPH) and to the affected patient within fifteen (15) business days of detection. Business Associate shall provide Covered Entity with the information needed to meet that deadline.
- California Attorney General notification: Required when a breach affects more than 500 California residents.
6. Subcontractors
6.1 Current Subcontractors
The following Subcontractors currently create, receive, maintain, or transmit PHI on behalf of Business Associate in connection with the Services:
| Subcontractor | Function | PHI/ePHI Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage (S3), key management (KMS), networking | All ePHI at rest and in transit; voice audio files; database hosting | US-East-1 |
| MongoDB Atlas | Database-as-a-service for application data | Patient records, clinical charts, clinical notes, staff records, audit logs, all structured ePHI | US (AWS) |
| Stripe, Inc. | Payment processing for subscriptions and marketplace transactions | Billing data associated with patient invoices; payment card information (PCI DSS compliant); no clinical PHI | United States |
| OpenAI | Voice transcription (Whisper API) and AI-assisted clinical note generation | Voice audio recordings (ePHI), clinical note content for AI processing | United States |
| Google (Gemini) | AI-assisted clinical note generation and clinical decision support | Clinical note content for AI processing, de-identified clinical context | United States |
| ORIS AI | Clinical AI assistant, task generation, daily runbooks | Clinical context for decision support (with guardrails: emergency detection, blocked content filtering, rate limiting) | United States |
| SendGrid (Twilio) | Transactional email delivery | Email addresses, notification content (minimized PHI with redaction pipeline) | United States |
| Plausible Analytics | Privacy-focused website analytics | No PHI — cookie-free, no personal data collected | EU (no PHI transfer) |
A complete and current list of subprocessors is maintained at the Subprocessor List page.
6.2 Flow-Down Requirements
Business Associate shall ensure that each Subcontractor listed above (and any future Subcontractor that will create, receive, maintain, or transmit PHI) has entered into a written agreement containing substantially the same restrictions and conditions as this BAA, including the implementation of appropriate safeguards for ePHI, as required by 45 CFR §164.502(e)(1)(ii) and 42 U.S.C. §17934(b). Business Associate shall monitor Subcontractor compliance and conduct periodic assessments of Subcontractor security posture.
6.3 Prior Written Approval
Business Associate shall provide Covered Entity with thirty (30) days' advance written notice before engaging a new Subcontractor that will have access to PHI. The notice shall include: (a) the identity of the Subcontractor; (b) the nature of the services to be provided; (c) the categories of PHI to be processed; and (d) the location(s) where PHI will be processed.
6.4 Objection Rights
Covered Entity may object in writing to the engagement of a new Subcontractor within the thirty (30)-day notice period. If Covered Entity raises a reasonable objection, Business Associate shall: (a) work with Covered Entity in good faith to find a mutually acceptable alternative; or (b) if no alternative is available, permit Covered Entity to terminate this BAA and the underlying Services agreement without penalty, with Business Associate providing a pro-rata refund of any prepaid fees and cooperating in the orderly transition of PHI as set forth in Section 8.4.
7. Obligations of Covered Entity
Covered Entity agrees to the following obligations:
7.1 Notice of Privacy Practices
Covered Entity shall provide Business Associate with its Notice of Privacy Practices produced in accordance with 45 CFR §164.520, as well as any changes to such Notice, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
7.2 Permission Changes and Revocations
Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
7.3 Restrictions on Use or Disclosure
Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
7.4 Permissible Requests
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as specifically permitted under Section 3 of this BAA (management and administration, data aggregation).
7.5 Minimum Necessary Cooperation
Covered Entity shall make reasonable efforts to limit the PHI provided to Business Associate to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR §164.502(b). Covered Entity is responsible for configuring appropriate access controls within the Rymeda platform, including assigning correct clinical roles to staff members and maintaining accurate care team relationships for patient records.
7.6 Authorization for AI Processing
Covered Entity acknowledges that the Services include AI-assisted clinical documentation features (voice transcription, AI-generated SOAP notes, suggested ICD-10 codes) as described in Section 3.5. Covered Entity is responsible for obtaining appropriate patient authorizations for AI processing of PHI and voice recording consent in accordance with the Patient Consent requirements, California Penal Code §632 (all-party consent to record confidential communications), and California AB 3030 (AI disclosure in healthcare).
8. Term and Termination
8.1 Effective Date
This BAA shall be effective as of the date Covered Entity first accepts the Terms of Service or executes a separate subscription agreement with Business Associate (the "Effective Date"), and shall remain in effect for the duration of the underlying Services agreement, unless terminated earlier as provided herein.
8.2 Termination for Material Breach
Either Party may terminate this BAA if the other Party materially breaches any provision of this BAA and the breach remains uncured for thirty (30) calendar days after the non-breaching Party provides written notice specifying the nature of the breach and the actions required to cure it.
If cure is not possible, the non-breaching Party may terminate this BAA immediately upon written notice. If neither termination nor cure is feasible, the non-breaching Party shall report the breach to the Secretary.
8.3 Effect of Termination of Underlying Agreement
Termination of the underlying Services agreement (Terms of Service or subscription agreement) shall automatically terminate this BAA, subject to the PHI return/destruction obligations set forth in Section 8.4.
8.4 Return or Destruction of PHI
Upon termination of this BAA for any reason, Business Associate shall:
- Before any destruction of PHI, provide Covered Entity with a thirty (30)-day data export window during which Covered Entity may export all PHI in machine-readable format through the platform's export functionality.
- At the election of Covered Entity, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate maintains in any form, including copies held by its subcontractors. Except as provided in Section 8.5, Business Associate shall retain no copies of such PHI.
- Provide written certification of the destruction of PHI within thirty (30) days of completing the destruction, specifying the sanitization methods used (for example, cryptographic erasure of encrypted electronic media, or other methods consistent with NIST SP 800-88 for physical media). Cryptographic erasure shall be relied upon only where the PHI was encrypted for the entire time it resided on the media in question and every copy of the associated key material has been destroyed.
8.5 Infeasibility of Return or Destruction
If Business Associate determines that the return or destruction of PHI is not feasible (for example, PHI embedded in immutable audit logs required for regulatory compliance or backup systems with fixed retention periods), Business Associate shall:
- Extend the protections of this BAA to the retained PHI for as long as it is maintained;
- Limit further uses and disclosures of such PHI to the purposes that make return or destruction infeasible;
- Continue to comply with all applicable HIPAA Rules with respect to the retained PHI;
- Provide written notice to Covered Entity identifying the specific PHI retained, the reasons return or destruction is infeasible, and, for backup copies subject to a fixed retention period, the date on which those copies will expire and be destroyed.
8.6 Minimum Retention Period
Notwithstanding the foregoing, Business Associate shall retain the documentation required by the HIPAA Rules (including this BAA, the records supporting the accounting of disclosures under Section 2.7, Security Incident and Breach records, and the policies and procedures applicable to the Services) for a minimum of six (6) years from the date of its creation or the date when it was last in effect, whichever is later, in accordance with 45 CFR §164.530(j) and §164.316(b). This retention obligation applies to such documentation, not to the underlying clinical PHI, which is returned or destroyed under Sections 8.4 and 8.5; where retained documentation itself contains PHI, that PHI is treated as retained PHI under Section 8.5, and all protections of this BAA remain in full force and effect for as long as it is maintained.
9. Miscellaneous
9.1 Regulatory References
Any reference in this BAA to a section of the HIPAA Rules shall mean the section as in effect or as amended from time to time. This BAA shall be interpreted in a manner consistent with the HIPAA Rules, including the HITECH Act (42 U.S.C. §17921 et seq.), the Omnibus Rule (78 Fed. Reg. 5566, Jan. 25, 2013), and any subsequent amendments or successor regulations.
9.2 Amendment
The Parties agree to take such action as is necessary to amend this BAA from time to time for compliance with the requirements of the HIPAA Rules and any other applicable law. No amendment to this BAA shall be effective unless agreed to in writing and signed by both Parties, except that Business Associate may update this BAA to comply with changes to applicable law upon thirty (30) days' written notice to Covered Entity. If Covered Entity does not object within the notice period, the amendment shall be deemed accepted.
9.3 Survival
The respective rights and obligations of Business Associate and Covered Entity under Sections 2.7 (Accounting of Disclosures), 2.8 (Availability to Secretary), 5 (Breach Notification), 8.4 (Return or Destruction of PHI), 8.5 (Infeasibility), 8.6 (Minimum Retention Period), and 9 (Miscellaneous) shall survive the termination or expiration of this BAA.
9.4 No Third-Party Beneficiaries
Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors and permitted assigns, any rights, remedies, obligations, or liabilities whatsoever. Individuals whose PHI is the subject of this BAA are not third-party beneficiaries of this BAA, notwithstanding that certain provisions are intended to protect their interests.
9.5 Governing Law
This BAA shall be governed by and construed in accordance with the HIPAA Rules (federal law). To the extent not preempted by HIPAA, this BAA shall be governed by the laws of the State of Delaware, without regard to conflict of laws principles. California-specific requirements, including the Confidentiality of Medical Information Act (Cal. Civ. Code §56 et seq.), California breach notification laws (Cal. Civ. Code §1798.82, Cal. Health & Safety Code §1280.15), and California recording consent requirements (Cal. Penal Code §632), shall apply to PHI of California residents where they provide protections more stringent than HIPAA, as required by 45 CFR §160.203.
9.6 Entire Agreement
This BAA, together with the Terms of Service, Privacy Policy, and Data Processing Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter.
9.7 Severability
If any provision of this BAA is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the intent of the Parties.
9.8 Waiver
The failure of either Party to enforce any provision of this BAA shall not constitute a waiver of the right to enforce such provision or any other provision in the future.
9.9 Interpretation
Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules. In the event of a conflict between the terms of this BAA and the Terms of Service or any other agreement between the Parties, the terms of this BAA shall control with respect to the protection of PHI.
9.10 Notices
All notices, requests, and other communications under this BAA shall be in writing and shall be deemed to have been duly given when delivered personally, sent by certified mail (return receipt requested), or sent by nationally recognized overnight courier service to the following addresses:
10. Contact Information
For questions regarding this BAA, to report a Security Incident or Breach, or to exercise any rights hereunder:
Security Officer: Security Incident reports, vulnerability disclosures, security reviews
Related Policies
This BAA should be read in conjunction with the following documents, which are incorporated by reference:
- Terms of Service: Underlying Services agreement
- Privacy Policy: Data collection and processing practices
- HIPAA Notice of Privacy Practices: PHI uses and disclosures
- Patient Consent Forms: Telehealth, voice recording, AI processing consent
- Breach Notification Policy: Detailed breach response procedures
- Incident Response Plan: Security incident handling procedures
- Data Processing Agreement: GDPR data processing terms
- Subprocessor List: Current third-party processors
- Security: Platform security architecture
- Service Level Agreement: Uptime and availability commitments