This Business Associate Agreement (“Agreement”) is effective upon the date of the last signature below and is entered into by and between Spoken Notes, (“Spokennotesai.com” herein) the entity identified and registered in Spoken Notes’ systems by its authorized representative as set forth at the end of this document (“Client” herein).
WHEREAS, Client operates as a HIPAA Covered Entity or Business Associate and engages in a professional relationship with Spoken Notes, wherein Spoken Notes will provide specific Services to Client. In the course of providing these Services, Spoken Notes may receive, handle, store, disclose, or otherwise process Protected Health Information (“PHI”) on behalf of Client.
THEREFORE, in consideration of the mutual covenants, terms, and conditions set forth below, the parties agree as follows:
1. Definitions
Unless otherwise defined in this Agreement, all capitalized terms shall have the meanings assigned to them by HIPAA Regulations.
“Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
“Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
“De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
“HIPAA Regulations” collectively refer to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and their implementing regulations, including, without limitation, the Privacy Rule (45 C.F.R. Parts 160 and 164), and the Security Rule (45 C.F.R. Parts 160 and 164), as they may be amended from time to time.
“PHI” shall have the meaning ascribed to it in 45 C.F.R. § 160.103, limited to the information received from, or created or received on behalf of, the Client by Spoken Notes pursuant to the Services under this Agreement. References to PHI include Electronic PHI where applicable under HIPAA Regulations.
“Services” refers to the therapy note management and related services provided by Spoken Notes to Client under the contractual arrangement through which Spoken Notes will be creating, receiving, maintaining, or transmitting PHI.
“Unsecured Protected Health Information” or “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary.
2. Use and Disclosure of PHI
2.1. Performance of Services
Spoken Notes is authorized to use or disclose PHI solely as required to perform Services for the Client, consistent with the terms of this Agreement and as permitted under HIPAA Regulations, or as required by law.
2.2. Administrative and Legal Activities
Spoken Notes may use or disclose PHI for its proper management and administrative operations or to fulfill its legal responsibilities, provided that disclosures are required by law, or Spoken Notes obtains reasonable assurances from the recipient that the information will remain confidential and be used or further disclosed only as required by law or for the purpose it was disclosed to the recipient. In such cases, the recipient must notify Spoken Notes of any breaches in confidentiality.
2.3. Research and Development
Spoken Notes is authorized to use PHI for research and development of its solution and for improving performance, models, and algorithms. This use shall be subject to appropriate safeguards and limited to the minimum necessary PHI required for these purposes. The Covered Entity acknowledges and agrees that it shall not be able to claim any intellectual property rights relating to the elements developed, improved, or derived from this authorized use of PHI by Spokennotes.ai.
2.4. Data Aggregation and De-Identification
Spoken Notes may use PHI to provide Data Aggregation services relating to the health care operations of the Client. Spoken Notes may also De-Identify PHI in accordance with 45 CFR §164.514(a)-(c).
3. Obligations Regarding PHI
3.1. Spoken Notes’ Obligations
Spoken Notes commits to: a) Use or disclose PHI only as necessary to perform the Services or as required by law, ensuring the minimum necessary PHI is used for any purpose beyond the Services. b) Implement appropriate safeguards to best of their ability to prevent unauthorized use or disclosure of PHI, adhering to the Security Rule with respect to electronic PHI. c) Ensure any subcontractors that create, receive, maintain, or transmit PHI on behalf of Spoken Notes agree to similar restrictions and conditions as Spoken Notes with regard to such information. d) Report to Client any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI and security incidents, within thirty (30) calendar days of discovery. e) Allow for the amendment of PHI and make available PHI as necessary for the Client to fulfill its obligations under the Privacy Rule. f) Upon request, provide information to the Client to help it comply with its disclosure accounting obligations under HIPAA. g) Make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA Regulations.
3.2.1 Client’s Obligations
The Client agrees not to request Spoken Notes to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if conducted by the Client directly, unless allowed for a Business Associate.
3.2.2. Notification Procedures
Spoken Notes acknowledges that all formal notifications, reports, or any other notices required under this agreement may be transmitted electronically to the designated contact within Spoken Notes’ account information. It is the responsibility of Spoken Notes to keep its contact details current throughout the duration of this agreement. Failure to update contact information promptly may result in delayed notifications of breaches as outlined in this agreement.
3.2.3. PHI Use and Security
Spoken Notes commits to restricting access to Protected Health Information (PHI) to the minimum possible and necessary for the provision of its services. It is incumbent upon Spoken Notes to implement suitable privacy and security measures to safeguard PHI in accordance with HIPAA regulations. It is the sole responsibility of Spoken Notes to ensure the lawful sharing of PHI through its services.
3.2.4. Reporting Changes to Spoken Notes
Spoken Notes must be promptly informed of any changes or withdrawal of permissions by an individual regarding the use or disclosure of their PHI, in as much as these changes impact Spoken Notes’ handling of PHI.
3.2.5. Reporting Agreed Restrictions
Spoken Notes must be informed of any restrictions to the use or disclosure of PHI that Spoken Notes has consented to be in compliance with 45 C.F.R. § 164.522, to the extent such restrictions affect its operations.
3.2.6. Notification of Privacy Practice Limitations
Any limitations within a notice of privacy practices in accordance with 45 C.F.R. § 164.520 must be communicated to Spoken Notes, as they may influence its use or disclosure of PHI.
4. Term and Termination
4.1. Effective Duration
This agreement takes effect from the acceptance date below and will automatically conclude upon the cessation of all services requiring a business associate agreement under HIPAA, unless otherwise terminated by either Spoken Notes or the Client as per Section 4.2.
4.2. Termination for Breach
4.2.1. Spoken Notes Breach
Upon discovering a material breach by Spoken Notes, the Client may: (a) Allow Spoken Notes a reasonable timeframe to remedy the breach or end the violation, failing which the Client may terminate this agreement and associated services; (b) Terminate immediately if the breach is irreparable; or (c) Report the violation to the Secretary if neither remedy nor termination is feasible.
4.2.2. Client’s Breach
Should Spoken Notes identify a material breach by the Client, it must first attempt to rectify the breach. If unsuccessful, Spoken Notes may: (a) Terminate this agreement; or (b) Report the issue to the Secretary if termination is impractical.
5. Post-Termination
5.1. Termination Protocol for PHI
Upon the conclusion of their service, Spoken Notes is tasked with either the return or destruction of all Protected Health Information (PHI), adhering strictly to the conditions set forth in this agreement. This provision will apply to PHI in the possession of Spoken Notes’ agents and subcontractors but will not include the PHI used by Spoken Notes within the framework of Section 2.3 (Research and Development).
5.2. Handling Infeasible PHI Return or Destruction
In the event that the return or destruction of PHI is not possible, Spoken Notes will promptly notify the Client of such a scenario. Following this notification, Spoken Notes will implement all necessary measures to ensure the continued safeguarding of the PHI, thus fulfilling its ongoing commitment to the protection of sensitive information.
6. Notification Process
Effective legal notices, including breach notifications, require written delivery via email to Spoken Notes at sales@spokennotesai.com; Attention: Chief Executive Officer.
7. General Provisions
7.1. Independent Contractual Relationship
Both parties acknowledge and agree that the relationship established by this Agreement is solely that of independent contractors. This Agreement is not intended to, and does not, create any partnership, agency, joint venture, or employment relationship between Spoken Notes and the Covered Entity. Neither party, nor their respective agents or employees, shall be considered the agent of the other party for any purpose whatsoever, nor does either party have the authority to enter into contracts, assume obligations, or make warranties or representations on behalf of the other party.
7.2. Exclusive Rights and Remedies
This Agreement is crafted to benefit solely Spoken Notes and the Covered Entity and, except as explicitly stated herein, does not grant any rights, benefits, or claims upon any third parties. The provisions outlined herein are designed to delineate the responsibilities and expectations of Spokennotes.ai and the Covered Entity concerning the handling and protection of PHI, under the scope of HIPAA compliance. No other entity or individual is entitled to rely upon or enforce any provision of this Agreement.
7.3. Compliance with Laws; Reference Adaptability
In the execution of their duties under this Agreement, both parties commit to adherence to all applicable laws and regulations, including but not limited to HIPAA and HITECH statutes. References within this Agreement to specific sections of the Privacy Rule, Security Rule, or any other regulatory framework, are to be interpreted as referring to the current version of such sections, including any amendments or reinterpretations that may occur over the term of this Agreement.
7.4. Assignment and Delegation
This Agreement, and any rights or obligations herein, may not be assigned or delegated by either party without the express written consent of the other, except that such consent shall not be unreasonably withheld or delayed. Assignment or delegation is permissible to a successor through merger, or an acquirer of substantially all of one party’s assets. Any attempt to assign or delegate in violation of this section shall be null and void. This Agreement shall bind and inure to the benefit of the parties hereto and their respective successors and permitted assigns.
7.5. Modifications and Amendments; Waivers
This Agreement may be modified or amended only by a written agreement duly signed by authorized representatives of both parties. The parties are committed to promptly amending this Agreement as necessary to comply with the evolving requirements of HIPAA, HITECH, and any other applicable laws. A waiver of any provision of this Agreement shall only be effective if provided in writing and signed by the waiving party. Such waiver shall not be construed as a waiver of any subsequent breach or default of the same or similar nature.
7.6. Interpretation and Ambiguity
The parties agree that any ambiguity found within this Agreement shall be interpreted in a manner that most closely aligns with the mutual intentions of the parties at the time of the Agreement’s inception, primarily to facilitate compliance with HIPAA and HITECH regulations. The language used in this Agreement shall be deemed to be the language chosen by both parties to express their mutual intent and, as such, shall not be construed for or against either party.
7.7. Entire Agreement; Precedence
This Agreement constitutes the entire understanding and agreement between the parties regarding its subject matter and supersedes all prior or contemporaneous agreements, representations, or understandings, whether written or oral. In the event of any inconsistency between this Agreement and any other agreement (except where explicitly stated otherwise), the terms of this Agreement shall prevail.
7.8. Severability
If any term or provision of this Agreement is found to be illegal, unenforceable, or invalid under any applicable law or court decision, such term or provision shall be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law, and the remaining provisions will continue in full force and effect.
7.9. Governing Law and Jurisdiction
This Agreement and any disputes arising out of it shall be governed by and construed in accordance with the laws of the State of Ohio, excluding its conflict of law principles. Exclusive jurisdiction and venue for any legal proceedings related to this Agreement shall be in the state and federal courts located in Cuyahoga County, Ohio. Both parties consent to the jurisdiction of such courts and agree that the process may be served in the manner allowed by Ohio law.
7.10. Acknowledgment of Electronic and Digital Signatures
This Agreement and any amendments hereto may be executed using electronic or digital signatures, including typed name or click acceptance of the agreement, which shall have the same force and effect as manual signatures. Electronic signatures shall be considered as valid and binding as if they were on a printed document, thereby facilitating efficiency and expediency in the agreement process.
8. Data Ownership
Spoken Notes acknowledges that its data stewardship does not confer data ownership rights with respect to any PHI shared with it under this Agreement. The Client retains all ownership rights to the PHI provided to Spoken Notes.