BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA") is entered into by and between the healthcare provider or covered entity ("Covered Entity") that accepts this agreement and Transcribe Health Corporation ("Business Associate"), a corporation incorporated under the federal laws of Canada.
Last Updated: May 19, 2026
1. DEFINITIONS
For purposes of this BAA, the following terms shall have the meanings set forth below:
- "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended.
- "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, as amended.
- "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
- "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
- "Breach Notification Rule" means the Breach Notification for Unsecured Protected Health Information at 45 CFR Part 164, Subpart D.
- "Protected Health Information" or "PHI" means any information, whether oral or recorded in any form or medium, that (i) relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (ii) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes Electronic Protected Health Information ("ePHI").
- "Services" means the AI-powered clinical documentation and clinical-intelligence platform provided by Business Associate to Covered Entity, including the medical transcription product, the AI-generated clinical-note product, the standalone Assistant chat (a persistent chat surface where Authorized Users of the Covered Entity may submit clinical questions — which may include patient context constituting PHI — and receive AI-generated answers cited to public medical literature), the Transcribe Health Medical Scribe Chrome extension (a browser-side component that captures clinical-encounter audio constituting ePHI, client-side-encrypts that audio prior to transmission, integrates with supported EHR systems, and inserts AI-generated text into clinical-note fields), and all related software, applications, application programming interfaces, updates, and services.
1.5. SERVICE CLASSIFICATION
The parties acknowledge and agree that:
- Business Associate provides a clinical documentation assistant service. Business Associate is not an EMR, EHR, designated record set custodian, or system of record for Covered Entity, and the Services have not been certified under ONC, Santé Québec, OntarioMD, or any other EMR/EHR certification regime.
- Covered Entity is the custodian of the Designated Record Set. Covered Entity warrants that it maintains a separate medical record system that satisfies all certification, retention, and record-keeping requirements applicable to its practice and jurisdiction.
- PHI created or processed by the Services is provided to Covered Entity for incorporation into Covered Entity's record system. Covered Entity is responsible for the timely transfer of finalized Service outputs into its certified medical record system.
- Business Associate's obligations under HIPAA Section 164.524 (access) and 164.526 (amendment) are limited to PHI then-currently held within the Services and shall be satisfied by making such PHI available to Covered Entity; Covered Entity shall remain the responsible party for satisfying Individual access and amendment rights against the underlying Designated Record Set.
2. OBLIGATIONS OF BUSINESS ASSOCIATE
2.1. Permitted Uses and Disclosures:
- Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the Terms of Service, or as required by law.
- Business Associate may use or disclose PHI for the proper management and administration of its business, provided that the disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially.
- Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).
- Business Associate may de-identify PHI in accordance with 45 CFR 164.514(a)-(c).
2.2. Safeguards:
- Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
- Business Associate shall comply with the Security Rule requirements applicable to business associates under HIPAA.
- Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI agrees to the same restrictions and conditions that apply to Business Associate under this BAA. Business Associate shall remain liable for the acts and omissions of its subcontractors to the same extent as if Business Associate were performing the services directly.
- Business Associate shall provide at least thirty (30) days' advance notice before engaging any new subcontractor that will have access to PHI, giving Covered Entity the opportunity to object. The current list of subcontractors processing PHI is available in the Data Processing Agreement at transcribe.health/legal/dpa.
2.3. Reporting:
- Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410.
- Business Associate shall report any Security Incident of which it becomes aware.
- Reports of Breaches shall be made without unreasonable delay and in no case later than forty-eight (48) hours after discovery of the Breach, with supplemental information provided as it becomes available. Business Associate shall provide regular status updates at intervals of no less than every twenty-four (24) hours until the incident is resolved.
- Business Associate shall cooperate with Covered Entity in the investigation of any Breach and shall preserve and make available forensic evidence and audit logs relevant to the incident.
2.4. Access to PHI:
- Business Associate shall make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524.
- Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity, as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526.
- Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.
2.5. Accounting of Disclosures:
- Business Associate shall maintain and make available information required to provide an accounting of disclosures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528.
3. OBLIGATIONS OF COVERED ENTITY
3.1. Covered Entity shall:
- Notify Business Associate of any limitations in the Notice of Privacy Practices of Covered Entity that may affect Business Associate's use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
4. SECURITY MEASURES
Business Associate implements the following security measures to protect ePHI:
4.1. Technical Safeguards:
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for data in transit
- Client-side encryption of audio captured by the Transcribe Health Medical Scribe Chrome extension, with per-session keys scoped to the user's active browser session — so that ciphertext rather than plaintext ePHI audio leaves the user's device
- Role-based access controls (RBAC)
- Multi-factor authentication (MFA)
- Automated session timeout, including an inactivity timeout in the Chrome extension
- Comprehensive audit logging, including a tamper-evident audit log generated by the Chrome extension and mirrored to Business Associate's server-side audit log
4.2. Physical Safeguards:
- Data centers with SOC 2 Type II compliance
- Physical access controls and monitoring
- Environmental controls (fire suppression, climate control)
4.3. Administrative Safeguards:
- Workforce training on HIPAA requirements
- Documented security policies and procedures
- Regular risk assessments
- Incident response procedures
- Business continuity and disaster recovery plans
4.4. Data Handling:
- Sessions, audio recordings, transcriptions, and generated documents are retained until deleted by Covered Entity, the account is closed, or — where Covered Entity has enabled the optional automatic retention policy — that policy triggers deletion. The automatic retention policy is configurable in 1-day to 30-day windows and is disabled by default.
- PHI is stored in encrypted databases with organization-level isolation
- Multi-tenant architecture with strict data segregation
- Access to PHI is logged and auditable; audit logs are retained for at least six (6) years to satisfy HIPAA Security Rule documentation requirements (45 CFR 164.312(b) and 164.530(j))
- AI processing does not retain PHI beyond the immediate transcription request; AI providers are contractually bound by zero-retention agreements
- Browser-extension audio handling is within the scope of Business Associate's permitted uses and safeguards under this BAA. Where Covered Entity's Authorized Users install the Transcribe Health Medical Scribe Chrome extension, ePHI audio is captured in the browser, encrypted client-side before leaving the user's device, transmitted as ciphertext to Business Associate's Canadian backend, and decrypted only inside Business Associate's processing environment. Locally buffered audio on the user's device is purged once upload is confirmed. The Extension introduces no new subcontractor and routes only to Business Associate's existing backend and previously disclosed Sub-processors.
5. TERM AND TERMINATION
5.1.
- This BAA shall be effective upon acceptance by Covered Entity and shall remain in effect until the earlier of: termination of the underlying Terms of Service, or termination of this BAA by either party.
5.2.
- Either party may terminate this BAA if the other party materially breaches this BAA and fails to cure the breach within 30 days of receiving written notice of the breach.
5.3. Upon termination:
- Business Associate shall, at Covered Entity's election, return in a commonly used, machine-readable format or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, if feasible. Destruction of PHI from active systems shall be completed within thirty (30) days and from backup systems within ninety (90) days.
- Upon completion of destruction, Business Associate shall provide Covered Entity with written certification confirming that all PHI has been destroyed, including confirmation that subcontractors have completed their destruction obligations.
- If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
6. CANADIAN HEALTH PRIVACY COMPLIANCE
6.1. In addition to HIPAA requirements, Business Associate acknowledges and complies with:
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- Applicable provincial health privacy legislation, including PHIPA (Ontario), HIA (Alberta), Law 25 (Quebec), PIPA (British Columbia), and others as applicable
- Cross-border data transfer requirements under Canadian federal and provincial law
7. MISCELLANEOUS
7.1. Regulatory References:
- Any reference in this BAA to a section in HIPAA means the section as in effect or as amended.
7.2. Amendment:
- The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with HIPAA and the HITECH Act.
7.3. Survival:
- The respective rights and obligations of Business Associate under Section 5.3 of this BAA shall survive the termination of this BAA.
7.4. Interpretation:
- Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA.
7.5. Governing Law:
- This BAA shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein.
8. DATA PROCESSING AGREEMENT
This BAA operates in conjunction with the Data Processing Agreement (available at transcribe.health/legal/dpa), which sets out additional terms governing the processing of Personal Information under PIPEDA and applicable provincial privacy legislation. The DPA includes detailed Schedules covering processing activities, technical and organizational security measures, and the current list of sub-processors. In the event of a conflict between this BAA and the DPA with respect to the handling of Protected Health Information, this BAA shall prevail.
9. CONTACT INFORMATION
Transcribe Health Corporation Privacy Officer: hello@transcribe.health
By accepting this BAA, Covered Entity acknowledges that it has read, understood, and agrees to be bound by the terms of this Business Associate Agreement.