Business Associate Agreement

HIPAA-required agreement governing the use, disclosure, and safeguarding of Protected Health Information (PHI) by Transcribe Health as a Business Associate.

Last Updated: June 19, 2026

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("BAA") is entered into by and between the healthcare provider or covered entity ("Covered Entity") that accepts this agreement and Transcribe Health Corporation ("Business Associate"), a corporation incorporated under the federal laws of Canada.

Last Updated: June 19, 2026

1. DEFINITIONS

For purposes of this BAA, the following terms shall have the meanings set forth below:

  • "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended.
  • "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, as amended.
  • "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
  • "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
  • "Breach Notification Rule" means the Breach Notification for Unsecured Protected Health Information at 45 CFR Part 164, Subpart D.
  • "Protected Health Information" or "PHI" means any information, whether oral or recorded in any form or medium, that (i) relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (ii) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes Electronic Protected Health Information ("ePHI").
  • "Services" means the AI-powered clinical documentation and clinical-intelligence platform provided by Business Associate to Covered Entity, including the medical transcription product, the AI-generated clinical-note product, the standalone Assistant chat (a persistent chat surface where Authorized Users of the Covered Entity may submit clinical questions — which may include patient context constituting PHI — and receive AI-generated answers cited to public medical literature), the Transcribe Health Medical Scribe Chrome extension (a browser-side component that captures clinical-encounter audio constituting ePHI, client-side-encrypts that audio prior to transmission, integrates with supported EHR systems, and inserts AI-generated text into clinical-note fields), and all related software, applications, application programming interfaces, updates, and services.
  • "Security Incident" means, consistent with 45 CFR §164.304, the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system, in each case affecting ePHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity. "Security Incident" does not include any Unsuccessful Security Incident.
  • "Unsuccessful Security Incident" means a Security Incident that does not result in unauthorized access to, or the unauthorized use, disclosure, modification, or destruction of, ePHI, or in interference with an information system that maintains ePHI, including without limitation pings and other broadcast attacks on a firewall, port scans, unsuccessful or denied log-on attempts, malformed or malicious packets, and denied or blocked network traffic routinely absorbed by Business Associate's security controls.

1.5. SERVICE CLASSIFICATION

The parties acknowledge and agree that:

  • Business Associate provides a clinical documentation assistant service. Business Associate is not an EMR, EHR, designated record set custodian, or system of record for Covered Entity, and the Services have not been certified under ONC, Santé Québec, OntarioMD, or any other EMR/EHR certification regime.
  • Covered Entity is the custodian of the Designated Record Set. Covered Entity warrants that it maintains a separate medical record system that satisfies all certification, retention, and record-keeping requirements applicable to its practice and jurisdiction.
  • PHI created or processed by the Services is provided to Covered Entity for incorporation into Covered Entity's record system. Covered Entity is responsible for the timely transfer of finalized Service outputs into its certified medical record system.
  • Business Associate's obligations under HIPAA Sections 164.524 (access) and 164.526 (amendment) are limited to PHI then-currently held within the Services and shall be satisfied by making such PHI available to Covered Entity, which remains responsible for satisfying Individual access and amendment rights against the underlying Designated Record Set. Without limiting the foregoing, upon Covered Entity's written request, Business Associate shall provide a copy of the PHI then held within the Services in a commonly used, machine-readable format within fifteen (15) business days, sufficient to enable Covered Entity to meet its thirty (30) day individual-access deadline under 45 CFR 164.524.

2. OBLIGATIONS OF BUSINESS ASSOCIATE

2.1. Permitted Uses and Disclosures:

  • Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the Terms of Service, or as required by law.
  • Business Associate may use or disclose PHI for the proper management and administration of its business, provided that the disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially.
  • Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).
  • Business Associate may de-identify PHI in accordance with 45 CFR 164.514(a)-(c).

2.2. Safeguards:

  • Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
  • Business Associate shall comply with the Security Rule requirements applicable to business associates under HIPAA.
  • Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI agrees to the same restrictions and conditions that apply to Business Associate under this BAA. Business Associate shall remain liable for the acts and omissions of its subcontractors to the same extent as if Business Associate were performing the services directly.
  • Business Associate shall provide at least thirty (30) days' advance notice before engaging any new subcontractor that will have access to PHI, giving Covered Entity the opportunity to object. The current subcontractor list is in the Data Processing Agreement at transcribe.health/legal/dpa.
  • If Covered Entity objects in writing within fifteen (15) days of Business Associate's notice, the parties shall confer in good faith for thirty (30) days to resolve the objection, which may include an alternative subcontractor or additional safeguards. If unresolved, Covered Entity's sole and exclusive remedy is to terminate this BAA and the corresponding Services, without penalty and without early-termination liability, on written notice.

2.3. Reporting:

  • Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410.
  • Business Associate shall report to Covered Entity any Successful Security Incident of which it becomes aware in accordance with the timing in this Section 2.3. The parties acknowledge that Unsuccessful Security Incidents occur frequently and carry no material risk to ePHI; this paragraph constitutes Covered Entity's notice of, and the parties' agreed reporting mechanism for, all Unsuccessful Security Incidents, which Business Associate need not report individually. On Covered Entity's reasonable written request, no more than once per calendar quarter, Business Associate shall provide an aggregate summary of the categories of Unsuccessful Security Incidents observed.
  • For purposes of this BAA, "Discovery" of a Breach means the first day on which the Breach is known to Business Associate, or by exercising reasonable diligence would have been known, treating Business Associate as having knowledge if the Breach is known, or would have been known by reasonable diligence, to any workforce member or agent of Business Associate other than the person committing the Breach, consistent with 45 CFR 164.410(a)(2).
  • Reports of Breaches of Unsecured PHI shall be made without unreasonable delay and in no case later than five (5) business days after Discovery of the Breach, with supplemental information provided as it becomes available. Business Associate shall provide regular status updates to Covered Entity at mutually agreed intervals until the incident is resolved. This internal reporting window is intended to allow Covered Entity to satisfy its own notification obligations, including the outer limit of without unreasonable delay and no later than sixty (60) days under 45 CFR 164.404–164.410.
  • Business Associate shall cooperate with Covered Entity in the investigation of any Breach and shall preserve and make available forensic evidence and audit logs relevant to the incident.

2.4. Access to PHI:

  • Business Associate shall make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524.
  • Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity, as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526.
  • Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.

2.5. Accounting of Disclosures:

  • Business Associate shall maintain and make available information required to provide an accounting of disclosures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528.

3. OBLIGATIONS OF COVERED ENTITY

3.1. Covered Entity shall:

  • Notify Business Associate of any limitations in the Notice of Privacy Practices of Covered Entity that may affect Business Associate's use or disclosure of PHI.
  • Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
  • Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
  • Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

4. SECURITY MEASURES

Business Associate implements the following security measures to protect ePHI:

4.1. Technical Safeguards:

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • Client-side encryption of audio captured by the Transcribe Health Medical Scribe Chrome extension, with per-session keys scoped to the user's active browser session — so that ciphertext rather than plaintext ePHI audio leaves the user's device
  • Role-based access controls (RBAC)
  • Multi-factor authentication (MFA)
  • Automated session timeout, including an inactivity timeout in the Chrome extension
  • Comprehensive audit logging, including a tamper-evident audit log generated by the Chrome extension and mirrored to Business Associate's server-side audit log

4.2. Physical Safeguards:

  • Data centers with SOC 2 Type II compliance
  • Physical access controls and monitoring
  • Environmental controls (fire suppression, climate control)

4.3. Administrative Safeguards:

  • Security awareness and HIPAA training scheduled in the compliance calendar
  • Documented security policies and procedures
  • Regular risk assessments
  • Incident response procedures
  • Business continuity and disaster recovery plans

4.4. Data Handling:

  • The platform enforces a mandatory default retention schedule for every organization: audio recordings are automatically deleted 90 days after transcription, and transcript and session records are retained for 7 years (a six-year HIPAA minimum) and then automatically deleted. Covered Entity may additionally enable an optional automatic retention policy, configurable in 1-day to 30-day windows and disabled by default, to purge sessions, audio recordings, transcriptions, and generated documents earlier than the mandatory default. PHI is also deleted on Covered Entity request or account closure, subject to the termination provisions of Section 5.3.
  • PHI is stored in encrypted databases with organization-level isolation
  • Multi-tenant architecture with strict data segregation
  • Access to PHI is logged and auditable; audit logs are retained for at least six (6) years to satisfy HIPAA Security Rule documentation requirements (45 CFR 164.312(b) and 164.530(j))
  • AI processing does not retain PHI beyond the immediate transcription request; AI providers are contractually bound by zero-retention agreements
  • Browser-extension audio handling is within the scope of Business Associate's permitted uses and safeguards under this BAA. Where Covered Entity's Authorized Users install the Transcribe Health Medical Scribe Chrome extension, ePHI audio is captured in the browser, encrypted client-side before leaving the user's device, transmitted as ciphertext to Business Associate's Canadian backend, and decrypted only inside Business Associate's processing environment. Locally buffered audio on the user's device is purged once upload is confirmed. The Extension introduces no new subcontractor and routes only to Business Associate's existing backend and previously disclosed Sub-processors.

4.5. Audit Rights and Assurance:

  • Upon Covered Entity's reasonable written request, no more than once per twelve (12) month period, Business Associate shall make available, under a mutual non-disclosure agreement, its then-current SOC 2 Type II report once such report has been issued, together with a summary of any remediation of exceptions noted therein.
  • The SOC 2 Type II report (once available) shall be deemed to satisfy Covered Entity's audit and assessment rights under this BAA with respect to the controls within its scope.
  • Covered Entity may conduct an on-site or remote audit of Business Associate's PHI-relevant controls in lieu of, or in addition to, the report only (i) following a Breach affecting Covered Entity's PHI, or (ii) following identification of a material control deficiency, on at least thirty (30) days' prior written notice, during normal business hours, no more than once per calendar year absent a subsequent Breach, in a manner that does not unreasonably disrupt operations or compromise other customers' data, subject to the confidentiality obligations of this BAA and the Terms of Service.

5. TERM AND TERMINATION

5.1.

  • This BAA shall be effective upon acceptance by Covered Entity and shall remain in effect until the earlier of: termination of the underlying Terms of Service, or termination of this BAA by either party.

5.2.

  • Either party may terminate this BAA if the other party materially breaches this BAA and fails to cure the breach within 30 days of receiving written notice of the breach.

5.3. Upon termination:

  • Business Associate shall, at Covered Entity's election, return (machine-readable) or destroy all PHI to the extent feasible. Destruction from active systems within thirty (30) days, from backup systems within ninety (90) days, consistent with Business Associate's Data Retention and Disposal Policy.
  • On completion, Business Associate shall provide written certification, including confirmation that subcontractors completed their destruction obligations.
  • Return or destruction is "not feasible" only where, and for so long as, PHI resides in immutable, encrypted backup media subject to a bounded, automatically expiring retention cycle from which selective deletion is not technically practicable, or where PHI is subject to a legal hold or record-retention obligation imposed by law (including the mandatory transcript-retention period in Section 4.4 and the Data Retention and Disposal Policy v4.0). Where not feasible, Business Associate shall extend the protections of this BAA to such PHI, limit further uses/disclosures to the purposes that make destruction infeasible, and destroy the residual PHI upon expiry of the applicable backup-retention cycle or legal hold.

6. CANADIAN HEALTH PRIVACY COMPLIANCE

6.1. In addition to HIPAA requirements, Business Associate acknowledges and complies with:

  • The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Applicable provincial privacy and health-privacy legislation, including PHIPA (Ontario), the Health Information Act (HIA, Alberta), the Personal Information Protection Act (PIPA, Alberta), the Act respecting the protection of personal information in the private sector as amended by Law 25 (Quebec), the Personal Information Protection Act (PIPA, British Columbia), and other provincial privacy legislation as applicable.
  • Cross-border data transfer requirements under Canadian federal and provincial law

7. MISCELLANEOUS

7.1. Regulatory References:

  • Any reference in this BAA to a section in HIPAA means the section as in effect or as amended.

7.2. Amendment:

  • The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with HIPAA and the HITECH Act.

7.3. Survival:

  • The respective rights and obligations of Business Associate under Sections 5.3, 7.6, and 7.7 of this BAA shall survive the termination of this BAA.

7.4. Interpretation:

  • Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA.

7.5. Governing Law:

  • This BAA shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein.

7.6. Limitation of Liability:

  • The Limitation of Liability set forth in the Terms of Service applies to this BAA and to all claims arising out of or relating to the use, disclosure, or safeguarding of PHI. The parties do not establish any supercap or enhanced liability for PHI or Security-Rule claims; such claims are subject to the same Limitation of Liability as all other claims under the Terms of Service, except for any liability that cannot be limited under applicable law.

7.7. Insurance:

  • Business Associate is in the process of procuring cyber-liability and technology errors-and-omissions insurance appropriate to the nature and scale of its Services and intends to maintain such coverage. Once such coverage is in force, Business Associate shall, upon Covered Entity's reasonable written request, provide a certificate of insurance evidencing it.

8. DATA PROCESSING AGREEMENT

This BAA operates in conjunction with the Data Processing Agreement (available at transcribe.health/legal/dpa), which sets out additional terms governing the processing of Personal Information under PIPEDA and applicable provincial privacy legislation. The DPA includes detailed Schedules covering processing activities, technical and organizational security measures, and the current list of sub-processors. In the event of a conflict between this BAA and the DPA with respect to the handling of Protected Health Information, this BAA shall prevail.

9. CONTACT INFORMATION

Transcribe Health Corporation Security Officer (security and incident matters): security@transcribe.health Privacy matters and PHI requests: privacy@transcribe.health By accepting this BAA, Covered Entity acknowledges that it has read, understood, and agrees to be bound by the terms of this Business Associate Agreement.