AttorneyAide

BUSINESS ASSOCIATE AGREEMENT

Last Updated: February 4, 2026

This Business Associate Agreement ("BAA") is entered into by and between Veridical Technologies LLC, doing business as AttorneyAide ("Business Associate"), and the customer executing or accepting this Agreement (the "Customer").

Customer represents and warrants that it is either:

  • (i) a Covered Entity, or
  • (ii) a Business Associate acting on behalf of a Covered Entity,

as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA"), and that it is entering into this BAA in connection with its use of the Services involving Protected Health Information ("PHI").

This BAA supplements and is incorporated into the parties' applicable service agreement or Terms of Service (the "Agreement").

This BAA is effective as of the date Customer first accepts it electronically or first uploads PHI to the Services, whichever occurs first (the "Effective Date").

1. Purpose and Scope

This BAA is intended to comply with HIPAA, including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule (collectively, "HIPAA").

Business Associate may receive, create, maintain, or transmit PHI on behalf of Customer solely for the purpose of providing the services described in the Agreement (the "Services").

2. Permitted Uses and Disclosures

Business Associate may use and disclose PHI solely to:

  • Perform and support the Services as authorized by Customer;
  • Maintain, secure, and ensure the reliability and functionality of the Services;
  • Comply with applicable legal obligations; or
  • As otherwise permitted or required by HIPAA.

Business Associate shall not:

  • Use PHI for advertising or marketing purposes;
  • Sell PHI;
  • Use PHI to train, fine-tune, or improve general-purpose artificial intelligence or machine learning models.

3. Safeguards

Business Associate shall implement and maintain appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of PHI, consistent with HIPAA Security Rule requirements.

Such safeguards include, but are not limited to:

  • Encryption of PHI in transit and at rest;
  • Access controls and authentication mechanisms;
  • Audit logging;
  • Policies and procedures designed to prevent unauthorized access, use, or disclosure.

While Business Associate employs reasonable and industry-standard safeguards, no system can be guaranteed to be completely secure.

4. User Access Controls and Customer Responsibilities

Customer is responsible for implementing appropriate administrative safeguards to ensure that access to the Services is limited to authorized workforce members.

Each user account must be assigned to a single authorized individual. Shared credentials are prohibited.

Customer acknowledges that unique user identification is necessary to support audit controls and access tracking under the HIPAA Security Rule (45 C.F.R. § 164.312).

Customer remains solely responsible for:

  • Determining whether its use of the Services complies with HIPAA;
  • Managing workforce access permissions;
  • Ensuring that only authorized individuals access PHI through the Services.

5. Subcontractors

Business Associate may engage subcontractors to assist in providing the Services, provided that any subcontractor that creates, receives, maintains, or transmits PHI agrees in writing to comply with restrictions and safeguards substantially similar to those set forth in this BAA.

Business Associate remains responsible for ensuring that subcontractors appropriately safeguard PHI in accordance with HIPAA.

6. Breach Notification

Business Associate shall notify Customer without unreasonable delay, and in no event later than sixty (60) days after discovery, of a Breach of Unsecured PHI as defined under HIPAA.

Such notification shall include, to the extent known:

  • A description of the breach;
  • The types of PHI involved;
  • Steps taken to mitigate harm; and
  • Information reasonably necessary for Customer to comply with its breach notification obligations.

7. Access, Amendment, and Accounting

To the extent required by HIPAA and applicable to the Services:

  • Business Associate shall make PHI available to Customer for access requests;
  • Business Associate shall incorporate amendments to PHI as directed by Customer;
  • Business Associate shall provide information necessary for Customer to fulfill accounting of disclosure obligations, if applicable.

8. Return or Destruction of PHI

Upon termination of the Agreement, Business Associate shall, at Customer's option and to the extent feasible:

  • Return PHI to Customer; or
  • Delete or destroy PHI.

If return or destruction is not feasible, Business Associate shall continue to protect such PHI in accordance with this BAA and limit further uses and disclosures to those purposes that make return or destruction infeasible.

9. State Health Privacy Laws

(a) Washington My Health My Data Act (MHMDA)

To the extent Consumer Health Data (as defined under Washington law) is processed through the Services:

  • Business Associate acts as a "Processor";
  • Business Associate shall process such data only pursuant to documented instructions from Customer;
  • Business Associate shall not use Consumer Health Data for its own operational or commercial purposes except as strictly necessary to provide and maintain the Services.

(b) California CCPA/CPRA

To the extent applicable:

  • Business Associate acts as a "Service Provider";
  • Business Associate shall not Sell or Share Personal Information as defined under the CCPA/CPRA;
  • Business Associate shall not retain, use, or disclose Personal Information outside the direct business relationship with Customer.

10. Term and Termination

This BAA shall remain in effect for the duration of the Agreement.

Either party may terminate this BAA if the other party materially breaches its obligations and fails to cure such breach within a reasonable period after written notice.

Termination of this BAA shall not relieve either party of obligations that by their nature survive termination, including confidentiality and PHI protection obligations.

11. Limitation of Scope

Nothing in this BAA shall be construed to:

  • Create a partnership, joint venture, or agency relationship;
  • Expand either party's obligations beyond those required by HIPAA;
  • Transfer ownership of PHI.

Customer retains all rights, title, and interest in and to PHI.

12. Governing Law

This BAA shall be governed by and construed in accordance with the laws of the State of Washington, to the extent not preempted by federal law.