Business Associate Agreement
HIPAA-compliant agreement governing SigXA's handling of protected health information as your trusted Business Associate.
Agreement Overview
This Business Associate Agreement ("BAA") is entered into between SigXA, Inc. ("Business Associate" or "SigXA") and the healthcare provider or covered entity ("Covered Entity" or "Customer") using SigXA's AI medical scribe platform and services ("Services").
This BAA governs the use and disclosure of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations.
Definitions
The following terms used in this Agreement shall have the meanings assigned to them under HIPAA and the HITECH Act:
- Breach - As defined in 45 CFR § 164.402
- Covered Entity - As defined in 45 CFR § 160.103
- Designated Record Set - As defined in 45 CFR § 164.501
- Individual - As defined in 45 CFR § 160.103
- Protected Health Information (PHI) - As defined in 45 CFR § 160.103
- Required by Law - As defined in 45 CFR § 164.103
- Secretary - Secretary of the Department of Health and Human Services
Permitted Uses and Disclosures
General Use and Disclosure Provisions
Business Associate may only use and disclose PHI as specified in this BAA, as required by law, or as otherwise authorized by Covered Entity in writing.
Specific Permitted Uses
Business Associate may use and disclose PHI to:
- Provide AI-powered medical transcription and clinical documentation services
- Generate structured clinical notes and medical records
- Support real-time documentation during patient encounters
- Integrate with Covered Entity's Electronic Health Record (EHR) systems
- Provide technical support and troubleshooting for the Services
- Ensure platform security and prevent unauthorized access
Business Associate's Own Management and Administration
Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided:
- The use is required for such purposes; and
- Business Associate obtains reasonable assurances from any person to whom PHI is disclosed that the PHI will be held confidentially, used only as required for the purpose for which it was disclosed, and that the person will notify Business Associate of any breaches of confidentiality.
Prohibited Uses and Disclosures
Business Associate shall not use or disclose PHI:
- For marketing purposes without written authorization
- To train AI models or improve algorithms (SigXA uses only de-identified, synthetic, or publicly available data for AI training)
- For any purpose other than those specified in this BAA
- In a manner that would constitute a sale of PHI under HIPAA
- To create a limited data set without proper authorization
Safeguards and Security Requirements
Administrative Safeguards
Business Associate shall:
- Implement administrative safeguards to prevent unauthorized access to PHI
- Designate a security officer responsible for developing and implementing security policies
- Conduct regular security awareness training for all workforce members
- Implement access controls ensuring only authorized personnel access PHI
- Maintain audit logs of all PHI access and system activities
Physical Safeguards
Business Associate shall:
- Implement physical access controls to secure facilities and workstations
- Restrict physical access to systems containing PHI
- Implement workstation security controls
- Secure media containing PHI and control media reuse
Technical Safeguards
Business Associate shall:
- Implement access controls to limit PHI access to authorized users
- Maintain audit logs and conduct regular security monitoring
- Ensure data integrity and prevent improper alteration or destruction of PHI
- Encrypt PHI in transit using TLS 1.3 or equivalent security standards
- Encrypt PHI at rest using AES-256 encryption or equivalent
- Implement automatic session timeouts and user authentication controls
Zero Audio Retention Policy
Special Provision for Audio Processing: Business Associate maintains a strict zero audio retention policy. Audio recordings containing PHI are:
- Processed in real-time for transcription and clinical documentation
- Immediately and permanently deleted upon completion of processing
- Never stored on Business Associate's servers or systems
- Not retained in any temporary files, cache, or backup systems
- Subject to immediate purging from system memory after processing
Subcontractors and Agents
Business Associate shall ensure that any subcontractors or agents that receive PHI on behalf of Business Associate:
- Agree to the same restrictions and conditions that apply to Business Associate
- Enter into a written agreement containing terms substantially similar to this BAA
- Implement appropriate safeguards to protect PHI
- Report any security incidents or breaches to Business Associate immediately
Data Breach Notification
Discovery and Notification Requirements
Business Associate shall notify Covered Entity without unreasonable delay, but no later than 24 hours after discovery of any breach of unsecured PHI or any security incident involving PHI.
Breach Notification Content
The notification shall include, to the extent possible:
- Description of the breach and PHI involved
- Date of the breach and date of discovery
- Steps taken to investigate and mitigate the breach
- Assessment of risk of harm to individuals
- Contact information for further details
Breach Response Cooperation
Business Associate shall:
- Cooperate with Covered Entity's breach response efforts
- Provide any additional information requested by Covered Entity
- Assist in any required notifications to regulatory authorities
- Take appropriate corrective actions to prevent future breaches
Individual Rights
Access Rights
Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or Individual upon request, within 30 days of such request, to the extent such PHI is maintained by Business Associate.
Amendment Rights
Business Associate shall make amendments to PHI in a Designated Record Set as directed by Covered Entity within 60 days of such request.
Accounting of Disclosures
Business Associate shall maintain records of disclosures and provide an accounting of such disclosures to Covered Entity or Individual as required by HIPAA.
Minimum Necessary Standard
Business Associate shall make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
Books and Records
Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with HIPAA.
Termination
Term of Agreement
This BAA shall remain in effect until terminated by either party or until all PHI is destroyed or returned to Covered Entity.
Termination for Cause
Covered Entity may immediately terminate this BAA and the underlying Services Agreement if Business Associate:
- Breaches a material term of this BAA
- Fails to cure such breach within 30 days of written notice
- Repeatedly violates the terms of this BAA
Effect of Termination
Upon termination of this BAA, Business Associate shall:
- Return or destroy all PHI received from or created on behalf of Covered Entity
- Retain no copies of PHI except as required by law
- Extend the protections of this BAA to any retained PHI
- Limit further uses and disclosures to those purposes that make retention necessary
Compliance Monitoring
Covered Entity has the right to:
- Monitor Business Associate's compliance with this BAA
- Request documentation of security measures and safeguards
- Receive reports on security incidents and breach prevention measures
- Audit Business Associate's practices related to PHI protection (with reasonable notice)
Regulatory Updates
Business Associate agrees to modify this BAA as necessary to comply with changes to HIPAA, HITECH, or other applicable regulations. Such modifications shall be communicated to Covered Entity with at least 30 days' advance notice.
Limitation of Liability
Notwithstanding any other provision of this BAA or the underlying Services Agreement, Business Associate's liability for any breach of this BAA shall be subject to the limitation of liability provisions contained in the Services Agreement.
Governing Law
This BAA shall be governed by the laws of the United States and the state where Business Associate's principal place of business is located, without regard to conflict of law principles.
Contact Information
For questions regarding this Business Associate Agreement, please contact:
Implementation Notice
This Business Associate Agreement is automatically incorporated into your SigXA Services Agreement upon execution. For questions about HIPAA compliance or to request a signed copy of this BAA, please contact our compliance team.
HIPAA Compliance Certification
SigXA maintains SOC 2 Type II compliance and undergoes regular HIPAA audits. Our platform is designed from the ground up to meet the highest standards of healthcare data protection.