BUSINESS ASSOCIATE AGREEMENT ADDENDUM
WHEREAS, Covered Entity and Business Associate have entered into a Subscription Agreement (the “Subscription Agreement” or “Agreement”); and
WHEREAS, Covered Entity and Business Associate desire to comply with the Administrative Simplification subtitle of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and subtitle D of the American Recovery and Reinvestment Act of 2009, entitled the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 (“HITECH”) with respect to the services that each party provides that are subject to these laws; and
WHEREAS, the Parties desire to enter into this Agreement to protect PHI, and to amend any agreements between them, whether oral or written, with the execution of this Agreement;
NOW THEREFORE, in consideration of the mutual promises and other valuable consideration herein, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
I. Applicability
The terms of this Agreement apply to services that qualify Business Associate as a “Business Associate” of Covered Entity within the meaning of the HIPAA Rules.
II. Definitions
Capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule, Security Rule and the HITECH Act.
“Breach” means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information (as defined in 45 CFR Parts 160 and 164).
“Business Associate” means the party identified above as Business Associate.
“Covered Entity” means the party identified above as Covered Entity.
“Designated Record Set” means a group of records maintained by or for Covered Entity that is (i) the medical records and billing records about individuals maintained by or for a covered health care provider (as defined in 45 CFR §160.103); (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan (as defined in 45 CFR §160.103); or (iii) used, in whole or in part, by or for Covered Entity to make decisions about individuals, wherein “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Covered Entity.
“Electronic Health Record” means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. (HITECH § 13400)
“Electronic PHI” (EPHI) shall have the same meaning as the term “electronic protected health information” in 45 CFR §160.103, limited however to the information created or received by Business Associate from or on behalf of Covered Entity.
“Individual” means the person who is the subject of PHI and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
“Minimum Necessary” shall have the same meaning given to this term under the Privacy Rule, including but not limited to 45 C.F.R. §164.501 and 160.103.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, subparts A and E.
“PHI” or “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR §160.103, limited however to the information created or received by Business Associate from or on behalf of Covered Entity.
“Required By Law” shall mean a mandate contained in law that compels Covered Entity or Business Associate to make a use or disclosure of PHI and that is enforceable in a court of law, including court orders and court-ordered warrants, subpoenas, or summonses issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information, a civil or an authorized investigative demand, Medicare conditions of participation with respect to health care providers (as defined in 45 CFR §160.103) participating in the program, and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
“Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
“Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (45 CFR §164.304)
“Security Rule” means the Security Standards in 45 CFR Part 160 and Part 164, subparts A and C, as set forth from and after the date on which compliance by Covered Entity with the Security Rule is required. References in this Agreement to implementation of or compliance with any requirements of the Security Rule by Covered Entity or Business Associate shall be construed as referring to such implementation and compliance from and after the compliance date for Covered Entity under the Security Rule, and not before such date.
“Unsecured PHI” means protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance (as defined in 45 CFR Parts 160 and 164). In the case that the Secretary does not issue timely guidance, “Unsecured PHI” shall mean protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals.
“De-Identified Data” means information that has been de-identified in accordance with 45 C.F.R. § 164.514(a)-(c), including removal of all identifiers listed under 45 C.F.R. § 164.514(b)(2) (the “Safe Harbor” method), or pursuant to the “Expert Determination” method under applicable HIPAA regulations, such that the information is not individually identifiable and does not constitute Protected Health Information.
III. Permitted Uses and Disclosures by Business Associate
Business Associate may use or disclose PHI on behalf of, or to provide services to, Covered Entity for the limited purposes stated below, but only to the extent such use or disclosure of PHI would not violate: (1) the Privacy Rule or the Security Rule, (2) the HITECH Act, or (3) the minimum necessary policies and procedures of Covered Entity.
A. Business Associate provides an AI-powered medical record transcription service that translates audio recordings of examination/treatment sessions into medical record documentation that the provider can then enter into the patient’s/client’s official medical record. Business Associate’s service requires disclosure of PHI to technology vendors to perform the services anticipated in the Service Agreement.
B. Disclosure of PHI for Management and Administration. Except as otherwise limited in this Agreement and subject to the Business Associate’s Obligations in Section IV, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom such information is disclosed that such information will remain confidential and used or further disclosed only as Required By Law or for the purpose for which such information was disclosed to such person, and such person notifies Business Associate of any instances of which such person is aware in which the confidentiality of such information has been breached.
C. Data Aggregation. Business Associate may provide data aggregation services to Covered Entity relating to the health care operations of the Covered Entity upon request by Covered Entity.
D. Use and Disclosure of De-identified Data. Business Associate may use or disclose de-identified PHI.
E. Compliance with Notice of Privacy Practices. Business Associate’s use or disclosure of PHI shall also be in accordance with the limitations and restrictions set forth in Covered Entity’s Notice of Privacy Practices, as they may be amended from time to time.
IV. Obligations of Business Associate
A. Privacy and Security Safeguards. Business Associate shall use appropriate, industry-standard safeguards to prevent access, use or disclosure of the PHI other than as provided for by or permitted under this Agreement, and shall comply with all state and federal laws governing the protection of the confidentiality of PHI, including without limitation the sections of the HIPAA Privacy and Security Rules and the HITECH Act that apply directly to Business Associates. Specifically, Business Associate shall implement administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that Business Associate uses, creates, receives, maintains, or transmits on behalf of Covered Entity.
1. Business Associate shall comply with HHS guidance addressing methods for rendering PHI, whether in paper or electronic form, unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption or destruction, and shall evaluate and update such encryption and destruction methods annually to ensure they remain consistent with current HHS guidance.
B. Non-disclosure. Except as otherwise permitted by this Agreement and required for Business Associate to perform its contracted Services, Business Associate may not further disclose PHI to any other individual or third party except as Required by Law or to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
1. In the event that Business Associate receives a subpoena for Covered Entity’s PHI, Business Associate agrees to notify Covered Entity within five (5) business days to provide Covered Entity an opportunity to challenge the validity of any such request.
C. Business Associate agrees to ensure that any technology vendor or agent, including a subcontractor, to whom Business Associate provides or from whom Business Associate receives PHI on behalf of Covered Entity agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
D. Security Incidents. Business Associate shall notify Covered Entity in writing within ten (10) business days after discovery of any and all attempted or successful Security Incidents, whether such incidents involve secured or unsecured PHI, including any Security Incident that results in the modification, compromise of integrity or destruction of PHI. A Security Incident will be treated as “discovered” by Business Associate as of the first day on which such Security Incident or Breach is known to Business Associate, or, by exercising reasonable diligence, would have been known to Business Associate or any of its employees, subcontractors, officers or agents. For purposes of this provision, a Security Incident shall not include inconsequential incidents that occur on a frequent basis, such as port scans or “pings,” unsuccessful log-on attempts, broadcast attacks on Business Associate’s (or its technology vendors’) platform(s), firewall, malware, denials of service or any combination thereof that are detected and neutralized by Business Associate’s (or its technology vendors’) anti-virus and other defensive software and not allowed past Business Associate’s (or its technology vendors’) firewall, unless such incident results in unauthorized access, use, destruction, modification or disclosure of PHI. The Parties acknowledge that this provision constitutes sufficient notice of such inconsequential incidents.
1. In the event that an attempted or successful Security Incident is a Breach that involves unauthorized access, use or disclosure of Unsecured PHI, Business Associate shall provide written notification to the Covered Entity of: (1) the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been accessed, acquired or disclosed during such breach, (2) a brief description of what happened, including the date of the Breach, (3) the date of discovery of the Breach, (4) the steps the individual should take to protect themselves from potential harm resulting from the breach, and (5) a brief description of what Business Associate is doing to investigate the breach, mitigate losses, and protect against further breaches. Such notification shall be provided as soon as reasonably possible after Business Associate performs its investigation into the Security Incident, but in no case later than fifteen (15) days after the discovery of the Security Incident.
E. Breach Mitigation. Business Associate agrees to mitigate, to the extent practicable and at its own expense, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or its agents, subcontractors and assigns in violation of the requirements of this Agreement.
F. Hold Harmless and Indemnification. Covered Entity shall defend, indemnify, and hold harmless Business Associate and its directors, officers, employees, contractors, and agents from and against any and all claims, causes of action, damages, losses, liabilities, costs, fines, penalties, and expenses (including reasonable attorneys’ fees) arising out of or related to any Security Incident or Breach involving PHI, unless such Security Incident or Breach is caused by the negligence, gross negligence, willful misconduct, or breach of the Service Agreement or this Business Associate Agreement by Business Associate.
For purposes of this section, a Security Incident or Breach shall be deemed not to result from the actions of Business Associate where Business Associate has complied with (a) all applicable obligations under HIPAA and this Agreement, and (b) industry standard administrative, physical, and technical safeguards. Nothing in this section shall require Business Associate to indemnify Covered Entity for events beyond Business Associate’s reasonable control.
G. Maintenance of and Access to PHI.
1. If Business Associate has PHI in a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity, to PHI in any such Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524.
2. If Business Associate has PHI in a Designated Record Set, Business Associate agrees to make any amendments to PHI in any such Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual.
3. Obligation to Maintain an Audit Trail of PHI Disclosures. If Business Associate makes any disclosures to any individual or entity other than the Covered Entity, Business Associate shall provide upon Covered Entity’s request and at no charge, an accounting of all such disclosures, including sufficient information to permit Covered Entity to meet its obligations under 45 C.F.R. §164.528.
At a minimum, this audit trail shall include the date of all disclosures, the name(s) of the recipient (and address where possible), a brief description of the PHI disclosed, and the purpose of the disclosure. Accounting of such disclosures shall be available to Covered Entity within ten (10) days of a request. If an Individual requests an accounting directly from Business Associate, Business Associate shall forward a copy of the request within ten (10) days of its receipt.
4. Withdrawal of Consent or Authorization. If the use or disclosure of PHI in this Agreement is based upon an Individual’s specific consent or authorization for the use of his or her PHI, and (i) the Individual revokes such consent or authorization in writing, (ii) the effective date of such authorization has expired, or (iii) the consent or authorization is found to be defective in any manner that renders it invalid, Business Associate agrees, if it has notice of such revocation or invalidity, to cease the Use and Disclosure of any such Individual’s PHI except to the extent it has already relied on such Use or Disclosure, or where an exception under the Privacy Rule expressly applies.
H. Access to Business Associate’s Books and Records. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI available at the request of Covered Entity or the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule. Business Associate agrees to notify Covered Entity promptly of: (1) any request by the Secretary to examine such internal practices, books, records, policies, procedures, and PHI, and (2) the results and disposition of any such request.
V. Obligations of Covered Entity
A. Covered Entity shall notify Business Associate of any limitations in Covered Entity’s Notice of Privacy Practices in accordance with 45 CFR §164.520, to the extent that any such limitation may affect Business Associate’s use or disclosure of PHI.
B. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by any applicable Individual to use or disclose PHI, to the extent that any such change may affect Business Associate’s use or disclosure of PHI.
C. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, or otherwise, to the extent that any such restriction may affect Business Associate’s use or disclosure of PHI.
D. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the Privacy Rule or the Security Rule if done by Covered Entity.
VI. Term and Termination
A. Term. This Agreement shall be effective and enforceable by the parties to this Agreement as of the Effective Date first set forth on the signature page of the Subscription Agreement and the term shall run concurrently with that of the Subscription Agreement. Unless terminated as provided in this Section below, this Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Subscription Agreement; provided, however, certain provisions and requirements of this Agreement shall survive such expiration or termination of this Agreement.
B. Termination for Cause.
1. By Covered Entity. As provided for under 45 C.F.R. § 164.504(e)(2)(iii), Covered Entity may terminate this Agreement, the Subscription Agreement and any related agreements if Covered Entity determines that Business Associate has breached a material term of this Agreement, after Covered Entity has given Business Associate written notice of the alleged breach and thirty (30) days to cure it. Failure by Business Associate to cure said breach or violation within thirty (30) days in a manner that complies with the terms of this Agreement shall be grounds for immediate termination of this Agreement and the Subscription Agreement by Covered Entity.
2. By Business Associate. If Business Associate determines that Covered Entity has breached a material term of this Agreement, Business Associate shall provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with thirty (30) calendar days to cure said breach upon mutually agreeable terms. Failure by Covered Entity to cure said breach or violation within thirty (30) days in the manner set forth above shall be grounds for immediate termination of the Subscription Agreement by the Business Associate.
C. Effect of Termination.
1. Except as provided in paragraph 2 of this Section, upon termination of this Agreement, for any reason or for no reason, Business Associate shall return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors, subprocessors, vendors or agents of Business Associate. Business Associate shall not retain any copies of such PHI.
2. If Business Associate determines that returning or destroying the PHI is infeasible or in violation of law, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties to this Agreement that return or destruction of PHI is infeasible or in violation of law, Business Associate and its subcontractors and agents shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible or in violation of law, for so long as Business Associate, including its subcontractors, subprocessors, vendors and agents maintain such PHI.
VII. Miscellaneous
A. Ownership of PHI. Covered Entity retains all right, title, and interest in and to Protected Health Information provided to or created by Business Associate on behalf of Covered Entity. Nothing in this Agreement transfers ownership of PHI to Business Associate.
Notwithstanding the foregoing, Business Associate may create, use, and disclose De-Identified Data derived from PHI in compliance with 45 C.F.R. § 164.514. De-Identified Data shall not be considered PHI and may be used by Business Associate for product development, analytics, service improvement, security monitoring, research, benchmarking, and other lawful business purposes, provided that Business Associate does not attempt to re-identify the information.
B. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or the Security Rule means the section as enforceable at the applicable time.
C. Amendment. The parties to this Agreement agree to take such action as is reasonably necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule, the Security Rule, the HITECH Act and HIPAA by providing written notice to the other party with sufficient time for the other party to object to the amendment. If the other party does not object within the time frame indicated, the Amendment will go into effect as of the date provided in the amendment.
D. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HIPAA Rules and HITECH. If there are any inconsistent provisions between this Agreement and the Service Agreement, the provisions of this Agreement shall prevail with respect to PHI and to the extent required for HIPAA compliance. All other terms of such Service Agreement shall remain in force and effect. The word “including” as used in this Agreement shall be construed to mean “including but not limited to.”
E. Compliance with State Law. Notwithstanding anything to the contrary in this Agreement, if any provision of the laws of Florida applicable to Business Associate, because of Business Associate’s relationship with Covered Entity, is contrary to and more stringent than an applicable requirement of the Privacy Rule, this Agreement shall be construed to permit Business Associate to comply with such provision of State law to the extent that Business Associate is required to comply with such provision and to the extent that such provision is not preempted by the Privacy Rule or other applicable preemptive federal law or regulation.
IN WITNESS WHEREOF, Customer/User/Covered Entity and Company/Business Associate have executed this Agreement as of the date this Agreement is electronically executed.
Copyright © 2026 CLAIRE HEALTH LLC. All rights reserved.