Effective Date: This Agreement becomes effective as of the date the Covered Entity commences its use of the Service (the "Effective Date").
This Business Associate Agreement (this "Agreement") is entered into by and between Pazific Technologies LLC, d/b/a BellaVita AI ("Business Associate") and the individual or entity accepting this Agreement and utilizing the Service ("Covered Entity").
BACKGROUND
A. Covered Entity is a "covered entity" or a "business associate" of a covered entity, as defined by the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and its implementing regulations, including the Privacy Rule, the Security Rule, and the Breach Notification Rule (collectively, "HIPAA Regulations"). As such, Covered Entity is obligated to comply with the HIPAA Regulations concerning the privacy and security of Protected Health Information.
B. Business Associate provides a proprietary software-as-a-service offering (the "Service") to Covered Entity, as further described in the separate Terms of Service Agreement between the Parties (the "Terms of Service").
C. In the course of delivering the Service, Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") for or on behalf of Covered Entity.
D. By virtue of its activities involving PHI in connection with the Service, Business Associate qualifies as a "business associate" of Covered Entity under HIPAA Regulations.
E. Both Parties are committed to upholding the confidentiality, integrity, and availability of PHI and intend for this Agreement to delineate the terms and conditions governing Business Associate's handling of PHI, in full compliance with HIPAA Regulations and other applicable federal and state laws pertaining to health information privacy and security.
NOW, THEREFORE, in consideration of the foregoing recitals, the mutual promises contained herein, and other valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
Unless otherwise specified herein, capitalized terms used in this Agreement shall carry the meanings assigned to them in the HIPAA Regulations, including 45 C.F.R. Parts 160, 162, and 164, and the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act").
For clarity within this Agreement:
PHI (Protected Health Information): Refers to Protected Health Information as defined in 45 C.F.R. § 160.103, specifically limited to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity through Covered Entity’s utilization of the Service.
Security Incident: Denotes any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with the operation of an information system.
Service: Means the proprietary software-as-a-service platform, including all associated web applications and functionalities, provided by Business Associate to Covered Entity under the Terms of Service, through which Business Associate may process PHI for Covered Entity.
Unsecured PHI: Signifies Protected Health Information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services (e.g., encryption). This definition encompasses both physical and electronic PHI.
Unsuccessful Security Incidents: Includes, but is not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denial of service attacks, provided that such incidents do not result in unauthorized access, use, disclosure, modification, or destruction of PHI.
Business Associate agrees to manage and safeguard PHI in accordance with the terms of this Agreement and HIPAA Regulations.
2.1 Permissible Uses and Disclosures
Business Associate shall use or disclose PHI exclusively to perform the Service for or on behalf of Covered Entity as outlined in the Terms of Service, as explicitly permitted or required by this Agreement, or as Mandated by Law.
a. Service Delivery: Business Associate may use and disclose PHI to provide the core functionalities of the Service to Covered Entity, which includes, without limitation, processing audio recordings to generate transcriptions, and creating AI-powered notes and reports, consistent with the descriptions in the Terms of Service and Privacy Policy.
b. Internal Operations and Legal Compliance: Business Associate may use PHI for its proper internal management and administration or to fulfill its legal responsibilities. Disclosures for such purposes are permitted only if: (i) the disclosures are Mandated by Law; or (ii) Business Associate obtains satisfactory assurances from the recipient that the information will remain confidential, will be used or further disclosed only as Mandated by Law or for the specific purpose of the disclosure, and the recipient will notify Business Associate of any known breaches of confidentiality.
c. Data Aggregation Services: Business Associate is permitted to use PHI to provide data aggregation services related to the healthcare operations of Covered Entity, as allowed by 45 C.F.R. § 164.504(e)(2)(i)(B).
d. De-identification of Data: Business Associate may de-identify any PHI that it creates or receives under this Agreement, provided such de-identification strictly adheres to the standards and methods set forth in 45 C.F.R. § 164.514(b). Upon proper de-identification, such information ceases to be PHI under HIPAA Regulations and is no longer subject to the terms of this Agreement. Business Associate shall retain all rights, title, and interest in and to such de-identified data.
e. Sub-processors: Business Associate shall ensure that any sub-processors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree in writing to the same restrictions and conditions that apply to the Business Associate with respect to such PHI by entering into a downstream Business Associate Agreement.
2.2 Restrictions on PHI Use and Disclosure
a. Prohibition on PHI Sale: Business Associate shall not sell PHI, as defined by HIPAA Regulations, without the express written authorization of Covered Entity, unless an exception under 45 C.F.R. § 164.508 applies. This restriction does not apply to payments made by Covered Entity to Business Associate for services rendered under the Terms of Service.
b. Compliance with Covered Entity's Permissible Uses: Business Associate shall not use or further disclose PHI in any manner that would constitute a violation of HIPAA Regulations if such use or disclosure were performed by Covered Entity.
c. No AI Model Training: Business Associate explicitly agrees not to use PHI for the purpose of training artificial intelligence models.
2.3 Security and Privacy Protections
Business Associate shall implement and maintain robust administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. These safeguards are designed to prevent the unauthorized use or disclosure of PHI beyond the scope permitted by this Agreement. Business Associate commits to complying with Subpart C of 45 C.F.R. Part 164 concerning electronic PHI.
2.4 Incident Reporting
a. Breach Notification: Business Associate shall notify Covered Entity of any Breach of Unsecured PHI discovered by Business Associate without unreasonable delay, and in no event later than ten (10) business days following discovery. The notification shall, to the extent information is available, include: (i) the identity of each individual whose PHI is known or reasonably believed to have been affected; (ii) the date of the Breach (if known) and the date of its discovery; (iii) the nature and scope of the Breach; and (iv) Business Associate’s actions taken in response to the Breach. Business Associate shall collaborate with Covered Entity to facilitate Covered Entity’s obligations to notify affected individuals and the Secretary, as required by HIPAA Regulations.
b. Security Incidents: Business Associate shall inform Covered Entity of any Security Incident of which Business Associate becomes aware. The Parties stipulate that this Section 2.4(b) serves as ongoing notification by Business Associate to Covered Entity regarding the occurrence of Unsuccessful Security Incidents, for which no additional specific notice is required.
c. Access to PHI: The Parties acknowledge that the Service is intended for the generation of documentation and is not an Electronic Health Record (EHR). Business Associate shall not be responsible for responding to individual requests for access to PHI. Any such requests received by Business Associate shall be forwarded to Covered Entity within five (5) business days.
2.5 Engagement of Subcontractors
Business Associate shall ensure that any of its subcontractors or agents who create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to abide by the same restrictions, conditions, and requirements that apply to Business Associate concerning such PHI under this Agreement.
2.6 Assistance with Individual Rights
a. Access to PHI: Should Business Associate maintain PHI within a Designated Record Set, Business Associate shall make such PHI available to Covered Entity (or, as directed by Covered Entity, to an Individual) within fifteen (15) business days of Covered Entity's written request, thereby enabling Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524. If an Individual directly requests access to PHI from Business Associate, Business Associate shall promptly forward the request to Covered Entity. Covered Entity retains sole responsibility for all determinations regarding the granting or denial of an Individual’s access request.
b. Amendment of PHI: If Business Associate maintains PHI in a Designated Record Set, Business Associate shall facilitate amendments to PHI as directed or agreed upon by Covered Entity at the request of Covered Entity or an Individual, within thirty (30) business days of Covered Entity's written request, to enable Covered Entity to meet its obligations under 45 C.F.R. § 164.526. If an Individual directly requests an amendment to PHI from Business Associate, Business Associate shall promptly forward the request to Covered Entity. Covered Entity retains sole responsibility for all determinations regarding the granting or denial of an Individual’s amendment request.
c. Accounting of Disclosures: Business Associate shall maintain documentation of disclosures of PHI and related information as required for Covered Entity to respond to an Individual's request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528. Business Associate shall provide such information to Covered Entity within thirty (30) days of Covered Entity’s written request, to enable Covered Entity to satisfy its obligations under 45 C.F.R. § 164.528.
2.7 Regulatory Access to Records
Business Associate shall make its internal practices, books, and records pertaining to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary upon written request, for the purpose of enabling the Secretary to determine Covered Entity’s compliance with HIPAA Regulations.
2.8 Adherence to Minimum Necessary Principle
When using, disclosing, or requesting PHI from Covered Entity, Business Associate shall limit the PHI to the minimum amount necessary to achieve the intended purpose of the use, disclosure, or request.
2.9 Exclusion of Substance Use Disorder Records
Covered Entity acknowledges and agrees that the Service is not designed for, and Business Associate does not intend to receive, process, or store, any records concerning the identity, diagnosis, prognosis, or treatment of any patient maintained in connection with any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States pursuant to 42 C.F.R. Part 2 ("Part 2 Data"). Covered Entity shall not provide or transmit any Part 2 Data to Business Associate through the Service. Business Associate disclaims any and all liability arising from Covered Entity’s transmission or processing of Part 2 Data through the Service.
3.1 Permissible Data Directives
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA Regulations if such use or disclosure were performed by Covered Entity.
3.2 Notifications to Business Associate
a. Covered Entity shall provide Business Associate with a current copy of its Notice of Privacy Practices, and any subsequent amendments, to the extent such information impacts Business Associate’s permitted uses or disclosures of PHI.
b. Covered Entity shall promptly notify Business Associate of any changes in, or revocation of, an Individual's permission to use or disclose PHI, if such changes affect Business Associate’s permitted uses or disclosures.
c. Covered Entity shall promptly notify Business Associate of any agreed-upon or required restrictions to the use or disclosure of PHI, to the extent such restrictions affect Business Associate’s permitted uses or disclosures.
3.3 Covered Entity's Data Management Accountability
a. Covered Entity bears sole responsibility for implementing and maintaining appropriate safeguards to ensure the confidentiality, privacy, and security of PHI transmitted to Business Associate, in accordance with HIPAA Regulations, until such PHI is received by Business Associate.
b. Covered Entity represents and warrants that it has obtained all necessary consents, authorizations, and permissions from patients and/or their legal guardians, as required by all applicable laws and ethical guidelines, including HIPAA, for the collection, recording (e.g., audio recordings of sessions), use, exchange, and disclosure of PHI to Business Associate through the Service. Covered Entity shall maintain records of such consents and provide copies to Business Associate upon reasonable request.
4.1 Term of Agreement
This Agreement shall commence on the Effective Date and shall remain in effect until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is either destroyed or returned to Covered Entity, or, if return or destruction is deemed infeasible, protections are extended to such information in accordance with Section 4.3. The provisions of this Agreement necessary for compliance with HIPAA Regulations shall survive the termination of this Agreement.
4.2 Termination for Non-Compliance
Should either Party become aware of a material breach of any provision of this Agreement by the other Party, the non-breaching Party shall provide written notice detailing the material breach to the breaching Party. The breaching Party shall have thirty (30) calendar days from receipt of such notice to remedy the breach or cease the violation. If the breach is not cured within the specified timeframe, or if a cure is not reasonably possible, the non-breaching Party may, if feasible, terminate this Agreement and any related portion(s) of the Terms of Service upon written notice to the breaching Party. If termination of this Agreement is not feasible and the breaching Party has violated HIPAA Regulations, the non-breaching Party may report the breaching Party’s breach or violation to the Secretary.
4.3 Post-Termination Data Handling
a. Upon the termination of this Agreement for any reason, Business Associate shall, to the extent feasible and as directed by Covered Entity, return or destroy all PHI received from Covered Entity (or created or received by Business Associate on behalf of Covered Entity) that Business Associate or any of its subcontractors or agents still retain in any form. Business Associate shall not retain any copies of such PHI. Consistent with the Service's automated data handling practices, audio recordings used for transcription are destroyed immediately upon successful processing as a standard security measure.
b. In the event Business Associate determines that the return or destruction of PHI is infeasible, Business Associate shall provide written notification to Covered Entity outlining the conditions that render such return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and restrict further uses and disclosures of such PHI solely to those purposes that make its return or destruction infeasible, for as long as Business Associate maintains such PHI. The obligations of Business Associate under this Section 4.3(b) shall survive the termination of this Agreement.
c. Notwithstanding the foregoing, audio recordings of patient/client visits or sessions uploaded to the Service are automatically and permanently deleted from Business Associate’s systems once the transcription process is successfully completed, as detailed in the Privacy Policy. Covered Entity maintains sole responsibility for managing the retention of notes, transcripts, and reports data within the Service according to its configured settings, and for transferring any necessary PHI to appropriate, long-term record-keeping systems.
5.1 Nature of Relationship
The Parties operate as independent contractors. Nothing in this Agreement shall be construed to establish an agency, partnership, joint venture, or employment relationship between them.
5.2 Absence of Third-Party Rights
Except where expressly stipulated herein, this Agreement is not intended to, nor shall anything herein, confer upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever. No other person or entity shall be considered a third-party beneficiary of this Agreement.
5.3 Governing Law
This Agreement shall be governed by and interpreted in accordance with the laws of the State of Florida, without giving effect to its conflict of laws principles. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in Pinellas County, Florida.
5.4 Interpretation
Any ambiguity found within this Agreement shall be resolved in a manner that facilitates the Parties' compliance with HIPAA Regulations.
5.5 Amendment
The Parties acknowledge that federal and state laws pertaining to electronic data security and privacy are subject to rapid evolution. The Parties agree to undertake necessary actions to amend this Agreement periodically as required for compliance with HIPAA Regulations and any other applicable law concerning the security or confidentiality of PHI. Any amendment or modification to this Agreement must be in writing and duly executed by authorized representatives of both Parties.
5.6 Relationship to Primary Service Agreement
This Agreement constitutes an integral component of the Terms of Service between the Parties. In the event of any discrepancy or conflict between the terms of this Agreement and the Terms of Service, the provisions of this Agreement shall prevail and control exclusively with respect to the subject matter of PHI. All other non-conflicting terms of the Terms of Service shall remain in full force and effect. The indemnification obligations and limitation of liability provisions stipulated within the Terms of Service, including any specific provisions regarding data breach liability caps, shall apply to and govern each Party's performance under this Agreement.
5.7 Notices
All formal notices to the Company must be sent to the email address listed in the "Contact Information" section. To be effective, any notice sent via physical mail must also be sent via email on the same day. Notices shall be deemed received: (i) one (1) business day after email transmission; or (ii) five (5) business days after being deposited in the U.S. Mail (Certified, Return Receipt Requested), provided that the sender can produce a corresponding email delivery receipt.
If you have any questions or concerns regarding the Service or these legal documents (including the Website Terms of Use, Terms of Service, Privacy Policy, or Business Associate Agreement), please contact the Company. For the fastest response, please contact us via email. All formal notices or inquiries should be directed to:
Email: legal@bellavitaai.com
Attn: Privacy & Compliance Officer
Entity: Pazific Technologies LLC d/b/a BellaVita AI
Mailing Address: 7901 4th St N STE 300, St. Petersburg, FL 33702