Business Associate Agreement
This Business Associate Agreement ("BAA" or "Agreement") is entered into by and between the healthcare provider or entity subscribing to AfiaSync services ("Covered Entity") and AfiaSync LLC ("Business Associate"), collectively referred to as the "Parties."
This BAA supplements and is incorporated into the AfiaSync Terms of Service and is required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 CFR Parts 160 and 164.
1. Definitions
Capitalized terms not otherwise defined in this Agreement shall have the meanings assigned to them under HIPAA and the HITECH Act. The following definitions apply:
- "Business Associate" means AfiaSync LLC, which creates, receives, maintains, or transmits Protected Health Information on behalf of the Covered Entity in connection with the AfiaSync platform.
- "Covered Entity" means the healthcare provider, health plan, or healthcare clearinghouse that has entered into a subscription agreement with AfiaSync and is subject to HIPAA.
- "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.
- "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR § 160.103.
- "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.
- "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.
- "Subcontractor" means a person or entity to whom Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.
- "Services" means the clinical documentation platform and related services provided by AfiaSync under the Terms of Service.
2. Obligations of Business Associate
Business Associate agrees to the following obligations:
2.1 Permitted Uses and Disclosures
Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the Terms of Service, or as required by law. Specifically, Business Associate may use and disclose PHI:
- To perform functions, activities, or services for or on behalf of the Covered Entity as specified in the Terms of Service, provided that such use or disclosure would not violate the HIPAA Privacy Rule
- For the proper management and administration of Business Associate, provided that any disclosures are required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially
- To provide data aggregation services relating to the healthcare operations of the Covered Entity, if permitted under the Terms of Service
- To de-identify PHI in accordance with 45 CFR § 164.514(a)–(c)
2.2 Prohibited Uses
Business Associate shall not:
- Use or disclose PHI for marketing purposes without prior written authorization from the Covered Entity and the individual
- Sell PHI, as defined in 45 CFR § 164.502(a)(5)(ii)
- Use PHI received from the Covered Entity to train or improve artificial intelligence or machine learning models (Azure OpenAI Service data processing is covered under Microsoft's data protection commitments and does not involve model training on customer data)
3. Safeguards
Business Associate shall implement and maintain appropriate safeguards to prevent the use or disclosure of PHI other than as provided by this Agreement:
3.1 Administrative Safeguards
- Designation of a Privacy and Security Officer
- Workforce training on HIPAA policies and procedures
- Risk analysis and risk management programs
- Sanction policies for workforce members who violate HIPAA
- Contingency planning, including data backup and disaster recovery
3.2 Physical Safeguards
- All PHI is stored in Microsoft Azure US-based data centers with SOC 2 Type II certification
- Physical access to data centers is managed by Microsoft under its Azure compliance framework
3.3 Technical Safeguards
- Encryption at Rest: AES-256 encryption for all stored data, including database records, files, and backups
- Encryption in Transit: TLS 1.2 or higher for all data transmissions
- Access Controls: Authentication via Microsoft Entra ID; role-based access control (RBAC) with least-privilege principles; multi-tenant data isolation
- Audit Logging: Comprehensive logging of all access to, creation of, modification of, and deletion of PHI, with logs retained for a minimum of six years
- Automatic Session Termination: Sessions automatically expire after a period of inactivity
4. Breach Notification
4.1 Reporting Obligations
Business Associate shall report to Covered Entity any Breach of unsecured PHI without unreasonable delay, and in no event later than 60 days after discovery of the Breach, consistent with 45 CFR § 164.410.
4.2 Immediate Notification
Notwithstanding the 60-day maximum, Business Associate shall notify Covered Entity as soon as reasonably practicable, and will use best efforts to provide initial notification within 5 business days of discovery of a confirmed Breach.
4.3 Content of Notification
Breach notifications shall include, to the extent available:
- Identification of each individual whose PHI has been, or is reasonably believed to have been, affected
- A description of the Breach, including the date of the Breach and the date of discovery
- A description of the types of unsecured PHI involved (e.g., names, diagnoses, Social Security numbers)
- Steps individuals should take to protect themselves from potential harm
- A description of what Business Associate is doing to investigate, mitigate, and prevent future Breaches
- Contact information for Business Associate's Privacy Officer
4.4 Security Incidents
Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. The Parties acknowledge that unsuccessful security incidents (such as pings, port scans, unsuccessful login attempts, or denial-of-service attacks that do not result in unauthorized access) occur regularly and agree that no additional notice is required for such unsuccessful attempts.
4.5 Mitigation
Business Associate shall take prompt corrective action to mitigate any harmful effects of a Breach or Security Incident and to prevent further unauthorized use or disclosure of PHI.
5. Obligations of Covered Entity
Covered Entity agrees to:
- Provide Business Associate with its Notice of Privacy Practices, and any changes thereto, to the extent such changes affect Business Associate's use or disclosure of PHI
- Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522
- Notify Business Associate of any revocation of authorization by an individual, to the extent such revocation affects Business Associate's permitted uses or disclosures
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity
6. Subcontractors
6.1 Subcontractor Agreements
Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.
6.2 Current Subprocessors
The following Microsoft Azure services are used as subprocessors. Microsoft Corporation has executed a BAA with AfiaSync covering these services:
- Azure Cosmos DB — Primary database for patient records and clinical data
- Azure Blob Storage — Storage for audio recordings and uploaded documents
- Azure OpenAI Service — AI-powered SOAP note generation (customer data is not used for model training)
- Azure Speech Services — Transcription of clinical encounter audio
- Azure Service Bus — Asynchronous messaging for background processing
- Microsoft Entra ID — Identity and authentication services
6.3 Notification of Subprocessor Changes
Business Associate will maintain a current list of subprocessors on its website and will provide notice of material changes to subprocessors at least 30 days in advance.
7. Individual Rights — Access to PHI
Business Associate shall make PHI maintained in the AfiaSync platform available to Covered Entity to enable Covered Entity to fulfill its obligations to provide individuals with access to their PHI in accordance with 45 CFR § 164.524. Business Associate shall respond to Covered Entity requests for access within 15 business days.
8. Amendment of PHI
Business Associate shall make PHI available for amendment and shall incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 CFR § 164.526.
9. Accounting of Disclosures
Business Associate shall maintain and make available to Covered Entity information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate shall maintain such information for at least six years from the date of the disclosure.
10. Return or Destruction of PHI
10.1 Upon Termination
Upon termination of this Agreement or the Terms of Service, Business Associate shall:
- Provide Covered Entity with a 30-day window to export all PHI from the platform
- After the export window, return or destroy all PHI in its possession, including all copies in any form
- Certify in writing that all PHI has been returned or destroyed
10.2 Exceptions
If return or destruction of PHI is not feasible, Business Associate shall:
- Extend the protections of this Agreement to the retained PHI
- Limit further uses and disclosures to the purposes that make return or destruction infeasible
- Retain such PHI only for the minimum period required by law or legitimate business need
11. Term and Termination
11.1 Term
This Agreement is effective as of the date both Parties have executed it, and shall remain in effect for the duration of the Covered Entity's subscription to AfiaSync, unless terminated earlier as provided herein.
11.2 Termination for Cause
Either Party may terminate this Agreement if the other Party materially breaches any provision of this Agreement and fails to cure such breach within 30 days of written notice. If cure is not possible, the non-breaching Party may terminate immediately.
11.3 Effect of Termination
The obligations of Business Associate under Sections 3 (Safeguards), 4 (Breach Notification), 9 (Accounting of Disclosures), and 10 (Return or Destruction of PHI) shall survive termination of this Agreement.
12. Miscellaneous
12.1 Regulatory References
Any reference in this Agreement to a section of HIPAA or the HITECH Act means the section as in effect or as amended from time to time, and for which compliance is required.
12.2 Amendment
This Agreement may be amended only by a written instrument signed by both Parties. The Parties agree to amend this Agreement as necessary to comply with changes in HIPAA regulations.
12.3 Interpretation
Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA and the HITECH Act.
12.4 Governing Law
This Agreement shall be governed by federal law, including HIPAA and the HITECH Act, and to the extent not preempted, by the laws of the State of Delaware, United States.
13. Contact Information
For questions about this BAA, to request execution of this agreement, or to report a potential Breach:
AfiaSync LLC — Privacy Officer
Email: support@afiasync.com
Execute This BAA
To execute this Business Associate Agreement, please contact us at support@afiasync.com. We will provide a countersigned copy for your records.