Business Associate Agreement (BAA)

Brevity AI, Inc.

Effective Date: October 26, 2025

This Business Associate Agreement (this “BAA”) is entered into by and between Brevity AI, Inc. (“Business Associate”) and the covered entity (or business associate of another covered entity) entering into the Brevity AI Terms of Use (“Covered Entity”) (each a “Party” and together, the “Parties”). This BAA forms part of and is incorporated by reference into the Terms of Use between the Parties (the “Agreement”).

This BAA is intended to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”), and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”), each as amended from time to time.

1. Definitions

Capitalized terms used but not defined in this BAA have the meanings given in HIPAA. For clarity:

  • “PHI” has the meaning set forth in HIPAA and includes electronic PHI (“ePHI”).
  • “De-identified Data” means data de-identified in accordance with 45 C.F.R. § 164.514(a)-(c).
  • “Breach” has the meaning set forth in 45 C.F.R. § 164.402.
  • “Security Incident” has the meaning set forth in 45 C.F.R. § 164.304.

2. Permitted Uses and Disclosures by Business Associate

Business Associate may Use and Disclose PHI only as follows:

  • to provide, maintain, secure, support, and improve the services described in the Agreement (the “Services”), including transcription, document processing, clinical note generation, chat assistance, and related functionality;
  • for proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities, provided any Disclosures for such purposes are required by law or made subject to reasonable assurances under 45 C.F.R. § 164.504(e)(4);
  • to De-identify PHI as permitted by 45 C.F.R. § 164.514(a)-(c). Business Associate may use and Disclose De-identified Data for any lawful purpose.

Business Associate will not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted for management/administration or legal responsibilities. Business Associate does not sell PHI.

3. Subcontractors and Third Parties

Business Associate may engage subcontractors to assist in providing the Services, including cloud infrastructure and storage, AI processing, email delivery, payment processing, and caching/coordination. Business Associate may update subcontractors from time to time. A current list of subprocessors is maintained in Business Associate’s Privacy Policy (Subprocessors).

Business Associate will ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to substantially the same restrictions and conditions that apply to Business Associate with respect to PHI, as required by 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2).

4. Safeguards

Business Associate will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. Part 164, Subpart C. Without limitation and as applicable to the Services, such safeguards include:

  • Access controls and role-based authorization; organization scoping for cases and files;
  • Encryption in transit (HTTPS/TLS) and secure cookie/session configurations;
  • Audit logging for recording operations and security-relevant events with log integrity protections;
  • Secure key and secret handling using environment variables and platform controls;
  • Network and infrastructure security consistent with the security practices of Business Associate’s cloud provider; and
  • Workforce training and policies to reduce risks to PHI.

5. Reporting Obligations

  • Security Incidents. Business Associate will report to Covered Entity Security Incidents of which it becomes aware that result in unauthorized access to PHI. Routine, unsuccessful attempts (e.g., pings, scans) are excluded.
  • Breach Notification. Business Associate will notify Covered Entity without unreasonable delay and in no case later than ten (10) business days after Discovery of any Breach of Unsecured PHI, and will provide the information Covered Entity needs to comply with the Breach notification requirements of the HITECH Act and 45 C.F.R. §§ 164.404–410, as such information becomes available.

6. Minimum Necessary; Mitigation

Business Associate will limit Uses, Disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose and will mitigate, to the extent practicable, any known harmful effect resulting from a Use or Disclosure of PHI in violation of this BAA.

7. Access, Amendment, and Accounting

To the extent Business Associate maintains PHI in a Designated Record Set for Covered Entity, Business Associate will:

  • make PHI available to Covered Entity (or as directed, to an Individual) so Covered Entity may meet its obligations under 45 C.F.R. § 164.524;
  • make amendments to PHI as directed by Covered Entity under 45 C.F.R. § 164.526; and
  • document Disclosures and provide information to Covered Entity to support accounting of Disclosures under 45 C.F.R. § 164.528.

Covered Entity is responsible for determining whether PHI resides in a Designated Record Set and for directing Business Associate accordingly.

8. Books and Records; Compliance

Business Associate will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA.

9. Data Retention and Deletion

  • Customer Deletion. Covered Entity may delete case documents and recordings through the Services. Business Associate will delete related PHI within its active systems promptly thereafter.
  • Backups. PHI may persist in backups for up to thirty (30) days after deletion and will be purged per Business Associate’s retention schedules.
  • Termination. Upon termination or expiration of the Agreement, Business Associate will, at Covered Entity’s written request received within thirty (30) days, return to Covered Entity a commercially reasonable export of PHI that Business Associate then maintains for Covered Entity. Thereafter, Business Associate will delete PHI, except to the extent retention is required by law or stored in backups pending scheduled purge.

10. Prohibited Data Types

Covered Entity will not submit, and will ensure its users do not submit, records governed by 42 C.F.R. Part 2 (substance use disorder treatment records) or other specially protected data types the Services are not designed to process, unless the Parties agree in writing and implement appropriate safeguards.

11. Responsibilities of Covered Entity

Covered Entity will:

  • provide only the minimum necessary PHI to Business Associate for the Services;
  • obtain any necessary authorizations and provide required notices under HIPAA and applicable law;
  • not store payment card information in the Services; and
  • configure user roles and access controls consistent with the principle of least privilege.

12. Term and Termination

  • Term. This BAA is effective as of the Effective Date and continues until the Agreement is terminated.
  • Termination for Cause. If either Party materially breaches this BAA and fails to cure within thirty (30) days after written notice, the non-breaching Party may terminate this BAA and the Agreement to the extent feasible. If termination is not feasible, the non-breaching Party will report the violation to the Secretary in accordance with 45 C.F.R. § 164.504(e)(1)(ii).

Upon termination, Business Associate will return or destroy PHI as provided in Section 9, if feasible. If return or destruction is infeasible, Business Associate will extend protections of this BAA to such PHI and limit further Uses and Disclosures to those purposes that make return or destruction infeasible.

13. No Third-Party Beneficiaries

This BAA is for the benefit of the Parties and not for any third party.

14. Amendment

The Parties will amend this BAA from time to time as necessary to comply with changes in HIPAA, the HITECH Act, or other applicable law.

15. Interpretation; Conflicts

Any ambiguity will be resolved in favor of a meaning that permits compliance with HIPAA. If there is a conflict between this BAA and the Agreement with respect to PHI, this BAA controls. Otherwise, the Agreement controls.

16. Miscellaneous

This BAA may be executed or accepted electronically. It is incorporated into and forms part of the Agreement. Capitalized terms used but not defined herein have the meanings given in the Agreement.

Entity Notice: “Brevity AI, Inc.” is a Delaware corporation. References in this BAA to “Brevity AI,” “Brevity,” or “Business Associate” mean Brevity AI, Inc.
By using the Services and, where applicable, enabling PHI processing, Covered Entity agrees to this BAA. If Covered Entity requires a separately signed version of this BAA for record-keeping, Covered Entity may request one at support@getbrevity.ai.