Business Associate Agreement (BAA)

Last Updated: October 6, 2025

This Business Associate Agreement (the BAA) is entered into by and between COADIA, Inc. dba Moco (Business Associate) and the entity agreeing to these terms (Covered Entity). This BAA is incorporated into and made part of the Moco Platform Terms of Use. If there is a conflict, this BAA controls for HIPAA matters.

1. Purpose

This BAA satisfies the requirements of HIPAA, the HITECH Act, and their implementing rules regarding uses and disclosures of Protected Health Information.

2. Definitions

PHI. Individually identifiable health information as in 45 C.F.R. 160.103.

Unsecured PHI. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals as in 45 C.F.R. 164.402.

Audio Data. Voice recordings captured by the Service during clinical encounters.

Transcripts. Text created from Audio Data.

Voice Feature Data. Numerical features derived from Audio Data that cannot reasonably be used to reconstruct a person's voice.

De-identified Data. Data de-identified in compliance with 45 C.F.R. 164.514 using Expert Determination or Safe Harbor.

Security Incident. As in 45 C.F.R. 164.304.

Minimum Necessary. The standard in 45 C.F.R. 164.502(b).

3. Permitted uses and disclosures by Business Associate

3.1 Services. We may use and disclose PHI to perform the Service for Covered Entity and for health care operations on Covered Entity's behalf, including capturing, storing, and transcribing Audio Data and generating Transcripts for treatment, payment, and health care operations.

3.2 Management and legal duties. We may use and disclose PHI for our proper management and administration or to carry out our legal responsibilities, provided disclosures are required by law or made to a recipient who agrees to keep the information confidential and to notify us of any breach.

3.3 De-identification. We may create De-identified Data from PHI in accordance with 45 C.F.R. 164.514. We will not attempt to re-identify individuals and we will prohibit recipients from doing so.

3.4 No sale of PHI. We do not receive remuneration in exchange for PHI. This restriction does not apply to De-identified Data created under 45 C.F.R. 164.514, subject to applicable law and 42 C.F.R. Part 2.

4. Safeguards and compliance

4.1 Security Rule. We will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI as required by 45 C.F.R. 164.308 through 164.312.

4.2 Policies and training. We will maintain policies, procedures, and workforce training required by HIPAA.

4.3 Minimum necessary and access control. We apply role-based access and the minimum necessary standard to PHI. Access to raw Audio Data is restricted and reviewed at least quarterly. Audio stores use separate encryption keys.

4.4 Subcontractors. We will ensure that each subcontractor that creates, receives, maintains, or transmits PHI on our behalf agrees in writing to the same restrictions and safeguards required here.

5. Reporting and cooperation

5.1 Breach notice. We will notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay and no later than ten days after discovery. Notice will include the information required by 45 C.F.R. 164.404(c) to the extent known at the time and will be updated as more becomes known.

5.2 Security Incidents. We will document and report Security Incidents as required by HIPAA and will provide summaries upon request.

5.3 Cooperation. We will cooperate with Covered Entity in investigating and mitigating any Breach.

6. Individual rights support

6.1 Access. We will make PHI available to Covered Entity to support access requests under 45 C.F.R. 164.524.

6.2 Amendment. We will accommodate amendments to PHI as required by 45 C.F.R. 164.526.

6.3 Accounting. We will document disclosures and provide an accounting as required by 45 C.F.R. 164.528.

7. Special restrictions

7.1 42 C.F.R. Part 2. For records subject to Part 2, we will not use or disclose beyond treatment, payment, and operations without specific patient consent. We will not include Part 2 data in De-identified Data unless consent expressly permits it or de-identification occurs before Part 2 applies.

7.2 State laws. Where state privacy or biometric laws impose stricter rules, we will apply those rules in addition to HIPAA.

8. Audit and documentation

8.1 HHS access. We will make internal practices, books, and records relating to PHI available to the Secretary of HHS for determining compliance.

8.2 Customer assurance. On request under NDA we will provide a current SOC or ISO report, penetration test summary, and HIPAA training attestations or will permit a reasonable audit not more than once per year.

9. Term and termination

9.1 Term. This BAA remains in effect while we provide services involving PHI to Covered Entity.

9.2 Termination for cause. Either party may terminate for material breach that is not cured within thirty days after written notice.

9.3 Return or destruction. Upon termination, at Covered Entity's election we will return or destroy PHI if feasible. If return or destruction is infeasible, we will extend the protections of this BAA and limit further uses and disclosures to those purposes that make the return or destruction infeasible. We will complete requested deletions of raw Audio Data and will schedule deletion of derived features not required for legal, security, or fraud logs.

9.4 Backups. Deletions propagate as backups expire on their normal cycle. We do not modify historical backups.

10. Obligations of Covered Entity

10.1 Compliance. Covered Entity will comply with HIPAA and will not request that we use or disclose PHI in a way that would violate HIPAA.

10.2 Minimum necessary. Covered Entity will apply the minimum necessary standard and will configure the Service to limit PHI to what is needed.

10.3 Permissions. Covered Entity is responsible for obtaining any authorizations required for uses and disclosures that are not permitted or required by HIPAA.

11. Miscellaneous

11.1 Third party beneficiaries. None.

11.2 Governing law. The governing law specified in the Platform Terms applies, without regard to conflicts rules.

11.3 Amendments. This BAA will be amended to reflect changes in HIPAA or other applicable laws.

11.4 Survival. Duties regarding PHI survive termination.

11.5 Order of precedence. This BAA controls in case of conflict with other agreements regarding HIPAA obligations.