Business Associate Agreement for BASILIAS AI
Last Updated: 24th July 2025
This Business Associate Agreement (“BAA” or “Agreement”) is entered into by and between the Covered Entity (the "User") and BASILIAS AI ("BASILIAS" or the "Business Associate"). This Agreement is applicable only where the User is a Covered Entity or a Business Associate and only when BASILIAS is acting as a Business Associate as defined in 45 CFR § 160.103.
The Parties have entered into one or more agreements, written or oral, pursuant to which BASILIAS performs functions or activities for, or provides services to, the User that involve the use and disclosure of Protected Health Information (the “Agreement”). This BAA is designed to ensure the protection and security of Protected Health Information (PHI) used or disclosed in connection with the BASILIAS AI, in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It provides transparency for both parties involved and is essential for privacy, security, and compliance.
1. Definitions
Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in 45 CFR Part 160 and Part 164 (“HIPAA Rules”), as amended from time to time.
- "Business Associate" shall generally have the same meaning as the term “business associate” at 45 CFR 160.103. BASILIAS AI acknowledges its role as a Business Associate.
- "Covered Entity" shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
- "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. This collectively refers to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health (HITECH) Act, including all regulations under 45 C.F.R. Parts 160 and 164, as modified, supplemented, and amended.
- "Protected Health Information" and "PHI" shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of the HIPAA Rules. For this Agreement, PHI is limited to such protected health information that is received by BASILIAS from, or created, received, maintained, or transmitted by BASILIAS on behalf of the User, through the use of the Services. The scope of PHI may include patient names, dates of service, medical record numbers, and the full content of clinical conversations.
- "Services" shall mean the AI-powered transcription of audio from clinical encounters into text, provided by BASILIAS to the User pursuant to an Agreement. This includes the AI scribe services where BASILIAS processes PHI on behalf of the User.
- "Security Measures" refers to the administrative, physical, and technical safeguards required under the HIPAA Security Rule.
- "Security Incident" includes any unauthorized use or disclosure of PHI.
- "Unsuccessful Security Incidents" means, without limitation, pings and other broadcast attacks on BASILIAS’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, use, or disclosure of PHI. Notice is hereby deemed given for Unsuccessful Security Incidents, and no further notice of such Unsuccessful Security Incidents shall be given unless they result in unauthorized access.
- "Effective Date": The date on which this Business Associate Agreement becomes active and legally binding, which, for the purpose of this Agreement, shall be the date the User signs up for or first utilizes any of BASILIAS’ services. By signing up for or utilizing BASILIAS’ services, the User is deemed to have signed and accepted this BAA, and this Agreement shall be legally binding as of that date.
- "De-Identified Data" shall be defined according to HIPAA’s Safe Harbor or Expert Determination methods.
2. Permitted Uses and Disclosures of PHI
BASILIAS will not use or disclose PHI in a manner other than as permitted or required by the Agreement, this BAA, or by law.
- Provision of Services: BASILIAS may use and disclose PHI solely for the purpose of performing the Services as contracted by the User. Such use or disclosure would not violate the HIPAA Rules if done by the User, unless expressly permitted otherwise by this BAA.
- Business Associate's Proper Management and Administration: BASILIAS may use and disclose PHI for the proper management and administration of BASILIAS’s business and to carry out its legal responsibilities. Any such disclosure may only occur if (i) it is required by law; or (ii) BASILIAS obtains, in writing, prior to making any disclosure to a third party (1) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (2) an agreement from this third party to notify BASILIAS of any breaches of the confidentiality of the PHI.
- Data Aggregation: BASILIAS may use PHI to create de-identified, aggregated data for purposes such as service improvements or analytics. BASILIAS may use PHI to create de-identified information in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)-(c), and BASILIAS may own all such de-identified data. This requires explicit permission and may be used for data aggregation services relating to the health care operations of the Covered Entity.
- No Unauthorized Use: BASILIAS will explicitly not use or further disclose PHI in any manner that is not permitted by this BAA or that would violate HIPAA. BASILIAS shall only use the minimum necessary PHI for proper business purposes. BASILIAS shall not sell PHI.
3. Obligations of BASILIAS (The Business Associate)
BASILIAS remains steadfast in its commitment to upholding the principles of HIPAA and protecting the privacy and security of healthcare information.
- Safeguards: BASILIAS must implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of all electronic PHI that it creates, receives, maintains, or transmits on behalf of the User. These robust security measures include, but are not limited to:
  - Access Controls: Restricting access to PHI only to authorized personnel through secure user authentication mechanisms and role-based access controls.
  - Encryption: Employing encryption techniques to protect PHI during transmission and storage, both in transit and at rest.
  - Audit Trails: Maintaining comprehensive audit trails to monitor and track access to PHI.
- Cloud Hosting: BASILIAS utilizes cloud hosting. BASILIAS has entered into a Business Associate Agreement (BAA) with its cloud hosting provider to ensure the secure handling and storage of PHI within the cloud infrastructure. This BAA with its cloud hosting providers reinforces BASILIAS's commitment to HIPAA compliance and data protection.
- AI Model Training - CRITICAL CLAUSE:
  - PHI will not be used to train or improve BASILIAS's AI algorithms or models.
- Reporting of Security Incidents and Breaches: BASILIAS shall report to the User any use and/or disclosure of PHI that is not permitted or required by this BAA of which BASILIAS becomes aware. BASILIAS must report any Security Incident, including any unauthorized use or disclosure of PHI, to the User without unreasonable delay. BASILIAS is committed to reporting such incidents in accordance with HIPAA requirements. This also includes breaches of unsecured PHI as required by 45 CFR 164.410. The notification will be made without unreasonable delay. The BAA should detail the information that will be included in the breach notification to assist the User in its own investigation and reporting duties. BASILIAS has established incident response procedures to promptly address and mitigate any breaches or incidents involving PHI. BASILIAS agrees to mitigate, to the extent practicable, any harmful effect that is known to BASILIAS of a use or disclosure of PHI by BASILIAS in violation of the requirements of this Agreement.
- Subcontractors: BASILIAS shall require its subcontractors (e.g., cloud hosting providers like AWS, Google Cloud, Microsoft, ElevenLabs, Vercel) who create, receive, maintain, or transmit PHI on behalf of BASILIAS to agree in writing to (a) substantially the same or no less restrictive restrictions and conditions that apply to BASILIAS with respect to such PHI; (b) appropriately safeguard the PHI; and (c) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. BASILIAS remains responsible for its Subcontractors’ compliance with the obligations of this BAA. BASILIAS will maintain a list of its subcontractors and make it available to the User upon request.
- Individual Rights Support:
  - Access to PHI: To the extent that BASILIAS maintains PHI in a Designated Record Set, BASILIAS shall provide access to such PHI to the User in a time and manner that meets the requirements of 45 C.F.R. § 164.524 for the User to respond to a request for access by a person who is the subject of the PHI.
  - Amendment: BASILIAS shall make available to the User PHI held in a designated record set for amendment and incorporate any such amendment as directed by the User to allow the User to comply with 45 C.F.R. § 164.526.
  - Accounting of Disclosures: BASILIAS shall document any and all disclosures of PHI by BASILIAS or its agents, including subcontractors, as well as any other information related to such disclosures of PHI that would be required for the User to respond to an individual’s request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
- Access to Records (Secretary of HHS): BASILIAS must make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services (HHS) for compliance auditing purposes.
- Data Accuracy and Integrity: BASILIAS is dedicated to ensuring the integrity and accuracy of PHI, implementing measures to prevent unauthorized alteration or destruction of healthcare data. While BASILIAS strives for high transcription accuracy, the Covered Entity is ultimately responsible for reviewing, editing, and confirming the accuracy of the final transcription before it is entered into the official medical record.
4. Obligations of the Covered Entity (The User)
- Permissions and Restrictions: The User agrees that it shall not request BASILIAS to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the User (except to the extent permitted by HIPAA for a business associate). The User must notify BASILIAS of any limitation(s) in its own notice of privacy practices under 45 CFR 164.520, or any restriction to the use or disclosure of PHI that the User has agreed to in accordance with 45 CFR 164.522, to the extent that such limitation or restriction may affect BASILIAS's use or disclosure of PHI.
- Notification of Changes: The User must inform BASILIAS of any changes in, or revocation of, permission by an individual to use or disclose their PHI.
- Safeguards and Appropriate Use of PHI: The User is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA.
5. Term and Termination
- Term: This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in this BAA, or (2) expiration of the Agreement. The term begins upon acceptance and terminates upon termination of all services requiring a BAA, unless terminated sooner.
- Termination for Cause: Upon written notice, either Party may immediately terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice. If cure is not feasible, the Covered Entity shall report the violation to the Secretary.
- Return or Destruction of PHI:
  - Upon termination of the Agreement, for any reason, BASILIAS shall return or destroy all PHI received from the User, or created or received by BASILIAS on behalf of the User. This provision shall apply to PHI that is in the possession of subcontractors or agents of BASILIAS. BASILIAS shall retain no copies of the PHI. This must be done within a specified timeframe (e.g., 60 days), if feasible to do so.
  - If it is not feasible to return or destroy any portions of the PHI upon termination of this BAA, then BASILIAS shall provide notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, BASILIAS shall extend the protections of this BAA, without limitation, to such PHI and limit any further use or disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI.
  - A certificate of destruction should be provided upon request.
6. Miscellaneous
- Indemnification/Limitation of Liability: The total and aggregate liability of BASILIAS to the User for all damages arising out of or in connection with a breach of this Agreement caused by BASILIAS is limited to one thousand dollars. This limitation applies to all causes of action in the aggregate, including, without limitation, breach of contract, misrepresentations, negligence, strict liability, and other torts, and applies notwithstanding any failure of essential purpose of any remedy.
- Governing Law: This Agreement is governed by the laws of the State of Delaware.
- Entire Agreement: This BAA constitutes the entire agreement of the Parties, superseding all prior oral and written agreements or understandings between them with respect to the matters provided for herein.
- No Third Party Beneficiaries: This BAA is between the parties hereto. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than BASILIAS and the User and any respective successors and assigns.
- Interpretation: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. The terms of this BAA shall prevail in the case of any conflict with the terms of any Agreement to the extent necessary to allow the User and BASILIAS to comply with applicable provisions of HIPAA, the Privacy Rule, the Security Rule, or the Breach Notification Rule.
- Amendment: This BAA shall not be amended except by the mutual written agreement of the Parties. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the User to comply with the requirements of the HIPAA Rules and any other applicable law.
- Assignment: Neither Party may assign any of its rights or obligations under this BAA without the prior written consent of the other Party.
- Notice: Any notices required hereunder shall be given as set forth in the Agreement. All legal notices under this Agreement shall be delivered via electronic mail to the specified addresses for both BASILIAS and the User.
- Survival: The respective rights and obligations of BASILIAS under the termination provisions shall survive the termination of this Agreement.
- Independent Contractors / No Agency Relationship: The Parties are and shall be independent contractors to one another, and nothing in this BAA shall be deemed to cause this BAA to create an agency, partnership, or joint venture between the Parties.
- Privileges and Protections Not Waived: Nothing herein shall be construed as a waiver of applicable legal or other privileges or protections held or enjoyed by either Party.