CosignMD
Business Associate Agreement
Effective Date: The date Covered Entity creates an account on CosignMD
This Business Associate Agreement ("BAA") is entered into by and between the healthcare provider or practice creating an account on cosignmd.ai ("Covered Entity") and Clarity Health Innovations Inc., a California corporation operating the CosignMD platform ("Business Associate").
This BAA supplements the CosignMD Terms of Service and is incorporated by reference. In the event of a conflict between this BAA and the Terms of Service, this BAA shall control with respect to Protected Health Information.
1. Definitions
- "HIPAA": The Health Insurance Portability and Accountability Act of 1996, as amended by HITECH, and all implementing regulations at 45 CFR Parts 160 and 164.
- "PHI" (Protected Health Information): Individually identifiable health information transmitted or maintained in any form, as defined in 45 CFR 160.103.
- "ePHI" (Electronic PHI): PHI that is transmitted or maintained in electronic media.
- "Breach": The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 CFR 164.402.
- "Security Incident": The attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI, or interference with system operations in an information system containing ePHI.
- "Subcontractor": A person or entity that creates, receives, maintains, or transmits PHI on behalf of Business Associate.
2. Permitted Uses and Disclosures
Business Associate may use and disclose PHI solely to:
- Perform services under the CosignMD platform on behalf of Covered Entity, including clinical note generation, billing code capture, call triage, facesheet processing, prescription management, and cloud synchronization.
- Carry out the legal responsibilities of Business Associate, including obligations under HIPAA.
- Provide data aggregation services relating to healthcare operations of Covered Entity, provided such data is de-identified per 45 CFR 164.514.
Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity, except as permitted above.
3. Safeguards
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, including:
- Encryption in transit: All data in transit is encrypted using TLS 1.2 or higher.
- Encryption at rest: AES-256 encryption of the database (Neon Postgres) and object storage (AWS S3).
- Authentication: Magic-link email authentication issuing JSON Web Tokens (JWTs) with a 4-hour expiry and automatic refresh; device-level PIN lock after 5 minutes of inactivity.
- Access controls: All database queries are scoped to the authenticated user's ID; API keys are never transmitted to client browsers.
- Audit logging: All access to PHI is recorded in an immutable audit log capturing user ID, action, resource type, timestamp, and IP address.
- Session management: Server-side token revocation capability for emergency session termination.
- Brute-force protection: Rate limiting on authentication endpoints, both per IP address and per account.
4. Subcontractors
Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to substantially the same restrictions and conditions as this BAA. Business Associate has executed BAAs with the following subcontractors:
| Subcontractor | Service | PHI Handled |
|---|---|---|
| Anthropic (Claude API) | AI clinical reasoning and note generation | Clinical notes, diagnoses, billing codes |
| Deepgram | Medical speech-to-text transcription | Dictated clinical audio |
| Neon | PostgreSQL database hosting | All cloud-synced patient data |
| Amazon Web Services (S3) | Voicemail audio storage | Voicemail recordings |
| Twilio (Conduit) | Voice calls, SMS, and fax | Phone call audio, SMS content, fax documents |
5. Breach Notification
- Business Associate shall report to Covered Entity any Breach of unsecured PHI within 30 calendar days of discovery.
- Notification shall include, to the extent known: the nature of the Breach, the types of PHI involved, the identity of each individual affected, the steps taken to mitigate harm, and a description of the investigation.
- Business Associate shall report Security Incidents that do not constitute a Breach within 60 calendar days in an aggregate summary.
- Notifications shall be sent to the email address associated with Covered Entity's CosignMD account.
6. Rights of Covered Entity and Individuals
- Access: Business Associate shall make PHI available to Covered Entity within 15 business days of a written request, in the format maintained by the platform (JSON export or equivalent electronic format).
- Amendment: Business Associate shall make PHI available for amendment and incorporate approved amendments within 15 business days.
- Accounting of disclosures: Business Associate shall make available information required to provide an accounting of disclosures for up to 6 years prior to the date of the request, using data maintained in the audit log.
- Restriction requests: Business Associate shall comply with restrictions on use or disclosure of PHI that Covered Entity has agreed to, provided Business Associate is notified in writing.
7. Term and Termination
- This BAA is effective upon Covered Entity's creation of a CosignMD account and remains in effect for the duration of the service relationship.
- Either party may terminate this BAA upon 30 days' written notice if the other party materially breaches this BAA and fails to cure within 30 days.
- Upon termination: Business Associate shall, at Covered Entity's election, return or destroy all PHI in its possession within 60 calendar days. If return or destruction is not feasible, protections of this BAA extend to such PHI and Business Associate shall limit further uses and disclosures to purposes that make return or destruction infeasible.
- Covered Entity may export all data via the CosignMD platform at any time prior to account termination.
8. General Provisions
- Regulatory amendments: The parties shall amend this BAA as necessary to comply with changes to HIPAA or its implementing regulations.
- No third-party beneficiaries: Nothing in this BAA confers rights on any third party, except that individuals whose PHI is maintained by Business Associate may enforce their rights under HIPAA.
- Governing law: This BAA shall be governed by federal HIPAA regulations and, to the extent not preempted, the laws of the State of California.
- Survival: Sections 5 (Breach Notification), 6 (Rights), and 7.3 (Data Return/Destruction) survive termination of this BAA.
9. Contact Information
Business Associate:
Clarity Health Innovations Inc.
Email: info@clarityhealthinnovations.com
Web: cosignmd.ai