HIPAA Business Associate Agreement
Effective Date: April 18, 2026 | Last updated: April 18, 2026
Recitals
This Business Associate Agreement ("BAA") is entered into between the licensed mental health professional or healthcare organization accessing TherapyScribe.AI ("Covered Entity") and Your Life Consulting, LLC, operating as TherapyScribe.AI ("Business Associate").
A. Covered Entity is a "Covered Entity" as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, and the regulations promulgated thereunder, including 45 C.F.R. Parts 160 and 164 ("HIPAA Regulations").
B. Business Associate provides session recording, AI-powered transcription, and clinical note generation services to Covered Entity. In performing these services, Business Associate creates, receives, maintains, or transmits Protected Health Information ("PHI") on behalf of Covered Entity.
C. The parties intend to protect the privacy and security of PHI in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and applicable state and federal law.
D. HIPAA requires Covered Entity to enter into a BAA with Business Associate that meets certain requirements with respect to the use and disclosure of PHI, which are met by this BAA.
Article I — Definitions
Capitalized terms not otherwise defined shall have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act.
1.1 "Breach" — as defined under 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.
1.2 "Designated Record Set" — as defined under 45 C.F.R. § 164.501.
1.3 "Disclose" / "Disclosure" — the release, transfer, or provision of access to PHI outside of Business Associate or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.
1.4 "Electronic PHI" or "ePHI" — PHI transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.
1.5 "Protected Health Information" / "PHI" — any information that: (a) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care, or payment for health care; (b) identifies the individual or could reasonably be used to identify them; and (c) has the meaning given under 45 C.F.R. § 160.103, including ePHI. In the context of TherapyScribe, PHI includes session audio recordings, transcriptions, and AI-generated clinical notes.
1.6 "Security Incident" — as defined under 45 C.F.R. § 164.304.
1.7 "Services" — session audio recording, AI-powered transcription, AI-generated clinical documentation (SOAP, DAP, BIRP, and other note formats), and related features provided through TherapyScribe.AI.
1.8 "Unsecured PHI" — as defined under 42 U.S.C. § 17932(h) and 45 C.F.R. § 164.402.
1.9 "Subcontractors" — third-party service providers engaged by Business Associate that create, receive, maintain, or transmit PHI in the performance of Services. Current Subcontractors with executed BAAs include Amazon Web Services (infrastructure), Microsoft Azure (AI processing), and Deepgram (transcription services).
Article II — Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate shall not use or disclose PHI other than as necessary to perform the Services, as permitted by this BAA, or as required by law. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part 164. Business Associate may use PHI: (i) for proper management and administration of Business Associate; (ii) to carry out its legal responsibilities, provided disclosures are required by law or the recipient agrees in writing to maintain confidentiality; (iii) for data aggregation related to Covered Entity's health care operations. Business Associate shall never use PHI to train AI models or for any purpose beyond providing the Services.
2.2 Prohibited Marketing and Sale of PHI
Business Associate shall not use or disclose PHI for marketing or fundraising purposes. Business Associate shall not receive remuneration in exchange for PHI. Session content, transcripts, and notes shall never be used to advertise to, profile, or market to clients or patients of Covered Entity.
2.3 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI. This includes, at minimum: AES-256 encryption of PHI at rest; TLS 1.2 or higher encryption in transit; access controls limiting PHI access to authorized personnel; audit logging of PHI access; and regular security risk assessments in compliance with 45 C.F.R. § 164.308(a)(1). Session audio recordings are not retained beyond the period necessary to generate clinical notes, after which they are deleted from Business Associate systems.
2.4 Mitigation
Business Associate agrees to mitigate, to the extent practicable, any harmful effect resulting from a use or disclosure of PHI by Business Associate in violation of this BAA.
2.5 Reporting — Security Incidents and Breaches
2.5.1 Security Incidents. Business Associate shall report to Covered Entity any Security Incident or non-permitted use or disclosure of PHI no later than three (3) business days after becoming aware of such incident, via the contact information Covered Entity provided at account registration or at hipaa@therapyscribe.ai.
2.5.2 Breach of Unsecured PHI. If a reportable Breach of Unsecured PHI occurs, Business Associate shall provide written notice to Covered Entity without unreasonable delay and no later than thirty (30) calendar days after discovery, consistent with 45 C.F.R. § 164.410(c). Business Associate shall cooperate with Covered Entity in meeting notification obligations under the HITECH Act. Covered Entity shall have sole control over timing and method of notifying affected individuals, the Secretary, and media as required. Business Associate shall reimburse Covered Entity for reasonable costs of breach notification.
2.6 Access to Books and Records
Business Associate agrees to make its internal practices, books, and records relating to use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA. Business Associate shall notify Covered Entity of any government requests for such information, except to the extent prohibited by law.
2.7 Access and Amendment of PHI
To the extent Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall, within fifteen (15) days of a request by Covered Entity, make PHI available for inspection, copying, or amendment to enable Covered Entity to fulfill obligations under 45 C.F.R. §§ 164.524 and 164.526. If PHI is maintained electronically, Business Associate shall provide it in the electronic format requested by Covered Entity where readily reproducible.
2.8 Accounting of Disclosures
To the extent Business Associate maintains a Designated Record Set, Business Associate shall, within thirty (30) days of a request, make available the information required to provide an accounting of disclosures to enable Covered Entity to fulfill obligations under 45 C.F.R. § 164.528.
2.9 Subcontractors
Business Associate shall require each Subcontractor that creates, receives, maintains, or transmits PHI on its behalf to execute a Business Associate Agreement imposing the same restrictions and requirements that apply to Business Associate under this BAA. Business Associate represents that executed BAAs are currently in place with Amazon Web Services, Microsoft Azure, and Deepgram, Inc.
2.10 Minimum Necessary
Business Associate shall, to the extent practicable, limit its use or disclosure of PHI to the minimum amount necessary to accomplish the purpose of the use or disclosure, consistent with 45 C.F.R. § 164.502(b).
Article III — Obligations of Covered Entity
3.1 Covered Entity shall notify Business Associate of any limitations in Covered Entity's Notice of Privacy Practices that would affect Business Associate's use or disclosure of PHI.
3.2 Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect Business Associate's permitted uses or disclosures.
3.3 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
3.4 Covered Entity is responsible for obtaining any required client or patient consent prior to recording sessions using the Service, consistent with applicable state and federal law.
Article IV — Term and Termination
4.1 Term. This BAA is effective upon Covered Entity's acceptance of the TherapyScribe Terms of Service and remains in effect until the TherapyScribe account is terminated or this BAA is otherwise terminated as provided herein.
4.2 Termination for Cause. Upon either party's knowledge of a material breach of this BAA by the other, the non-breaching party shall provide written notice and ten (10) business days to cure. If the breach is not cured within that period, the non-breaching party may immediately terminate this BAA. If the breach cannot be cured, immediate termination is permitted upon written notice.
4.3 Effect of Termination. Upon termination, Business Associate shall return or destroy all PHI it maintains on behalf of Covered Entity within thirty (30) days. Covered Entity may request export of notes and records prior to account closure. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the retained PHI for as long as it is retained and limit further uses to those that make destruction infeasible.
Article V — Miscellaneous
5.1 Amendment. This BAA shall be deemed amended to incorporate any mandatory obligations arising from changes to HIPAA, the HITECH Act, or implementing regulations. The parties agree to take such action as necessary to amend this BAA from time to time to maintain compliance.
5.2 Indemnification. Each party agrees to indemnify and hold harmless the other, its affiliates, officers, directors, employees, and agents from and against any fines, penalties, damages, claims, or expenses (including reasonable attorney's fees) arising from that party's violation of HIPAA, the HITECH Act, or its obligations under this BAA.
5.3 No Third-Party Beneficiaries. Nothing in this BAA shall confer any rights or remedies upon any person other than the parties and their respective successors and permitted assigns.
5.4 Relationship of Parties. Business Associate is an independent contractor and not an agent of Covered Entity under this BAA.
5.5 Governing Law. This BAA shall be governed by applicable federal law and the laws of the state in which Your Life Consulting, LLC is organized, without regard to conflict of law provisions.
5.6 Survival. The obligations of Sections 4.3 and 5.2 shall survive termination of this BAA.
5.7 Notices. Notices under this BAA shall be sent to Business Associate at hipaa@therapyscribe.ai. Notices to Covered Entity shall be sent to the email address on file with the TherapyScribe account.
Execution
This BAA is entered into by acceptance of the TherapyScribe Terms of Service. Covered Entity's creation of a TherapyScribe account and acceptance of the Terms of Service constitutes electronic agreement to the terms of this BAA, with the effective date being the date of account creation.
Covered Entity
The licensed mental health professional or healthcare organization that created a TherapyScribe account and accepted the Terms of Service. Electronic acceptance constitutes a legally binding signature under the Electronic Signatures in Global and National Commerce Act (E-SIGN Act).
Need a countersigned copy?
Group practices, health systems, and compliance officers who require a separately signed and countersigned BAA for internal audit or vendor risk assessment purposes may request one by emailing hipaa@therapyscribe.ai. The countersigned agreement reflects the same terms set forth above — there are no gaps in coverage for users operating under the standard Terms of Service acceptance.
© 2026 Your Life Consulting, LLC. All rights reserved.