HIPAA Business Associate Agreement

Version 2.0

Effective Date: February 23, 2026

BETWEEN:

Syntari AI, Inc.
(the "Business Associate")

AND:

[Covered Entity Legal Name]
(the "Covered Entity")

Table of Contents
● 1. Definitions
● 2. Permitted Uses and Disclosures of PHI
● 2.1 Business Associate Obligations
● 2.2 Safeguards for PHI
● 2.3 Syntari-Specific Security Measures
● 2.4 Use Restrictions
● 2.5 Disclosure Restrictions
● 2.6 Breach Notification
● 2.7 Subcontractors
● 2.8 Business Associate Contracts with Subcontractors
● 2.9 Availability and Access to PHI
● 2.10 AI Feature HIPAA Restrictions
● 2.11 AI Provider Healthcare Addendums
● 2.12 Minimum Necessary for AI Processing
● 3. Covered Entity Rights
● 4. Termination
● 5. Administrative Provisions
● Schedule A - Subprocessors with Access to PHI
● Schedule B - Data Processing Addendum

1. DEFINITIONS
The following terms have the meanings assigned to them in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E), the Security Rule (45 CFR Part 160 and Part 164, Subparts A and C), and the Breach Notification Rule (45 CFR Part 160 and Part 164, Subpart D):
● "Breach" means the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, as defined at 45 CFR 164.402.
● "Business Associate" (BA) means Syntari AI, Inc., which creates, receives, maintains, or transmits PHI on behalf of the Covered Entity.
● "Covered Entity" (CE) means a health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a HIPAA standard transaction, as defined at 45 CFR 160.103.
● "Minimum Necessary" means the limited PHI reasonably needed to accomplish the intended purpose of the use, disclosure, or request.
● "Protected Health Information" (PHI) means individually identifiable health information, transmitted or maintained in any form or medium, that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that care, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual, as defined at 45 CFR 160.103. "Electronic Protected Health Information" (ePHI) means PHI that is transmitted by or maintained in electronic media.
● "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system, as defined at 45 CFR 164.304.
● "Subcontractor" or "Subprocessor" means any entity that Business Associate permits to receive, access, or use PHI while assisting with services provided under this Agreement.

2. PERMITTED USES AND DISCLOSURES OF PHI

2.1 Business Associate Obligations
Business Associate shall not use or disclose PHI except as necessary to perform the functions, activities, or services specified in the underlying service agreement for which the PHI is provided, or as required by law. Business Associate shall limit its uses and disclosures to those necessary to accomplish the purpose of the service agreement.

2.2 Safeguards for PHI
Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of PHI received, maintained, or transmitted on behalf of the Covered Entity.
These safeguards shall include:
● Encryption of ePHI at rest using AES-256 or equivalent
● Encryption of ePHI in transit using TLS 1.2 or higher
● Access controls limiting PHI access to authorized personnel only
● Multi-factor authentication for all systems containing ePHI
● Audit logging and monitoring of all ePHI access
● Regular security risk assessments and vulnerability testing
● Employee training on HIPAA privacy and security requirements
● Business continuity and disaster recovery planning

2.3 Syntari-Specific Security Measures
In addition to the general safeguards outlined in Section 2.2, Syntari AI implements the following security measures:
● ISO 27001 certification for information security management
● SOC 2 Type 2 audit compliance
● Dedicated security operations center (SOC) monitoring ePHI
● Data residency restrictions with US-only processing
● Immutable audit logs with 7-year retention for compliance
● Quarterly penetration testing by independent third parties
● Encryption key management with hardware security modules (HSM)
● Network segmentation isolating HIPAA-compliant systems

2.4 Use Restrictions
Business Associate shall not use PHI for any purpose other than:
● Performance of services specified in the underlying service agreement
● Healthcare operations, including quality improvement and compliance
● De-identified data analysis (where PHI has been properly de-identified)
● Compliance with legal requirements and law enforcement requests
Business Associate shall not use PHI for marketing, fundraising, or any commercial purpose without explicit prior written authorization from the Covered Entity.

2.5 Disclosure Restrictions
Business Associate shall not disclose PHI except:
● To Covered Entity or its authorized representatives
● As required by law or court order
● To subcontractors who have been vetted and entered into Business Associate Agreements
● As authorized in writing by the Covered Entity
● In response to a valid subpoena, discovery request, or court order (with notice to Covered Entity)

2.6 Breach Notification
Business Associate shall notify the Covered Entity of a Security Incident or Breach within 48 hours of discovery or reasonable suspicion of a Breach. The notification shall include:
● Date and time of the Breach
● Date and time of discovery
● Description of the PHI involved (types and approximate volume)
● Number of individuals whose PHI was affected
● Description of the Breach (how it occurred, unauthorized access/use/disclosure)
● Mitigation steps taken to secure PHI
● Contact information for further questions
Business Associate shall provide continuing updates as information becomes available. For Breaches affecting more than 500 individuals, notification shall be provided within 24 hours of discovery.

2.7 Subcontractors
Business Associate shall not contract with any subcontractor or subprocessor to receive, access, or use PHI unless:
● The subcontractor agrees in writing to comply with terms consistent with this Agreement
● The subcontractor is listed in Schedule A - Subprocessors
● Security controls and safeguards are verified through third-party audits
Business Associate shall be responsible for ensuring all subcontractors comply with HIPAA regulations and this Agreement.

2.8 Business Associate Contracts with Subcontractors
Business Associate shall require all subcontractors with access to PHI to enter into written agreements that include:
● HIPAA compliance obligations equivalent to this Agreement
● Limitations on uses and disclosures of PHI
● Safeguard and security requirements
● Breach notification obligations (within 48 hours)
● Availability of PHI for access and amendment requests
● Termination and return/destruction of PHI clauses
● Third-party audit provisions

2.9 Availability and Access to PHI
Business Associate shall:
● Make PHI available for access and amendment by Covered Entity as required by the Privacy Rule
● Provide the Covered Entity with access to PHI within 5 business days of request
● Maintain PHI in accessible formats
● Provide a complete accounting of disclosures as required by HIPAA
● Retain audit logs for minimum of 7 years

2.10 AI Feature HIPAA Restrictions
Business Associate acknowledges that not all AI features are designed for or suitable for processing Protected Health Information. The following restrictions apply:
● PHI may only be processed through AI features explicitly designated as "HIPAA-Compliant" by Syntari AI
● Covered Entity shall not input PHI into non-HIPAA-compliant AI features, generative models, or services
● Business Associate shall maintain and provide a current list of HIPAA-compliant AI features
● Business Associate shall prominently display which features are and are not HIPAA-compliant in its documentation and user interface
● Non-HIPAA-compliant features may include: general analytics, content generation, data visualization, and third-party integrations
Covered Entity is responsible for ensuring users only input PHI into designated HIPAA-compliant features. Business Associate is not liable for Breaches resulting from Covered Entity's failure to comply with these restrictions.

2.11 AI Provider Healthcare Addendums
Business Associate relies on third-party AI providers for certain AI features and analytics. Syntari AI maintains healthcare addendums with applicable providers that include:
● HIPAA compliance obligations
● Data processing restrictions specific to PHI
● Encryption and security requirements
● Breach notification obligations
● Data retention and destruction requirements
Provider-specific restrictions on PHI processing are disclosed in Schedule A. Covered Entity is responsible for reviewing these restrictions before processing any PHI through Syntari AI services.

2.12 Minimum Necessary for AI Processing
Business Associate shall configure all AI features to process only the Minimum Necessary PHI required to accomplish the specified healthcare purpose. Implementation includes:
● PHI data fields are limited to those explicitly required for the AI feature
● De-identification techniques applied where feasible, consistent with the de-identification standard at 45 CFR 164.514(b) (for example, removing patient identifiers, dates of service, and ages over 89 under the Safe Harbor method)
● Aggregation of data when individual records are not necessary
● Automated filters preventing unnecessary PHI transmission to AI providers
● Configuration options allowing Covered Entity to specify data field restrictions
Covered Entity shall review and approve the Minimum Necessary configuration prior to processing any PHI.

3. COVERED ENTITY RIGHTS

3.1 Right to Audit and Inspection
Covered Entity has the right to:
● Audit Business Associate's books, records, and security controls
● Conduct inspections of facilities where PHI is stored or processed
● Interview Business Associate personnel regarding HIPAA compliance
● Review third-party audit reports (SOC 2, ISO 27001)
● Request security incident reports and breach notifications

3.2 Right to Terminate
Covered Entity may terminate this Agreement without cause upon 30 days' written notice, and may terminate for cause as set out in Section 4.1, including where Business Associate breaches a material term of this Agreement and fails to cure the breach within 30 days of written notice.

3.3 Return or Destruction of PHI
Upon termination of the underlying service agreement, Business Associate shall:
● Return all PHI to Covered Entity in usable electronic format within 30 days, or
● Securely destroy all PHI if return is infeasible (with written certification of destruction)
● Ensure all subcontractors return or destroy PHI on the same timeline
● Retain audit logs for a minimum of 7 years for compliance verification

4. TERMINATION

4.1 Termination for Cause
Covered Entity may terminate this Agreement immediately upon written notice if:
● Business Associate materially breaches any provision of this Agreement and cure is not possible, or fails to cure the breach within 30 days of written notice
● Business Associate is found in violation of HIPAA regulations
● Business Associate experiences a material Security Incident or Breach
● Business Associate's security certifications (ISO 27001, SOC 2) are revoked or significantly downgraded

4.2 Termination Without Cause
Covered Entity may terminate this Agreement at any time without cause upon 30 days' written notice to Business Associate.

4.3 Obligations Upon Termination
Upon termination, Business Associate shall:
● Cease all uses and disclosures of PHI
● Return all PHI to Covered Entity in usable electronic format within 30 days
● Destroy all copies of PHI not returned (with written certification)
● Provide a final accounting of all disclosures
● Ensure all subcontractors comply with these termination obligations
If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to the retained PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for as long as Business Associate maintains the PHI.

5. ADMINISTRATIVE PROVISIONS

5.1 Effective Date and Duration
This Agreement is effective as of February 23, 2026, and shall continue until terminated by either party in accordance with Section 4.

5.2 Amendment
Covered Entity may amend this Agreement to comply with changes in HIPAA regulations upon 30 days' written notice. Business Associate shall comply with amendments to maintain HIPAA compliance. If Business Associate cannot comply with amendments, Covered Entity may terminate without penalty.

5.3 Notices
All notices under this Agreement shall be in writing and delivered by:
● Personal delivery
● Overnight courier (FedEx, UPS)
● Certified mail, return receipt requested
● Email with read receipt (for non-legal notices)

5.4 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the United States and applicable state laws where Covered Entity is located, without regard to conflict of law principles.

5.5 Entire Agreement
This Agreement, together with the underlying service agreement and all schedules and exhibits, constitutes the entire agreement between the parties regarding the use and disclosure of PHI and supersedes all prior negotiations, representations, and agreements.

5.6 Severability
If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

5.7 Waiver
No waiver of any provision of this Agreement shall be effective unless in writing and signed by the waiving party. A waiver of any breach shall not constitute a waiver of any subsequent breach.

5.8 Independent Contractors
Business Associate is an independent contractor. Nothing in this Agreement creates a partnership, joint venture, agency, or employment relationship between the parties.

SCHEDULE A - SUBPROCESSORS WITH ACCESS TO PHI

Effective Date: February 23, 2026

The following subprocessors have been authorized to process PHI on behalf of Syntari AI. All subprocessors have executed Business Associate Agreements consistent with HIPAA requirements.

Anthropic, Inc. (Claude API)
● Service Description: AI-powered analytics, content analysis, and text generation
● Data Processing Location: United States (multi-region)
● Security Safeguards: SOC 2 Type 2 certified, AES-256 encryption, TLS 1.2+
● Special Restrictions: Only HIPAA-compliant API tier. No training or fine-tuning on PHI.

OpenAI, LLC
● Service Description: AI-powered analytics and content generation
● Data Processing Location: United States
● Security Safeguards: SOC 2 Type 2 certified, AES-256 encryption, TLS 1.2+
● Special Restrictions: Requires signed Healthcare Addendum. No model training on PHI.

Google LLC (Gemini API)
● Service Description: AI-powered analytics and content analysis
● Data Processing Location: United States (multi-region)
● Security Safeguards: ISO 27001, SOC 2 Type 2 certified, AES-256 encryption
● Special Restrictions: Clinical use restrictions apply. Data retention: 30 days maximum.

Amazon Web Services (AWS)
● Service Description: Cloud infrastructure, data storage, and compute
● Data Processing Location: United States (configurable regions)
● Security Safeguards: SOC 2 Type 2, ISO 27001, HIPAA BAA signed
● Special Restrictions: HIPAA-eligible services only. Encryption mandatory.

Notes on Subprocessor Selection
● All subprocessors maintain separate Business Associate Agreements with Syntari AI
● Subprocessors undergo annual security audits and risk assessments
● Healthcare Addendums are maintained on file and available upon request
● Any new subprocessor addition requires 30 days' written notice to Covered Entity
● Covered Entity may request removal of a subprocessor with 30 days' notice
● All subprocessors must comply with Minimum Necessary principles

SCHEDULE B - DATA PROCESSING ADDENDUM

This Data Processing Addendum (DPA) applies to the processing of Personal Data (including PHI) under this Business Associate Agreement.

Data Processing Details
● Data Controller: Covered Entity
● Data Processor: Syntari AI, Inc.
● Processing Purpose: Healthcare operations, analytics, and service delivery
● Data Categories: Patient demographics, medical history, clinical notes, diagnoses, medications, lab results
● Data Subject Categories: Patients of Covered Entity
● Duration: Term of underlying service agreement

Security Measures
Business Associate implements the following technical and organizational measures:
● Encryption: AES-256 at rest, TLS 1.2+ in transit
● Access Control: Role-based access control (RBAC), multi-factor authentication
● Monitoring: 24/7 security operations center monitoring
● Incident Response: 24-hour security incident response team
● Backup: Daily encrypted backups with tested recovery
● Audit: Quarterly vulnerability assessments and quarterly penetration testing by independent third parties, as set out in Section 2.3
● Personnel: Background checks, HIPAA training, confidentiality agreements

Data Subject Rights
Business Associate shall:
● Provide assistance to Covered Entity in fulfilling data subject access requests
● Provide corrections, deletions, and data portability upon request
● Document all data subject requests and Covered Entity responses
● Provide accounting of disclosures as required by HIPAA

Subprocessor Management
Business Associate shall:
● Maintain updated list of all subprocessors (Schedule A)
● Provide Covered Entity with 30 days' prior written notice before engaging any new subprocessor, as set out in Schedule A
● Impose equivalent data protection obligations on subprocessors
● Remain liable for subprocessor compliance

Data Deletion and Return
Upon termination or Covered Entity request, Business Associate shall:
● Return PHI to Covered Entity within 30 days in usable electronic format
● Securely delete all copies of PHI (with written certification)
● Provide attestation of deletion from all subprocessors
● Retain only audit logs required for compliance verification

Compliance and Audit
Business Associate shall:
● Maintain SOC 2 Type 2 and ISO 27001 certifications and ongoing compliance with the HIPAA Privacy, Security, and Breach Notification Rules
● Provide audit reports to Covered Entity upon request
● Submit to Covered Entity audits and inspections
● Report security incidents within 48 hours of discovery
● Maintain audit logs for minimum 7 years