Business Associate Agreement
This Business Associate Agreement ("BAA") applies when a clinic that is a HIPAA covered entity uses RelyCare to create, receive, maintain, or transmit protected health information ("PHI"). The clinic is the Covered Entity. Adham Yasser, trading as RelyCare, is the Business Associate.
Scope
This BAA is intended to sit alongside the RelyCare Terms of Service and Privacy Policy. If this BAA conflicts with those documents for HIPAA-regulated PHI, this BAA controls.
1. Definitions
Terms such as Breach, Designated Record Set, Individual, Minimum Necessary, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, Use, and Disclosure have the meanings given to them in the HIPAA Rules at 45 CFR Parts 160 and 164.
2. Permitted Uses and Disclosures
RelyCare may use and disclose PHI only as necessary to provide the RelyCare service, comply with this BAA and the Terms, support clinic instructions, maintain and secure the platform, perform legally permitted health care operations support, and as Required by Law.
RelyCare will not use or disclose PHI in a way that would violate the HIPAA Privacy Rule if done by the clinic, except for uses permitted to business associates under HIPAA, including proper management and administration and legal responsibilities of RelyCare.
3. Safeguards
RelyCare will use appropriate administrative, technical, and physical safeguards designed to prevent uses or disclosures of PHI other than those permitted by this BAA. For electronic PHI, RelyCare will comply with applicable requirements of the HIPAA Security Rule. These safeguards include:
- Role-based access and per-clinic data separation.
- HTTPS/TLS in transit and infrastructure encryption at rest.
- Application-level encryption for retained clinical SOAP notes, evidence artifacts, and AI traces.
- Audit logging for key clinic actions, including exports and agreement acceptance.
- Raw audio deletion after session finalization, with transcripts and finalized clinical records retained according to the clinic record lifecycle.
4. Reporting
RelyCare will report to the clinic any use or disclosure of PHI not permitted by this BAA, including a Breach of Unsecured PHI, without unreasonable delay after discovery. RelyCare will also report Security Incidents as required by HIPAA; routine unsuccessful security events such as automated scans may be reported in aggregate or through security notices unless they materially affect PHI.
5. Subcontractors
RelyCare may use subprocessors and subcontractors to provide infrastructure, storage, AI processing, monitoring, communications, and other service functions. RelyCare will require subcontractors that create, receive, maintain, or transmit PHI on RelyCare's behalf to agree to restrictions and safeguards that are no less protective than those required by this BAA.
6. Individual Rights and Clinic Assistance
RelyCare will make PHI in a Designated Record Set available to the clinic as necessary for the clinic to satisfy access obligations under 45 CFR 164.524. RelyCare will support amendment, accounting of disclosures, restriction, and other HIPAA obligations to the extent RelyCare holds the relevant PHI and the clinic requests reasonable assistance.
Patient or caregiver requests received directly by RelyCare will normally be directed back to the clinic unless the clinic has instructed RelyCare otherwise or the law requires a different response.
7. Access by HHS
RelyCare will make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services as required to determine HIPAA compliance.
8. Return or Destruction
At termination of the service relationship, RelyCare will return or destroy PHI where feasible and as required by this BAA, the Terms, and applicable law. If return or destruction is not feasible, RelyCare will extend the protections of this BAA to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
9. Clinic Responsibilities
The clinic remains responsible for its HIPAA compliance program, patient notices and authorizations, minimum necessary policies, workforce access decisions, professional record retention, and review of AI-generated documentation before finalization or disclosure.
10. Term and Termination
This BAA begins when an authorised clinic representative accepts it electronically or otherwise signs it. Either party may terminate this BAA if the other party materially breaches it and fails to cure the breach within a reasonable period after written notice. RelyCare may suspend PHI processing if continued processing creates a legal or security risk.
11. Electronic Signature
A clinic owner or authorised representative may accept this BAA electronically in RelyCare. By checking the BAA acceptance box and completing the action, the signer confirms authority to bind the clinic and adopts that action as an electronic signature. RelyCare records the agreement version, signer account, timestamp, IP address, and user agent.
12. Contact
Legal review
This document is based on HIPAA business associate contract requirements and should be reviewed with counsel for your clinic's jurisdiction, payer obligations, and operating model.