Business Associate Addendum for Therapy Scribe
Last Updated: 7th September 2025
This Business Associate Agreement ("BAA") is entered into by and between LEFT EQUALS RIGHT PTY. LTD. ("Business Associate", "we", "our", or "us") and you or the entity you represent ("Covered Entity"), and is effective as of the date you accept the Therapy Scribe Terms of Service (the "Effective Date"). By agreeing to the Terms of Service, this BAA is automatically incorporated and does not require separate execution. If your organization needs a signed copy for records, you may request one by contacting us at hello@therapyscribe.app.
WHEREAS, the parties have entered into the Terms of Service under which the Business Associate provides certain services to the Covered Entity that may involve the use or disclosure of Protected Health Information ("PHI");
WHEREAS, pursuant to such Terms of Service, the Business Associate may qualify as a "business associate" of the Covered Entity under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and the regulations promulgated thereunder (collectively, the "HIPAA Regulations");
WHEREAS, the parties seek to ensure the privacy and security of PHI in compliance with the HIPAA Regulations;
NOW, THEREFORE, in consideration of the mutual covenants herein and the services provided under the Terms of Service, the parties agree as follows:
1. Definitions
Unless otherwise defined herein, capitalized terms shall have the meanings assigned in the HIPAA Regulations (45 C.F.R. Parts 160, 162, and 164).
- "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Regulations which compromises the security or privacy of the PHI.
- "De-Identified Data" means health information that has been de-identified in accordance with 45 C.F.R. § 164.514.
- "Discovery" means the first day on which a Breach is known to the Business Associate or, by exercising reasonable diligence, would have been known.
- "Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services.
2. Permitted Uses and Disclosures by Business Associate
a. General Use and Disclosure. The Business Associate may use or disclose PHI only as necessary to perform the services set forth in the Terms of Service, as permitted or required by this BAA, or as required by law.
b. Specific Uses. The Business Associate may use PHI: (i) for its proper management and administration; (ii) to carry out its legal responsibilities; or (iii) to provide data aggregation services relating to the health care operations of the Covered Entity, if requested.
c. De-Identification. The Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514 and may use or disclose such De-Identified Data for any lawful purpose, as it is no longer PHI.
d. Prohibited Uses. The Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Regulations if done by the Covered Entity, except as expressly permitted herein.
3. Obligations of Business Associate
a. Safeguards. The Business Associate shall implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, in compliance with the HIPAA Security Rule (45 C.F.R. § 164.302 et seq.).
b. Subcontractors. The Business Associate shall ensure that any subcontractor to whom it provides PHI agrees in writing to restrictions and conditions substantially similar to those in this BAA.
c. Reporting. The Business Associate shall report to the Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware, including Breaches of Unsecured PHI, without unreasonable delay and in no case later than ten (10) business days after Discovery. Such report shall include, to the extent available: the nature of the incident, the PHI involved, the individuals affected, and corrective actions taken.
d. Mitigation. The Business Associate shall mitigate, to the extent practicable, any harmful effects from a use or disclosure of PHI in violation of this BAA.
e. Access to PHI. At the request of the Covered Entity, the Business Associate shall provide access to PHI in a Designated Record Set to the Covered Entity or, as directed, to an Individual, in the time and manner specified, to meet the requirements of 45 C.F.R. § 164.524.
f. Amendment of PHI. The Business Associate shall make amendments to PHI in a Designated Record Set as directed by the Covered Entity, in the time and manner specified, to meet the requirements of 45 C.F.R. § 164.526.
g. Accounting of Disclosures. The Business Associate shall maintain and make available information required for the Covered Entity to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
h. Availability of Books and Records. The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Regulations.
i. Minimum Necessary. The Business Associate shall limit its requests, uses, and disclosures of PHI to the minimum necessary to accomplish the intended purpose.
j. Breach Notification. In the event of a Breach of Unsecured PHI, the Business Associate shall notify the Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days after Discovery, providing information required under 45 C.F.R. § 164.410.
4. Obligations of Covered Entity
a. Notice of Privacy Practices. The Covered Entity shall provide the Business Associate with its notice of privacy practices and notify the Business Associate of any changes that affect the Business Associate’s use or disclosure of PHI.
b. Permissions and Restrictions. The Covered Entity shall notify the Business Associate of any changes in, or revocation of, authorization by an Individual, or any restriction agreed to under 45 C.F.R. § 164.522, that affects the Business Associate’s permitted uses or disclosures.
c. Permissible Requests. The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if done by the Covered Entity.
5. Term and Termination
a. Term. This BAA shall commence on the Effective Date and continue until all PHI provided to the Business Associate is destroyed or returned to the Covered Entity, or, if return or destruction is infeasible, protections are extended in accordance with this Section.
b. Termination for Cause. Upon either party's knowledge of a material breach by the other, the non-breaching party shall provide an opportunity to cure the breach within thirty (30) days. If the breach is not cured, the non-breaching party may terminate this BAA and the Terms of Service.
c. Automatic Termination. This BAA shall terminate automatically upon termination of the Terms of Service.
d. Effect of Termination. Upon termination, the Business Associate shall return or destroy all PHI, including copies, and certify such action. If return or destruction is infeasible (e.g., due to legal requirements), the Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes making return or destruction infeasible. This provision survives termination.
6. Regulatory Changes and Amendments
The parties agree to negotiate in good faith to amend this BAA as necessary to comply with changes in the HIPAA Regulations or other applicable laws. If agreement cannot be reached within thirty (30) days, either party may terminate this BAA upon written notice.
7. Miscellaneous
a. No Third-Party Beneficiaries. Nothing in this BAA shall confer upon any person other than the parties and their successors any rights, remedies, obligations, or liabilities.
b. Interpretation. Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Regulations. References to sections of the HIPAA Regulations include such sections as amended and in effect.
c. Entire Agreement. This BAA, together with the Terms of Service, constitutes the entire agreement regarding PHI and supersedes prior understandings.
d. Severability. If any provision is held invalid, the remainder shall continue in effect.
e. Governing Law. This BAA shall be governed by the laws of the State of Delaware, without regard to conflicts of laws principles, and applicable federal law, including the HIPAA Regulations.
f. Notices. Notices shall be sent to the addresses provided in the Terms of Service or via email to hello@therapyscribe.app for the Business Associate.
By accepting the Terms of Service, the Covered Entity agrees to the terms of this BAA.