Business Associate Agreement

Last updated: April 16, 2026

Effective Date: April 16, 2026

This Business Associate Agreement (the “BAA”) is entered into by and between (i) the healthcare provider, health plan, healthcare clearinghouse, business associate, organization, or other entity agreeing to this BAA (“Covered Entity”) and (ii) AidMi Health, Inc., a Delaware corporation (“Business Associate”, “we”, “us”, or “our”).

This BAA supplements and is incorporated into the Terms of Service, order form, services agreement, or other written agreement governing Covered Entity’s use of Aimé (the “Underlying Agreement”). This BAA is intended to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”).

This BAA applies only to the extent Business Associate creates, receives, maintains, or transmits PHI on behalf of Covered Entity in providing the Service.

1. Definitions

Capitalized terms not defined in this BAA have the meanings given to them in the HIPAA Rules.

  • “Breach” has the meaning in 45 C.F.R. Section 164.402.
  • “Designated Record Set” has the meaning in 45 C.F.R. Section 164.501.
  • “ePHI” means PHI transmitted by or maintained in electronic media.
  • “PHI” means Protected Health Information as defined in 45 C.F.R. Section 160.103, limited to PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • “Security Incident” has the meaning in 45 C.F.R. Section 164.304.
  • “Service” means the Aimé platform and related services described in the Underlying Agreement, including the web application, Chrome Extension, Ask Aimé, transcription, clinical documentation, EHR workflow, and related support.
  • “Subcontractor” means a subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate.
  • “Unsecured PHI” has the meaning in 45 C.F.R. Section 164.402.

2. Permitted Uses and Disclosures by Business Associate

Business Associate may use and disclose PHI only as permitted or required by this BAA, the Underlying Agreement, Covered Entity’s written instructions, or law.

Business Associate may use and disclose PHI as necessary to:

  • provide, operate, maintain, secure, support, troubleshoot, and improve the Service for Covered Entity;
  • perform recording or audio capture when initiated or directed by Covered Entity or its authorized users;
  • transmit audio, transcripts, prompts, patient context, and related information for transcription, diarization, clinical-note generation, Ask Aimé answers, citation-backed evidence retrieval, draft generation, documentation support, billing or audit suggestions, EHR field detection, and EHR note-filling workflows;
  • store and retrieve transcripts, notes, session metadata, patient context, documents, chat messages, citations, audit logs, and related Service records;
  • provide customer support, security monitoring, incident response, account administration, backup, disaster recovery, and technical operations;
  • perform data aggregation services relating to Covered Entity’s healthcare operations, if applicable;
  • de-identify PHI in accordance with 45 C.F.R. Section 164.514(a)-(c);
  • carry out Business Associate’s proper management and administration or legal responsibilities, subject to the limits in the HIPAA Rules.

Business Associate may use or disclose PHI as required by law.

If Business Associate receives a subpoena, court order, warrant, or other legal process seeking PHI maintained on behalf of Covered Entity, and where legally permitted and reasonably practicable, Business Associate will make reasonable efforts to notify Covered Entity before disclosing the requested PHI so Covered Entity may seek a protective order, move to quash, or pursue another available remedy. Business Associate may disclose PHI without prior notice if notice is legally prohibited, if the legal process requires immediate disclosure, or if Business Associate reasonably believes notice would create a risk of harm, fraud, security compromise, or legal violation.

Business Associate will not:

  • use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except for uses and disclosures specifically permitted for Business Associate’s management, administration, legal responsibilities, or data aggregation;
  • sell PHI;
  • use PHI for advertising or cross-context behavioral advertising;
  • use PHI, Customer Content, raw audio, transcripts, clinical notes, prompts, chat messages, patient context, or clinical narratives to train first-party or third-party AI models without Covered Entity’s explicit, opt-in written authorization;
  • permit Subcontractors to use PHI or Customer Content to train their general-purpose models for their own purposes.

3. Obligations of Business Associate

Business Associate agrees to:

  • Limit uses and disclosures. Not use or disclose PHI other than as permitted or required by this BAA, the Underlying Agreement, Covered Entity’s written instructions, or law.
  • Safeguards. Use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as permitted by this BAA.
  • Security Rule compliance. Comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI.
  • Minimum necessary. Apply the minimum-necessary standard to uses, disclosures, and requests for PHI to the extent required by the HIPAA Rules.
  • Reporting. Report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which Business Associate becomes aware, any Security Incident of which Business Associate becomes aware, and any Breach of Unsecured PHI as described in Section 5.
  • Mitigation. Mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of this BAA.
  • Subcontractors. Ensure that Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI.
  • Access. Make PHI in a Designated Record Set maintained by Business Associate available to Covered Entity, or at Covered Entity’s direction to an individual or designee, as necessary for Covered Entity to satisfy its obligations under 45 C.F.R. Section 164.524.
  • Amendment. Make PHI in a Designated Record Set available for amendment and incorporate amendments as directed by Covered Entity, as required by 45 C.F.R. Section 164.526.
  • Accounting of disclosures. Maintain and make available information required for Covered Entity to provide an accounting of disclosures, as required by 45 C.F.R. Section 164.528.
  • Covered Entity obligations. To the extent Business Associate carries out a Covered Entity obligation under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to Covered Entity in performing that obligation.
  • HHS access. Make Business Associate’s internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of HHS for purposes of determining Covered Entity’s compliance with the HIPAA Rules.

Business Associate acknowledges that routine unsuccessful security events, such as pings, port scans, unsuccessful login attempts, denial-of-service noise, or similar events, occur regularly. Business Associate is not required to report each such unsuccessful event unless it results in unauthorized access, use, disclosure, modification, or destruction of ePHI or otherwise constitutes a reportable Security Incident or Breach under this BAA.

4. Security Safeguards

Business Associate will implement and maintain reasonable and appropriate safeguards designed to protect ePHI, including where applicable:

  • encryption in transit using TLS or equivalent safeguards;
  • encryption at rest for production storage systems where ePHI is stored;
  • role-based access controls, unique user IDs, least-privilege policies, and session controls;
  • authentication controls, including support for OAuth-based flows and additional controls where available;
  • tenant and organization separation controls;
  • audit logging for access to and actions involving PHI-sensitive resources;
  • logging and error-handling controls designed to reduce PHI exposure;
  • restrictions designed to keep analytics payloads free of PHI;
  • backup, disaster-recovery, incident-response, vulnerability-management, and security-monitoring procedures;
  • controls for AI, transcription, and model-processing infrastructure used with PHI, including appropriate contractual protections with applicable Subcontractors.

Business Associate will periodically review and update safeguards as reasonably necessary to address risks, vulnerabilities, or changes in the Service.

5. Breach Notification

Business Associate will notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay after discovery. Business Associate will target notification within ten (10) business days after discovery where reasonably practicable, and in all cases will notify no later than fifteen (15) business days after discovery by Business Associate and in no event later than sixty (60) calendar days after discovery (the outer limit set by 45 C.F.R. Section 164.410), unless a law-enforcement delay under 45 C.F.R. Section 164.412 applies.

To the extent reasonably available, Business Associate’s notice will include:

  • identification of each individual whose Unsecured PHI was or is reasonably believed to have been involved;
  • a description of the Breach, including the date of the Breach and discovery if known;
  • the types of PHI involved;
  • steps individuals should take to protect themselves, if applicable;
  • a description of what Business Associate has done or is doing to investigate, mitigate harm, and prevent recurrence;
  • any other information reasonably required for Covered Entity to meet its notification obligations under the HIPAA Rules.

Business Associate will cooperate with Covered Entity’s breach investigation and notification obligations. Covered Entity remains responsible for determining whether notice to individuals, HHS, media, regulators, or others is required unless the parties separately agree in writing that Business Associate will provide some or all notices on Covered Entity’s behalf.

6. Covered Entity Responsibilities

As the licensed professional, healthcare organization, or business associate with the direct patient relationship or customer relationship, Covered Entity is best positioned to manage the following obligations. Business Associate will support Covered Entity through the Service, documentation, and reasonable cooperation as described in this BAA.

Covered Entity agrees to:

  • use the Service only in accordance with the Underlying Agreement, this BAA, the HIPAA Rules, and applicable law;
  • obtain and document all required patient consents, authorizations, notices, and restrictions for recording, transcription, AI processing, EHR workflows, and other Service uses;
  • notify Business Associate of limitations in Covered Entity’s notice of privacy practices to the extent they may affect Business Associate’s use or disclosure of PHI;
  • notify Business Associate of changes in, or revocation of, permission by an individual to use or disclose PHI to the extent they may affect Business Associate’s use or disclosure of PHI;
  • notify Business Associate of any restriction on use or disclosure of PHI that Covered Entity has agreed to or is required to follow to the extent it may affect Business Associate’s use or disclosure of PHI;
  • not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except for uses and disclosures specifically permitted for Business Associate’s management, administration, legal responsibilities, or data aggregation;
  • determine whether Customer Content is subject to 42 C.F.R. Part 2, state mental-health privacy laws, psychotherapy-note restrictions, substance-use-disorder confidentiality requirements, minor-consent rules, reproductive-health privacy rules, or other specially protected-information laws, and provide required instructions or restrictions before submitting such information to the Service;
  • configure user access, EHR access, browser extension use, third-party systems, and organization settings appropriately.

Business Associate will process specially protected information according to Covered Entity’s documented instructions, this BAA, and the Underlying Agreement. Business Associate does not promise that the Service automatically detects or segregates every category of Part 2, psychotherapy-note, minor, state-law, or other specially protected information unless a specific written agreement or product configuration expressly says so.

7. De-Identification, Aggregated Data, and Model Training

Business Associate may de-identify PHI in accordance with 45 C.F.R. Section 164.514(a)-(c), using a permitted method such as Safe Harbor or Expert Determination. Once information has been properly de-identified under HIPAA, it is no longer PHI. Business Associate may use and disclose de-identified or aggregated information for internal analytics, security, operations, quality improvement, product improvement, research, development, and other lawful purposes, provided Business Associate does not attempt to re-identify the information except as permitted by law.

Business Associate’s de-identification rights are limited by the no-training covenant in Section 2. Business Associate will not use de-identified behavioral-health narratives, therapy transcripts, clinical notes, prompts, patient context, or other clinical Customer Content to train first-party or third-party AI models unless Covered Entity gives explicit, opt-in written authorization.

Business Associate will not sell, license, publish, or externally share de-identified behavioral-health narratives, therapy transcripts, clinical notes, prompts, patient context, or patient-level clinical insights as clinical research or commercial data products without Covered Entity’s explicit, opt-in written authorization. This does not prevent Business Associate from using operational telemetry, performance data, error data, security signals, usage patterns, or aggregate workflow information for internal Service improvement, security, reliability, and compliance purposes.

Raw audio is temporary processing data for transcription, diarization, and note-generation workflows and is deleted or discarded after transcription or note generation unless Covered Entity enables an audio-storage feature, gives a documented instruction requiring retention, or retention is required for legal hold, security investigation, support troubleshooting with appropriate permission, or similar compliance need.

8. Subcontractors

Business Associate may use Subcontractors to provide hosting, storage, transcription, AI/model processing, authentication, security, monitoring, support, analytics, payment, communications, and other services. Business Associate will ensure Subcontractors that create, receive, maintain, or transmit PHI on Business Associate’s behalf agree to restrictions and conditions at least as protective as those required by this BAA.

Covered Entity may request a current list of applicable Subcontractors by emailing team@aime.med with the subject line “Subprocessor List Request”.

9. Access, Amendment, and Accounting Requests

Covered Entity is responsible for receiving and responding to individual requests for access, amendment, restriction, confidential communications, and accounting of disclosures unless the parties agree otherwise in writing.

Business Associate will reasonably cooperate with Covered Entity to fulfill such requests to the extent Business Associate maintains responsive PHI in a Designated Record Set and the request is required by the HIPAA Rules.

If Business Associate receives a request directly from an individual regarding PHI maintained on behalf of Covered Entity, Business Associate may direct the individual to Covered Entity unless otherwise required by law or instructed by Covered Entity.

10. Term and Termination

This BAA is effective when Covered Entity accepts it, executes an order form incorporating it, or first uses the Service in a way that causes Business Associate to create, receive, maintain, or transmit PHI on Covered Entity’s behalf. It remains in effect for as long as Business Associate maintains PHI on behalf of Covered Entity.

Either party may terminate this BAA and, if applicable, the Underlying Agreement for cause if the other party materially breaches this BAA and fails to cure the breach within 30 days after written notice, unless cure is not reasonably possible.

Upon termination of this BAA or the Underlying Agreement, Business Associate will, at Covered Entity’s written election, return or destroy PHI in Business Associate’s possession or control, to the extent feasible and legally permitted. If return or destruction is not feasible, or if retention is required for backup integrity, audit logs, security logs, legal obligations, dispute resolution, or Business Associate’s management and administration, Business Associate will extend the protections of this BAA to retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible or legally required.

Where Covered Entity makes a written election to return or destroy PHI after termination, Business Associate will complete return or destruction within ninety (90) days of that written election to the extent feasible and legally permitted, except for PHI retained for legal hold, security investigation, backup integrity, audit logs, security logs, dispute resolution, legal obligations, compliance obligations, or Business Associate’s management and administration. Business Associate will return or destroy retained PHI promptly after the applicable obligation or infeasibility ends, subject to technical limits and legal requirements.

Business Associate’s obligations regarding PHI survive termination for as long as Business Associate retains PHI.

11. Miscellaneous

11.1 Regulatory References

Any reference to a section of HIPAA, HITECH, or the HIPAA Rules means the section as in effect or as amended.

11.2 Amendment

This BAA will be deemed automatically amended to the extent necessary to comply with changes in the HIPAA Rules. The parties will take such further action as necessary to amend this BAA for compliance with applicable law.

11.3 Interpretation

Any ambiguity in this BAA will be interpreted to permit compliance with the HIPAA Rules.

11.4 No Third-Party Beneficiaries

Except as required by HIPAA, this BAA does not create third-party beneficiary rights.

11.5 Order of Precedence

If there is a conflict between this BAA and the Underlying Agreement regarding PHI, this BAA controls. If there is a conflict between this BAA and HIPAA, HIPAA controls to the extent required by law.

11.6 Governing Law

This BAA is governed by federal law to the extent applicable and, to the extent state law applies and is not preempted, by the laws of the State of California.

11.7 Liability

Each party is responsible for its own acts and omissions under the HIPAA Rules. Any limitation of liability, indemnification, or disclaimer in the Underlying Agreement is subject to HIPAA and may not limit either party’s obligations under this BAA to the extent prohibited by law.

12. How to Obtain a Copy or Countersigned BAA

Covered Entity may request a copy of this BAA, including an executed or countersigned version where required for its records or procurement process:

  • Email: team@aime.med
  • Subject: BAA Copy or Countersignature Request - [Your Practice Name]
  • Company: AidMi Health, Inc.
  • Mail: 320 High St, Palo Alto, CA 94301