Business Associate Agreement

Last updated: June 4, 2026

Effective Date: June 4, 2026

Aimé was built for behavioral-health work, where confidentiality is not a feature — it is part of the care relationship.

This Business Associate Agreement (“BAA”) is one way that promise takes legal form. It describes our commitments when Aimé handles Protected Health Information on your behalf — what we may do, the safeguards we keep, and what we will not do.

This BAA is entered into by and between AidMi Health, Inc. (“Business Associate”, “Aimé”, “AidMi”, “Company”, “we”, “us”, or “our”) and the customer or organization using the Service as a covered entity or business associate under HIPAA (“Covered Entity”, “you”, or “your”). This BAA is incorporated into the applicable services agreement, order form, pilot agreement, subscription agreement, online Terms of Service, or other agreement between the parties governing use of the Service (the “Underlying Agreement”).

If this BAA applies and there is a conflict between this BAA and the Underlying Agreement regarding PHI, this BAA controls.

1. Definitions

Terms used but not otherwise defined in this BAA have the meanings given to them in HIPAA, HITECH, and their implementing regulations, including 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”).

“Business Associate” means AidMi Health, Inc. to the extent it creates, receives, maintains, or transmits PHI on behalf of Covered Entity in connection with the Service.

“Connected System” means a third-party system, application, website, EHR, calendar, inbox, payer tool, clearinghouse, storage system, or other workflow tool that Covered Entity or its authorized users connect to, open, select, or direct the Service to use.

“Covered Entity” means the customer, practice, organization, or other party using the Service that is a covered entity or business associate under the HIPAA Rules and has entered into the Underlying Agreement.

“PHI” means Protected Health Information, as defined by the HIPAA Rules, that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity through the Service.

“Service” means the Aimé services provided by Business Associate to Covered Entity under the Underlying Agreement, which may include the Aimé web application, Aimé Chrome Extension, Ask Aimé, voice and recording features, transcription, clinical documentation, patient-context features, supported EHR/browser workflows, connected practice-context features, workflow records, support, and related services, in each case as made available and configured for Covered Entity.

“Subcontractor” means a subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate.

2. Permitted Uses and Disclosures by Business Associate

Business Associate may use and disclose PHI only as permitted or required by this BAA, the Underlying Agreement, or law.

Business Associate may use and disclose PHI to provide, secure, support, maintain, and improve the Service for Covered Entity, including to process recordings, transcripts, notes, patient context, limited source context, workflow records, supported EHR/browser workflows, scheduling or follow-up workflows, claim-readiness or billing-support workflows, and related support, security, compliance, and audit functions, where those features are made available and configured for Covered Entity.

Business Associate may use and disclose PHI to:

  • perform obligations under the Underlying Agreement;
  • provide transcription, documentation, patient-context, Ask Aimé, voice, recording, supported EHR/browser workflow, and practice-coordination features;
  • host, store, retrieve, transmit, and display PHI as needed to provide the Service;
  • generate, edit, maintain, export, or fill clinical notes, summaries, documentation, workflow records, and related artifacts at Covered Entity’s direction;
  • process limited source context, page context, browser/EHR state, or connected-system context where needed for supported workflows;
  • prepare, route, or complete supported workflow actions as directed by Covered Entity or its authorized users and subject to applicable product controls;
  • maintain audit logs, workflow records, security logs, support logs, and compliance records;
  • provide customer support, troubleshooting, account administration, security, abuse prevention, and service-integrity functions;
  • de-identify PHI in accordance with HIPAA;
  • use PHI for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities, provided such use or disclosure is permitted by HIPAA and this BAA;
  • disclose PHI to Subcontractors that agree to restrictions and conditions at least as protective as those in this BAA;
  • disclose PHI as required by law.

Business Associate will not sell PHI. Business Associate will not use PHI for marketing or advertising except as permitted by HIPAA and the Underlying Agreement. Business Associate will not use PHI to train first-party or third-party AI models without explicit written opt-in from Covered Entity.

3. Obligations of Business Associate

Business Associate agrees to:

  1. not use or disclose PHI other than as permitted or required by this BAA, the Underlying Agreement, or law;
  2. use appropriate safeguards and comply with the applicable requirements of the HIPAA Security Rule with respect to electronic PHI;
  3. report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Breach of Unsecured PHI as required by HIPAA, and any Security Incident of which Business Associate becomes aware;
  4. ensure that Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI;
  5. make PHI available to Covered Entity as reasonably necessary for Covered Entity to meet access obligations under HIPAA, to the extent Business Associate maintains the PHI in a Designated Record Set for Covered Entity;
  6. make PHI available for amendment and incorporate amendments as reasonably directed by Covered Entity, to the extent Business Associate maintains the PHI in a Designated Record Set for Covered Entity;
  7. make available information required to provide an accounting of disclosures, to the extent required by HIPAA;
  8. to the extent Business Associate carries out one or more of Covered Entity’s obligations under the HIPAA Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of those obligations;
  9. make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services as required by HIPAA;
  10. return, destroy, or continue to protect PHI at termination as described in this BAA;
  11. request, use, and disclose only the minimum necessary PHI where required by HIPAA.

4. Security Safeguards

Business Associate will implement administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of electronic PHI. These safeguards may include, as appropriate:

  • access controls;
  • authentication and authorization controls;
  • encryption in transit and at rest where appropriate;
  • audit logging and monitoring;
  • least-privilege access;
  • environment separation;
  • backup and recovery measures;
  • vendor and Subcontractor review;
  • incident response processes;
  • workforce confidentiality obligations;
  • controls for supported workflow actions, such as confirmation states, workflow records, and source references where available.

Business Associate may update its safeguards over time to reflect changes in the Service, threat landscape, law, and industry practices.

5. Breach Notification

Business Associate will notify Covered Entity following discovery of a Breach of Unsecured PHI as required by HIPAA. Unless a shorter period is required by the Underlying Agreement or applicable law, Business Associate will provide notification without unreasonable delay and in no case later than sixty (60) calendar days after discovery.

The notice will include, to the extent known at the time:

  • the nature of the Breach;
  • the types of PHI involved;
  • the individuals or records affected, if known;
  • steps taken or planned to investigate, mitigate, and remediate;
  • information reasonably needed by Covered Entity to meet its notification obligations.

Business Associate may provide information in phases as the investigation develops.

Business Associate is not required to notify Covered Entity of unsuccessful Security Incidents, such as pings, blocked attacks, port scans, failed login attempts, malware blocked by security tools, or other events that do not result in unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations. This paragraph constitutes notice of such unsuccessful Security Incidents.

6. Covered Entity Responsibilities

Covered Entity agrees to:

  • use the Service only as permitted by HIPAA, the Underlying Agreement, and applicable law;
  • obtain and maintain any notices, consents, authorizations, or permissions required for use of the Service;
  • configure users, roles, permissions, integrations, connected systems, and workflows appropriately;
  • ensure that users are authorized to access the PHI and Connected Systems they use with Aimé;
  • review and approve or reject outputs and workflow actions as required by professional, clinical, billing, legal, payer, and organizational obligations;
  • notify Business Associate of restrictions, limitations, or changes in permission that affect Business Associate’s use or disclosure of PHI;
  • not request Business Associate to use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity;
  • determine whether Customer Content is subject to additional protections, such as 42 C.F.R. Part 2, psychotherapy-note rules, minor-consent rules, reproductive-health-related privacy rules, or other federal, state, payer, or professional requirements, and configure use of the Service accordingly;
  • maintain its own EHR, calendar, inbox, payer, clearinghouse, and other Connected System credentials, permissions, and security controls.

Covered Entity remains responsible for clinical judgment, patient care, supervision, documentation decisions, coding and billing decisions, payer submissions, patient communications, emergency protocols, and compliance with professional obligations.

7. De-Identification, Aggregated Data, and Model Training

Business Associate may de-identify PHI in accordance with HIPAA and may use and disclose de-identified information as permitted by law. De-identified information is no longer PHI under HIPAA.

Business Associate may create and use aggregated, statistical, or operational information that does not identify Covered Entity’s patients and is not PHI, for purposes such as operating, securing, supporting, measuring, and improving the Service.

Business Associate will not use PHI, Customer Content, raw audio, transcripts, clinical notes, Ask Aimé prompts, chat messages, patient context, or clinical narratives to train first-party or third-party AI models without explicit written opt-in from Covered Entity. Business Associate will not permit AI/model providers to use PHI to train their general-purpose models for their own purposes.

8. Subcontractors

Business Associate may use Subcontractors to provide the Service. Business Associate will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI.

Business Associate remains responsible for the performance of its Subcontractors as required by HIPAA.

Covered Entity may request a current list of applicable Subcontractors by emailing team@aime.med with the subject line “Subprocessor List Request”.

9. Access, Amendment, and Accounting Requests

To the extent Business Associate maintains PHI in a Designated Record Set for Covered Entity, Business Associate will make PHI available to Covered Entity as reasonably necessary for Covered Entity to satisfy access and amendment obligations under HIPAA. Business Associate will also make available information required for Covered Entity to provide an accounting of disclosures, to the extent required by HIPAA.

Covered Entity is responsible for receiving, evaluating, and responding to individual requests unless the parties agree otherwise in writing.

10. Term and Termination

This BAA begins on the earliest of the date Covered Entity accepts it, uses the Service in a manner that involves PHI, or enters into the Underlying Agreement that incorporates this BAA. It remains in effect for as long as Business Associate creates, receives, maintains, or transmits PHI on behalf of Covered Entity.

Upon termination of the Underlying Agreement, Business Associate will return or destroy PHI if feasible and as required by HIPAA, the Underlying Agreement, and applicable law. If return or destruction is not feasible, Business Associate will continue to protect the PHI in accordance with this BAA and limit further uses and disclosures to those purposes that make return or destruction infeasible.

If Covered Entity determines that Business Associate has violated a material term of this BAA, Covered Entity may terminate this BAA and, to the extent applicable, the Underlying Agreement. If Covered Entity gives Business Associate an opportunity to cure, Covered Entity may terminate if Business Associate does not cure the violation within the time specified by Covered Entity. If termination is not feasible, Covered Entity may report the issue to the Secretary of the U.S. Department of Health and Human Services, as permitted or required by HIPAA.

11. Miscellaneous

11.1 Regulatory References

Any reference to HIPAA, HITECH, or the HIPAA Rules means the applicable law or regulation as in effect or as amended.

11.2 Amendment

This BAA will be deemed automatically amended to the extent necessary to comply with changes in the HIPAA Rules. The parties will take further action as necessary to amend this BAA for compliance with applicable law.

11.3 Interpretation

Any ambiguity in this BAA will be interpreted to permit compliance with the HIPAA Rules.

11.4 No Third-Party Beneficiaries

Except as required by HIPAA, this BAA does not create third-party beneficiary rights.

11.5 Order of Precedence

If there is a conflict between this BAA and the Underlying Agreement regarding PHI, this BAA controls. If there is a conflict between this BAA and HIPAA, HIPAA controls to the extent required by law.

11.6 Governing Law

This BAA is governed by federal law to the extent applicable and, to the extent state law applies and is not preempted, by the laws of the State of California.

11.7 Liability

Each party is responsible for its own acts and omissions under the HIPAA Rules. Any limitation of liability, indemnification, or disclaimer in the Underlying Agreement is subject to HIPAA and may not limit either party’s obligations under this BAA to the extent prohibited by law.

12. How to Obtain a Copy or Countersigned BAA

Covered Entity may request a copy of this BAA, including an executed or countersigned version where required for its records or procurement process:

  • Email: team@aime.med
  • Subject: BAA Copy or Countersignature Request — [Your Practice Name]
  • Company: AidMi Health, Inc.
  • Mail: 320 High St, Palo Alto, CA 94301