Business Associate Agreement

Version 1.0 · Last updated: July 7, 2026

This Business Associate Agreement ("BAA") is entered into between Aclera-AI, Inc. ("Aclera-AI" or "Business Associate") and the customer that accepts it ("Customer"). It sets out the terms required by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations at 45 CFR Parts 160 and 164, as amended (the "HIPAA Rules"), that govern Business Associate's creation, receipt, maintenance, and transmission of Protected Health Information on Customer's behalf in connection with CasePanel and related services (the "Services").

1. Parties and Formation

  • This BAA is between Aclera-AI, acting as a Business Associate, and Customer, acting as a Covered Entity or as a business associate of a Covered Entity. If Customer is itself a business associate of a Covered Entity, references to "Covered Entity" in this BAA refer to Customer in that capacity, and Aclera-AI acts as Customer's Subcontractor under 45 CFR §164.502(e)(1)(ii).
  • Customer accepts this BAA by clicking to accept it during account signup. Upon acceptance, this BAA is incorporated into and forms part of the Terms of Service between Customer and Aclera-AI.
  • If Customer and Aclera-AI have separately executed a written business associate agreement covering the Services, that separately signed agreement supersedes and replaces this BAA.
  • This is Version 1.0 of this BAA, effective July 7, 2026.

2. Authority Representation

The individual accepting this BAA represents and warrants that they are:

  • a Covered Entity;
  • a member of the workforce of, or an agent of, a Covered Entity, and authorized to bind that Covered Entity to this BAA; or
  • a business associate of a Covered Entity, with authority to agree to this BAA on behalf of the Customer entity they identify at signup.

Aclera-AI provides the Services in reliance on this representation.

3. Definitions

Capitalized terms used but not otherwise defined in this BAA have the meanings given to them in the HIPAA Rules at 45 CFR Parts 160 and 164, including "Breach," "Designated Record Set," "Electronic Protected Health Information," "Protected Health Information," "Required by Law," "Secretary," "Security Incident," "Subcontractor," and "Unsecured Protected Health Information." In addition:

  • "PHI" means Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the Services, including Electronic Protected Health Information.
  • "De-identified Data" means information that has been de-identified in accordance with 45 CFR §164.514(b).

4. Permitted Uses and Disclosures of PHI

Business Associate may use and disclose PHI only as follows:

  • To perform the Services. To provide, operate, and support the Services for Covered Entity under the Terms of Service.
  • As Required by Law.
  • Management and administration. For Business Associate's proper management and administration and to carry out Business Associate's legal responsibilities, as permitted by 45 CFR §164.504(e)(4). Business Associate may disclose PHI for these purposes only if the disclosure is Required by Law, or if Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  • Data aggregation. To provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 CFR §164.504(e)(2)(i)(B).
  • De-identification. To create De-identified Data, as set out in Section 5.

Business Associate will make reasonable efforts to limit its uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

5. De-identification and De-identified Data

5.1 Authorization to De-identify

De-identification of PHI is a use of PHI under 45 CFR §164.502(d)(1). Covered Entity authorizes Business Associate to use PHI to create De-identified Data in accordance with the safe harbor de-identification standard at 45 CFR §164.514(b)(2). Under that standard, Business Associate must remove the following identifiers of the individual and of the individual's relatives, employers, and household members:

  1. Names;
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code, except as permitted by 45 CFR §164.514(c);

and Business Associate must not have actual knowledge that the remaining information could be used alone or in combination with other information to identify an individual who is a subject of the information.

5.2 Status of De-identified Data

Health information that has been de-identified in accordance with 45 CFR §164.514(b) is not Protected Health Information (45 CFR §164.502(d)(2)). De-identified Data is not PHI and is not subject to this BAA or to the HIPAA Rules.

5.3 Ownership and Use

As between the parties, Business Associate owns De-identified Data and may use and disclose it for any lawful purpose, including improving and training its AI models, product development, research, benchmarking, and analytics.

5.4 No Re-identification

Business Associate will not attempt to re-identify De-identified Data, and will not maintain or disclose any code or other means of record identification designed to enable de-identified information to be re-identified except as permitted by 45 CFR §164.514(c). Business Associate will contractually require any recipient of De-identified Data to commit to these same restrictions.

5.5 Ambient Scribe Carve-out

Raw audio recordings captured by the Ambient Scribe feature are never used to create De-identified Data, are never used to train AI models, and are not retained after transcription completes. De-identified transcripts are treated as any other clinical text under this Section 5.

5.6 Survival

De-identified Data contains no PHI, survives termination of this BAA, and is excluded from the return-and-destruction obligations in Section 8.

6. Obligations of Business Associate

Business Associate will:

  • Limited use and disclosure. Not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
  • Safeguards. Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA, and comply with the HIPAA Security Rule (45 CFR §§164.308, 164.310, 164.312, and 164.316) with respect to Electronic Protected Health Information. The Security Rule applies directly to business associates under section 13401 of the HITECH Act.
  • Reporting. Report to Covered Entity: (a) any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware; (b) any Security Incident of which Business Associate becomes aware, except that this Section constitutes notice of the ongoing existence of unsuccessful Security Incidents — such as pings, port scans, and other unsuccessful attempts to penetrate or disrupt Business Associate's systems — for which no further individual reporting is required; Business Associate will report such unsuccessful Security Incidents in aggregate upon Covered Entity's written request; and (c) any Breach of Unsecured Protected Health Information without unreasonable delay and in no case later than 10 business days after discovery, including, to the extent available, the information required by 45 CFR §164.410: the identity of each individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been, involved, and a description of the Breach, the types of information involved, the steps individuals should take to protect themselves, and what Business Associate is doing to investigate, mitigate, and prevent recurrence.
  • Mitigation. Mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this BAA.
  • Subcontractors. In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions at least as restrictive as those that apply to Business Associate under this BAA with respect to that PHI.
  • Individual rights. Make PHI in a Designated Record Set available to Covered Entity as necessary for Covered Entity to satisfy its obligations under 45 CFR §164.524 (individual access) and 45 CFR §164.526 (amendment), and incorporate any amendments as directed by Covered Entity; and document disclosures of PHI, and make such documentation available to Covered Entity, as necessary for Covered Entity to satisfy its obligations under 45 CFR §164.528 (accounting of disclosures). If an individual submits a request for access, amendment, or an accounting directly to Business Associate, Business Associate will forward the request to Covered Entity.
  • Records for the Secretary. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules (45 CFR §164.504(e)(2)(ii)(I)).
  • Carrying out Covered Entity obligations. To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation (45 CFR §164.504(e)(2)(ii)(H)).

7. Obligations of Covered Entity

Covered Entity will:

  • Obtain any consents or authorizations that may be required for Business Associate to use and disclose PHI as contemplated by this BAA and the Terms of Service;
  • Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to under 45 CFR §164.522, any revocation of an individual's authorization to use or disclose PHI, and any limitation in Covered Entity's notice of privacy practices under 45 CFR §164.520, in each case to the extent it may affect Business Associate's permitted uses or disclosures;
  • Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except to the extent Business Associate may use or disclose PHI for data aggregation or for its own management and administration as permitted by this BAA; and
  • Special categories. Not submit to the Services (a) psychotherapy notes (45 CFR §164.508(a)(2)) or (b) records subject to 42 CFR Part 2 (records of federally assisted substance use disorder programs), unless the parties separately agree in writing.

8. Term and Termination

  • Term. This BAA takes effect when Customer accepts it and remains in effect for as long as the Terms of Service remain in effect between the parties. It terminates automatically when the Terms of Service terminate.
  • Termination for breach. Either party may terminate this BAA if the other party materially breaches it and fails to cure the breach within 30 days after receiving written notice of the breach.
  • Return or destruction of PHI. Upon termination of this BAA, Business Associate will return or destroy all PHI that it maintains in any form, if feasible, and retain no copies. If return or destruction is infeasible, Business Associate will extend the protections of this BAA to that PHI for as long as it is maintained and limit further uses and disclosures to those purposes that make return or destruction infeasible (45 CFR §164.504(e)(2)(ii)(J)).
  • De-identified Data. De-identified Data is not PHI and is not subject to return or destruction; Business Associate retains De-identified Data after termination as set out in Section 5.

9. Miscellaneous

  • Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
  • Amendment. The parties agree to amend this BAA to the extent necessary to comply with changes to the HIPAA Rules or other applicable law.
  • No third-party beneficiaries. Nothing in this BAA confers any right, remedy, or claim on any person other than the parties.
  • Order of precedence. With respect to PHI, this BAA controls over any conflicting provision of the Terms of Service.
  • Regulatory references. A reference to a section of the HIPAA Rules or any other law means that section as in effect or as amended or re-designated from time to time.

10. Contact Information

For questions about this BAA, please contact us: