Legal
Business Associate Agreement
This Business Associate Agreement ("BAA") is entered into by and between the Customer identified in the applicable Order Form ("Covered Entity") and Adaptive Agentic Platform LLC ("Business Associate," "Adaptive AI," "we," "our," or "us").
This BAA supplements and is incorporated into the Terms of Service v1.0 ("ToS") and Data Processing Agreement v1.0 ("DPA"). In the event of conflict between this BAA and the ToS or DPA with respect to Protected Health Information, this BAA governs.
This BAA is required before any Protected Health Information is processed through the Platform. See Data Residency & Retention Policy §7 for additional healthcare data requirements.
1. Definitions
All capitalized terms not defined herein have the meanings given in the ToS, DPA, or HIPAA Rules (as defined below).
- "Breach" — has the meaning given in 45 CFR §164.402: the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Rules that compromises the security or privacy of such information.
- "Designated Record Set" — has the meaning given in 45 CFR §164.501.
- "Electronic Protected Health Information" or "ePHI" — Protected Health Information that is transmitted by or maintained in electronic media.
- "HIPAA Rules" — the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended by the HITECH Act (42 USC §§17921–17954).
- "Individual" — the person who is the subject of Protected Health Information, including a person who qualifies as a personal representative under 45 CFR §164.502(g).
- "Protected Health Information" or "PHI" — has the meaning given in 45 CFR §160.103: individually identifiable health information transmitted by or maintained in electronic media or any other form or medium.
- "Required by Law" — has the meaning given in 45 CFR §164.103.
- "Secretary" — the Secretary of the United States Department of Health and Human Services.
- "Security Incident" — has the meaning given in 45 CFR §164.304.
- "Subcontractor" — a person to whom Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.
2. Scope
2.1 Applicability
This BAA applies only where Customer deploys AI Workers in contexts where Protected Health Information may be processed through the Platform. This BAA does not apply to Customer Data that does not constitute PHI.
2.2 Services
Business Associate provides the Adaptive AI Platform to Covered Entity, which may involve the creation, receipt, maintenance, or transmission of PHI in connection with AI Worker interactions on voice, chat, email, SMS, or other channels.
2.3 Relationship to Other Agreements
This BAA operates alongside the DPA. Where Customer processes both PHI and Personal Data subject to the GDPR, both the BAA and DPA apply concurrently, each governing its respective regulatory domain.
3. Obligations of Business Associate
3.1 Permitted Uses and Disclosures
Business Associate will use and disclose PHI only as permitted or required by this BAA, or as Required by Law. Permitted uses include:
- Platform operations: Processing PHI as necessary to provide, maintain, and support the Platform on behalf of Covered Entity.
- Management and administration: Using PHI for Business Associate's proper management and administration, provided that disclosures are Required by Law or Business Associate obtains reasonable assurances from the recipient that PHI will be held confidentially and the recipient will notify Business Associate of any Breach.
- Compliance and legal obligations: Using or disclosing PHI as Required by Law.
3.2 Prohibited Uses
Business Associate will not:
- Use or disclose PHI for marketing purposes without Covered Entity's prior written authorization.
- Sell PHI as defined in 45 CFR §164.502(a)(5)(ii).
- Use PHI to train foundation AI models or improve AI capabilities made available to other customers (consistent with ToS §5.2 and DPA §4.3).
- De-identify PHI for Business Associate's own commercial purposes without Covered Entity's prior written consent. Where de-identification is permitted, Business Associate will use the Safe Harbor method (45 CFR §164.514(b)) or the Expert Determination method (45 CFR §164.514(a)).
3.3 Safeguards
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). These safeguards include the technical and organizational measures described in DPA Annex B, and additionally:
- Single-tenant isolation: Covered Entity's ePHI is stored in a dedicated database instance and processed in isolated compute environments not shared with any other customer (ToS §5.10; Privacy Policy §4).
- Encryption: All ePHI encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access controls: Access to ePHI restricted to personnel with a legitimate need; all access logged and auditable; multi-factor authentication required.
- Audit logging: Comprehensive audit trails for all access to, creation of, modification of, and deletion of ePHI, retained for a minimum of 6 years.
3.4 Minimum Necessary
Business Associate will limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, as required by 45 CFR §164.502(b) and §164.514(d).
3.5 Subcontractors
Business Associate will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.
A current list of Subcontractors is maintained at legal.adaptive.ai/subprocessors. Business Associate will provide at least 30 days' notice before engaging a new Subcontractor that will process PHI (DPA §6.3; ToS §5.6).
3.6 Access to PHI by Individuals
Business Associate will make PHI available to Covered Entity or, at Covered Entity's direction, to an Individual within 15 business days of a request, to enable Covered Entity to fulfill its obligations under 45 CFR §164.524 (access) and §164.526 (amendment).
3.7 Accounting of Disclosures
Business Associate will maintain an accounting of disclosures of PHI as required by 45 CFR §164.528, and will make such accounting available to Covered Entity within 30 days of a request. The accounting will cover at least the 6 years prior to the request.
3.8 Availability of Records
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules.
4. Breach Notification
4.1 Notification Timing
Business Associate will notify Covered Entity without unreasonable delay and in no event later than 30 calendar days after discovery of a Breach of Unsecured PHI (as defined in 45 CFR §164.402), as required by 45 CFR §164.410.
For Security Incidents that do not constitute a Breach (e.g., unsuccessful attempts to access ePHI), Business Associate will provide a summary report to Covered Entity upon request, but is not required to provide individual notice for each unsuccessful attempt.
4.2 Notification Content
Breach notification will include, to the extent known: (a) identification of each Individual whose PHI has been, or is reasonably believed to have been, affected; (b) a description of the Breach, including date(s) of the Breach and date of discovery; (c) the types of PHI involved; (d) steps Individuals should take to protect themselves; and (e) a description of what Business Associate is doing to investigate, mitigate, and prevent future occurrences.
4.3 Cooperation
Business Associate will cooperate with Covered Entity in investigating the Breach and in Covered Entity's obligations to notify Individuals, the Secretary, and the media (where required) under 45 CFR §§164.404–164.408.
4.4 Mitigation
Business Associate will take reasonable steps to mitigate any harmful effects of a Breach to the extent practicable.
4.5 Parallel Obligations
Breach notification under this BAA is in addition to (not in lieu of) the security breach notification obligations in the DPA §8 and ToS §5.7. Where both HIPAA and GDPR apply to the same incident, Business Associate will comply with the notification requirements of both frameworks, applying the shorter timeline (72 hours under GDPR Article 33 vs. 30 days under HIPAA) as the operative deadline.
5. Obligations of Covered Entity
5.1 Covered Entity Responsibilities
Covered Entity warrants that it has the authority to disclose PHI to Business Associate; has obtained any authorizations, consents, or permissions required under the HIPAA Rules and applicable state law; will not request Business Associate to use or disclose PHI in a manner that would violate the HIPAA Rules; and will inform Business Associate of any restrictions on the use or disclosure of PHI or any changes in, or revocation of, authorization by an Individual.
5.2 AI Worker Configuration
Covered Entity is solely responsible for configuring AI Workers to comply with HIPAA requirements, including implementing minimum necessary safeguards in AI Worker knowledge bases and scripts; configuring AI disclosure mechanisms to inform Individuals they are interacting with an AI system (ToS §3.2; Privacy Policy §8); ensuring human escalation paths are operational and adequately staffed for healthcare-related interactions (ToS §3.4); and not uploading PHI to Platform features that are not covered by the safeguards in this BAA without Business Associate's prior written confirmation.
6. Data Retention and Destruction
6.1 Retention of PHI
| Data Type | Minimum Retention (HIPAA) | Default | Configurable |
|---|---|---|---|
| Conversation transcripts containing PHI | 6 years | 6 years | Yes (up to 10 years) |
| Voice recordings containing PHI | 6 years | 6 years | Yes (up to 10 years) |
| ePHI audit logs | 6 years | 6 years | No |
| Breach documentation | 6 years from date of creation or last effective date | 6 years | No |
These retention periods override the shorter defaults in the Data Residency & Retention Policy §3 to the extent required by HIPAA.
6.2 Return or Destruction on Termination
- Business Associate will return or destroy all PHI in its possession within 60 days, as directed by Covered Entity.
- If return or destruction is not feasible (e.g., PHI is commingled with audit logs required for compliance), Business Associate will extend the protections of this BAA to the retained PHI for as long as it is maintained, and will limit further use or disclosure to the purposes that make return or destruction infeasible.
- Business Associate will provide written certification of destruction upon Covered Entity's request (DPA §11.3).
6.3 Survival
The obligations of Business Associate under this Section 6 and Section 3 (to the extent relating to retained PHI) survive termination of this BAA.
7. Term and Termination
7.1 Term
This BAA takes effect on the date it is executed by both parties and remains in force for as long as Business Associate processes PHI on behalf of Covered Entity.
7.2 Termination for Cause
Either party may terminate this BAA immediately upon written notice if the other party materially breaches this BAA and fails to cure within 30 days of written notice of the breach.
7.3 Effect of Termination
Upon termination of this BAA: (a) Business Associate will comply with Section 6.2 (Return or Destruction); (b) if the underlying Agreement (ToS) remains in effect, Customer must cease submitting PHI to the Platform; and (c) Business Associate will continue to protect any retained PHI as described in Section 6.2.
7.4 Relationship to ToS Termination
If the ToS is terminated, this BAA terminates simultaneously, subject to the survival provisions in Sections 6.2, 6.3, and 3.
8. Miscellaneous
8.1 Regulatory Amendments
The parties agree that any amendment to the HIPAA Rules that materially alters the obligations of Business Associates will be automatically incorporated into this BAA to the extent required by law. Business Associate will notify Covered Entity within 30 days of any regulatory change that materially affects this BAA.
8.2 Interpretation
Any ambiguity in this BAA will be resolved in favor of a meaning that permits the parties to comply with the HIPAA Rules.
8.3 No Third-Party Beneficiaries
Nothing in this BAA confers any rights on any Individual or other third party. Individuals may exercise their rights under HIPAA through Covered Entity.
8.4 Governing Law
This BAA is governed by the laws of the State of Delaware, without regard to conflict-of-law principles, to the extent not preempted by HIPAA (ToS §12.5).
8.5 Entire Agreement
This BAA, together with the ToS, DPA, and Order Form, constitutes the entire agreement between the parties with respect to PHI. This BAA supersedes any prior BAA between the parties.
9. Contact
Execution
By executing this BAA, the parties agree to its terms.
| Covered Entity | Business Associate | |
|---|---|---|
| Signature | _________________________ | _________________________ |
| Name | ||
| Title | ||
| Date | ||
| Entity | Adaptive Agentic Platform LLC |
To execute this BAA, contact: admin@adaptiveap.com