Log in     Support     Status

Exciting news!
Request an Account Request a Demo

Business Associate Addendum

Revised and effective: November 25, 2025

This Business Associate Addendum ("BAA") supplements and forms a part of the Agreement found at https://capacity.com/services-agreement/ ("Agreement") between Subscriber and AI Software, LLC (referred to herein as "Capacity" or "Business Associate"). This BAA prevails over any directly conflicting term of the Agreement but does not otherwise modify the Agreement. Terms used herein but not defined herein have the meanings set forth in the Agreement.

WHEREAS, Subscriber is, or provides services to, a Covered Entity that is subject to the Privacy, Security, Breach Notification, Standard Transactions and Enforcement Rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") at 45 C.F.R. Parts 160, 162 and 164, the Health Information for Economic and Clinical Health Act ("HITECH Act") and the regulations promulgated under the HIPAA and HITECH Act (collectively the "HIPAA Rules"); and

WHEREAS, Subscriber has engaged Business Associate to perform one or more functions, activities, or services on its behalf which may require Business Associate receipt and/or creation or transmission of Protected Health Information; and

WHEREAS, the Parties are committed to compliance with the HIPAA Rules;

NOW, THEREFORE, in consideration of the foregoing recitals and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:

1. Definitions

Capitalized terms used but not otherwise defined in this BAA will have the same meaning as the meaning ascribed to those terms in the HIPAA Rules.

  1. "Business Associate" shall have the same meaning as the term "business associate" in 45 CFR § 160.103.
  2. "Covered Electronic Transactions" shall have the same meaning given the term "transaction" in 45 C.F.R. § 160.103.
  3. "Covered Entity" shall have the same meaning given to the term "covered entity" in 45 C.F.R. §160.103, but limited to an entity for which Business Associate performs services on behalf of Subscriber.
  4. "Designated Record Set" shall have the same meaning as the term "designated record set" in 45 C.F.R. §164.501, but limited to the group of records maintained by Business Associate, which contains Protected Health Information created or received by Business Associate from or on behalf of Subscriber.
  5. "Electronic Protected Health Information" and "EPHI" shall have the same meaning as the term "electronic protected health information" in 45 C.F.R. §160.103, but limited to the information created or received by Business Associate from or on behalf of Subscriber.
  6. "Electronic Transactions Rule" means the final regulations issued by Health and Human Services concerning standard transactions and code sets under the Administration Simplification provisions of HIPAA.
  7. "Individual" shall have the same meaning given the term "individual" in 45 C.F.R. §160.103 and also shall include a person who qualifies as such individual's personal representative under the HIPAA Rules.
  8. "Protected Health Information" and "PHI" have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, but limited to the information created or received by Business Associate from or on behalf of Subscriber, including but not limited to Electronic Protected Health Information.
  9. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Subparts A and E of Part 164.
  10. "Secretary" means the Secretary of the U.S. Department of Health and Human Services or his designee.
  11. "Security Rule" means the Security Standards and Implementation Specifications at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
2. Obligations of Business Associate

If and to the extent that it is a "business associate" as defined by HIPAA, Business Associate undertakes the following responsibilities to Subscriber:

  1. Business Associate will not use or further disclose PHI, other than as permitted by this BAA, the Agreement or as Required by Law.
  2. Business Associate will use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of PHI other than as provided for by this BAA.
  3. Business Associate agrees to report to Subscriber any use or disclosure of PHI not provided for by this BAA, including Breaches of Unsecured PHI, and any Security Incident of which it becomes aware. The Parties acknowledge the ongoing existence and occurrence of routine and trivial Security Incidents, such as scans, "pings" and other broadcast attacks that do not pass the firewall, port scans, unsuccessful log-on attempts, and denial of service attacks and agree that this provision serves as sufficient notice to Subscriber of such routine and trivial Security Incidents that do not result in the unauthorized access, use, disclosure, modification or destruction of Electronic Protected Health Information.
  4. Following its discovery of a Breach of Unsecured PHI, Business Associate will provide notification to Subscriber without unreasonable delay and in no case later than thirty (30) days after discovery of the Breach, unless a delay is required under 45 C.F.R. § 164.412. Such notification by Business Associate shall include, to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during the Breach and any other available information that a Covered Entity would be required to include in a notification to affected individuals under 45 C.F.R. § 164.404(c).
  5. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate through this BAA with respect to such information.
  6. Business Associate shall make its internal practices, books and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
  7. Business Associate agrees to document its disclosures of PHI and the information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and to provide such information to Subscriber.
  8. The Parties acknowledge and agree that Business Associate does not maintain PHI in a Designated Record Set for Subscriber.
  9. The Parties acknowledge and agree that Business Associate does not engage in any Covered Electronic Transactions on behalf of Subscriber.
  10. To the extent Subscriber delegates to Business Associate the responsibility to carry out, on Subscriber's behalf, one of more of the Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
3. Permitted Uses and Disclosures
  1. Except as otherwise limited in this BAA, Business Associate may:
    1. Use or disclose PHI to perform functions, activities, or services for the Subscriber as specified in Agreement, provided such use or disclosure of PHI would not violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity, with the exception of the specific uses and disclosures set forth below.
    2. Use PHI for the proper management and administration of Business Associate or to fulfill any present or future legal responsibilities of Business Associate.
    3. Disclose PHI for the proper management and administration of Business Associate or to fulfill any present or future legal responsibilities of Business Associate, provided that such disclosure is either Required by Law or Business Associate obtains reasonable assurances from any person to whom PHI is disclosed that such person will: (a) keep such information confidential; (b) use or further disclose such information only for the purpose for which it was disclosed to such person or as Required by Law; and (c) notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
    4. Use PHI to provide data aggregation services relating to the Health Care Operations of the Covered Entity, as provided in 45 C.F.R. § 164.504(e)(2)(i)(B).
    5. De-identify PHI in accordance with 45 C.F.R. § 164.514.
  2. In its performance of activities and services for Subscriber, Business Associate agrees to use, disclose and request only the minimum necessary PHI, in accordance with the HIPAA Rules.
4. Obligations of the Subscriber
  1. Subscriber will notify Business Associate of any facts or circumstances that affect Business Associate's use or disclosure of PHI. Such facts and circumstances include, but are not limited to: (i) any limitation or change in Covered Entity's Notice of Privacy Practices; (ii) any changes in, or withdrawal of, an authorization provided to the Covered Entity or Subscriber by an Individual pursuant to 45 C.F.R. §164.508; and (iii) any restriction to the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.
  2. Subscriber will not require or request Business Associate to use or disclose PHI in any manner that would not be permissible under the under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity or is not otherwise authorized or permitted under this BAA or the HIPAA Rules.
  3. In the event that Subscriber's engagement of Business Associate's services includes transmission of PHI to any Individual via text message as specified in Agreement, Subscriber will (a) clearly inform each Individual of the security risks of insecure text communications and recommend a secure option; and (b) keep explicit records of all these risk warnings and the written approval from the Individual.
5. Effective Date; Termination
  1. As of the Effective Date of the Agreement, this BAA replaces and supersedes any prior agreement executed between the Parties relating to any provisions of the Agreement specifically intended to address Business Associate's obligations with respect to the HIPAA Rules. However, if any provision set forth in this BAA conflicts with a provision in the Agreement, the provisions of this BAA shall govern.
  2. If Subscriber becomes aware of a material breach or violation of this BAA by the Business Associate, Subscriber will notify Business Associate of the breach or violation in writing and provide Business Associate with a period of at least 30 days to cure the breach or end the violation. If Business Associate is unable to cure the breach within the allotted period, Subscriber may terminate this BAA and the Agreement with Business Associate, if feasible.
  3. Upon termination of this BAA, for any reason, Business Associate shall retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities and will either return to Subscriber or destroy the remaining PHI. For so long as Business Associate maintains any PHI, it shall extend the protections of this BAA to such PHI, and limit further uses and disclosures of the PHI to those purposes that make the return or destruction infeasible.
6. Miscellaneous
  1. Nothing express or implied in this BAA is intended to confer, nor will anything herein confer, upon any person or entity other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
  2. The Parties agree to take such action as necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. This BAA may be amended only by a written instrument agreed to by the Parties.
  3. A reference in this BAA to a section in the HIPAA Rules means that section as amended from time to time; provided that if future amendments change the designation to a section referred to herein, or transfer a substantive regulatory provision referred to herein to a different section, the section references herein will be deemed to be amended accordingly.
  4. Any ambiguity in this BAA will be interpreted as broadly as necessary to permit the Parties to comply with the HIPAA Rules.
  5. The provisions of this BAA will be severable, and if any provision of this BAA will be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA will continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained.