HIPAA Compliance

Business Associate Agreement

RedactLaw executes Business Associate Agreements (BAAs) for law firms and healthcare organizations processing protected health information (PHI). Available for Pro, Firm, and Enterprise plans.

BAA Availability: This Business Associate Agreement is available for execution on Pro, Firm, and Enterprise plans. Contact contact@redactlaw.com to execute a BAA for your organization. Execution typically completed within 48 business hours.

HIPAA Business Associate Agreement

Effective Date: February 1, 2026

This Business Associate Agreement ("Agreement") is entered into between the Covered Entity (as defined below) and RedactLaw, Inc. ("Business Associate"), effective as of the date of execution.

WHEREAS, Covered Entity and Business Associate have entered into or wish to enter into a services agreement under which Business Associate may receive, create, maintain, use, or disclose Protected Health Information (PHI) on behalf of Covered Entity; and WHEREAS, this Agreement is intended to ensure that Business Associate will appropriately safeguard PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations.

1. Definitions

1.1 Covered Entity: The organization or entity that has executed this Agreement with Business Associate and is subject to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

1.2 Business Associate: RedactLaw, Inc., a Delaware corporation, providing AI-powered document redaction services.

1.3 Protected Health Information (PHI): Individually identifiable health information, as defined in 45 CFR § 160.103, that is transmitted or maintained in any form or medium, including information containing any of the 18 identifiers listed in the Safe Harbor standard at 45 CFR § 164.514(b)(2)(i).

1.4 Electronic Protected Health Information (ePHI): PHI that is transmitted by or maintained in electronic media.

1.5 HIPAA Rules: Collectively, the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), and the HIPAA Breach Notification Rule (45 CFR Part 160 and Subparts A and D of Part 164), as amended by the HITECH Act and subsequent regulations.

1.6 Services: The AI-powered document redaction services provided by Business Associate through the RedactLaw platform, including automated detection and redaction of PHI from legal documents.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures: Business Associate shall use or disclose PHI only as permitted by this Agreement or as required by law. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the HIPAA Rules if used or disclosed by Covered Entity.

2.2 Appropriate Safeguards: Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided by this Agreement, in accordance with the HIPAA Security Rule (45 CFR § 164.308, § 164.310, and § 164.312).

2.3 Reporting: Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Security Incident or Breach of Unsecured PHI, within 24 hours of discovery.

2.4 Subcontractors and Agents: Business Associate shall ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate under this Agreement.

2.5 Access to PHI: Business Associate shall make PHI available to Covered Entity or to individuals as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524 (right of access).

2.6 Amendment of PHI: Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.526.

2.7 Accounting of Disclosures: Business Associate shall document and make available to Covered Entity information required for an accounting of disclosures in accordance with 45 CFR § 164.528.

2.8 Availability of Books and Records: Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures

3.1 Services to Covered Entity: Business Associate may use and disclose PHI to perform the Services specified in the underlying services agreement between the parties, provided such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.

3.2 Business Associate Operations: Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, and may disclose PHI for those purposes provided that:

  • The disclosure is required by law; or
  • Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed, and the recipient will notify Business Associate of any breaches of confidentiality.

3.3 De-Identification: Business Associate may de-identify PHI in accordance with 45 CFR § 164.514(a)-(b). Once de-identified, the information is no longer subject to this Agreement.

3.4 Minimum Necessary: Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR § 164.502(b) and § 164.514(d).

4. Technical, Administrative, and Physical Safeguards

Business Associate implements and maintains safeguards consistent with the HIPAA Security Rule, including but not limited to:

4.1 Technical Safeguards:

  • Encryption: All ePHI is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.
  • Access Controls: Role-based access controls (RBAC) ensure that only authorized users can access ePHI. Multi-factor authentication (MFA) is required for all user accounts.
  • Audit Controls: All access to, use of, and disclosure of ePHI is logged with timestamps, user attribution, and action details.
  • In-Memory Processing: Documents are processed in ephemeral, isolated containers. No PHI is written to unencrypted disk storage during processing.

4.2 Administrative Safeguards:

  • Security Management: Business Associate maintains a comprehensive information security program, including risk assessments, security policies, and incident response procedures.
  • Workforce Training: All employees with access to ePHI receive HIPAA training upon hire and annually thereafter.
  • Access Authorization: Access to ePHI is granted on a need-to-know basis and reviewed quarterly.

4.3 Physical Safeguards:

  • US-Based Infrastructure: All infrastructure is hosted in AWS data centers located in the United States (US-East and US-West regions). ePHI never crosses international borders.
  • Facility Access Controls: AWS data centers employ 24/7 security monitoring and biometric access controls, and their physical security measures are covered by AWS's SOC 2 Type II attestation reports.
  • Workstation Security: Business Associate employees access systems through encrypted connections with device management and endpoint protection.

5. Reporting of Breaches and Security Incidents

5.1 Breach Notification: Business Associate shall notify Covered Entity within 24 hours of discovery of a Breach of Unsecured PHI, as defined in 45 CFR § 164.402. Notification shall include:

  • The date of the breach and the date of discovery;
  • A description of the types of PHI involved in the breach;
  • The identities of the individuals whose PHI has been breached, if known;
  • A description of the unauthorized use or disclosure;
  • The steps individuals should take to protect themselves;
  • A description of Business Associate's investigation, mitigation actions, and corrective measures.

5.2 Security Incidents: Business Associate shall report Security Incidents (as defined in 45 CFR § 164.304) to Covered Entity within 24 hours of discovery. For purposes of this Agreement, routine security incidents such as unsuccessful login attempts, pings, port scans, and denial-of-service attacks are acknowledged and need not be reported individually unless they result in unauthorized access, use, or disclosure of ePHI.

5.3 Cooperation: Business Associate shall cooperate with Covered Entity in investigating and mitigating any breach or security incident, including providing access to relevant logs, records, and personnel.

6. Subcontractors and Subprocessors

6.1 Subcontractor Requirements: Business Associate may engage subcontractors to perform functions or services that involve the creation, receipt, maintenance, or transmission of PHI, provided that Business Associate:

  • Enters into a written agreement with the subcontractor that imposes the same restrictions and obligations on the subcontractor as are imposed on Business Associate under this Agreement;
  • Ensures the subcontractor implements appropriate safeguards to protect PHI;
  • Remains responsible for the subcontractor's compliance with this Agreement and the HIPAA Rules.

6.2 AI Processing Infrastructure: Business Associate uses a proprietary AI model, hosted on third-party AI processing infrastructure, for automated PHI detection within uploaded documents. Document images containing PHI are transmitted to that infrastructure's API for analysis only for as long as the analysis requires. The AI infrastructure provider has executed a BAA with Business Associate, and document images are processed transiently and are not stored, logged, or used for model training.

6.3 No Persistent Storage of PHI by Subprocessors: Business Associate ensures that subprocessors, including the AI processing infrastructure, do not persistently store, log, or retain PHI beyond the transient processing required to deliver the Services. All PHI transmitted to subprocessors is encrypted in transit and processed in-memory only.

7. Access to Protected Health Information

7.1 Individual Right of Access: To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity or directly to individuals upon Covered Entity's request, in accordance with 45 CFR § 164.524.

7.2 Timeframe: Where Section 7.1 applies, Business Associate shall provide access to PHI within 10 business days of receiving a request from Covered Entity.

7.3 No PHI in Designated Record Sets: Business Associate does not maintain PHI in a Designated Record Set. Documents processed by Business Associate are held temporarily for redaction purposes only and are not part of any medical or billing record maintained by Business Associate. Covered Entity retains control of all original and redacted documents.

8. Amendment of Protected Health Information

8.1 Incorporation of Amendments: To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available for amendment and incorporate any amendments to PHI in accordance with 45 CFR § 164.526 at the direction of Covered Entity.

8.2 Timeframe: Where Section 8.1 applies, Business Associate shall incorporate amendments within 10 business days of receiving a request from Covered Entity.

8.3 No Amendment Obligations: As Business Associate does not maintain PHI in a Designated Record Set, Business Associate has no obligation to amend PHI. All amendments to original or redacted documents remain the responsibility of Covered Entity.

9. Accounting of Disclosures

9.1 Documentation of Disclosures: Business Associate shall document all disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures under 45 CFR § 164.528.

9.2 Provision of Accounting: Business Associate shall provide to Covered Entity, upon request, information collected in accordance with this Section to permit Covered Entity to respond to an accounting request. Business Associate shall provide such information within 10 business days of receiving Covered Entity's request.

9.3 Limited Disclosures: Business Associate does not disclose PHI except (a) to Covered Entity, (b) to authorized users within Covered Entity's organization, (c) transiently to the AI processing infrastructure described in Section 6.2 for PHI detection, or (d) as required by law. An accounting of disclosures, if requested, will reflect these limited disclosure categories.

10. Term and Termination

10.1 Term: This Agreement shall be effective as of the date of execution and shall remain in effect until terminated in accordance with this Section or until all PHI provided by Covered Entity to Business Associate is destroyed or returned to Covered Entity.

10.2 Termination for Breach: Either party may terminate this Agreement upon 30 days' written notice to the other party if the other party breaches a material term of this Agreement and does not cure the breach within the 30-day notice period.

10.3 Termination by Covered Entity: If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of this Agreement, Covered Entity shall:

  • Take reasonable steps to cure the breach or end the violation; or
  • Terminate this Agreement and the underlying services agreement if reasonable steps to cure are unsuccessful.

10.4 Effect of Termination: Upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity or created or received on behalf of Covered Entity, in accordance with Section 11 below.

11. Return or Destruction of Protected Health Information

11.1 Return or Destruction: Upon termination of this Agreement or upon Covered Entity's request, Business Associate shall:

  • Return to Covered Entity all PHI that Business Associate maintains in any form, or
  • Destroy all PHI and certify in writing to Covered Entity that all PHI has been destroyed.

11.2 Retention for Legal Requirements: If return or destruction of PHI is not feasible due to legal or regulatory requirements, Business Associate shall:

  • Notify Covered Entity in writing of the conditions that make return or destruction infeasible;
  • Extend the protections of this Agreement to such PHI;
  • Limit further uses and disclosures of PHI to those purposes that make return or destruction infeasible.

11.3 No Persistent Storage of Unredacted PHI by Business Associate: Business Associate's architecture is designed to process documents in-memory only. Original, unredacted documents are not persistently stored in Business Associate's databases or file systems; redacted output is retained only as described below. Upon completion of redaction processing:

  • Original documents uploaded by Covered Entity are immediately deleted from temporary processing containers;
  • Redacted output documents are encrypted and made available to Covered Entity for download;
  • Redacted documents are retained only according to Covered Entity's configured retention policy (24 hours, 7 days, 30 days, or manual deletion);
  • Upon deletion, files are permanently purged from primary storage and encrypted backups within 24 hours;
  • No PHI is stored in Business Associate's application database — only usage metadata (page counts, timestamps) is retained.

11.4 Certification of Destruction: Upon Covered Entity's request, Business Associate shall provide written certification that all PHI has been deleted in accordance with Covered Entity's retention policy and this Agreement.

12. General Provisions

12.1 Regulatory References: References in this Agreement to sections of the HIPAA Rules include any subsequent amendments or updates to such sections.

12.2 Amendment: The parties agree to amend this Agreement as necessary to comply with changes to the HIPAA Rules or other applicable law. Either party may request amendments to this Agreement in writing.

12.3 Survival: The obligations of Business Associate under Sections 5 (Reporting of Breaches and Security Incidents), 9 (Accounting of Disclosures), and 11 (Return or Destruction of Protected Health Information) shall survive termination of this Agreement.

12.4 Interpretation: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. This Agreement shall be interpreted consistent with the underlying services agreement between the parties; however, in the event of a conflict between this Agreement and the services agreement with respect to the use or disclosure of PHI, this Agreement shall control.

12.5 No Third-Party Beneficiaries: Nothing in this Agreement shall confer upon any person other than the parties and their successors or assigns any rights, remedies, obligations, or liabilities.

12.6 Governing Law: This Agreement shall be governed by the laws of the State of Delaware, without regard to its conflict of laws principles, and applicable federal law.

13. Contact for BAA Execution

To execute a Business Associate Agreement with RedactLaw, please contact:

RedactLaw, Inc.

HIPAA Compliance Team

Email: contact@redactlaw.com

BAA execution is typically completed within 48 business hours of initial contact.

For technical questions about our HIPAA safeguards, infrastructure, or security practices, please reference our Security & Compliance page or contact our security team at the email above.

Legal Notice: This Business Associate Agreement template is provided for informational purposes. The executed BAA between Covered Entity and RedactLaw, Inc. will be a separately signed agreement that may include additional provisions specific to Covered Entity's requirements. This template reflects the standard terms offered by RedactLaw as of the effective date listed above.

Ready to Execute a BAA?

Get started with HIPAA-compliant redaction today

Contact our team to execute a Business Associate Agreement and begin processing protected health information with confidence. Available on Pro, Firm, and Enterprise plans.

Questions? Email contact@redactlaw.com or schedule a call with our compliance team.