Business Associate Addendum
Last modified: July 19, 2025
This HIPAA Business Associate Addendum (“BAA”) is entered into between Sun PC Solutions LLC, a Texas limited liability company ("Business Associate"), and the customer agreeing to these terms ("Customer" or "Covered Entity"), and supplements and is incorporated into the Services Agreement(s) (defined below).
This BAA will be effective as of the date it is electronically accepted by the Customer (the "BAA Effective Date"). Customer must have an existing, active Services Agreement in place for this BAA to be valid and effective. This BAA, together with the Services Agreement, will govern each party’s respective obligations regarding Protected Health Information (PHI).
You represent and warrant that (i) you have the full legal authority to bind Customer to this BAA, (ii) you have read and understand this BAA in its entirety, and (iii) you agree, on behalf of Customer, to all terms of this BAA. If you do not have the legal authority to bind Customer, or if you do not agree to these terms, you are prohibited from using the Services.
1. Definitions
For purposes of this BAA, any capitalized terms used but not otherwise defined herein shall have the meaning set forth in HIPAA.
a. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.
b. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
c. “Covered Services” means the Audio2Note service and any related software, modules, or APIs provided by Business Associate for processing, transcribing, and managing audio files and clinical documentation.
d. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended, including the HITECH Act.
e. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and its implementing regulations.
f. “Protected Health Information” or “PHI” shall have the meaning given to it under HIPAA and, for the purposes of this BAA, is limited to the PHI that Customer or its authorized users create, receive, maintain, or transmit using the Covered Services.
g. “Services Agreement(s)” means the written or electronic agreement(s) entered into between Business Associate and Customer for the provision of the Covered Services, including any terms of service, license agreements, or other agreements.
2. Obligations of Business Associate
a. Use and Disclosure of PHI. Business Associate shall not use or disclose PHI other than as permitted or required by the Services Agreement and this BAA, or as Required by Law. Business Associate shall not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
b. Safeguards. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this BAA.
c. Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required at 45 CFR 164.410, and any Security Incident of which it becomes aware. Notice shall be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery of a Breach.
d. Subcontractors. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
e. Access to PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will make available to Covered Entity such PHI as is necessary for Covered Entity to meet its obligations to provide access to PHI under 45 CFR 164.524.
f. Amendment of PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will make available to Covered Entity such PHI for amendment and incorporate any amendments to PHI as directed by Covered Entity in accordance with 45 CFR 164.526.
g. Accounting of Disclosures. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
h. Obligations to HHS. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.
3. Obligations of Customer (Covered Entity)
a. Permissible Requests. Customer shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer.
b. Sole Responsibility for Compliance. Customer is solely responsible for ensuring that its and its end users’ use of the Covered Services complies with all applicable laws, including HIPAA. Customer is responsible for implementing and maintaining appropriate privacy and security safeguards within its own operating environment.
c. User Management. Customer is solely responsible for managing its users and for terminating user access to the Covered Services when appropriate.
d. Data Accuracy and Review. Customer acknowledges that the Covered Services utilize artificial intelligence and are intended as a documentation aid. Customer is solely and exclusively responsible for the clinical accuracy, completeness, and appropriateness of all patient records. Customer agrees that all output from the Covered Services must be thoroughly reviewed, edited, and finalized by a licensed caregiver before being used for any clinical or legal purpose.
4. Term and Termination
a. Term. This BAA shall remain in effect until the termination or expiration of the Services Agreement, at which point it will automatically terminate.
b. Termination for Cause. Upon either party’s knowledge of a material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach. If the breach is not cured within a reasonable time, not to exceed thirty (30) days, the non-breaching party may terminate this BAA and the Services Agreement.
c. Effect of Termination. Upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. If such return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction not feasible.
5. Miscellaneous
a. Limitation of Liability. BUSINESS ASSOCIATE'S AGGREGATE LIABILITY FOR ANY AND ALL CLAIMS, LOSSES, OR DAMAGES ARISING OUT OF OR RELATING TO THIS BAA SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID BY CUSTOMER TO BUSINESS ASSOCIATE UNDER THE SERVICES AGREEMENT DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM. IN NO EVENT SHALL BUSINESS ASSOCIATE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES.
b. Indemnification. Customer agrees to indemnify, defend, and hold harmless Business Associate and its officers, directors, employees, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or in connection with any breach of this BAA by Customer or its users, or any negligent or wrongful acts or omissions by Customer or its users in connection with the use of the Covered Services.
c. No Third-Party Beneficiaries. Nothing in this BAA shall be construed to create any rights or remedies in any third parties.
d. Governing Law. This BAA shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of laws principles.
e. Entire Agreement. This BAA, together with the Services Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, whether written or oral. In the event of a conflict between this BAA and the Services Agreement, the terms of this BAA shall prevail.