Business Associate Agreement

Last Updated: November 9, 2025

This Business Associate Agreement ("BAA") governs Notium's ("Business Associate") handling of Protected Health Information (PHI) on behalf of healthcare providers ("Covered Entity") in compliance with HIPAA and the HITECH Act.

1. Services

Notium provides AI-powered clinical documentation services including voice-to-text transcription using Azure OpenAI Whisper and automated progress note generation using Azure OpenAI GPT-4o. Business Associate will only use or disclose PHI as necessary to perform these services or as required by law.

2. Business Associate Obligations

Business Associate shall:

  • Comply with applicable HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164)
  • Use appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report any breach of unsecured PHI to Covered Entity within 60 days
  • Ensure subcontractors (Microsoft Azure) comply with the same HIPAA requirements
  • Make PHI available to individuals and HHS for inspection as required by HIPAA
  • Return or destroy PHI upon termination of services

3. Security Measures

Business Associate implements the following safeguards:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Authentication: Azure AD with MFA support and 15-minute session timeouts
  • No Audio Storage: Voice recordings are immediately deleted after transcription
  • Audit Logging: All PHI access is logged with immutable records
  • Access Control: Role-based permissions ensure users only access necessary PHI
  • Infrastructure: Microsoft Azure data centers with SOC 2, HIPAA, and ISO 27001 certifications

4. Subcontractors

Business Associate uses Microsoft Azure services (Azure OpenAI, Azure AD, Azure Communication Services, Azure Database for PostgreSQL) for infrastructure and AI processing. Microsoft has executed a HIPAA Business Associate Agreement with Notium and maintains HIPAA-compliant infrastructure.

5. Breach Notification

Business Associate will notify Covered Entity of any breach of unsecured PHI within 60 days of discovery, including: (a) identification of affected individuals, (b) description of the breach, (c) types of PHI involved, (d) mitigation steps taken, and (e) contact information for questions.

6. Term and Termination

This Agreement is effective upon your use of Notium's services and terminates when all PHI is returned or destroyed. Either party may terminate for material breach with 30 days' written notice. Upon termination, Business Associate will return or destroy all PHI within 30 days and provide written certification of that return or destruction.

7. Amendments

This Agreement may be amended to comply with changes in HIPAA regulations. Business Associate will notify Covered Entity of material changes via email with 30 days' notice.

8. Contact Information

Notium Privacy Officer

Email: info@notium.ai

Support: info@notium.ai

We respond to BAA inquiries within 2 business days.

Acceptance

By using Notium's services, you acknowledge and agree to the terms of this Business Associate Agreement. For questions or to execute a customized BAA, contact info@notium.ai.