
Business Associate Agreement

This Business Associate Agreement ("BAA") is entered into between Sōna ("Business Associate") and the undersigned Covered Entity.

I. Definitions

Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164). "Business Associate" means Sōna, the platform and its operating entity. "Covered Entity" means the healthcare provider, spa, clinic, or wellness business that has entered into a service agreement with Sōna. "PHI" means Protected Health Information as defined under HIPAA. "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

II. Obligations of Business Associate

Sōna agrees to:
a) Not use or disclose PHI other than as permitted or required by this BAA or as required by law.
b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
c) Report to the Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR § 164.410, and any security incident of which it becomes aware.
d) In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
e) Make available PHI in a designated record set to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524.
f) Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
g) Upon termination of this BAA, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that the Business Associate still maintains in any form.

III. Permitted Uses and Disclosures

Business Associate may only use or disclose PHI:
a) As necessary to perform the services described in the service agreement between the parties (scheduling, client management, AI-assisted communications).
b) As required by law.
c) For the proper management and administration of Business Associate or to carry out its legal responsibilities, provided the disclosure is required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially.

Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity.

IV. Obligations of Covered Entity

Covered Entity agrees to:
a) Notify Business Associate of any limitation(s) in the notice of privacy practices that may affect Business Associate's use or disclosure of PHI.
b) Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's permitted or required uses and disclosures.
c) Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity.

V. Term and Termination

This BAA shall be effective as of the date the Covered Entity begins using the Sōna platform and shall terminate when all PHI provided by Covered Entity to Business Associate is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions of this BAA. Either party may terminate this BAA if the other party has breached a material term and has not cured the breach within 30 days of written notice.

VI. Miscellaneous

This BAA shall be interpreted as broadly as necessary to implement and comply with the HIPAA Rules. The parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Covered Entity to comply with the HIPAA Rules. This BAA is incorporated into and made part of the service agreement between the parties. In the event of any conflict between this BAA and the service agreement, the terms of this BAA shall control with respect to PHI.

Execute This Agreement

To execute this BAA, email the following to privacy@usesonaai.com from your business email address:

Subject: BAA Execution — [Your Business Name]

Body:

I, [Full Name], authorized representative of [Business Name], agree to the Sōna Business Associate Agreement as published at usesonaai.com/baa as of [today's date]. I confirm this business is a Covered Entity under HIPAA.

We will counter-sign and return a PDF copy within 1 business day.

Questions? Contact privacy@usesonaai.com