Botdoc

Business Associate Agreement

Effective July 1, 2026. Last updated: July 1, 2026.

PREAMBLE

This Business Associate Agreement (this “BAA”) supplements the Botdoc Corporate Terms of Service (available at https://botdoc.io/corporate-terms-of-service/) and the Botdoc Data Processing Addendum (available at https://botdoc.io/data-processing-addendum/) (the “DPA”) (together, the “Agreement”), as applicable between the parties. In the event of any conflict between this BAA, the DPA, and the Corporate Terms of Service, the order of precedence is: (a) this BAA with respect to Protected Health Information; (b) the DPA with respect to Personal Data; (c) the applicable Order Form; and (d) the Corporate Terms of Service.

Under the Agreement, Business Associate will have or may have access to Covered Entity’s Protected Health Information received by Business Associate or created by Business Associate on behalf of Covered Entity (“PHI”). Business Associate operates as a secure digital transportation platform that transmits data through end-to-end encryption protocols. Due to this encryption architecture, Business Associate does not have the ability to access, read, or view the contents of data transmitted through the Services, and therefore cannot independently determine whether transmitted content constitutes Protected Health Information. Covered Entity is solely responsible for determining what data it transmits through the Services and for ensuring that its use of the Services complies with applicable HIPAA requirements. Business Associate’s obligations under this BAA apply to PHI that Covered Entity designates as such and transmits through the Services.

This Business Associate Agreement is incorporated by reference into the Botdoc Corporate Terms of Service and is effective upon Customer’s acceptance of the applicable Order Form or Terms of Service. The current version of this BAA is always available at https://botdoc.io/business-associate-agreement/. The parties agree to be bound by the following terms and conditions in order to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations (collectively, “HIPAA Rules”), as applicable.

1. DEFINITIONS

1.1 Breach shall have the meaning given in 45 CFR §164.402.

1.2 Business Associate shall mean ShortSave, Inc., a Colorado corporation doing business as Botdoc.

1.3 Covered Entity shall mean the entity identified as the customer in the applicable Order Form.

1.4 Electronic Protected Health Information or ePHI shall have the meaning given in 45 CFR §160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

1.5 HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.

1.6 Protected Health Information or PHI shall have the meaning given in 45 CFR §160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

1.7 Services shall mean the services provided by Business Associate to Covered Entity under the Agreement.

1.8 Unsecured PHI shall have the meaning given in 45 CFR §164.402.

2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

2.1 Permitted Uses and Disclosures

Business Associate agrees to not use or disclose PHI other than as permitted or required by the Agreement or as required by law.

2.2 Appropriate Safeguards

Business Associate agrees to use appropriate safeguards, and comply where applicable with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.

2.3 Reporting

Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR §164.410, and any security incident of which it becomes aware.

2.4 No Remuneration

Business Associate agrees not to directly or indirectly receive remuneration in exchange for PHI of an individual without a valid authorization from such individual, except as otherwise allowed by the HIPAA Rules.

2.4(a) No AI/ML Training

Business Associate shall not use Protected Health Information, or any data derived from Protected Health Information, to train, develop, fine-tune, or improve any artificial intelligence or machine learning model for the benefit of any party other than Covered Entity. This prohibition applies regardless of whether the PHI has been de-identified, aggregated, or anonymized, unless de-identification has been performed in full compliance with 45 CFR §164.514 and the resulting data no longer constitutes PHI under HIPAA. This commitment is consistent with and supplements Business Associate’s obligations under the Botdoc Corporate Terms of Service (available at https://botdoc.io/corporate-terms-of-service/) and Botdoc Data Processing Addendum (available at https://botdoc.io/data-processing-addendum/).

2.5 Mitigation

Business Associate agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.

2.6 Agreements with Subcontractors

Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.

2.7 Access to PHI

Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by the Secretary of Health and Human Services, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an individual, in order to meet the requirements under 45 CFR §164.524.

2.8 Amendment of PHI

Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request, and in the time and manner designated, by Covered Entity or an individual.

2.9 Accounting of Disclosures

Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.

2.10 Internal Practices

Business Associate agrees to make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

2.11 Audit Rights

Covered Entity may audit Business Associate’s compliance with this BAA upon thirty (30) days’ prior written notice, not more than once per twelve (12) month period, at Covered Entity’s sole expense and during normal business hours. Business Associate’s SOC 2 Type II report (refreshed annually) will be accepted in lieu of an on-site audit where available. If an audit identifies a material breach of this BAA by Business Associate, Business Associate will reimburse Covered Entity’s reasonable audit costs. Audits required by a government regulator are not subject to the frequency limit.

2.12 Subprocessor Notification

Business Associate maintains a current list of subprocessors and agents that have access to PHI, available at https://botdoc.io/botdoc-subprocessors/. This list is updated in real time as changes occur and is available for Covered Entity’s review at any time without prior notice from Business Associate. Covered Entity is responsible for periodically reviewing the subprocessor list to stay informed of any changes. Business Associate’s primary infrastructure subprocessor is Microsoft Azure (Central US by default), which is subject to a separate Business Associate Agreement between Business Associate and Microsoft.

2.13 Annual Technical Safeguards Verification

Business Associate shall, at least once every twelve (12) months, verify that it has deployed the technical safeguards required by the HIPAA Security Rule (45 CFR §§164.308, 164.310, 164.312, and 164.316) to protect electronic Protected Health Information. Such verification is conducted through Business Associate’s annual SOC 2 Type II audit performed by an independent third-party auditor. Upon Covered Entity’s written request, Business Associate shall provide a copy of its most recent SOC 2 Type II audit report, subject to appropriate confidentiality protections. For the avoidance of doubt, Business Associate’s SOC 2 Type II report is the sole verification document available for this purpose. There is no separate HIPAA-specific audit report. The SOC 2 Type II report addresses the security controls relevant to Business Associate’s obligations under this BAA and should be reviewed in that context.

3. OBLIGATIONS OF COVERED ENTITY

3.1 Notice of Privacy Practices

Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

3.2 Permission

Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

3.3 Restrictions

Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

3.4 Appropriate Use

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.

3.5 Responsibility for Content

Covered Entity is solely responsible for determining what data it transmits through the Services and for ensuring that its use of the Services for the transmission of PHI complies with all applicable HIPAA requirements. Business Associate cannot independently verify the nature or sensitivity of transmitted content due to end-to-end encryption.

4. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

4.1 General Use and Disclosure

Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.

4.2 Use for Management and Administration

Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

4.3 Disclosure for Management and Administration

Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that: (a) disclosures are required by law; or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

4.4 Reproductive Healthcare Privacy

Consistent with the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy (45 CFR §164.502(a)(5)(iii), effective June 25, 2024), Business Associate shall not use or disclose Protected Health Information for any of the following purposes:

  • To conduct an investigation into, or impose liability on, any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care

  • To identify any person for the purpose of initiating such an investigation or imposing such liability

  • In response to any request for PHI where Business Associate has reasonably determined that the request is made for one of the above prohibited purposes

Business Associate shall require any attestation submitted in connection with a request for PHI potentially related to reproductive health care to comply with the requirements of 45 CFR §164.509 before disclosing such PHI.

5. TERM AND TERMINATION

5.1 Term

The Term of this BAA shall be effective as of the date of execution and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in this section.

5.2 Termination for Cause

Business Associate authorizes termination of this BAA by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the BAA and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity.

5.3 Effect of Termination

(a) Except as provided in paragraph 5.3(b) below, upon termination of this BAA for any reason, Business Associate shall return or destroy, at Covered Entity’s option and expense, all PHI in Business Associate’s possession. Covered Entity shall have thirty (30) days following the effective date of termination to export or retrieve any data accessible through the Services before Business Associate proceeds with deletion, consistent with the Botdoc Corporate Terms of Service (available at https://botdoc.io/corporate-terms-of-service/). Business Associate shall ensure compliance with this requirement by its subcontractors, if any. Any such destruction shall comply with the applicable guidance of HHS in effect at the time of such destruction and Business Associate shall provide to Covered Entity a certification attesting to such compliance.

(b) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

6. BREACH NOTIFICATION

Business Associate agrees to notify Covered Entity without undue delay and in any event within seventy-two (72) hours after discovery of a Breach of Unsecured PHI, consistent with Business Associate’s obligations under the Botdoc Corporate Terms of Service (https://botdoc.io/corporate-terms-of-service/) and the Botdoc Data Processing Addendum (https://botdoc.io/data-processing-addendum/). Notification shall include, to the extent possible:

  • The identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the breach

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known

  • A description of the types of Unsecured PHI that were involved in the breach

  • Any steps individuals should take to protect themselves from potential harm resulting from the breach

  • A brief description of what Business Associate is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches

  • Contact procedures for individuals to ask questions or learn additional information

Business Associate acknowledges that notification under this section does not relieve Covered Entity of its own HIPAA breach notification obligations to affected individuals, the Secretary of HHS, and, where applicable, the media.

7. SECURITY OF ELECTRONIC PHI

With respect to Electronic PHI, Business Associate shall:

  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity

  • Ensure that any subcontractors that create, receive, maintain, or transmit electronic PHI on behalf of Business Associate agree to implement reasonable and appropriate safeguards to protect it

  • Report to Covered Entity any Security Incident of which it becomes aware, within the timeframe specified in Section 6

Security Program: Business Associate’s information security program includes the following measures to protect ePHI:

  • Encryption of data in transit using strong cipher suites (TLS) and at rest (AES-256)

  • Multi-factor authentication with RSA, SecurID, or a digital certificate, as well as Active Directory integration

  • Network security including auto-scaling firewalls, DDoS protection, traffic filtering, and penetration testing

  • Access controls including access rights, permissions, and ethical walls based on users and groups

  • Static and dynamic application scans, comprehensive logging, and adherence to programming best practices (OWASP Top Ten, etc.)

  • Annual SOC 2 Type II and SOC 2+ audits based on standards set by the AICPA, conducted by an independent third-party auditor

  • ISO 27002:2013 and ISO/IEC 27017:2015 certification through Microsoft Azure

  • PCI DSS compliance maintained in accordance with the current version of the Payment Card Industry Data Security Standard as overseen by the Payment Card Industry Security Standards Council (PCI SSC)

  • GLBA and FTC Safeguards Rule (16 CFR Part 314) compliance for financial institution and automotive dealership customers

8. MISCELLANEOUS

8.1 Regulatory References

A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

8.2 Amendment

The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules and the Health Insurance Portability and Accountability Act, Public Law 104-191.

8.3 Survival

The respective rights and obligations of Business Associate under Section 5.3 of this BAA shall survive the termination of this BAA.

8.4 Interpretation

Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the HIPAA Rules. The parties agree that any inconsistency between this BAA and the Agreement, as it relates to PHI, shall be resolved in favor of this BAA.

8.5 No Third Party Beneficiaries

Nothing in this BAA shall confer any rights or remedies upon any person other than the parties and their respective successors and permitted assigns.

8.6 Governing Law

This BAA shall be governed by and construed in accordance with the laws of the State of Colorado, without giving effect to any choice or conflict of law provision or rule.

8.7 Entire Agreement

This BAA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, both written and oral, between the parties with respect to the subject matter hereof.

9. CONTACT AND NOTICES

All formal notices under this BAA shall be delivered in writing to:

ShortSave, Inc., a Colorado corporation doing business as Botdoc

Attn: Legal — HIPAA / BAA Matters

1909 Woodmoor Drive

Monument, Colorado 80132

Email: support@botdoc.io

Notices to Covered Entity shall be sent to the contact information provided in the applicable Order Form or as otherwise designated in writing by Covered Entity. Notices are effective upon receipt when delivered by email with confirmation, or upon delivery when sent by overnight courier or certified mail.

End of Business Associate Agreement, Version 2026.2.

© 2026 Botdoc. All rights reserved. 1909 Woodmoor Dr, Monument CO 80132 · 719-960-4767