Last updated: February 14, 2026
This Business Associate Agreement ("Agreement") is entered into by and between the customer agreeing to the Therassist Terms of Service ("Covered Entity") and Therassist, Inc. ("Business Associate"). By accepting the Terms of Service, the Covered Entity also agrees to this Agreement. Capitalized terms not defined when first used herein shall have the meanings ascribed to them in the Regulations.
A. Covered Entity and Business Associate are parties to a Terms of Services Agreement through which Business Associate provides certain software services ("Services") to Covered Entity (the "Underlying Agreement"). During the course of performance of the Underlying Agreement, Business Associate may receive from Covered Entity, or may receive or create on behalf of Covered Entity, certain confidential health or medical information ("Protected Health Information").
B. Covered Entity and Business Associate intend to protect the privacy and provide for the security of Protected Health Information ("PHI") as defined in the Regulations, described below, disclosed to Business Associate in the course of the Parties' performance under the Underlying Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (the "HIPAA Act"), the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"), and regulations (the "Regulations") promulgated under the HIPAA Act and the HITECH Act by the U.S. Department of Health and Human Services ("HHS") and other applicable federal and state laws. The HIPAA Act, the HITECH Act, and the Regulations, as amended from time to time, are collectively referred to as "HIPAA."
C. HIPAA requires Covered Entity to enter into a contract containing specific requirements with Business Associate as set forth in, but not limited to Title 45, Sections 164.314(a), 164.502(e) and 164.504(e) of the Code of Federal Regulations ("CFR") and contained in this Agreement.
In consideration of the mutual covenants set forth below and the exchange of information pursuant to this Agreement, the Parties agree as follows:
All capitalized terms used but not otherwise defined herein shall have the meanings attributed to them in HIPAA and are incorporated herein by reference.
2.1 Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of Covered Entity in connection with Business Associate's performance under the Underlying Agreement (collectively "Contracted Services"); provided that such use or disclosure would not violate 45 CFR 164 if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
2.2 Business Associate may use PHI if necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities.
2.3 Business Associate may disclose PHI if necessary for its proper management and administration or to carry out its legal responsibilities; provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
2.4 Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(1).
During the term of this Agreement, Business Associate agrees to comply with the following obligations:
3.1 Use and Disclosure Limitations. Business Associate shall not use or further disclose PHI except for the purpose of performing its Services, as permitted by this Agreement, or as required by law, consistent with HIPAA.
3.2 Minimum Necessary Standard. Business Associate's use, disclosure, or request of PHI from Covered Entity shall utilize a limited data set if practicable, or otherwise, the minimum necessary PHI to accomplish the intended result.
3.3 Safeguards. Business Associate agrees to maintain and use appropriate safeguards and comply, where applicable, with Subpart C of 45 CFR 164 (i.e., the Security Rule) with respect to electronic protected health information ("ePHI"), to prevent the use or disclosure of PHI other than as set forth in this Agreement.
3.4 Breach Reporting. Business Associate agrees to report to Covered Entity any of the following of which it becomes aware: (i) the use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 CFR 164.410; (ii) a security incident (as defined in 45 CFR 164.304); or (iii) any "breach of the security of the system" of unencrypted "personal information," as required and as these terms are defined under Chapter 19.255 RCW or Chapter 42.56 RCW. Business Associate shall report immediately following discovery any breach of "Unsecured Protected Health Information" as required by 45 CFR 164.410. The report must include the identity (if known) of each individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the breach.
3.5 Subcontractors. In accordance with 45 CFR 164.502(e)(1)(ii) and 45 CFR 164.308(b)(2), Business Associate shall ensure that any agents or subcontractors that create, receive, maintain, or transmit PHI or ePHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate, enter into a written contract providing satisfactory assurances in accordance with 45 CFR 164.314(a), and comply with the applicable requirements of Subpart C of 45 CFR 164.
3.6 Access to PHI. Business Associate shall, at the request of Covered Entity, make available PHI maintained by Business Associate or its agents or subcontractors in Designated Record Sets, if any, to Covered Entity for inspection and copying within ten (10) days of receipt of such request to enable Covered Entity to fulfill its obligations under 45 CFR 164.524.
3.7 Amendment of PHI. Business Associate shall make available PHI maintained in Designated Record Sets, if any, to Covered Entity for amendment and incorporate any such amendment within ten (10) days of receipt of such a request, to enable Covered Entity to fulfill its obligations under 45 CFR 164.526. If any Individual submits a request for an amendment of PHI directly to Business Associate or its agents or subcontractors, Business Associate must notify Covered Entity in writing within five (5) days of the request. Any denial of amendment shall be the responsibility of Covered Entity.
3.8 Accounting of Disclosures. Within ten (10) days of notice by Covered Entity, Business Associate shall make available the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under 45 CFR 164.528 and the HITECH Act where applicable. As set forth in, and as limited by, 45 CFR 164.528, Business Associate shall not be required to provide an accounting of disclosures: (i) to carry out treatment, payment or health care operations as set forth in 45 CFR 164.502, except as otherwise required by the HITECH Act; (ii) to Individuals of PHI about them; (iii) incident to a use or disclosure otherwise permitted; (iv) pursuant to an authorization as provided in 45 CFR 164.508; (v) for a facility directory or to persons involved in the Individual's care or other notification purposes as set forth in 45 CFR 164.510; (vi) for national security or intelligence purposes as set forth in 45 CFR 164.512(k)(2); (vii) to correctional institutions or law enforcement officials as set forth in 45 CFR 164.512(k)(5); or (viii) as part of a Limited Data Set in accordance with 45 CFR 164.514(e). Business Associate agrees to implement a process that allows for an accounting to be collected and maintained for at least six (6) years prior to the request (or three (3) years under HITECH Act Section 13405(c)), but not before the compliance date under HIPAA. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name and, if known, address of the entity or person who received the PHI; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of purpose of the disclosure, or a copy of the Individual's written authorization or the written request for disclosure. If a request for an accounting is delivered directly to Business Associate, it shall be forwarded to Covered Entity in writing within five (5) days. 
If Covered Entity directs Business Associate to make a disclosure that would require an accounting, the Covered Entity shall specifically notify Business Associate; failure to do so shall relieve the Business Associate of the requirement to account for such disclosure.
3.9 Covered Entity Obligations. To the extent Business Associate is carrying out Covered Entity's obligations under 45 CFR 164.504, Business Associate will comply with the requirements that apply to Covered Entity in the performance of such obligations.
3.10 Audit and Review. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with Subpart E of 45 CFR 164 within ten (10) days of such request. Covered Entity has the right, at any time, to monitor, audit, and review activities of Business Associate in implementing this Agreement. All requests shall be reasonable and for appropriate business purposes.
3.11 Security Standards. Business Associate will comply with the applicable requirements of Subpart C of 45 CFR 164 (i.e., Security Standards for the Protection of ePHI).
4.1 Covered Entity shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy, and security of PHI transmitted to Business Associate pursuant to this Agreement, in accordance with the standards and requirements of HIPAA, until such PHI is received by Business Associate.
4.2 Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.
4.3 Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
4.4 Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.520, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
This Agreement shall become effective immediately upon execution and, except as hereinafter provided, shall remain in force and effect until the last of the PHI is returned to Covered Entity or destroyed. Notwithstanding the foregoing, the rights and obligations provided by Sections 3, 4, 7, and 8 of this Agreement shall survive indefinitely.
6.1 If Covered Entity determines in good faith that Business Associate has violated a material term of this Agreement, Covered Entity shall either:
6.2 Effect of Termination. Except as provided below, upon termination of this Agreement or the Contracted Services for any reason, Business Associate shall retain no copies of PHI and shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI in the possession of subcontractors or agents of Business Associate. In the event that returning or destroying the PHI is not feasible, Business Associate shall continue to extend the protections of this Agreement to such PHI for so long as Business Associate maintains it.
Business Associate agrees to indemnify, defend, and hold Covered Entity harmless from any and all liability, loss, claims, or damages, including reasonable attorneys' fees and costs resulting from or relating to the acts or omissions of Business Associate in connection with the representations, duties, and obligations of Business Associate under this Agreement. Without limiting the foregoing, Business Associate shall indemnify the Covered Entity for costs associated with any breach notification required under HIPAA, the HITECH Act, the implementing regulations, and/or state law, resulting from Breach of Unsecured Protected Health Information required to be reported to Covered Entity by Business Associate under Section 3.4 of this Agreement.
Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
9.1 A reference in this Agreement to a section in the HIPAA Act, the HITECH Act, or the Regulations means the section as in effect or as amended. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA (or applicable state laws relating to security and privacy, if more stringent). Any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA.
9.2 The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary to comply with the requirements of HIPAA or other laws.
By accepting the Therassist Terms of Service, you also accept and agree to this Business Associate Agreement. No separate signature is required. This Agreement is binding upon your acceptance of the Therassist Terms of Service.
For questions about this Agreement, contact us at: info@therassist.ai
For support, contact us at: support@therassist.ai or call (866) 722-4313