HIPAA Business Associate Agreement
Last Modified: April 29, 2026
Table of Contents
- 1. Purpose
- 2. Definitions
- 3. Permitted Uses and Disclosures by Business Associate
- 4. Prohibited Uses and Disclosures
- 5. Safeguards
- 6. AI and Third-Party Processing
- 7. Reporting of Impermissible Uses, Disclosures, Security Incidents, and Breaches
- 8. Subcontractors
- 9. Access to PHI
- 10. Amendment of PHI
- 11. Accounting of Disclosures
- 12. Covered Entity Obligations
- 13. Minimum Necessary
- 14. De-Identification and Aggregated Data
- 15. Availability of Books and Records
- 16. Term and Termination
- 17. Return or Destruction of PHI
- 18. Clinical Responsibility and AI Output
- 19. Data Location and Cross-Border Processing
- 20. Indemnification
- 21. Limitation of Liability
- 22. No Third-Party Beneficiaries
- 23. Interpretation
- 24. Notices
- 25. Governing Law
- 26. Entire Agreement; Amendment
- 27. Acceptance and Signatures
- Exhibit A. Description of Services
- Exhibit B. Security Measures
- Exhibit C. Subcontractors / Subprocessors
- Exhibit D. Product-Specific PHI Handling Commitments
This Business Associate Agreement (this "BAA") is entered into by and between the Customer accepting the RadiusMD.Ai Legal, Terms of Service or other applicable subscription agreement ("Covered Entity") and RadiusMD.Ai Inc., an S-CORP organized under the laws of Nevada, with its principal place of business at 1344 Disc Dr., Sparks, NV 89436-0684 ("Business Associate"). Covered Entity and Business Associate may each be referred to as a "Party" and collectively as the "Parties."
For purposes of this BAA, the "Customer" or "Covered Entity" is the legal entity identified in the applicable account, order form, subscription, billing profile, or other purchasing record. If an individual accepts the Terms of Service on behalf of an organization, that acceptance binds the organization and this BAA applies to that organization and its authorized users.
This BAA supplements and is incorporated into the agreement, order form, subscription terms, services agreement, Terms of Service, or other written arrangement governing Covered Entity’s use of RadiusMD.Ai’s products and services (the "Underlying Agreement"). The Effective Date of this BAA is the date Covered Entity first accepts the Underlying Agreement or first uses the Services for PHI-related workflows, whichever occurs first. If there is a conflict between this BAA and the Underlying Agreement regarding Protected Health Information, this BAA controls.
1. Purpose
Covered Entity may disclose Protected Health Information to Business Associate, or Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity, in connection with Business Associate’s provision of AI-assisted medical reporting, radiology workflow support, reporting automation, OCR-assisted documentation, template management, and related services (the "Services").
The Parties intend this BAA to satisfy applicable requirements of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
2. Definitions
Breach. Has the same meaning as in 45 C.F.R. § 164.402.
Designated Record Set. Has the same meaning as in 45 C.F.R. § 164.501.
Electronic Protected Health Information or ePHI. Has the same meaning as in 45 C.F.R. § 160.103.
HIPAA. Means the Health Insurance Portability and Accountability Act of 1996, as amended, and all implementing regulations.
Protected Health Information or PHI. Has the same meaning as in 45 C.F.R. § 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
Security Incident. Has the same meaning as in 45 C.F.R. § 164.304.
Subcontractor. Means any person or entity to whom Business Associate delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI on behalf of Covered Entity.
Unsecured PHI. Has the same meaning as in 45 C.F.R. § 164.402.
Capitalized terms not defined in this BAA have the meanings given to them under HIPAA.
3. Permitted Uses and Disclosures by Business Associate
Business Associate may use or disclose PHI only as permitted or required by this BAA, the Underlying Agreement, or as Required by Law.
Business Associate may use and disclose PHI to perform the Services for Covered Entity, including:
- AI-assisted generation, editing, structuring, or formatting of medical reports;
- Processing text, OCR-derived content, voice-derived text, screenshots, clinical instructions, templates, prompts, or report drafts supplied by Covered Entity or its authorized users;
- Importing, exporting, copying, routing, or transforming report-related content as configured by Covered Entity;
- Providing technical support, troubleshooting, security monitoring, and system maintenance;
- Maintaining audit logs, security records, and operational records necessary to provide and secure the Services;
- Performing de-identification, aggregation, or analytics only as permitted by this BAA and HIPAA; and
- Any other purpose expressly authorized in writing by Covered Entity and permitted by HIPAA.
Business Associate may use PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure for such purposes is Required by Law or Business Associate obtains reasonable assurances from the recipient that the PHI will be kept confidential, used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any breach of confidentiality.
Business Associate may use PHI to provide Data Aggregation services relating to Covered Entity’s health care operations, only if authorized under the Underlying Agreement or other written instructions from Covered Entity.
4. Prohibited Uses and Disclosures
Business Associate shall not:
- Use or disclose PHI other than as permitted by this BAA, the Underlying Agreement, or Required by Law;
- Use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except for uses expressly permitted for Business Associate’s management and administration or Data Aggregation;
- Sell PHI;
- Use PHI for advertising, marketing, model training, product benchmarking, or unrelated analytics unless expressly authorized in writing by Covered Entity and permitted by HIPAA;
- Use PHI to develop, improve, or train third-party AI models unless expressly authorized in writing by Covered Entity and permitted by HIPAA;
- Disclose PHI to any Subcontractor unless the Subcontractor has entered into a written agreement imposing substantially the same restrictions, conditions, and safeguards that apply to Business Associate under this BAA;
- Use PHI in a way that is inconsistent with the minimum necessary standard; or
- Store PHI in logs, analytics tools, support systems, crash reports, or other systems unless such storage is necessary to provide the Services and protected by appropriate safeguards.
5. Safeguards
Business Associate shall use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided by this BAA.
For ePHI, Business Associate shall comply with applicable requirements of the HIPAA Security Rule, including safeguards designed to protect the confidentiality, integrity, and availability of ePHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
Business Associate’s safeguards shall include, as applicable and reasonable based on the Services:
- Access controls and role-based permissions;
- Unique user identification for workforce members with administrative access;
- Multi-factor authentication for administrative accounts;
- Encryption of ePHI in transit;
- Encryption of stored ePHI where technically feasible and appropriate;
- Audit logging for access to systems containing ePHI;
- Workforce access management and termination procedures;
- Secure software development and change management practices;
- Vulnerability management and security patching;
- Incident response procedures;
- Backup and disaster recovery procedures where RadiusMD stores ePHI;
- Secure deletion or return procedures at termination; and
- Reasonable safeguards to prevent PHI from being included in unnecessary application logs, AI request logs, analytics systems, or support records.
6. AI and Third-Party Processing
Business Associate may use third-party service providers, including cloud infrastructure providers, AI model providers, OCR providers, speech-to-text providers, database providers, logging providers, and related subprocessors, only as necessary to provide the Services and only where appropriate safeguards and contractual protections are in place.
Where a third-party provider creates, receives, maintains, or transmits PHI on behalf of Business Associate, Business Associate shall enter into a written business associate agreement or equivalent downstream agreement with that provider, as required by HIPAA.
Business Associate shall not knowingly transmit PHI to an AI model provider for a PHI-related workflow unless Business Associate has a valid business associate agreement or other HIPAA-appropriate written arrangement with that provider covering the applicable service.
Business Associate shall use reasonable efforts to minimize PHI sent to AI services and to avoid sending direct patient identifiers where such identifiers are not necessary for the intended reporting or documentation function.
Business Associate shall not permit third-party AI providers to train foundation models on Covered Entity’s PHI unless expressly authorized in writing by Covered Entity and permitted by HIPAA.
7. Reporting of Impermissible Uses, Disclosures, Security Incidents, and Breaches
Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA, any Security Incident involving ePHI, and any Breach of Unsecured PHI, in each case following discovery and without unreasonable delay.
For a Breach of Unsecured PHI, Business Associate shall notify Covered Entity without unreasonable delay and in no case later than five business days after discovery, unless a shorter period is required by law or the Underlying Agreement.
Business Associate’s notice shall include, to the extent known at the time:
- A description of what happened, including the date of the Breach and the date of discovery;
- The types of PHI involved;
- The identity of affected individuals, if known;
- The steps Business Associate has taken or will take to investigate, mitigate harm, and prevent recurrence;
- Any recommended steps Covered Entity or affected individuals should take; and
- A contact person for follow-up.
Business Associate may provide information in phases as the investigation develops.
The Parties acknowledge that unsuccessful Security Incidents, such as routine firewall pings, port scans, blocked malware, or unsuccessful login attempts, may occur frequently. Unless otherwise required by the Underlying Agreement, Business Associate may report such unsuccessful Security Incidents in summary form upon request or through periodic security documentation.
Covered Entity is responsible for determining whether notifications to individuals, HHS, media, regulators, or other parties are required, unless the Parties agree otherwise in writing.
8. Subcontractors
Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions, conditions, and safeguards at least as protective as those imposed on Business Associate under this BAA.
Business Associate remains responsible for the acts and omissions of its Subcontractors to the extent required by HIPAA and applicable law.
Upon request, Business Associate shall provide Covered Entity with a current list of Subcontractors that may create, receive, maintain, or transmit PHI in connection with the Services, subject to reasonable confidentiality and security restrictions.
9. Access to PHI
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity as reasonably necessary for Covered Entity to satisfy its obligations under 45 C.F.R. § 164.524.
If an individual requests access directly from Business Associate, Business Associate shall, unless otherwise required by law, forward the request to Covered Entity and shall not respond directly except as instructed by Covered Entity.
10. Amendment of PHI
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available to Covered Entity for amendment and shall incorporate amendments as reasonably directed by Covered Entity in accordance with 45 C.F.R. § 164.526.
If an individual requests amendment directly from Business Associate, Business Associate shall, unless otherwise required by law, forward the request to Covered Entity.
11. Accounting of Disclosures
Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures under 45 C.F.R. § 164.528.
Business Associate shall provide such information to Covered Entity upon reasonable request.
The Parties acknowledge that certain disclosures for treatment, payment, and health care operations may not be required to be included in an accounting under HIPAA, except as otherwise required by law.
12. Covered Entity Obligations
Covered Entity shall:
- Notify Business Associate of any limitation in Covered Entity’s notice of privacy practices that may affect Business Associate’s use or disclosure of PHI;
- Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent such changes may affect Business Associate’s Services;
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to follow, to the extent such restriction may affect Business Associate’s Services;
- Use the Services in accordance with HIPAA, the Underlying Agreement, and RadiusMD’s documentation;
- Ensure that Covered Entity’s users are authorized to upload, transmit, process, and disclose PHI through the Services;
- Avoid sending PHI to functions, vendors, integrations, or workflows not approved for PHI processing; and
- Be responsible for the accuracy, clinical appropriateness, and final approval of medical reports, diagnoses, impressions, and clinical documentation generated, edited, or assisted by the Services.
Covered Entity shall not request Business Associate to use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity.
13. Minimum Necessary
Business Associate shall make reasonable efforts to use, disclose, and request only the minimum PHI necessary to accomplish the intended purpose, except where HIPAA does not require application of the minimum necessary standard.
Covered Entity is responsible for configuring workflows, prompts, templates, screenshots, OCR regions, integrations, and user permissions to minimize unnecessary PHI disclosure.
14. De-Identification and Aggregated Data
Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514 and may use and disclose de-identified information for lawful purposes, including improving the Services, security, analytics, and product performance, provided that such information does not identify Covered Entity’s patients and there is no reasonable basis to believe the information can be used to identify an individual.
Business Associate may create and use aggregated operational data that does not identify individuals and is not PHI, including system performance metrics, security telemetry, feature usage metrics, and generalized workflow analytics.
Business Associate shall not use PHI for model training or product improvement unless the data has been de-identified in accordance with HIPAA or Covered Entity has expressly authorized such use in writing and such use is permitted by HIPAA.
15. Availability of Books and Records
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA.
16. Term and Termination
This BAA begins on the Effective Date and remains in effect until terminated in accordance with this section.
This BAA terminates when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is returned, destroyed, or protected in accordance with Section 17, unless it is terminated earlier under this BAA or the Underlying Agreement.
Covered Entity may terminate this BAA and the Underlying Agreement if Business Associate materially breaches this BAA and fails to cure the breach within 30 days after receiving written notice, if cure is possible. Covered Entity may terminate immediately if cure is not possible or if required by law.
Business Associate may terminate this BAA and the Underlying Agreement if Covered Entity repeatedly or materially requests Business Associate to use or disclose PHI in a way that violates HIPAA or this BAA and fails to cure after written notice.
17. Return or Destruction of PHI
Upon termination of this BAA or the Underlying Agreement, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
Business Associate may retain copies of PHI only as Required by Law, for legitimate archival or backup purposes, or as necessary for legal, compliance, security, or dispute-resolution purposes, provided such retained PHI remains protected under this BAA.
18. Clinical Responsibility and AI Output
Covered Entity acknowledges that RadiusMD’s Services are intended to assist with medical reporting and workflow efficiency and are not a substitute for professional clinical judgment.
Covered Entity and its authorized clinicians remain responsible for reviewing, validating, editing, approving, and signing all medical reports, impressions, findings, recommendations, and clinical documentation before use in patient care.
Business Associate does not independently diagnose patients, order treatment, or make final clinical decisions.
19. Data Location and Cross-Border Processing
Business Associate may process PHI in the United States, Canada, or other jurisdictions where Business Associate or its approved Subcontractors operate, subject to the safeguards and contractual obligations described in this BAA and the Underlying Agreement.
If Covered Entity requires PHI to remain in a specific jurisdiction, such requirement must be expressly stated in the Underlying Agreement or an applicable order form.
20. Indemnification
Each Party shall indemnify, defend, and hold harmless the other Party from and against third-party claims, damages, penalties, fines, costs, and expenses, including reasonable attorneys’ fees, arising from the indemnifying Party’s material breach of this BAA, violation of HIPAA, gross negligence, willful misconduct, or unauthorized use or disclosure of PHI.
21. Limitation of Liability
Except for breaches of confidentiality, unauthorized use or disclosure of PHI, indemnification obligations, gross negligence, willful misconduct, or violations of law, each Party’s liability under this BAA shall be subject to the limitation of liability in the Underlying Agreement.
The Parties may agree to a separate liability cap for HIPAA, PHI, security, or breach-related claims in the Underlying Agreement.
22. No Third-Party Beneficiaries
Nothing in this BAA is intended to create any rights in any person or entity other than the Parties and their permitted successors and assigns.
23. Interpretation
This BAA shall be interpreted as broadly as necessary to comply with HIPAA. Any ambiguity shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA.
References to laws and regulations include any amendments, replacements, or successor provisions.
24. Notices
Notices under this BAA shall be sent to the contacts below or to any updated notice address provided by a Party in writing.
Covered Entity Notice Contact
Name and title: the primary legal or administrative contact listed in Covered Entity’s account, order form, or other purchasing record.
Email: the email address associated with Covered Entity’s billing, legal, or administrator profile unless another notice address is provided in writing.
Address: the mailing address, if any, supplied by Covered Entity in its account or purchasing record.
Business Associate Notice Contact
Name: Azmat Zuberi
Title: CTO
Email: azmat@radiusmd.ai
Address: 1344 Disc Dr., Sparks, NV 89436-0684
Security or Breach notices should also be sent to info@radiusmd.ai.
25. Governing Law
This BAA shall be governed by the laws specified in the Underlying Agreement, except to the extent preempted by HIPAA or other applicable federal law.
26. Entire Agreement; Amendment
This BAA, together with the Underlying Agreement, constitutes the agreement between the Parties regarding PHI. This BAA may be amended only in writing signed by both Parties, except that the Parties shall cooperate in good faith to amend this BAA as necessary to comply with changes in HIPAA or other applicable law.
27. Acceptance and Signatures
Covered Entity accepts and agrees to this BAA by accepting the Underlying Agreement, clicking to accept the Terms of Service, executing an order form that references this BAA, or using the Services for PHI-related workflows. Electronic acceptance is deemed the legal equivalent of a manual signature.
Covered Entity
The legal entity identified in the applicable account, order form, subscription, billing profile, or other purchasing record.
Authorized representative: the individual accepting the Underlying Agreement on Covered Entity’s behalf.
Effective date: the date of acceptance or first PHI-related use, whichever occurs first.
Business Associate
RadiusMD.Ai Inc.
By: Azmat Zuberi
Name: Azmat Zuberi
Title: CTO
Exhibit A. Description of Services
Business Associate provides software and related services that may include:
- AI-assisted radiology and medical report generation;
- Report editing, summarization, structuring, and formatting;
- Template and prompt management;
- Voice-derived text processing;
- OCR-derived text processing from user-selected screen regions;
- Import/export workflow automation with radiology reporting systems, PACS/RIS-adjacent workflows, or other medical software as configured by Covered Entity;
- Multi-instance AI assistant workflows across sites, locations, desktops, or reporting contexts;
- Administrative dashboards, audit logs, and organization management features;
- Technical support, troubleshooting, security monitoring, and maintenance; and
- Other related services described in the Underlying Agreement.
Exhibit B. Security Measures
Business Associate shall maintain a written information security program appropriate to the nature of the Services and the PHI processed.
Security measures may include:
- Encryption in transit using industry-standard TLS;
- Encryption at rest for databases, storage, backups, and local caches where technically feasible and applicable;
- Role-based access controls;
- MFA for administrative access;
- Audit logging of administrative access and key PHI-related actions;
- Least-privilege access for workforce members;
- Secure credential and API key management;
- Secure development practices and code review;
- Vulnerability scanning and dependency monitoring;
- Incident response procedures;
- Backup and recovery procedures where Business Associate stores PHI;
- Workforce HIPAA/security training for personnel with access to PHI;
- Vendor review for subprocessors that may access PHI;
- Logging controls designed to avoid unnecessary PHI in application logs, crash logs, analytics tools, and support tickets; and
- Electron application hardening measures where applicable, including secure update processes, controlled local storage, and safeguards for screenshots/OCR-derived content.
Exhibit C. Subcontractors / Subprocessors
Business Associate may use approved Subcontractors to provide the Services. Business Associate shall maintain a current list of Subcontractors that may create, receive, maintain, or transmit PHI on behalf of Covered Entity.
| Subcontractor | Purpose | PHI Access | BAA / Contract Status |
|---|---|---|---|
| OpenAI, LLC / applicable OpenAI entity | AI model processing | Yes, if enabled for PHI workflows | BAA required before PHI use |
| Google Cloud Platform | Application hosting / infrastructure | Yes / Possible | BAA required |
| MongoDB | Database hosting | Yes / Possible | BAA required if PHI stored |
| Google Cloud Platform | Security and operations monitoring | Avoid PHI / Possible | BAA required if PHI possible |
| Google Workspace | Support and notices | Avoid PHI / Possible | BAA required if PHI possible |
Business Associate may update this list from time to time, provided that any Subcontractor handling PHI is bound by appropriate written obligations.
Exhibit D. Product-Specific PHI Handling Commitments
For RadiusMD workflows involving AI or automation:
- Business Associate shall use reasonable efforts to avoid sending unnecessary direct patient identifiers to AI services.
- Business Associate shall not intentionally store full AI prompts and outputs containing PHI in long-term logs unless configured by Covered Entity or necessary to provide the Services.
- Business Associate shall provide, where technically feasible, organization-level settings to control AI processing, data retention, audit logs, and support access.
- Business Associate shall not use Covered Entity’s PHI to train third-party foundation AI models unless expressly authorized in writing by Covered Entity and permitted by HIPAA.
- Covered Entity remains responsible for configuring templates, prompts, OCR regions, screenshots, workflows, integrations, and user access in a HIPAA-compliant manner.
- Covered Entity’s clinicians remain responsible for final medical review and approval of all outputs before use in patient care.