✦ Smarter Notes. Faster Care
✦ Smarter Notes. Faster Care
✦ Smarter Notes. Faster Care
✦ Smarter Notes. Faster Care
✦ Smarter Notes. Faster Care
✦ Smarter Notes. Faster Care
✦ Smarter Notes. Faster Care
✦ Smarter Notes. Faster Care
✦ Smarter Notes. Faster Care
✦ Smarter Notes. Faster Care

Business Associate Agreement

Healthcare Privacy Agreement

Meet the team

Smiling man with short dark hair wearing a blue polo shirt and sunglasses on collar against blue background.

Dr. Furquan Waseem, MD

Founder & CEO

Portrait of a woman wearing a beige hijab and dark sweater with a neutral expression.

Dr. Sana Kang

Co-Founder & COO

Reviewer avatar

Zeeshan Waseem

Chief Operating Officer (COO)

Reviewer avatar

M. Shahbaz Nawaz

Senior Backend Engineer

Reviewer avatar

Ms. Sumyia Yaseen

Senior Mobile App Developer

Reviewer avatar

Abbas Ali Akhtar

Frontend Developer

Reviewer avatar

Zafar Iqbal

Senior Digital Marketing Specialist

Reviewer avatar

Ms. Sehrish Mukhtar

Web and Graphics Designer

Reviewer avatar

Muhammad Shah Nawaz

QA Engineer - Associate

Effective Date: Date Covered Entity first accesses or uses the Service
Last Updated: March 05, 2026

Recitals

This Business Associate Agreement ("Agreement" or "BAA") is entered into by and between the healthcare provider or healthcare organization that registers for or uses the DocuMed AI Service (the "Covered Entity") and DocuMed AI LLC, a Missouri limited liability company with its principal place of business at 1528 Woodroyal East Dr, Chesterfield, MO 63017 (the "Business Associate").

WHEREAS, Covered Entity is a "Covered Entity" as defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191("HIPAA"), and the regulations promulgated there under, including the Standards for Privacy of Individually Identifiable Health Information (the"Privacy Rule") at 45 CFR Parts 160 and 164, and the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") at 45 CFR Parts 160 and 164; and

WHEREAS, Business Associate provides AI-powered medical scribe services, clinical documentation automation, transcription, coding assistance, and related technology services to Covered Entity through its platform accessible via web application and mobile application (the "Service"); and

WHEREAS, in the course of providing the Service, Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity; and

WHEREAS, the parties wish to establish the terms and conditions under which Business Associate will handle PHI in compliance with HIPAA, the HITECH Act (Title XIII of the American Recovery and Reinvestment Act of 2009), the Omnibus Final Rule, and all applicable implementing regulations (collectively, the "HIPAA Rules");

NOW,THEREFORE, in consideration of the mutual promises and obligations set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. Definitions

All capitalized terms used in this Agreement and not otherwise defined herein shall have the meanings assigned to them under the HIPAA Rules, including but not limited to 45 CFR 160.103 and 164.501. The following terms shall have the meanings set forth below:

2. Purpose and Scope

2.1 Purpose

The purpose of this Agreement is to establish the terms and conditions under which Business Associate may create, receive, maintain, use, or disclose PHI in connection with the Service provided to Covered Entity, and to ensure compliance with the HIPAA Rules.

2.2 Scope of Services

BusinessAssociate provides the following services that involve the creation, receipt,maintenance, or transmission of PHI on behalf of Covered Entity:

2.3 Applicability

This Agreement applies to all PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in the performance of the Service. This Agreement supplements and is incorporated into the Terms and Conditions of Service between the parties.

2.4 Clinical Responsibility

Covered Entity acknowledges that the Service provides transcription, documentation assistance, and AI-generated suggestions, and that Covered Entity remains solely responsible for reviewing, editing, approving, and ensuring the accuracy and completeness of all clinical documentation and medical decision-making. Business Associate does not provide medical advice and does not practice medicine.

3. Obligations of Business Associate

3.1 Permitted Uses and Disclosures

Business Associate agrees to use and disclose PHI only as follows:

Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted under this Agreement.

3.2 Safeguards

Business Associate agrees to implement and maintain appropriate administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45CFR Part 164, Subpart C) to protect the confidentiality, integrity, and availability of ePHI. These safeguards include but are not limited to:

3.3 Minimum Necessary Standard

Business Associate agrees to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR 164.502(b) and 164.514(d).

3.4 Reporting Obligations

Business Associate agrees to report to Covered Entity the following:

3.5 Mitigation

In the event of a use or disclosure of PHI in violation of this Agreement, or a Breach of Unsecured PHI, Business Associate agrees to take prompt and reasonable steps to mitigate, to the extent practicable, any harmful effects ofsuch use, disclosure, or Breach that are known to Business Associate. Business Associate shall cooperate with Covered Entity in the investigation and resolution of any Breach.

3.6 Subcontractors

Business Associate agrees that it shall not disclose PHI to any Subcontractor without first entering into a written agreement with such Subcontractor that contains substantially the same restrictions, conditions, and requirements as those set forth in this Agreement with respect to PHI, as required by 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2). Business Associate shall ensure that each Subcontractor agrees to implement reasonable and appropriate safeguards to protect PHI. Business Associate remains responsible for the acts or omissions of its Subcontractors that result in a violation of this Agreement.

Business Associate shall maintain an up-to-date list of Subcontractors that have accessto PHI and shall make this list available to Covered Entity upon reasonable written request. Nothing in this section shall limit Business Associate's rightto seek indemnification, contribution, or other recourse against any Subcontractor for losses arising from that Subcontractor's acts or omissions.

Business Associate shall provide such Subcontractor list no more than once annually unless otherwise required by applicable law or requested in connection with a documented Security Incidentor Breach.

3.7 Access to PHI

Business Associate agrees to make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the requirements of 45 CFR 164.524. Business Associate shall respond to any such request within thirty (30) days of receipt of the request, unless a longer period is permitted under applicable law. If PHI is maintained in electronic form, Business Associate shall provide such information in the electronic form and format requested by the Individual, if it is readily producible in such form and format, or in a readable electronic form and format as agreed to by the parties.

3.8 Amendment of PHI

Business Associate agrees to make PHI in a Designated Record Set available to Covered Entity for amendment and to incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 CFR 164.526. Business Associate shall complete such amendments within thirty (30) days of receipt of the request, unless a longer period is permitted under applicable law.

3.9 Accounting of Disclosures

Business Associate agrees to document disclosures of PHI only to the extent required under 45 CFR 164.528, and to make such information available to Covered Entity or an Individual as necessary for Covered Entity to comply with the HIPAARules. Business Associate agrees to document and make available to Covered Entity or an Individual the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528. Business Associate shall maintain records of all disclosures of PHI for a minimum of six (6) years from the date of the disclosure. Business Associate shall provide the requested accounting within thirty (30) days of a request.

3.10 HHS Access

Business Associate agrees to make its internal practices, books, and records relating tothe use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's and Business Associate's compliance with the HIPAA Rules. This obligation shall survive the termination of this Agreement.

3.11 Prohibition on Sale of PHI

Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except as permitted under 45 CFR 164.502(a)(5)(ii). Business Associate does not sell, license, or otherwise monetize PHI or data derived from PHI.

3.12 AI Training Restrictions

Business Associate shall not use identifiable PHI to train, develop, or improve its artificial intelligence models, algorithms, or machine learning systems without the prior, express, written consent of Covered Entity. Any use of de-identified data for such purposes shall comply strictly with the HIPAA de-identification standards set forth in 45 CFR 164.514(a) and (b), using either the Safe Harbor method or Expert Determination method.

Notwithstanding the foregoing, Business Associate may use de-identified and/or aggregated information derived from PHI, in compliance with 45 CFR 164.514, for purposes of improving the Service, enhancing performance, developing analytics, quality improvement, security monitoring, and internal product development, provided that such information does not identify Covered Entity or any Individual.

4. Obligations of Covered Entity

4.1 Notice of Privacy Practices

To the extent that Covered Entity maintains a Notice of Privacy Practices in accordance with 45 CFR 164.520, Covered Entity agrees to provide Business Associate with a copy of such Notice, including any limitations therein that may affect Business Associate's use or disclosure of PHI. If Covered Entity is an individual healthcare professional who does not maintain a formal Notice of Privacy Practices, Covered Entity shall notify Business Associate of any specific restrictions or limitations on the use or disclosure of PHI that Business Associate should observe.

4.2 Changes in Authorization

Covered Entity agrees to notify Business Associate promptly of any changes in, or revocation of, the authorization provided by an Individual pursuant to 45 CFR164.508 concerning the use or disclosure of PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

4.3 Restrictions on Use or Disclosure

Covered Entity agrees to notify Business Associate of any restrictions on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 CFR 164.522, to the extent that such restrictions may affect Business Associate's use or disclosure of PHI.

4.4 Patient Consent for Recording

Covered Entity acknowledges and agrees that it is solely responsible for obtaining all necessary patient consents and authorizations required by applicable federal, state, and local laws before using the Service to record clinical encounters. This includes compliance with two-party consent states and any state-specific laws governing audio recording of medical encounters. Business Associate is not responsible for ensuring patient consent for recordings.

4.5 General Legal Compliance

Covered Entity is solely responsible for ensuring that its use of the Service complies with all applicable federal, state, and local laws, regulations, and professional standards, including but not limited to HIPAA, state privacy laws, medical practice acts, and any applicable recording consent statutes. Business Associate shall not be liable for any claims, penalties, or damages arising from Covered Entity's failure to comply with such laws and regulations in connection with its use of the Service.

4.6 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as expressly permitted under Section 3.1 of this Agreement.

5. Data Ownership and Retention

5.1 Data Ownership

All PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, remains the sole property of Covered Entity. Business Associate acquires no rights to PHI other than those expressly granted in this Agreement.

Notwithstanding the foregoing, Business Associate retains all rights, title, and interest in and to theService, including its software, platform, user interface, templates,workflows, system architecture, algorithms, and all intellectual property, trade secrets, and know-how associated therewith, except to the extent such materials constitute PHI.

5.2 Data Retention

Business Associate shall retain PHI only for as long as necessary to fulfill its obligations under this Agreement and the Terms and Conditions of Service, or as Required by Law. Business Associate shall maintain PHI in a secure environment throughout the retention period.

5.3 Data Export

Covered Entity may export its clinical documentation from the Service at any time during the term of this Agreement through the copy/export functionality provided within the Service.

6. Term and Termination

6.1 Term

This Agreement shall be effective as of the date Covered Entity first accesses or uses the Service (the "Effective Date") and shall remain in effect for the duration of Covered Entity's use of the Service, unless earlier terminated as provided herein.

6.2 Termination for Cause

Either party may terminate this Agreement if the other party materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) calendar days after receiving written notice specifying the nature of the breach. If the breach is not reasonably capable of cure, the non-breaching party may terminate this Agreement immediately upon written notice.

6.3 Termination for Regulatory Changes

Either party may terminate this Agreement upon thirty (30) days' written notice if changes to HIPAA or other applicable law materially alter the obligations of the parties and the parties are unable to agree on amended terms within that period.

6.4 Effect of Termination

Upon termination of this Agreement for any reason, Business Associate shall:

6.5 Survival

The obligations of Business Associate under Section 6.4 shall survive the termination of this Agreement. Additionally, Sections 1, 3.9, 3.10, 5.1, 7, and8 shall survive termination.

7. Indemnification and Liability

7.1 Indemnification by Business Associate

7.2 Limitation of Liability

Except for liability arising from willful misconduct or fraud, in no event shall either party’s total aggregate liability arising out of or relating to this agreement exceed the total amount of fees paid by covered entity to business associate for the service during the twelve(12) months preceding the event giving rise to the claim. In no event shall either party be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits or revenue, even if advised of the possibility of such damages.

7.3 Cooperation

In the event of any Breach, each party shall cooperate in good faith with the other party to investigate, remediate, and resolve the Breach, and to comply with all applicable notification requirements.

8. General Provisions

8.1 Amendment

This Agreement may be amended only by a written instrument signed by both parties. The parties agree to negotiate in good faith to amend this Agreement to comply with any changes to the HIPAA Rules or other applicable law that affect the obligations of the parties.

8.2 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Missouri, without regard to conflict of laws principles. To the extent that any provision of this Agreement conflicts with the HIPAA Rules, the HIPAA Rules shall control.

8.3 Severability

If any provision of this Agreement is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the intent of the parties.

8.4 No Third-Party Beneficiaries

Nothing in this Agreement shall confer upon any person or entity not a party to this Agreement any rights, remedies, obligations, or liabilities whatsoever, except that an Individual shall be deemed a third-party beneficiary to the extent necessary to enforce their rights under the HIPAA Rules.

8.5 Entire Agreement

This Agreement, together with the Terms and Conditions of Service and the Privacy Policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, and communications, whether written or oral, relating to the handling of PHI.

8.6 Notices

All notices required or permitted under this Agreement shall be in writing and shall be deemed given when: (a) delivered personally; (b) sent by certified mail, return receipt requested; or (c) sent by email to the recipient email address listed below (or on file during account registration), in which case notice shall be deemed given upon transmission. Notices shall be addressed as follows:

To Business Associate: DocuMed AI LLC 1528 Woodroyal East Dr, Chesterfield, MO 63017
Email: support@documedai.com
Phone:(+1) 314-568-5619

To Covered Entity: At the address and email provided during account registration.

8.7 Waiver

The failure of either party to enforce any provision of this Agreement shall not constitute a waiver of that party's right to enforce that provision or any other provision in the future.

8.8 Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits both parties to comply with the HIPAA Rules. In the event of a conflict between this Agreement and the HIPAA Rules, the HIPAA Rules shall prevail. References to sections of the HIPAA Rules shall mean those sections as in effect or as amended from time to time.

8.9 Electronic Acceptance

Covered Entity acknowledges and agrees that acceptance of this Agreement may be made electronically at the time of account registration for the Service. Such electronic acceptance shall have the same legal force and effect as a handwritten signature.

9. Signatures

IN WITNESS WHEREOF, the parties hereto have executed this Business Associate Agreement as of the Effective Date.

COVERED ENTITY

________________________________________
Authorized Signature

________________________________________
Printed Name

________________________________________
Title

________________________________________
Organization Name

________________________________________
Date


BUSINESS ASSOCIATE — DOCUMED AI LLC

________________________________________
Authorized Signature

________________________________________
Printed Name

________________________________________
Title

________________________________________
Date