For Organizations

Get your team on TryCaSIE

Organizations and group practices that handle protected health information need a Business Associate Agreement before their team can use TryCaSIE. Review the agreement below and accept it electronically during onboarding.

How it works

Getting your organization started takes just a few minutes.

1. Review the BAA

Read the full Business Associate Agreement below. It covers how TryCaSIE protects PHI and your obligations as a covered entity.

2. Create an account

Sign up on TryCaSIE and select your professional role. Clinical roles are automatically prompted to accept the BAA.

3. Accept as your organization

During onboarding, choose 'Organization' as the signing type and enter your organization's name. Confirm you have authority to bind the organization.

4. Your team is covered

Once accepted, the BAA covers all PHI handled through TryCaSIE on behalf of your organization.

Business Associate Agreement

Review the full agreement below. You will accept it electronically as part of onboarding after creating your account.

BUSINESS ASSOCIATE AGREEMENT

Version 2.0 — Effective March 2026

This Business Associate Agreement ("BAA") is entered into by and between the undersigned Covered Entity (or authorized representative of the Covered Entity) ("Covered Entity" or "You") and TryCaSIE, Inc. ("Business Associate" or "TryCaSIE"), collectively referred to as the "Parties."

This BAA is effective as of the date of electronic acceptance through the TryCaSIE platform and governs the use and protection of Protected Health Information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity in connection with the Services.

By accepting this BAA through the TryCaSIE platform, You acknowledge that electronic acceptance constitutes a binding agreement with the same legal force and effect as a handwritten signature, pursuant to the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.) and applicable state Uniform Electronic Transactions Acts.


1. DEFINITIONS

Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164), as amended from time to time.

"Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule which compromises the security or privacy of such information, as defined in 45 CFR 164.402.

"Business Associate" shall have the same meaning as the term "business associate" in 45 CFR 160.103.

"Covered Entity" shall have the same meaning as the term "covered entity" in 45 CFR 160.103.

"Designated Record Set" means a group of records maintained by or for a Covered Entity, as defined in 45 CFR 164.501.

"Electronic Protected Health Information" or "ePHI" means Protected Health Information that is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103.

"HIPAA Rules" collectively means the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and the implementing regulations at 45 CFR Parts 160 and 164, including the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule, as amended from time to time.

"Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

"Protected Health Information" or "PHI" means any information, whether oral or recorded in any form or medium, that (i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (ii) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, as defined in 45 CFR 160.103.

"Secretary" means the Secretary of the U.S. Department of Health and Human Services or the Secretary's designee.

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304.

"Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 164, Subpart C.

"Services" means the case note management, audio transcription, AI-assisted note structuring, and related services provided by Business Associate to Covered Entity through the TryCaSIE platform, as described in Section 2.

"Subcontractor" means a person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of Business Associate.

"Unsecured PHI" means Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary, as defined in 45 CFR 164.402.


2. SERVICES DESCRIPTION

Business Associate provides the following Services to Covered Entity through the TryCaSIE platform:

(a) Case note creation, editing, and management for human services professionals, including typed and voice-recorded input.

(b) Audio transcription using enterprise speech-to-text services. Audio is processed in transit and is not permanently stored by the transcription service. No audio data is retained after transcription is complete.

(c) AI-assisted note structuring using enterprise AI services. Note content is processed in transit to generate structured output. No data is retained by the AI service, and no data is used for model training or improvement.

(d) Encrypted storage of case notes and associated metadata in a HIPAA-eligible managed database service.

(e) Analytics, audit logging, and account management functions necessary to support the Services.


3. OBLIGATIONS OF BUSINESS ASSOCIATE

Business Associate agrees to:

(a) Not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.

(b) Use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 CFR Part 164 (the Security Rule) with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA. These safeguards include, but are not limited to:

  - Encryption at rest (AES-256) for all stored data
  - TLS encryption for all data in transit
  - Network isolation via private virtual network with no public database access
  - Secrets management via a dedicated vault service accessible only through private endpoints
  - Role-based access controls
  - Immutable audit logging of all access to and modifications of PHI

(c) Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410, and any Security Incident of which it becomes aware.

Notification of a Breach shall be made without unreasonable delay, and in no event more than seventy-two (72) hours after Business Associate's discovery of the Breach. Such notification shall include, to the extent known: (i) the nature of the Breach, including the types of PHI involved; (ii) the individuals whose PHI was or is believed to have been involved; (iii) the date of the Breach and the date of its discovery; (iv) a description of what Business Associate is doing to investigate, mitigate, and prevent future Breaches; and (v) contact information for Covered Entity to direct questions.

For purposes of this Section, "Unsuccessful Security Incidents" mean, without limitation, pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, acquisition, use, or disclosure of PHI. Notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given.

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA, as further described in Section 5.

(e) Make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524, as further described in Section 7.

(f) Make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526, as further described in Section 7.

(g) Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528, as further described in Section 7.

(h) To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164 (the Privacy Rule), comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.

(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

(j) Make reasonable efforts to use, disclose, and request only the minimum necessary PHI to accomplish the intended purpose of such use, disclosure, or request, in accordance with 45 CFR 164.502(b).

(k) Not use or disclose PHI for marketing or advertising purposes, nor sell PHI, as those terms are defined in the HIPAA Rules.

(l) Maintain an audit trail of all access to and modifications of PHI within the platform. Audit records shall be retained for a minimum of six (6) years in accordance with HIPAA documentation requirements.

(m) Implement a data protection policy under which notes are never permanently deleted ("soft deletes") during the applicable retention period, ensuring recoverability and compliance with record retention requirements.


4. PERMITTED USES AND DISCLOSURES

(a) Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this BAA and the Terms of Service, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.

(b) Business Associate may use or disclose PHI as Required by Law.

(c) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosure may occur only if: (i) Required by Law; or (ii) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the person notifies Business Associate of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.

(d) Business Associate shall not use or disclose PHI for any purpose other than the purposes expressly permitted or required by this BAA.

(e) If Business Associate de-identifies PHI in accordance with 45 CFR 164.514, such de-identified information is no longer PHI and is not subject to the terms of this BAA.


5. SUBCONTRACTORS

(a) Business Associate uses Microsoft Azure as its primary infrastructure Subcontractor. Business Associate has executed a Business Associate Agreement with Microsoft Corporation covering all HIPAA-eligible Azure services in General Availability that are used to provide the Services, including managed database, AI, speech transcription, secrets management, and compute services.

(b) Business Associate shall require all Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate to agree in writing to the same or more stringent restrictions and conditions that apply to Business Associate under this BAA, to appropriately safeguard the PHI, and to comply with the applicable requirements of the Security Rule.

(c) Business Associate remains responsible for its Subcontractors' compliance with obligations under this BAA.

(d) Business Associate shall notify Covered Entity of any material change to its Subcontractors that process PHI. A current summary of infrastructure Subcontractors is maintained on the TryCaSIE Trust & Security page.


6. COVERED ENTITY RESPONSIBILITIES

(a) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, unless such use or disclosure is expressly permitted for a Business Associate under the HIPAA Rules.

(b) Covered Entity is responsible for obtaining any necessary consents, authorizations, or permissions from individuals whose PHI will be created, received, maintained, or transmitted through the Services.

(c) Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

(d) Covered Entity is responsible for determining that its use of the Services is appropriate under its own HIPAA compliance program and organizational policies. If signing on behalf of an organization, the signer represents that they have the authority to bind the organization to the terms of this BAA.

(e) Covered Entity shall use reasonable safeguards to protect its account credentials and prevent unauthorized access to the platform, including using strong passwords and not sharing account credentials.

(f) Covered Entity shall not include PHI in support communications (email, chat, or feedback submissions) directed to Business Associate outside of the platform, unless Business Associate provides a secure mechanism for such communications.


7. INDIVIDUAL RIGHTS

(a) Access. Business Associate shall, within fifteen (15) business days of a request from Covered Entity, make available PHI in a Designated Record Set to Covered Entity for purposes of satisfying Covered Entity's obligations under 45 CFR 164.524 (Right of Access).

(b) Amendment. Business Associate shall, within fifteen (15) business days of a request from Covered Entity, make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set for purposes of satisfying Covered Entity's obligations under 45 CFR 164.526 (Right to Amendment).

(c) Accounting of Disclosures. Business Associate shall, within thirty (30) days of a request from Covered Entity, make available to Covered Entity such information as is required for Covered Entity to provide an accounting of disclosures in accordance with 45 CFR 164.528.


8. DATA RETENTION AND DESTRUCTION

(a) Business Associate shall retain PHI for as long as Covered Entity maintains an active account on the platform.

(b) Notes that are deleted by Covered Entity within the platform are soft-deleted (marked as deleted but retained) in accordance with Business Associate's data protection policy. Soft-deleted data remains recoverable during the applicable retention period.

(c) Audit logs recording all access to and modifications of PHI are retained for a minimum of six (6) years from the date of creation, in accordance with HIPAA documentation retention requirements (45 CFR 164.316(b)(2)(i) and 164.530(j)(2)).

(d) Business Associate maintains geo-redundant backups with a thirty-five (35) day point-in-time recovery window to ensure data availability and disaster recovery.

(e) Upon termination of this BAA, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, in accordance with Section 9(e). If return or destruction is not feasible (for example, PHI contained in backups or audit logs subject to retention requirements), Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible for the duration of the retention.


9. TERM AND TERMINATION

(a) This BAA shall be effective as of the date of electronic acceptance through the TryCaSIE platform.

(b) This BAA shall remain in effect for as long as Covered Entity maintains an active account on the platform, unless earlier terminated as provided herein, or until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

(c) Either Party may terminate this BAA upon written notice if the other Party is in material breach of any obligation under this BAA. The non-breaching Party shall provide the breaching Party with thirty (30) calendar days from receipt of notice to cure the breach. If the breach is not cured within such period, the non-breaching Party may immediately terminate this BAA.

(d) Either Party may immediately terminate this BAA if the breach is of a nature that cannot reasonably be cured.

(e) Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall complete such return or destruction within sixty (60) days of termination. If return or destruction is not feasible, the provisions of Section 8(e) shall apply.

(f) The obligations of Business Associate under Sections 3, 5, 8, and this Section 9 shall survive the termination of this BAA with respect to any PHI retained by Business Associate.


10. DATA PROTECTION COMMITMENT

Regardless of who accepted this agreement, Business Associate shall treat all data stored within the platform as Protected Health Information (PHI) and shall apply HIPAA-compliant administrative, physical, and technical safeguards to protect such data. This commitment applies uniformly to all users and accounts, ensuring a consistent standard of protection across the entire platform.


11. GOVERNING LAW

(a) This BAA shall be interpreted consistently with the Parties' intent to comply with the HIPAA Rules.

(b) This BAA shall be governed by and construed in accordance with applicable federal law, including the HIPAA Rules. To the extent that state law applies, the laws of the State of Delaware shall govern without regard to its conflict of laws principles.


12. ELECTRONIC ACCEPTANCE

(a) Acceptance of this BAA through the TryCaSIE platform constitutes a valid and binding agreement between the Parties. Electronic acceptance has the same legal force and effect as a handwritten signature pursuant to the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.) and applicable state Uniform Electronic Transactions Acts.

(b) Business Associate maintains a record of each acceptance, including the date and time of acceptance, the identity of the accepting party, the signing type (individual or organization), and the organization name if applicable. This record is retained in the platform's audit log.


13. MISCELLANEOUS

(a) Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the HIPAA Rules. No amendment to this BAA shall be effective unless agreed to in writing by both Parties or accepted electronically through the platform.

(b) Entire Agreement. This BAA, together with the Terms of Service, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, whether written or oral, relating to such subject matter.

(c) Severability. In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, and shall be enforced to the greatest extent permitted by law.

(d) No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

(e) No Agency Relationship. Nothing in this BAA shall be construed to create an agency, partnership, joint venture, or employment relationship between the Parties. Neither Party is an agent of the other, and neither Party has the authority to bind the other.

(f) Survival. The respective rights and obligations of Business Associate under Sections 3, 5, 7, 8, 10, and this Section 13 shall survive the termination of this BAA.

(g) Notices. Any notices required or permitted under this BAA shall be delivered to the email addresses on file for each Party within the platform. Covered Entity is responsible for keeping its contact information current.

(h) Waiver. The failure of either Party to enforce any provision of this BAA shall not constitute a waiver of that Party's right to enforce that provision or any other provision in the future. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.

(i) Interpretation. Any captions or headings in this BAA are for the convenience of the Parties and shall not affect the interpretation of this BAA. The term "including" means "including without limitation."


Version 2.0 — TryCaSIE, Inc.

This agreement is also available as a downloadable PDF.

Ready to get started?

Create an account and accept the BAA electronically during onboarding. Questions? Reach out to us anytime.