HIPAA Business Associate Agreement

Business Associate Agreement

Last Updated: March 1, 2026

1. Preamble

This HIPAA Business Associate Agreement ("Agreement" or "BAA") is entered into by and between the entity or individual who has accepted the Mediyn Terms of Service or executed a subscription agreement with Mediyn, Inc. ("Covered Entity"), and Mediyn, Inc., a Delaware corporation ("Business Associate" or "Mediyn"), collectively referred to as the "Parties."

This Agreement supplements, and is made a part of, the Terms of Service (the "Service Agreement") between the Parties. This Agreement is intended to ensure that the Business Associate will establish and implement appropriate safeguards for the protection of Protected Health Information ("PHI") that the Business Associate may create, receive, maintain, or transmit on behalf of the Covered Entity in the course of performing services under the Service Agreement.

This Agreement shall be effective as of the date the Covered Entity accepts the Terms of Service, creates an account on the Mediyn platform, or executes a subscription agreement with Mediyn, whichever occurs first (the "Effective Date").

2. Definitions

The following terms shall have the meanings set forth below for purposes of this Agreement. All capitalized terms used but not otherwise defined in this Agreement shall have the meanings ascribed to them under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 CFR Parts 160 and 164, as amended from time to time.

2.1 Business Associate

"Business Associate" shall have the meaning given to such term under 45 CFR 160.103, and in reference to this Agreement shall mean Mediyn, Inc.

2.2 Covered Entity

"Covered Entity" shall have the meaning given to such term under 45 CFR 160.103, and in reference to this Agreement shall mean the customer (therapist, clinician, practice, or organization) that has entered into a Service Agreement with Mediyn.

2.3 Protected Health Information (PHI)

"Protected Health Information" or "PHI" shall have the meaning given to such term under 45 CFR 160.103, and shall include, without limitation, individually identifiable health information that is created, received, maintained, or transmitted by the Business Associate on behalf of the Covered Entity.

2.4 Electronic Protected Health Information (ePHI)

"Electronic Protected Health Information" or "ePHI" shall have the meaning given to such term under 45 CFR 160.103 and shall refer to PHI that is transmitted or maintained in electronic media.

2.5 Designated Record Set

"Designated Record Set" shall have the meaning given to such term under 45 CFR 164.501, and shall include the medical records, billing records, and any other records used by Covered Entity to make decisions about Individuals that are maintained by Business Associate on behalf of Covered Entity.

2.6 Breach

"Breach" shall have the meaning given to such term under 45 CFR 164.402, and shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. The term "Breach" excludes the exceptions set forth in 45 CFR 164.402(1).

2.7 Security Incident

"Security Incident" shall have the meaning given to such term under 45 CFR 164.304, and shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

2.8 Unsecured PHI

"Unsecured PHI" shall have the meaning given to such term under 45 CFR 164.402, and shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS in guidance issued under 42 U.S.C. 17932(h)(2).

2.9 Required by Law

"Required by Law" shall have the meaning given to such term under 45 CFR 164.103.

2.10 Secretary

"Secretary" shall mean the Secretary of the United States Department of Health and Human Services ("HHS") or the Secretary's designee.

2.11 Individual

"Individual" shall have the meaning given to such term under 45 CFR 160.103, and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). For purposes of this Agreement, "Individual" refers to the patient whose PHI is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

2.12 Subcontractor

"Subcontractor" shall have the meaning given to such term under 45 CFR 160.103, and shall mean a person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of Business Associate.

3. Obligations of Business Associate

3.1 Limitations on Use and Disclosure

Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the Service Agreement, or as Required by Law. Business Associate shall comply with the minimum necessary standard as set forth in 45 CFR 164.502(b) and 164.514(d) when using, disclosing, or requesting PHI.

3.2 Appropriate Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). Such safeguards shall include, but not be limited to:

  • On-device PHI processing and de-identification (patent-pending), which ensures that raw audio recordings from therapy sessions are processed locally on the clinician's device and that PHI is redacted before any data is transmitted to Mediyn's servers
  • Encryption of ePHI at rest using AES-256 encryption and in transit using TLS 1.3
  • Role-based access controls with automatic session timeouts to prevent unauthorized access
  • Immutable audit trails that log all access to, creation of, modification of, and deletion of PHI
  • Regular workforce training on HIPAA compliance and security best practices

For a comprehensive description of Mediyn's security measures, please refer to Section 9 of this Agreement and Mediyn's Security & Trust Center.

3.3 Breach and Security Incident Reporting

Business Associate shall report to Covered Entity any Breach of Unsecured PHI or any Security Incident of which Business Associate becomes aware. Such report shall be made without unreasonable delay and in no event later than five (5) business days after discovery of the Breach or Security Incident. Reporting obligations are described in further detail in Section 8 of this Agreement.

3.4 Subcontractor Obligations (Flow-Down Provisions)

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions, and requirements that apply to the Business Associate under this Agreement with respect to such PHI. Business Associate shall enter into a written agreement with each Subcontractor that complies with 45 CFR 164.504(e) and, to the extent applicable, 45 CFR 164.314(a). Business Associate shall remain responsible for the acts and omissions of its Subcontractors as if such acts or omissions were those of the Business Associate.

3.5 Access to PHI

Business Associate shall make PHI maintained in a Designated Record Set available to the Covered Entity as necessary to satisfy the Covered Entity's obligations under 45 CFR 164.524 (Individual's right of access). Business Associate shall respond to any such request from the Covered Entity within ten (10) business days. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days.

3.6 Amendment of PHI

Business Associate shall make PHI maintained in a Designated Record Set available to the Covered Entity for amendment and shall incorporate any amendments to PHI as directed by the Covered Entity, in accordance with 45 CFR 164.526. Business Associate shall respond to any such amendment request from the Covered Entity within fifteen (15) business days.

3.7 Accounting of Disclosures

Business Associate shall make available to the Covered Entity the information required for the Covered Entity to provide an accounting of disclosures in accordance with 45 CFR 164.528. Business Associate shall provide such information within thirty (30) days of a request from the Covered Entity. Business Associate shall maintain records of disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures for a period of six (6) years.

3.8 Governmental Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's and Business Associate's compliance with the HIPAA Rules.

3.9 HITECH Act and Omnibus Rule Compliance

Business Associate shall comply with all applicable requirements of the HITECH Act (Public Law 111-5, Title XIII), the HIPAA Omnibus Rule (78 Fed. Reg. 5566, January 25, 2013), and any subsequent amendments to the HIPAA Rules, to the extent that such requirements are applicable to business associates. Without limiting the foregoing, Business Associate acknowledges that it is directly subject to the HIPAA Security Rule, certain provisions of the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule, as required by the HITECH Act and the Omnibus Rule.

3.10 Audit Trail

Business Associate shall maintain an immutable audit trail of all access to, creation of, modification of, and deletion of PHI within the Mediyn platform. The audit trail shall include, at a minimum, the identity of the user, the date and time of access, the nature of the access (e.g., read, write, delete), and the specific data accessed. Audit logs shall be retained for a minimum of six (6) years.

4. Permitted Uses and Disclosures

4.1 Service Performance

Business Associate may use or disclose PHI as necessary to perform the services set forth in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by the Covered Entity, except as otherwise permitted in this Section 4.

4.2 Management and Administration

Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (a) such disclosures are Required by Law, or (b) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.

4.3 De-Identified Data

Business Associate may use and disclose de-identified data derived from PHI, provided that the de-identification complies with the requirements of 45 CFR 164.514(a) and (b). Business Associate may use de-identified data for product improvement, analytics, machine learning model training, research, and other lawful purposes. De-identified data is not subject to the restrictions of this Agreement. Business Associate's patent-pending de-identification engine removes or generalizes all eighteen (18) HIPAA identifiers as defined in 45 CFR 164.514(b)(2) prior to any use of data for the purposes described in this Section.

4.4 Data Aggregation

Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity, as permitted by 45 CFR 164.504(e)(2)(i)(B). All data aggregation services shall be performed using de-identified data only, in compliance with 45 CFR 164.514.

4.5 Disclosures Required by Law

Business Associate may use or disclose PHI as Required by Law, provided that the use or disclosure complies with and is limited to the relevant requirements of such law. Business Associate shall notify Covered Entity of any such required disclosure promptly and, where practicable, prior to making such disclosure.

5. Obligations of Covered Entity

5.1 Consents and Authorizations

Covered Entity shall obtain any consents, authorizations, or other permissions that may be required under applicable federal or state law prior to furnishing PHI to Business Associate. This includes, without limitation, any patient consents or authorizations required for the recording of therapy sessions, the use of AI-assisted clinical documentation tools, and the transmission of de-identified data for the purposes described in this Agreement.

5.2 Notice of Restrictions

Covered Entity shall notify Business Associate, in writing, of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI under this Agreement.

5.3 Changes to Notice of Privacy Practices

Covered Entity shall notify Business Associate, in writing, of any changes in, or revocation of, the permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI. Covered Entity shall also notify Business Associate of any amendment to, or change in, its Notice of Privacy Practices that the Covered Entity provides to Individuals in accordance with 45 CFR 164.520, to the extent that such amendment or change affects Business Associate's obligations under this Agreement.

5.4 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity, except as expressly permitted in Sections 4.2 and 4.3 of this Agreement.

6. Term and Termination

6.1 Term

This Agreement shall become effective as of the Effective Date and shall remain in effect for the duration of the Service Agreement between the Parties, unless earlier terminated as provided herein. This Agreement is co-terminous with the Service Agreement.

6.2 Termination for Material Breach

Either Party may terminate this Agreement upon thirty (30) days' prior written notice to the other Party if the other Party materially breaches any provision of this Agreement and fails to cure such breach within the thirty (30) day notice period. If the breach is not reasonably capable of cure, the non-breaching Party may terminate this Agreement immediately upon written notice to the breaching Party.

6.3 Automatic Termination

This Agreement shall automatically terminate, without further action by either Party, upon the termination or expiration of the Service Agreement between the Parties. The provisions of Sections 7 (Effect of Termination) and 11.2 (Survival) shall survive such termination.

6.4 Survival of Obligations

The obligations of Business Associate under this Agreement with respect to the protection of PHI shall survive termination of this Agreement for so long as Business Associate retains any PHI received from, or created or received by Business Associate on behalf of, the Covered Entity.

7. Effect of Termination

7.1 Return or Destruction of PHI

Upon termination of this Agreement for any reason, Business Associate shall, at the direction of the Covered Entity, return or destroy all PHI received from, or created or received by Business Associate on behalf of, the Covered Entity, within thirty (30) days of the effective date of termination. This provision shall apply to PHI that is in the possession of Business Associate or its Subcontractors. Business Associate shall not retain any copies of the PHI except as provided in Section 7.2.

7.2 Infeasibility of Return or Destruction

In the event that Business Associate determines that the return or destruction of PHI is not feasible (for example, because PHI is embedded in backup systems or archives that cannot be practicably segregated), Business Associate shall (a) provide to Covered Entity notification of the conditions that make return or destruction infeasible, (b) extend the protections of this Agreement to such PHI for as long as it is retained, and (c) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible.

7.3 Data Export

Business Associate shall provide the Covered Entity with the ability to export all PHI maintained in the Mediyn platform for a period of ninety (90) days following the effective date of termination. Data export shall be provided in a commonly used electronic format, and Business Associate shall provide reasonable assistance to Covered Entity in completing the data export. After the ninety (90) day period, Business Associate shall destroy all remaining PHI in accordance with Section 7.1, unless the exceptions in Section 7.2 apply.

7.4 Certification of Destruction

Upon request by the Covered Entity, Business Associate shall certify in writing that all PHI has been returned or destroyed in accordance with this Section 7, except as provided in Section 7.2. Such certification shall be provided within thirty (30) days of the Covered Entity's request.

8. Breach Notification

8.1 Notification Obligation

Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event later than five (5) business days after discovery of such Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which it is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is a workforce member or agent of Business Associate.

8.2 Content of Notification

The notification required under Section 8.1 shall include, to the extent known or reasonably determinable at the time of notification:

  • The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach
  • A description of the nature and circumstances of the Breach, including the date of the Breach and the date of its discovery
  • A description of the types of PHI involved in the Breach (e.g., full name, date of birth, diagnosis, treatment information, Social Security number, financial information)
  • Recommended steps that affected Individuals should take to protect themselves from potential harm resulting from the Breach
  • A description of the corrective actions taken or proposed to be taken by Business Associate to investigate the Breach, mitigate harm to affected Individuals, and protect against further Breaches

If Business Associate is unable to provide all of the information described above at the time of notification, Business Associate shall provide such information promptly as it becomes available.

8.3 Cooperation

Business Associate shall cooperate with Covered Entity in the investigation, mitigation, and remediation of any Breach and shall provide reasonable assistance to Covered Entity in connection with the Covered Entity's obligations to notify affected Individuals, the Secretary, and, if applicable, the media, in accordance with 45 CFR 164.404, 164.406, and 164.408.

8.4 Mitigation

Business Associate shall take prompt and reasonable steps to mitigate, to the extent practicable, any harmful effects of any Breach of PHI or Security Incident of which Business Associate becomes aware. Such mitigation efforts shall include, without limitation, conducting a thorough forensic investigation, remediating identified vulnerabilities, and implementing additional safeguards as necessary to prevent recurrence.

9. Security Measures

Without limiting the generality of Section 3.2, Business Associate represents and warrants that it has implemented, and shall maintain throughout the term of this Agreement, the following security measures to protect ePHI:

9.1 On-Device Processing and PHI De-Identification

Business Associate utilizes patent-pending on-device processing technology to ensure that raw audio recordings from therapy sessions are processed locally on the clinician's device. PHI is redacted and de-identified before any data is transmitted to Mediyn's servers. This approach minimizes the attack surface by ensuring that identifiable patient information is never transmitted in its raw form. Where on-device processing is not supported by the clinician's device, an encrypted fallback mechanism is used to transmit data securely for server-side processing.

9.2 Encryption

All ePHI is encrypted at rest using AES-256 encryption and in transit using TLS 1.3, in accordance with the requirements of 45 CFR 164.312(a)(2)(iv) and 164.312(e)(1). Encryption keys are managed using industry-standard key management practices.

9.3 Access Controls

Business Associate implements role-based access controls ("RBAC") that limit access to ePHI to authorized personnel on a need-to-know basis. All user sessions are subject to automatic timeouts after a period of inactivity. Multi-factor authentication ("MFA") is required for all access to systems containing ePHI.

9.4 Audit Trails

Business Associate maintains immutable audit trails that record all access to, creation of, modification of, and deletion of ePHI. Audit logs are retained for a minimum of six (6) years and are available for review by Covered Entity and the Secretary upon request.

9.5 SOC 2 Type II Compliance

Business Associate maintains SOC 2 Type II compliance, which provides independent assurance regarding the design and operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality, and privacy.

9.6 Penetration Testing

Business Associate engages qualified third-party security firms to conduct regular penetration testing of its systems and applications. Testing is performed at least annually, and identified vulnerabilities are remediated in accordance with Business Associate's vulnerability management policy.

9.7 Risk Assessments

Business Associate conducts comprehensive risk assessments at least annually, in accordance with 45 CFR 164.308(a)(1)(ii)(A), to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Risk assessment findings are documented and used to inform the Business Associate's ongoing security program.

9.8 Additional Information

For a comprehensive description of Mediyn's security architecture, certifications, and compliance posture, please visit our Security & Trust Center.

10. Amendments

10.1 Amendment to Comply with Law

The Parties acknowledge that applicable federal and state laws relating to the privacy and security of PHI may change from time to time. The Parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of HIPAA, the HITECH Act, and any other applicable law relating to the security or privacy of PHI.

10.2 Notice of Material Amendments

Business Associate shall provide Covered Entity with at least thirty (30) days' prior written notice of any material amendment to this Agreement. Such notice shall describe the nature of the amendment and the effective date. Material amendments that reduce the protections afforded to PHI under this Agreement shall not become effective with respect to a Covered Entity unless the Covered Entity affirmatively consents to such amendment.

10.3 Non-Material Amendments

Non-material amendments, including administrative or clarifying changes that do not reduce the protections afforded to PHI, may be made by Business Associate by posting the updated Agreement on the Mediyn website. Such amendments shall be effective upon posting unless a later effective date is specified.

11. Miscellaneous

11.1 Regulatory References

All terms used in this Agreement but not otherwise defined herein shall have the meanings ascribed to them under 45 CFR Parts 160 and 164, as amended from time to time. Any reference to a specific section of the HIPAA Rules shall be deemed to include any successor provisions thereto.

11.2 Survival

The respective rights and obligations of Business Associate under Sections 3 (Obligations of Business Associate), 7 (Effect of Termination), 8 (Breach Notification), and 9 (Security Measures) of this Agreement shall survive the termination or expiration of this Agreement for as long as Business Associate retains any PHI.

11.3 No Third-Party Beneficiaries

Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors and permitted assigns any rights, remedies, obligations, or liabilities whatsoever, except that Individuals whose PHI is subject to this Agreement shall be considered third-party beneficiaries to the extent required by the HIPAA Rules, including but not limited to the right to request access to, amendment of, and an accounting of disclosures of their PHI.

11.4 Governing Law

This Agreement shall be governed by and construed in accordance with federal HIPAA regulations, including the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. To the extent that any provision of this Agreement is not governed by federal HIPAA regulations, such provision shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles.

11.5 Entire Agreement

This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof (i.e., the protection of PHI) and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter. This Agreement supplements, and does not replace, the Terms of Service and the Privacy Policy between the Parties. In the event of a conflict between this Agreement and the Terms of Service or Privacy Policy with respect to the protection of PHI, this Agreement shall control.

11.6 Severability

If any provision of this Agreement is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.

11.7 Waiver

No failure or delay by either Party in exercising any right, power, or privilege under this Agreement shall operate as a waiver thereof, nor shall any single or partial exercise of any right, power, or privilege preclude the exercise of any other right, power, or privilege.

12. Electronic Acceptance

This Agreement is accepted electronically upon the Covered Entity's creation of an account on the Mediyn platform and acceptance of the Terms of Service. No physical signature is required. The Covered Entity acknowledges and agrees that electronic acceptance of this Agreement constitutes a valid and binding agreement, enforceable against the Covered Entity to the same extent as if the Covered Entity had executed a physical copy of this Agreement.

The Effective Date of this Agreement shall be the date on which the Covered Entity creates an account on the Mediyn platform or accepts the Terms of Service, whichever occurs first. Business Associate shall maintain records of the Covered Entity's electronic acceptance, including the date and time of acceptance, the IP address from which acceptance was made, and the version of this Agreement that was accepted.

13. Contact

For questions or concerns regarding this Business Associate Agreement, HIPAA compliance, or the handling of PHI by Mediyn, please contact:

Mediyn, Inc.
HIPAA Privacy Officer
Email: privacy@mediyn.com

You may also reach us through our Contact page.