Business Associate Agreement
BAA execution is available on the Enterprise tier only. The Enterprise tier deploys CommunicaAI on isolated HIPAA-eligible infrastructure with the safeguards listed below. Email [email protected] to receive the BAA PDF for counter-signature.
This Business Associate Agreement ("BAA") supplements the CommunicaAI Terms and applies whenever Customer is a Covered Entity or another Business Associate under HIPAA and uses the Services to create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of the Customer.
1. Definitions
Terms used in this BAA have the meanings given in 45 C.F.R. §§ 160.103 and 164.501, including "Covered Entity," "Business Associate," "Designated Record Set," "PHI," "Required by Law," and "Unsecured PHI."
2. Permitted uses and disclosures
CommunicaAI will use or disclose PHI only:
- To provide the Services per Customer's instructions;
- As permitted by 45 C.F.R. § 164.504(e)(2);
- To carry out our legal obligations;
- For data aggregation services related to the Services, where requested.
3. Safeguards (Enterprise tier)
- Isolated voice infrastructure (dedicated SIP, dedicated STT/TTS endpoints).
- AES-256 encryption at rest; TLS 1.2+ in transit; quarterly key rotation.
- Role-based access; mandatory MFA for our staff with PHI access.
- Audit log retention 6 years (HIPAA-aligned).
- HIPAA workforce training for any staff with PHI access; annual refresher.
- Annual third-party security assessment.
4. Subcontractors
We will obtain written assurance from each subcontractor that it agrees to the same restrictions and conditions that apply to us with respect to PHI. Current HIPAA-relevant subcontractors:
- Twilio — SIP telephony (HIPAA-eligible)
- Deepgram — STT (HIPAA BAA available)
- Anthropic / Groq — selected models with BAA where available; otherwise local inference fallback
- ElevenLabs — TTS (audio only, no PHI in metadata)
- OVH / Hetzner — hosting (HIPAA-eligible region)
5. Reporting
We will report to Customer:
- Any Security Incident (defined in 45 C.F.R. § 164.304) within 24 hours;
- Any Breach of Unsecured PHI without unreasonable delay and in any event within 5 business days of discovery (HIPAA permits up to 60 days; we commit to 5).
6. Access, amendment, accounting
- We will provide access to PHI in a Designated Record Set within 15 business days of request.
- We will incorporate amendments within 15 business days.
- We will document and provide an accounting of disclosures as required by 45 C.F.R. § 164.528.
7. Books and records
We make our internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Customer's compliance with HIPAA.
8. Termination
On termination, we return or destroy all PHI received from Customer that we still maintain in any form and retain no copies, unless return or destruction is infeasible — in which case the protections of this BAA are extended to the PHI for as long as we retain it.
9. Effect
This BAA prevails over any conflicting provision in the underlying Terms with respect to PHI.