MediMic.Ai

Business Associate Agreements (BAA)

Updated June 2026

What Is a BAA?

A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA (the Health Insurance Portability and Accountability Act) whenever a healthcare organization — called a Covered Entity — shares Protected Health Information (PHI) with a vendor or service provider — called a Business Associate.

Because MediMic processes spoken and written PHI (patient speech, translations, transcripts), MediMic is a Business Associate under HIPAA. You are a Covered Entity (or a Business Associate of one) if you use MediMic in a clinical setting.

The BAA is not optional. If you use MediMic to process PHI without a signed BAA, both you and MediMic are in violation of HIPAA.


Who Needs a BAA with MediMic?

You need a BAA with MediMic if you are:

  • A physician, nurse, therapist, or other clinical provider using MediMic with real patients
  • A clinic, hospital, or health system deploying MediMic for staff
  • A healthcare IT vendor or intermediary that uses MediMic's API to process PHI on behalf of a Covered Entity
  • A Business Associate of a Covered Entity who processes PHI through MediMic

You do NOT need a BAA if:

  • You are only evaluating MediMic with synthetic/test data (no real patient PHI)
  • You are using MediMic in a purely non-clinical context (e.g., general translation between non-patients)

Getting a BAA with MediMic

Individual & Team Plans

Individual and Team plan subscribers receive a standard click-through BAA. To execute it:

  1. Sign in at portal.medimic.ai.
  2. Go to Billing → Compliance → Business Associate Agreement.
  3. Review the BAA terms.
  4. Click I Agree and Sign — this constitutes your electronic signature.
  5. Download the executed BAA PDF for your records.

The click-through BAA satisfies the business associate contract requirements of 45 CFR §164.504(e). Its terms are standard and are not negotiable on these plans.

Enterprise Plans

Enterprise customers receive a negotiated BAA reviewed and signed by both parties. The process:

  1. Contact [email protected] or your dedicated account manager.
  2. We'll send a draft BAA for your legal team to review.
  3. Agreed changes are incorporated.
  4. Both parties sign (electronic signatures accepted).
  5. Fully executed copies are exchanged.

Enterprise BAA review typically takes 5–10 business days.


What the MediMic BAA Covers

The MediMic BAA includes all elements required by 45 CFR §164.504(e)(2):

Requirement                                  | MediMic BAA coverage
---------------------------------------------|--------------------------------------------------------------------
Permitted uses and disclosures of PHI        | Defined: service provision, operations, and legal requirements only
Prohibition on unauthorized use              | Explicit prohibition on use beyond the stated purposes
Safeguards obligation                        | MediMic's security commitments, including E2E encryption
Subcontractor BAA requirement                | MediMic's obligations with its own vendors (Azure, Stripe, etc.)
PHI access for individual rights             | Support for patient access requests
Breach notification                          | Notification to you no later than 60 days after discovery of a breach of unsecured PHI (the ceiling set by 45 CFR §164.410)
Return or destruction of PHI at termination  | Data deletion or export at contract end
HITECH compliance                            | Covers the updated obligations introduced by the HITECH Act

Subcontractors

MediMic itself uses a small number of sub-processors that may touch PHI:

Vendor           | Role                                              | BAA in place?
-----------------|---------------------------------------------------|----------------------------------------
Microsoft Azure  | Cloud infrastructure, database hosting            | Yes (covered by the Microsoft HIPAA BAA)
Stripe           | Payment processing (billing data only, no PHI)    | N/A (no PHI processed)

MediMic does not share session content or transcripts with any advertising, analytics, or third-party AI training services.


BAA and the Free Trial

The Free Trial plan does not include a BAA. Free Trial access is for evaluation purposes using only synthetic or test data. Do not use the Free Trial plan to process real patient PHI.

If you are evaluating MediMic for a production clinical deployment, contact [email protected] to arrange a paid pilot with BAA coverage.


Frequently Asked Questions

We are a covered entity. Is MediMic's BAA legally sufficient? Yes. The MediMic BAA covers all required elements under 45 CFR §164.504(e)(2) and includes HITECH Act updates. It has been reviewed by HIPAA compliance counsel.

We are a Business Associate of a hospital. Do we need a BAA with MediMic? Yes. A Business Associate that engages a subcontractor to handle PHI must obtain the same satisfactory assurances from that subcontractor, in the form of a BAA (45 CFR §164.502(e)(1)(ii)). Your organization would be the upstream Business Associate and MediMic would be your subcontractor Business Associate (a "sub-BA").

Can we negotiate custom BAA terms? Enterprise customers can negotiate custom terms. Individual and Team plan customers receive the standard BAA, which covers all HIPAA requirements without modification.

What happens to PHI if we cancel our subscription? The BAA remains in effect for as long as MediMic retains your PHI. At the end of the retention period the PHI is securely deleted. You may also request deletion before that period ends by contacting [email protected].

Does the BAA cover our entire organization automatically? Yes. The BAA covers all users under your Organization account. If you create sub-organizations (Enterprise plan), they are all covered under the same BAA umbrella.
