Business Associate Agreement
Hello executes a HIPAA BAA with every healthcare practice Client before processing any Protected Health Information. As a healthcare AI voice platform, this agreement establishes our obligations under HIPAA and ensures compliant handling of patient data across all AI-powered communications.
About this Agreement: This Business Associate Agreement ("BAA") is entered into between Hello, Inc. ("Business Associate" or "Hello") and the healthcare practice Client ("Covered Entity" or "Client") that has executed a service agreement with Hello. This BAA supplements and is incorporated into the applicable service agreement and Terms of Service.
1. Definitions
Capitalized terms used in this BAA that are not otherwise defined have the meanings set forth in the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E), the HIPAA Security Rule (45 CFR Part 164, Subpart C), and the HITECH Act (42 U.S.C. § 17921 et seq.), as amended.
1.1 Protected Health Information (PHI)
"Protected Health Information" or "PHI" means individually identifiable health information, in any form or medium, that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity in connection with the Services. PHI includes information relating to the past, present, or future physical or mental health of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
1.2 Electronic Protected Health Information (ePHI)
"Electronic Protected Health Information" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic media, including call recordings, transcripts, scheduling data, and any patient information processed through the Hello AI voice agent platform.
1.3 Services
"Services" means the AI voice agent, conversation management, scheduling, payment processing, analytics, and related services provided by Business Associate to Covered Entity under the applicable service agreement.
1.4 Security Incident
"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined under 45 CFR § 164.304.
1.5 Breach
"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined under 45 CFR § 164.402. Breach excludes the exceptions set forth in 45 CFR § 164.402(1).
1.6 Subcontractor
"Subcontractor" means a person or entity to whom Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI on behalf of Covered Entity. This includes, but is not limited to, cloud infrastructure providers, telephony providers, and AI/LLM providers that process PHI.
2. Obligations of Business Associate
2.1 Use and Disclosure Limitations
Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the applicable service agreement, or as required by law. Business Associate shall use and disclose PHI only for the purposes of performing the Services and in compliance with each applicable requirement of 45 CFR Part 164.
2.2 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, including ePHI. These safeguards shall comply with the requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C).
| Safeguard Category | Measures |
|---|---|
| Administrative | Workforce training and security awareness programs; designated security and privacy officers; documented policies and procedures; regular risk assessments; sanction policy for workforce violations; contingency planning and disaster recovery procedures |
| Physical | Secure data center facilities with access controls; workstation use and security policies; device and media controls for hardware containing ePHI; visitor management at physical locations |
| Technical | Encryption at rest with post-quantum-ready key management for all stored ePHI; TLS 1.2+ encryption in transit; unique user identification and role-based access controls; multi-factor authentication for administrative access; automatic session termination; comprehensive audit logging and monitoring; intrusion detection and anomaly alerting |
2.3 Reporting
Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Security Incident or Breach. Business Associate shall report any such event promptly and in no case later than the timeframes described in Section 4: Breach Notification.
2.4 Subcontractors
Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA. Business Associate shall enter into a written agreement with each such Subcontractor that contains terms no less protective than those in this BAA, in accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2).
Business Associate shall maintain a current list of Subcontractors with access to PHI and shall make this list available to Covered Entity upon written request.
2.5 Access to PHI
Business Associate shall make PHI maintained by Business Associate or its Subcontractors available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524 (Individual Access). Business Associate shall respond to such requests within 15 business days. If PHI is maintained in a Designated Record Set, Business Associate shall provide access in the form and format requested by the individual, if readily producible, or in a mutually agreed-upon alternative format.
2.6 Amendment of PHI
Business Associate shall make PHI available for amendment and shall incorporate any amendments to PHI as directed by Covered Entity, in accordance with 45 CFR § 164.526. Business Associate shall complete amendments within 15 business days of receiving a request from Covered Entity.
2.7 Accounting of Disclosures
Business Associate shall maintain an accounting of disclosures of PHI as required by 45 CFR § 164.528 and shall make such accounting available to Covered Entity within 30 business days of a request. The accounting shall cover the six-year period preceding the request (or such shorter period as specified in the request) and shall include the date of disclosure, the name and address of the recipient, a description of the PHI disclosed, and the purpose of the disclosure.
2.8 Minimum Necessary Standard
Business Associate shall limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and § 164.514(d). Hello AI voice agents are configured to collect only the information required to fulfill the caller's request, such as scheduling an appointment, answering a question, or collecting a deposit.
2.9 Government Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining Covered Entity's compliance with HIPAA, in accordance with 45 CFR § 164.504(e)(2)(ii)(I).
3. Permitted Uses and Disclosures
3.1 Service Performance
Business Associate may use and disclose PHI as necessary to perform the Services described in the applicable service agreement, including operating AI voice agents, processing appointment bookings, facilitating payment collection, generating call transcripts, and providing analytics to Covered Entity.
3.2 Business Associate Operations
Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided that any disclosure for such purposes is required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as required by law or for the purposes for which it was disclosed, and that the recipient will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
3.3 De-identification
Business Associate may de-identify PHI in accordance with the standards set forth in 45 CFR § 164.514(a)-(c). Once properly de-identified, such information is no longer PHI and is not subject to the restrictions of this BAA. De-identification must meet either the Expert Determination method or the Safe Harbor method as defined under HIPAA.
3.4 Aggregate Data
Business Associate may use PHI to create aggregated data from which all individual identifiers have been removed, in accordance with 45 CFR § 164.514. Such aggregate data may be used by Business Associate for analytics, benchmarking, product improvement, and reporting purposes, provided that the data cannot reasonably be used to identify any individual or Covered Entity.
No sale of PHI: Business Associate shall not sell PHI or use PHI for marketing purposes without the prior written authorization of the individual and Covered Entity, as required by 45 CFR § 164.508 and the HITECH Act.
4. Breach Notification
4.1 Discovery and Timeline
Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach, in accordance with 45 CFR § 164.410. A Breach is considered "discovered" as of the first day on which it is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.
4.2 Content of Notification
The Breach notification shall include, to the extent available at the time of notification:
- The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach
- A brief description of what happened, including the date of the Breach and the date of its discovery
- A description of the types of Unsecured PHI involved in the Breach (e.g., full name, date of birth, Social Security number, diagnosis, treatment information)
- Any steps individuals should take to protect themselves from potential harm resulting from the Breach
- A brief description of what Business Associate is doing to investigate the Breach, mitigate harm to individuals, and protect against further Breaches
- Contact procedures for individuals to ask questions, including a toll-free telephone number, email address, website, or postal address
4.3 Cooperation
Business Associate shall cooperate with Covered Entity in the investigation, mitigation, and remediation of any Breach. Business Associate shall provide Covered Entity with all information and assistance reasonably necessary for Covered Entity to fulfill its own notification obligations under 45 CFR §§ 164.404, 164.406, and 164.408, including notifications to affected individuals, the Secretary of HHS, and the media (if applicable).
4.4 Mitigation
Business Associate shall take prompt corrective action to mitigate any harmful effects of a Breach, Security Incident, or unauthorized use or disclosure of PHI. Mitigation efforts may include, as appropriate:
- Containing the Breach and securing affected systems
- Conducting a thorough risk assessment to evaluate the probability that PHI has been compromised
- Implementing additional safeguards to prevent recurrence
- Providing credit monitoring or identity protection services to affected individuals, if warranted
- Documenting the Breach, investigation findings, and corrective actions taken
5. Term and Termination
5.1 Effective Date
This BAA is effective as of the date of the applicable service agreement between Business Associate and Covered Entity ("Effective Date") and shall remain in effect for the duration of the service agreement, unless terminated earlier in accordance with this section.
5.2 Termination for Cause
Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure such breach within 30 calendar days after receiving written notice specifying the nature of the breach. If cure is not reasonably possible, the non-breaching party may terminate this BAA immediately upon written notice.
If Business Associate determines that Covered Entity has materially breached this BAA, Business Associate shall provide written notice to Covered Entity. If Covered Entity does not cure the breach or end the violation within 30 calendar days, Business Associate may terminate the applicable service agreement.
5.3 Effect of Termination
Upon termination of this BAA for any reason, Business Associate shall comply with the provisions of Section 6: Return and Destruction of PHI. Termination of this BAA shall also result in termination of the applicable service agreement to the extent it involves the use or disclosure of PHI.
5.4 Survival
The obligations of Business Associate under Sections 2 (Obligations), 4 (Breach Notification), and 6 (Return and Destruction of PHI) shall survive termination of this BAA to the extent necessary to fulfill the purposes described in each section.
6. Return and Destruction of PHI
6.1 Timeline
Within 60 calendar days following termination of this BAA or the applicable service agreement, Business Associate shall return to Covered Entity or destroy all PHI in its possession or in the possession of its Subcontractors, including all copies in any form or medium.
6.2 Destruction Methods
When destruction is elected or directed, Business Associate shall destroy PHI using methods consistent with NIST Special Publication 800-88 ("Guidelines for Media Sanitization"), Revision 1, including:
- Electronic media: Cryptographic erasure (rendering encryption keys unrecoverable), secure overwrite, or physical destruction of storage media
- Paper records: Cross-cut shredding or incineration
- Cloud-hosted data: Verified deletion from all primary storage, backup systems, and disaster recovery environments, with confirmation from cloud service providers
6.3 Exceptions
If return or destruction of PHI is not feasible, Business Associate shall:
- Notify Covered Entity in writing of the specific reasons why return or destruction is not feasible
- Extend the protections of this BAA to such PHI for as long as it is retained
- Limit further uses and disclosures of such PHI to the purposes that make return or destruction infeasible
- Not use or disclose the retained PHI for any other purpose
Retention may be required by law, regulation, or contractual obligation (e.g., audit trail retention requirements under the HIPAA Security Rule).
6.4 Written Certification
Upon completion of the return or destruction of PHI, Business Associate shall provide Covered Entity with a written certification confirming that all PHI has been returned or destroyed in accordance with this section, including the method of destruction used and the date of completion. If any PHI is retained under the exceptions in Section 6.3, the certification shall identify the specific PHI retained and the reason for retention.
7. Miscellaneous
7.1 Governing Law
This BAA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to conflict of law principles. To the extent this BAA conflicts with HIPAA or the HITECH Act, the more protective provision shall apply.
7.2 Amendment
This BAA may not be amended or modified except in writing signed by authorized representatives of both parties. The parties agree to negotiate in good faith any amendments necessary to ensure compliance with changes to HIPAA, the HITECH Act, or implementing regulations. If regulatory changes require modifications to this BAA, Business Associate shall notify Covered Entity in writing and propose updated terms within 60 calendar days of the effective date of such regulatory changes.
7.3 Interpretation
Any ambiguity in this BAA shall be resolved in favor of a meaning that permits both parties to comply with HIPAA, the HITECH Act, and applicable regulations. In the event of a conflict between this BAA and the applicable service agreement or Terms of Service, this BAA shall control with respect to the use and disclosure of PHI.
7.4 No Third-Party Beneficiaries
Nothing in this BAA shall confer upon any person other than the parties hereto and their respective successors and permitted assigns any rights, remedies, obligations, or liabilities. Individuals whose PHI is subject to this BAA are not third-party beneficiaries of this agreement.
7.5 Entire Agreement
This BAA, together with the applicable service agreement, the Terms of Service, and the Privacy Policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and representations relating to the protection of PHI.
7.6 Notices
All notices under this BAA shall be in writing and delivered to the addresses specified in the applicable service agreement. Notices to Business Associate regarding compliance, breach, or termination matters should be directed to compliance@usehello.ai. Notices are deemed received upon confirmed delivery via email or upon receipt if sent by certified mail.
Business Associate mailing address: Hello, Inc., Attn: Compliance, Denver, CO, United States.
8. Contact and BAA Requests
To request a copy of the Hello BAA, inquire about our HIPAA compliance program, or report a compliance concern, please contact us through the following channels:
- BAA requests and compliance: compliance@usehello.ai
- Privacy inquiries: privacy@usehello.ai
- Security incidents: security@usehello.ai
- Phone: (314) 972-3674
- Mail: Hello, Inc., Attn: Compliance, Denver, CO, United States
BAA execution: Hello provides a BAA to every healthcare practice Client as part of the onboarding process. The BAA is executed before any PHI is processed through the Hello platform. If you are an existing Client and have not received a signed BAA, please contact compliance@usehello.ai immediately.
We respond to compliance and BAA inquiries within 5 business days. For urgent security incidents, we aim to acknowledge reports within 24 hours.