Back
ABAIQ

Business Associate Agreement

Version 1.0 · Effective on the date you accept this Agreement electronically during registration

Notice of clickwrap acceptance. By checking the box during account registration that includes the statement "I have read, understand, and agree to be legally bound by the Terms of Service, Privacy Policy, Security Policy, and Business Associate Agreement," you electronically execute this Business Associate Agreement. ABAIQ retains a record of your acceptance including timestamp, IP address, user agent, and the version of this Agreement accepted.

Preamble

This Business Associate Agreement (this "Agreement" or "BAA") is entered into between HYBREU DIGITAL LLC, a Florida limited liability company doing business as ABAIQ, with its principal place of business at 12555 Biscayne Boulevard, Unit 1236, North Miami, Florida 33181 ("ABAIQ"), and the individual or legal entity that accepts the terms of this Agreement by clicking the "I agree" checkbox during account registration or otherwise affirmatively manifests assent ("Customer").

ABAIQ and Customer are each a "Party" and together the "Parties." This Agreement is incorporated into and made part of the ABAIQ Terms of Service entered between the Parties (together, the "Services Agreement"). Where this Agreement and the Services Agreement conflict regarding the handling of Protected Health Information, this Agreement controls.

1. Purpose and Applicability

1.1 Background

Customer is either a "covered entity" or a "business associate" under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the regulations promulgated thereunder (collectively, "HIPAA"). In providing the Services, ABAIQ may create, receive, maintain, or transmit Protected Health Information on behalf of Customer and is therefore a business associate of Customer under HIPAA.

1.2 Services Description

ABAIQ provides a software-as-a-service platform consisting of a Chrome browser extension and supporting backend infrastructure that assists licensed clinical professionals practicing Applied Behavior Analysis—including Board Certified Behavior Analysts (BCBAs), Board Certified Assistant Behavior Analysts (BCaBAs), Registered Behavior Technicians (RBTs), and other qualified personnel—in generating clinical documentation through artificial intelligence. Such documentation may include session notes, Behavior Intervention Plan (BIP) extractions, supervision notes, caregiver training notes, and related clinical content (collectively, the "Services").

1.3 Scope

This Agreement applies only to Protected Health Information that Customer transmits to, processes through, or causes to be processed by the Services. This Agreement does not apply to information that is not Protected Health Information, to data submitted outside the Services, or to Customer's use of any third-party products or integrations not provided by ABAIQ.

2. Definitions

Capitalized terms not defined below have the meanings given to them in HIPAA.

  • Breach means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of such information, as defined at 45 C.F.R. § 164.402.
  • Protected Health Information or "PHI" means individually identifiable health information, as defined at 45 C.F.R. § 160.103, that ABAIQ creates, receives, maintains, or transmits on behalf of Customer through the Services. References to PHI include electronic Protected Health Information ("ePHI") where applicable.
  • Secretary means the Secretary of the United States Department of Health and Human Services or any officer or employee to whom the Secretary has delegated authority.
  • Security Incident has the meaning given at 45 C.F.R. § 164.304. Unsuccessful Security Incident means attempted but unsuccessful events of a trivial and routine nature, including without limitation port scans, pings, denial-of-service attempts that do not affect service availability, invalid login attempts, and similar broadcast events that do not result in actual compromise of PHI.
  • Subprocessor means any third-party service provider engaged by ABAIQ that, in the course of providing services to ABAIQ, creates, receives, maintains, or transmits PHI on ABAIQ's behalf.
  • Upstream Customer means an individual or entity for whom Customer acts as a business associate.
  • Workforce has the meaning given at 45 C.F.R. § 160.103.

3. Permitted and Prohibited Uses and Disclosures by ABAIQ

3.1 Permitted Uses and Disclosures

ABAIQ may create, receive, maintain, use, and disclose PHI solely as follows:

  • To provide and operate the Services for Customer in accordance with the Services Agreement and this Agreement;
  • For the proper management and administration of ABAIQ, provided that any such use or disclosure outside ABAIQ requires either (i) that the disclosure be required by law, or (ii) that ABAIQ obtain from the recipient written assurances that the PHI will be kept confidential, used only for the purpose disclosed or as required by law, and that any breach of confidentiality will be reported promptly to ABAIQ;
  • To carry out ABAIQ's legal responsibilities, subject to the same conditions in the preceding subsection;
  • To report to appropriate federal or state authorities violations of law that ABAIQ becomes aware of, consistent with 45 C.F.R. § 164.502(j)(1); and
  • As otherwise required by law.

3.2 Prohibited Uses and Disclosures

ABAIQ will not:

  • Use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if such use or disclosure were made by Customer;
  • Use or disclose PHI for marketing purposes as defined at 45 C.F.R. § 164.501;
  • Sell PHI within the meaning of 45 C.F.R. § 164.502(a)(5)(ii);
  • Use Customer's PHI to train, fine-tune, develop, evaluate, benchmark, or improve any artificial intelligence or machine learning model, including any large language model, owned or operated by ABAIQ or by any third party, except as ephemeral inputs and outputs strictly necessary to deliver the response to Customer's request in real time. ABAIQ has configured its primary artificial intelligence subprocessors under Zero Data Retention terms, meaning such subprocessors do not retain Customer's inputs or outputs beyond the duration of the request.

3.3 Minimum Necessary

ABAIQ will use, disclose, and request only the minimum amount of PHI reasonably necessary to perform the Services. The Parties acknowledge and agree that the PHI transmitted by Customer through the Services constitutes the minimum necessary for ABAIQ to perform the Services as configured by Customer.

4. Safeguards

4.1 Administrative, Physical, and Technical Safeguards

ABAIQ will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, consistent with the HIPAA Security Rule at 45 C.F.R. Part 164, Subpart C.

4.2 Specific Safeguards Implemented

Without limiting the generality of the foregoing, ABAIQ currently maintains the following safeguards:

  • Encryption in transit. All PHI transmitted between Customer's browser, ABAIQ's backend services, and ABAIQ's subprocessors is encrypted using Transport Layer Security version 1.2 or higher.
  • HIPAA-eligible infrastructure. ABAIQ's backend services are hosted on Amazon Web Services infrastructure designated by AWS as HIPAA-eligible, pursuant to a Business Associate Addendum that ABAIQ has accepted with AWS.
  • Zero Data Retention with AI subprocessors. ABAIQ has configured Zero Data Retention with its primary artificial intelligence subprocessors so that PHI inputs and outputs are not retained beyond the duration of the request.
  • Access controls. ABAIQ implements role-based access controls, requires strong authentication for administrative access, and logs access to systems handling PHI.
  • No persistent storage of generated documentation. Generated clinical notes are not stored on ABAIQ's servers after delivery to Customer's browser, other than transient processing artifacts.

5. Customer Obligations

5.1 Permitted Submissions Only

Customer represents and warrants that Customer has all necessary authorizations, consents, and legal rights to disclose to ABAIQ any PHI Customer submits to the Services.

5.2 Qualified Personnel

Customer represents and warrants that the Services will be used only by personnel who hold the licenses, certifications, registrations, or other authorizations required under applicable state and federal law to perform the clinical activities for which the Services are used (including without limitation BCBAs, BCaBAs, RBTs, and other duly qualified clinical staff).

5.3 Customer Maintains Designated Record Set

The Parties acknowledge and agree that ABAIQ does not maintain PHI in a Designated Record Set on Customer's behalf. Customer is solely responsible for maintaining its own Designated Record Set in its electronic medical records system, and for responding to individuals' requests regarding access, amendment, accounting, and restrictions concerning their PHI.

5.4 Prohibited Submissions

Customer will not include PHI in:

  • Customer support tickets, email correspondence, or feedback submissions to ABAIQ;
  • The user profile fields, practice name, billing information, or any other registration or account-management field;
  • Screenshots, videos, or other documentation submitted to ABAIQ for technical support or feedback purposes; or
  • Any field, communication channel, or component of the Services not specifically designed to process PHI.

5.5 No Substitution for Clinical Judgment

Customer acknowledges that the Services use artificial intelligence to assist in generating clinical documentation drafts. Customer represents that its qualified personnel will review, edit, and verify all output of the Services prior to incorporating such output into the Customer's clinical records, regulatory submissions, or billing. ABAIQ does not provide clinical advice, diagnoses, or treatment recommendations. The Services are not a medical device and are not intended to substitute for the professional judgment of duly licensed clinical practitioners.

5.6 Transparency to Upstream Customers

To the extent Customer provides any output of the Services to an Upstream Customer or to a third party, Customer will not represent that such output was generated solely by a human or that no artificial intelligence was used in its preparation.

5.7 State Law Compliance

Customer is responsible for ensuring its use of the Services complies with all applicable state laws, including without limitation the Florida Information Protection Act, Fla. Stat. § 501.171, and any state laws more restrictive than HIPAA regarding the use, disclosure, or breach notification of identifiable health information.

6. Reporting

6.1 Breach Notification

ABAIQ will notify Customer of any Breach of Unsecured PHI without unreasonable delay following discovery by ABAIQ, and in no event later than thirty (30) calendar days after discovery by ABAIQ. Where the Breach is first reported to ABAIQ by a Subprocessor, ABAIQ will forward such notification to Customer within five (5) business days after ABAIQ's receipt of the Subprocessor's notification, recognizing that the originating Subprocessor's notification timeline (which may extend up to sixty (60) calendar days under the Subprocessor's own Business Associate Addendum with ABAIQ) may affect the total elapsed time between the underlying event and Customer's receipt of notice.

Each Breach notification will include, to the extent then known to ABAIQ: a description of what happened including the date of the Breach and date of discovery; a description of the types of Unsecured PHI involved; the identification of each affected individual; steps individuals should take to protect themselves; what ABAIQ is doing to investigate and mitigate; and contact procedures for further inquiry.

6.2 Reporting of Non-Breach Unauthorized Uses

ABAIQ will report to Customer any use or disclosure of PHI not permitted by this Agreement of which ABAIQ becomes aware, but which does not rise to the level of a Breach, within fifteen (15) business days after discovery by ABAIQ.

6.3 Reporting of Security Incidents

ABAIQ will report to Customer Security Incidents (other than Unsuccessful Security Incidents) of which ABAIQ becomes aware that involve PHI without unreasonable delay following discovery. Where the Security Incident is reported to ABAIQ by a Subprocessor, the reporting cadence will match the cadence ABAIQ receives from the Subprocessor, which may be on a quarterly basis. Notice of Unsuccessful Security Incidents is hereby given by this provision and ABAIQ has no further obligation to report them individually.

6.4 Mitigation

ABAIQ will take reasonable steps to mitigate, to the extent practicable, any harmful effect known to ABAIQ of a use or disclosure of PHI in violation of this Agreement.

7. Subprocessors

ABAIQ engages Subprocessors only where ABAIQ has entered into a written agreement with the Subprocessor obligating the Subprocessor to restrictions and conditions at least as protective of PHI as those imposed on ABAIQ under this Agreement. As of the effective date of this version, ABAIQ maintains executed Business Associate Agreements with all Subprocessors that create, receive, maintain, or transmit PHI on its behalf, including its artificial intelligence and cloud infrastructure providers. A current list of ABAIQ's Subprocessors — identifying each provider, the service it performs, and its BAA status — is available to Customers upon request by contacting support@abaiq.ai.

ABAIQ will provide Customer with notice of material changes to its Subprocessor list at least thirty (30) days in advance of the change taking effect, except where shorter notice is necessary to address emergency circumstances, security concerns, or to comply with applicable law.

8. Individual Rights

Because ABAIQ does not maintain PHI as a Designated Record Set on Customer's behalf, ABAIQ has no independent obligation to provide access, amendment, or accounting to individuals. If ABAIQ receives such a request directly, ABAIQ will promptly forward it to Customer. ABAIQ will document any disclosures of PHI it makes for purposes other than treatment, payment, or healthcare operations that are reportable under 45 C.F.R. § 164.528, and make such records available to Customer within ten (10) business days of written request.

9. HHS Access

ABAIQ will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary, in the time and manner designated by the Secretary, for the purpose of determining Customer's or ABAIQ's compliance with HIPAA. Nothing in this Section waives any privilege or protection available under applicable law, including with respect to trade secrets and confidential commercial information.

10. Term and Termination

10.1 Term

This Agreement is effective on the date Customer accepts it electronically and continues in effect until terminated as provided herein.

10.2 Termination for Material Breach

A Party may terminate this Agreement for the other Party's material breach, provided that the non-breaching Party first gives the breaching Party written notice and a period of thirty (30) days to cure. If the breach is not cured within the cure period, or if the breach is not capable of cure, the non-breaching Party may terminate.

10.3 Effect of Termination

Upon termination, Customer will cease transmitting PHI to the Services. ABAIQ will, within thirty (30) calendar days following termination, return to Customer or destroy all PHI maintained by ABAIQ on Customer's behalf and retain no copies, except where return or destruction is infeasible. Where infeasible, ABAIQ will extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as ABAIQ retains the PHI. Upon Customer's written request, ABAIQ will provide a written certification that PHI has been returned, destroyed, or extended under continuing protection.

11. Liability and General Provisions

11.1 Limitation of Liability

Except for breaches of Sections 3.1, 3.2, 5.4, or arising from a Party's gross negligence or willful misconduct, neither Party will be liable to the other under this Agreement for indirect, incidental, special, consequential, exemplary, or punitive damages. ABAIQ's total aggregate liability arising under or in connection with this Agreement will not exceed the greater of (i) ten thousand United States dollars ($10,000), or (ii) twelve (12) times the monthly fees paid by Customer to ABAIQ in the twelve (12) months immediately preceding the event giving rise to the liability.

11.2 Indemnification

Customer will indemnify and hold ABAIQ harmless from any third-party claim, demand, action, fine, or penalty arising out of Customer's submission of PHI in violation of Section 5.4, use of the Services by personnel who do not qualify as qualified personnel under Section 5.2, or failure to obtain authorizations or consents required under Section 5.1.

11.3 Amendment Upon Regulatory Change

If HIPAA or its implementing regulations are amended in a manner that requires modification of this Agreement, the Parties will cooperate in good faith to amend. If the Parties cannot agree on an amendment within sixty (60) days, either Party may terminate upon thirty (30) days' written notice.

11.4 Electronic Acceptance and Signatures

Customer's affirmative click of the acceptance checkbox during registration, or other electronic manifestation of assent, constitutes Customer's electronic signature under the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001 et seq., and the Florida Electronic Signature Act, Fla. Stat. § 668.50, and is enforceable to the same extent as a handwritten signature. ABAIQ retains records of Customer's electronic acceptance including timestamp, IP address, user agent, and the version of this Agreement accepted.

11.5 Notices

Notices to ABAIQ must be sent in writing to:

HYBREU DIGITAL LLC
Attn: Privacy Officer
12555 Biscayne Boulevard, Unit 1236
North Miami, Florida 33181
Email: admin@abaiq.ai

Notices to Customer will be sent to the email address and physical address provided by Customer during registration or as subsequently updated by Customer in account settings.

11.6 Governing Law

This Agreement is governed by the laws of the State of Florida, without regard to its conflict-of-laws principles, except to the extent preempted by federal law including HIPAA.

11.7 No Third-Party Beneficiaries; No Agency

This Agreement is for the benefit of the Parties and does not create rights in any third party. Nothing in this Agreement makes either Party the agent of the other.

11.8 Severability

If any provision of this Agreement is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid provision will be reformed to the minimum extent necessary to render it valid and enforceable.

11.9 Entire Agreement

This Agreement, together with the Services Agreement, constitutes the entire agreement between the Parties regarding the subject matter of this Agreement and supersedes all prior or contemporaneous agreements regarding the same subject matter.

11.10 Interpretation

Any ambiguity in this Agreement will be resolved in favor of an interpretation that allows the Parties to comply with HIPAA.

12. Related Policies

Please also review:

13. Contact

For questions regarding this Agreement:

HYBREU DIGITAL LLC (dba ABAIQ)
Email: admin@abaiq.ai