Mentera Inc. - Business Associate Agreement
This Business Associate Agreement (“BAA”) is between the healthcare provider or HIPAA-covered entity that has accepted the Mentera Inc. Terms of Service (“Covered Entity”) and Mentera Inc., a Delaware corporation (“Business Associate” or “Mentera”).
This BAA supplements the Mentera Terms of Service (the “Terms”). Where this BAA and the Terms conflict regarding the protection of Protected Health Information, this BAA controls.
Covered Entity uses Mentera’s platform for practice management, clinical documentation, communications, and related operations. These services may involve the creation, receipt, maintenance, or transmission of Protected Health Information. The parties wish to ensure this occurs in compliance with HIPAA, the HITECH Act, and their implementing regulations (collectively, the “HIPAA Rules”).
1. Definitions
Capitalized terms not defined here have the meanings given in the HIPAA Rules (45 CFR Parts 160 and 164): Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (“PHI”), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
“ePHI” means PHI in electronic form (45 CFR 160.103).
“Services” means all services Mentera provides under the Terms, including AI-powered documentation, transcription, communication tools, scheduling, marketing features, and any other functionality involving PHI.
A reference to a HIPAA Rules section means that section as currently in effect or as amended.
2. Business Associate Obligations
2.1 Use and Disclosure
- Use or disclose PHI only as permitted by this BAA, the Terms, or as Required By Law.
- Apply the Minimum Necessary standard when using, disclosing, or requesting PHI.
2.2 Safeguards
- Implement administrative, physical, and technical safeguards that comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C) to protect ePHI. At a minimum, this includes encryption in transit and at rest, role-based access controls, audit logging, regular risk assessments, and workforce training.
2.3 Breach and Security Incident Reporting
- Report any use or disclosure of PHI not permitted by this BAA, including any Breach of Unsecured Protected Health Information, to Covered Entity without unreasonable delay, and no later than thirty (30) calendar days after discovery.
- Include in breach notifications: the affected Individuals (if known), a description of what happened, the types of PHI involved, recommended protective steps, and remediation actions taken.
- Report Security Incidents promptly. For unsuccessful Security Incidents that do not result in unauthorized access to, or use or disclosure of, ePHI (e.g., failed login attempts, blocked port scans), provide a summary upon Covered Entity’s reasonable request, no more than quarterly.
2.4 Subcontractors
Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on Mentera’s behalf agrees to the same restrictions and safeguards required by this BAA. This includes cloud providers, AI model providers, telephony providers, and other downstream processors.
2.5 Individual Rights
- Access. Make PHI in a Designated Record Set available to Covered Entity within fifteen (15) business days of a request, to support Individual access rights under 45 CFR 164.524.
- Amendment. Incorporate amendments to PHI as directed by Covered Entity under 45 CFR 164.526, within fifteen (15) business days.
- Accounting. Maintain records of disclosures for six (6) years and make them available to support Covered Entity’s obligations under 45 CFR 164.528.
2.6 Government Access
Make internal practices, books, and records related to PHI available to the Secretary of HHS for compliance determination purposes.
2.7 Mitigation
Take reasonable steps to mitigate any harmful effect of an unauthorized use or disclosure of PHI.
3. Permitted Uses and Disclosures
- Service Delivery. Use and disclose PHI as necessary to provide the Services.
- Management. Use PHI for Business Associate’s proper management and legal responsibilities, provided any third-party disclosures are either Required By Law or subject to confidentiality assurances.
- Data Aggregation. Use PHI for Data Aggregation related to Covered Entity’s Health Care Operations (45 CFR 164.504(e)(2)(i)(B)).
- De-Identification. De-identify PHI per 45 CFR 164.514(a)-(c) using the Expert Determination or Safe Harbor method. Once de-identified, data is no longer PHI and may be used for product improvement, AI model training, analytics, and benchmarking.
4. Covered Entity Obligations
- Notify Business Associate of any limitations in its Notice of Privacy Practices, changes to Individual permissions, or agreed-upon restrictions under 45 CFR 164.522 that affect Business Associate’s use of PHI.
- Obtain all necessary consents and authorizations from Individuals before transmitting PHI through the Services, including recording consent where required by law.
- Not request Business Associate to use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity.
5. AI-Specific Provisions
- AI Processing. Business Associate may process PHI through AI and machine learning systems to deliver the Services. All such processing is subject to this BAA’s safeguards and use limitations.
- Third-Party AI Providers. Where Business Associate uses third-party AI model providers or cloud services that may access PHI, those providers must be bound by agreements consistent with the Subcontractor requirements in Section 2.4.
- Data Retention. Business Associate will not retain raw audio or unprocessed PHI beyond the period needed to deliver the output, unless a longer period is specified in the subscription plan, Required By Law, or authorized in writing by Covered Entity.
- No Sale of PHI. Business Associate will not sell PHI or use it for marketing, except as authorized by Covered Entity in writing and in compliance with the HIPAA Rules.
6. Term and Termination
6.1 Term
This BAA takes effect when Covered Entity first transmits PHI through the Services and remains in effect for the duration of the Terms.
6.2 Termination for Cause
Either party may terminate this BAA if the other materially breaches any provision and fails to cure within thirty (30) days of written notice. If cure is not feasible, the non-breaching party may terminate immediately.
6.3 Effect of Termination
Upon termination, Business Associate shall:
- Stop all uses and disclosures of PHI not Required By Law.
- Return or destroy all PHI within sixty (60) days and provide written certification of return or destruction.
- If return or destruction is infeasible (e.g., PHI in backup systems), extend the protections of this BAA to that PHI and limit further use to the purposes making return or destruction infeasible.
De-identified data is not subject to the return or destruction requirement. The obligations in this Section and Section 2 survive termination for any retained PHI.
7. General Provisions
- Indemnification. Each party shall indemnify the other against claims arising from the indemnifying party’s material breach of this BAA or the HIPAA Rules, except to the extent caused by the indemnified party’s negligence or misconduct.
- Liability. The liability limitations in the Terms apply to this BAA. Neither party’s liability is limited for unauthorized PHI disclosures caused by willful misconduct or gross negligence.
- Amendment. The parties will amend this BAA as needed for HIPAA compliance. Mentera may propose amendments with thirty (30) days written notice. If Covered Entity does not object in writing within that period, the amendment takes effect.
- Interpretation. Any ambiguity shall be interpreted to permit HIPAA compliance.
- No Third-Party Beneficiaries. No third-party beneficiaries exist under this BAA, except that Individuals who are subjects of PHI may enforce their HIPAA rights.
- Governing Law. Delaware law governs, except where preempted by federal law including the HIPAA Rules.
- Notices. All notices shall be in writing. To Business Associate: support@mentera.ai. To Covered Entity: the email on file with Mentera.
- Acceptance. By creating a Mentera account and agreeing to the Terms of Service, Covered Entity accepts this BAA. Mentera logs the date, time, and account associated with acceptance.