Business Associate Agreement

Version: 1.0 Effective Date: December 1, 2025

Parties

This Business Associate Agreement ("Agreement") is entered into between:

  • "Covered Entity" - The individual or organization using ParrotPadMD services who is subject to HIPAA regulations
  • "Business Associate" - Problem Solver Software LLC, a company organized under the laws of the State of Georgia, doing business as ParrotPadMD

1. Definitions

For purposes of this Agreement, the following terms shall have the meanings set forth below:

1.1 "HIPAA"

The Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations at 45 CFR Parts 160-164.

1.2 "Protected Health Information" (PHI)

Individually identifiable health information that is transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.

1.3 "Electronic Protected Health Information" (ePHI)

Protected Health Information that is transmitted or maintained in electronic media, as defined in 45 CFR § 160.103.

1.4 "Services"

The voice-to-text transcription services provided by Business Associate through the ParrotPadMD browser extension and related systems.

1.5 "Security Incident"

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.

2.2 Appropriate Safeguards

Business Associate shall implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, including:

  • Processing audio in memory only, with immediate deletion after transcription
  • No storage of transcribed text on Business Associate systems
  • TLS 1.3 encryption for all data in transit
  • SOC 2 Type II compliant cloud infrastructure (Google Cloud Platform)
  • No training of AI models on PHI

2.3 Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Security Incident or Breach, within seventy-two (72) hours of becoming aware of such incident.

2.4 Subcontractors

Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this Agreement. Business Associate's current subcontractors include:

  • Google Cloud Platform (infrastructure and speech-to-text services) - BAA in place
  • Stripe, Inc. (payment processing) - No PHI shared

2.5 Access to PHI

Business Associate shall make available PHI in accordance with 45 CFR § 164.524 to the extent Business Associate maintains such PHI. Note: Business Associate does not store transcribed PHI and therefore cannot provide access to such information.

2.6 Amendment of PHI

Business Associate shall make any amendment(s) to PHI as directed by Covered Entity pursuant to 45 CFR § 164.526, to the extent Business Associate maintains such PHI.

2.7 Accounting of Disclosures

Business Associate shall document and make available information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528.

2.8 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.

3. Obligations of Covered Entity

3.1 Permissions

Covered Entity shall obtain any consent, authorization, or permission that may be required under applicable law prior to furnishing PHI to Business Associate.

3.2 Notice of Privacy Practices

Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.

3.3 Restrictions

Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.

4. Term and Termination

4.1 Term

This Agreement shall be effective as of the date Covered Entity accepts these terms and shall remain in effect until terminated as provided herein.

4.2 Termination for Cause

Either party may terminate this Agreement if the other party materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) days of receiving written notice of the breach.

4.3 Effect of Termination

Upon termination of this Agreement, Business Associate shall return or destroy all PHI received from Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI.

5. Data Processing Details

For transparency, Business Associate provides the following details about how the Services process PHI:

5.1 Audio Processing

  • Audio is captured by the browser extension on Covered Entity's device
  • Audio is transmitted via TLS 1.3 encrypted connection to Google Cloud Speech-to-Text API
  • Audio is processed in memory and immediately discarded after transcription
  • No audio files are stored on any Business Associate systems

5.2 Transcription Output

  • Transcribed text is returned directly to the browser extension
  • Text is inserted into Covered Entity's application at the cursor position
  • Business Associate does not store, log, or retain any transcribed text

5.3 Usage Data

  • Business Associate collects only aggregate usage metrics (minutes used, not content)
  • No PHI is included in usage tracking or analytics

6. Miscellaneous

6.1 Amendment

The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with HIPAA and other applicable law.

6.2 Survival

The obligations of Business Associate under Sections 2 and 4.3 shall survive the termination of this Agreement.

6.3 Interpretation

Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA.

6.4 Governing Law

This Agreement shall be governed by the laws of the State of Georgia, without regard to its conflict of laws provisions, except to the extent preempted by federal law.

6.5 Contact Information

For questions about this Agreement or to report a security incident:

Problem Solver Software LLC
Email: compliance@parrotpadmd.com
Privacy Officer: privacy@parrotpadmd.com

7. Acceptance

By clicking "Accept and Continue" in the ParrotPadMD application, Covered Entity acknowledges that they have read, understood, and agree to be bound by the terms of this Business Associate Agreement.

Electronic acceptance of this Agreement shall have the same legal effect as a physical signature.