Cymbiose AI logo

Business Associate Agreement

Understanding our commitment to protecting your patients health information

Last Updated: July 2025

HIPAA Business Associate Agreement (BAA)

This Business Associate Agreement ("Agreement") is entered into by and between Cymbiose AI, Inc. ("Cymbiose AI," "we," "our," or "Business Associate") and the subscribing organization or user ("you," "your," or "Covered Entity") to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended.

This Agreement supplements and is incorporated into our Subscription Agreement and Terms of Service.

1. Definitions

The following terms have the meanings set forth in 45 CFR §160.103 and 45 CFR §164.501:

Business Associate refers to Cymbiose AI.
Covered Entity refers to you, the subscribing healthcare provider or organization.
HIPAA Rules include the Privacy, Security, Breach Notification, and Enforcement Rules.

All other capitalized terms not defined here shall retain their meanings under HIPAA.

2. Responsibilities of Cymbiose AI

We agree to:

  • Limit Use and Disclosure: Use or disclose Protected Health Information ("PHI") only as required to fulfill our service obligations or as permitted by law.
  • Safeguard PHI: Use appropriate administrative, technical, and physical safeguards (including Subpart C of 45 CFR Part 164) to protect PHI.
  • Report Incidents: Promptly notify you of any unauthorized use, disclosure, breach, or security incident involving PHI as required by 45 CFR §164.410.
  • Subcontractor Compliance: Ensure any subcontractors that handle PHI on our behalf agree in writing to the same protections and restrictions required of us.
  • Support Individual Rights:
    • • Provide access to PHI when requested (45 CFR §164.524),
    • • Support amendments to PHI (45 CFR §164.526),
    • • Provide accounting of disclosures (45 CFR §164.528).
  • Compliance Cooperation: Make our HIPAA-related policies and records available to the Secretary of HHS for compliance reviews.

3. Permitted Uses and Disclosures

Cymbiose AI may:

  • Use or disclose PHI to provide the services described in our Terms of Service.
  • Use PHI for our internal operations (e.g., legal compliance, auditing, or customer support) when necessary and allowed under HIPAA.
  • De-identify PHI in accordance with 45 CFR §164.514 and use aggregated, non-identifiable data to improve our services.
  • Disclose PHI as required by law, or with reasonable assurances of confidentiality from recipients when used for permissible purposes.

4. Covered Entity Responsibilities

You agree to:

  • Notify us of any limitations, restrictions, or revocations related to an individual's PHI that may affect our permitted use or disclosure.
  • Not request or require that we use or disclose PHI in ways that would violate HIPAA.

5. Term and Termination

Term: This Agreement is effective upon execution and remains in force unless terminated under this section.
Termination for Cause: If you determine we have materially breached this Agreement, you may notify us and provide an opportunity to cure the breach. If not cured within ten (10) business days, you may terminate this Agreement.
Obligations Upon Termination:
  • • Retain only the minimum PHI necessary for legal obligations or internal operations.
  • • Destroy all other PHI in our possession.
  • • Continue to safeguard any retained PHI.
  • • Refrain from any new uses or disclosures unless legally required.

6. Survival

Sections concerning the protection and proper use of PHI (including Section 6) shall survive termination of this Agreement.

Questions or Compliance Inquiries?

Contact us at privacy@cymbiose.ai