Business Associate Agreement
Last Updated: 01/21/2026
This HIPAA Business Associate Agreement ("BAA") supplements and is incorporated into the Services Agreement between Joyera Inc. ("Joyera", "we", "us", or "our") and the customer ("Customer", "you", or "your").
1. DEFINITIONS
Any capitalized terms used but not otherwise defined in this BAA will have the meaning given to them in either (i) HIPAA and the HITECH Act or (ii) the Services Agreement(s).
- Business Associate: has the definition given to it under HIPAA at 45 CFR § 160.103.
- Breach: has the definition given to it under HIPAA at 45 CFR § 164.402. A Breach will not include an acquisition, access, use, or disclosure of PHI with respect to which Joyera has determined in accordance with 45 CFR § 164.402 that there is a low probability that the PHI has been compromised.
- Covered Entity: has the definition given to it under HIPAA at 45 CFR § 160.103.
- Designated Record Set: has the definition given to it under HIPAA at 45 CFR § 164.501.
- HIPAA: means the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended, including the Privacy Rule, the Breach Notification Rule and the Security Rule, and amendments to HIPAA made by the HITECH Act.
- HIPAA Implementation Guide: means the informational guide that Joyera makes available describing how the Services may be configured by Customer in connection with Customer's HIPAA compliance efforts. The HIPAA Implementation Guide is available at https://joyera.ai/hipaa-compliance.
- HITECH Act: means the Health Information Technology for Economic and Clinical Health Act.
- Privacy Rule: means the HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164.
- Protected Health Information (PHI): has the definition given to it under HIPAA at 45 CFR § 160.103, and for purposes of this BAA is limited to PHI within Customer Data to which Joyera has access through the Services.
- Required by Law: has the definition given to it under HIPAA at 45 CFR § 160.103.
- Security Incident: has the definition given to it under HIPAA at 45 CFR § 164.304.
- Security Rule: means the HIPAA Security Rule, 45 CFR Parts 160 and 164, Subparts A and C.
- Services: means Joyera's AI-powered healthcare services including automated documentation, billing support, clinical note summarization, and workflow optimization.
- Services Agreement(s): means the written agreement(s) entered into between Joyera and Customer for provision of the Services.
2. APPLICABILITY OF THIS BAA
This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via the Services and to the extent Joyera, as a result, is acting as a Business Associate or Subcontractor of Customer under HIPAA. This BAA does not apply to PHI that Customer creates, receives, maintains, or transmits outside of the Services.
3. PERMITTED AND REQUIRED USE AND DISCLOSURE OF PHI
(a) Performance of the Agreement
Except as otherwise limited by this BAA, Joyera may only use and disclose PHI for or on behalf of Customer as permitted or required by the Services Agreement, this BAA, or as Required by Law.
Joyera will NOT:
- Use PHI for marketing or sales
- Sell PHI to third parties
- Use identifiable PHI to train AI models. (Note: De-identified and blinded data may be used to support medical research and improve billing outcomes.)
(b) Management, Administration, and Legal Responsibilities
Joyera may use and disclose PHI for the proper management and administration of Joyera's business and/or to carry out Joyera's legal responsibilities, provided that any disclosure of PHI by Joyera for such purposes may only occur if: (i) Required by Law; or (ii) Joyera takes appropriate measures to ensure that any person to whom PHI will be disclosed is bound by written obligations that provide the same material level of protection for PHI as this BAA.
4. JOYERA RESPONSIBILITIES WITH RESPECT TO PHI
When Joyera is acting as a Business Associate under this BAA, Joyera will fulfill the following obligations:
(a) Appropriate Safeguards
Joyera will use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, and as otherwise required under HIPAA. Joyera will implement all requirements of the HIPAA Security Rule with regard to electronic PHI.
(b) Reporting and Related Obligations
(i) Security Incident and Breach Reporting: Joyera will promptly notify Customer of (i) any Security Incident of which Joyera becomes aware, subject to Section 4(b)(iii); and (ii) any Breach that Joyera discovers, provided that any notice for Breach will be made promptly and without unreasonable delay.
(ii) Notification: Joyera will send notifications to the notification email address provided by Customer in the Services Agreement or via direct communication with Customer.
(iii) Unsuccessful Attempts: This Section 4(b)(iii) will be deemed as notice to Customer that Joyera periodically receives unsuccessful attempts (including pings, unsuccessful log-on attempts, denial of service attacks, port scans) for unauthorized access, use, disclosure, modification, or destruction of information.
(c) Subcontractors
Joyera will take appropriate measures to ensure that any Subcontractors used by Joyera that require access to PHI are bound by written obligations that provide the same material level of protection for PHI as this BAA. Joyera will remain responsible for their performance as if performed by Joyera.
(d) Access and Amendment
Customer acknowledges that Customer is solely responsible for the form and content of PHI maintained within the Services, including whether Customer maintains such PHI in a Designated Record Set. The parties acknowledge that Joyera does not maintain PHI in a Designated Record Set for Customer. Joyera will provide Customer with access to Customer's PHI via the Services so that Customer may fulfill its obligations under HIPAA with respect to Individuals' rights of access and amendment.
(e) Accounting of Disclosures
When requested by Customer, Joyera will document disclosures of PHI by Joyera and provide an accounting of such disclosures to Customer as required of a Business Associate under HIPAA.
(f) Secretary's Access to Records
Joyera will make its internal practices, books, and records concerning the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with this BAA to the extent required by law.
(g) Return/Destruction of Information
On termination of the Services Agreement, Joyera will return or destroy all PHI received from Customer, or created or received by Joyera on behalf of Customer; provided, however, that if such return or destruction is not feasible, Joyera will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
(h) Performance of Covered Entity's Obligations
To the extent Joyera agrees in writing to carry out a Covered Entity's obligation under the Privacy Rule, Joyera shall comply with the requirements applicable to such obligation.
5. CUSTOMER RESPONSIBILITIES WITH RESPECT TO PHI
(a) Impermissible Requests
Customer will not request that Joyera use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer (if Customer is a Covered Entity) or by the Covered Entity to which Customer is a Business Associate.
(b) Use of Service Controls
Customer will use controls available within the Services, including those detailed in the HIPAA Implementation Guide, to ensure its use of PHI complies with HIPAA. Customer acknowledges that the HIPAA Implementation Guide is provided solely as an optional, informational guide and that Customer is solely responsible for ensuring compliance with HIPAA and the HITECH Act.
(c) Appropriate Safeguards
Customer will use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, and as otherwise required under HIPAA.
6. TERM AND TERMINATION
(a) Term
The term of this BAA will begin on the Effective Date and end on the earlier of (i) termination in accordance with Section 6(b), or (ii) the expiration or termination of all Services Agreements.
(b) Termination for Breach
If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 30 days' written notice to the breaching party unless the breach is cured within that period. If a cure is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible, the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.
(c) Use of Services After Termination
If this BAA is terminated earlier than the Services Agreement, Customer may continue to use the Services on the condition that, before the end of the 30-day notice period, Customer deletes any PHI it maintains in the Services and immediately upon termination ceases to further create, receive, maintain, or transmit such PHI to Joyera.
7. MISCELLANEOUS
(a) Survival
Sections 4(g) (Return/Destruction of Information) and 7 (Miscellaneous) will survive termination or expiration of this BAA.
(b) Effects of BAA
To the extent this BAA conflicts with the Services Agreement(s), this BAA will govern. This BAA is subject to the laws of New York State. Except as expressly modified or amended under this BAA, the terms of the Services Agreement(s) remain in full force and effect.
(c) No Third Party Beneficiaries
This BAA does not give any person other than Customer and Joyera, and their respective successors or assigns, any rights or obligations under this BAA.
(d) Amendments
This BAA may be amended by Joyera upon thirty (30) days' prior written notice to Customer via email to the address associated with Customer's account. Material changes that reduce Customer's privacy protections or expand Joyera's permitted uses of PHI will require Customer's affirmative consent. Continued use of the Services after the notice period constitutes acceptance of the amended BAA. If Customer does not agree to the amended terms, Customer may terminate the Services Agreement and this BAA in accordance with Section 6.
8. COMMUNICATION TEMPLATES AND PATIENT CONSENT
This section addresses the use of email and SMS communication templates within the Services, including patient consent requirements and Customer's responsibilities for template content and legal compliance.
(a) Nature of Communication Templates
Joyera provides email and SMS communication templates as a convenience tool to assist Customer in communicating with patients. These templates are generic starting points and are not tailored to Customer's specific practice, jurisdiction, patient population, or specialty. Templates are provided 'as is' without any warranty of legal compliance with HIPAA, TCPA, CAN-SPAM Act, state privacy laws, or professional licensing board requirements. Customer must: (i) have legal counsel review all templates before use; (ii) customize templates to meet specific legal and operational needs; (iii) monitor changes in applicable laws and update templates accordingly; and (iv) obtain all required patient consents before sending communications.
(b) Customer Responsibility for Template Content
Customer is solely responsible for: (i) reviewing, customizing, and approving all email and SMS content before it is sent to patients; (ii) ensuring all communications comply with applicable laws, including but not limited to HIPAA, TCPA, CAN-SPAM Act, and state-specific requirements; (iii) ensuring all information in communications is accurate, current, and appropriate for the intended recipient; and (iv) all liability arising from communications sent using the Services, including claims for unauthorized disclosure of PHI, violation of patient privacy rights, unsolicited marketing communications, misleading or inaccurate information, or failure to honor opt-out requests.
(c) Patient Consent Management
Customer is solely responsible for obtaining all required patient consents and authorizations before using email, SMS, or other electronic communications. Required consents may include HIPAA authorization for communications containing PHI via unsecured channels, TCPA express written consent for SMS/text messages, consent for marketing communications, and state-specific communication consents. Joyera provides tools within the Services to help Customer manage patient communication preferences (storage of consent records, tracking of consent dates and types, patient portal interface for preference management, flags and alerts for patients without valid consent), but Joyera does NOT obtain consent on behalf of Customer. Customer must use its own forms, processes, and legal guidance to obtain valid patient consent.
(d) Conservative PHI Policy in Default Templates
Joyera's default communication templates are designed with a conservative PHI policy to minimize compliance risk. Default templates include only: (i) Provider name (without specialty designation); (ii) Appointment date and time; (iii) Practice location/address; and (iv) Practice contact information. Default templates do NOT include provider specialty (e.g., 'psychiatrist,' 'substance abuse counselor'), service type (e.g., 'therapy session,' 'medication management'), treatment type or procedure, diagnosis or condition, or any information that could reasonably reveal the nature of the patient's medical condition.
(e) Customer Responsibility for All Communications
Customer assumes full responsibility and liability for all content in communications sent through the Platform, regardless of whether Customer uses default templates as-is or customizes them. Templates are provided as a convenience tool only; Customer must review and approve all communications before sending. If Customer adds provider specialty, service type, or other PHI to templates, such additions may require: (i) more specific patient consent; (ii) compliance with 42 CFR Part 2 (substance use disorder confidentiality); (iii) compliance with state mental health confidentiality laws; and (iv) additional safeguards such as encrypted email. Customer should consult legal counsel before sending any communications. Practices providing mental health services, behavioral health services, substance use disorder treatment, HIV/AIDS treatment, reproductive health services, or services to minors should exercise particular caution and seek legal counsel.
(f) Opt-Out Compliance
Customer agrees to: (i) honor all patient opt-out requests promptly (immediately for TCPA, within 10 business days for CAN-SPAM); (ii) confirm opt-out to the patient; (iii) not send further communications after opt-out except as permitted by law; and (iv) train staff on opt-out procedures. For SMS/text messages, Customer must include clear opt-out instructions (e.g., 'Reply STOP to unsubscribe') and process opt-out requests immediately and automatically.
(g) Indemnification for Communication Features
Customer agrees to indemnify, defend, and hold harmless Joyera from any claims, damages, or liabilities arising from: (i) Customer's failure to obtain required patient consents; (ii) Customer's customization of email or SMS templates; (iii) Customer's violation of HIPAA, TCPA, CAN-SPAM, or other applicable laws related to communications; or (iv) Customer's use of communication features in a manner inconsistent with this BAA.
Contact Information
For questions about this BAA, contact us at support@joyera.ai.