HIPAA Business Associate Agreement
Effective date: 2026-05-29 · Last updated: 2026-05-29 · Version 1.0 (Template)
This Business Associate Agreement (“BAA”) supplements the Acts 2 Terms of Service and Data Processing Addendum where the Customer is a HIPAA Covered Entity (45 CFR section 160.103) or a HIPAA Business Associate acting on behalf of a Covered Entity, and the Services involve the creation, receipt, maintenance, or transmission of Protected Health Information (PHI) as defined under HIPAA.
This template is provided on this page so prospective clinical customers may review it before signing. To execute a BAA, email contact@acts2.io with subject “BAA Execution.” A PDF copy is available on request.
1. Parties
This BAA is between iKingdom LLC d/b/a Acts 2 (“Business Associate”) and the customer entity identified in the relevant order form or account record (“Covered Entity”). It is effective on the latest signature date.
2. Definitions
Capitalised terms not defined here have the meaning given to them in the HIPAA Rules at 45 CFR Parts 160 and 164. “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, Subparts A, C, D, and E. “PHI” means Protected Health Information as defined at 45 CFR section 160.103, limited to PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity under the underlying Acts 2 agreement.
For the avoidance of doubt, when a patient's voice is captured, cloned, or synthesised in the course of providing the Services to a Covered Entity, that voice recording and any derived voiceprint or cloned-voice model are PHI.
3. Permitted uses and disclosures of PHI
Business Associate may use or disclose PHI only as follows (45 CFR section 164.504(e)(2)):
- To perform the functions, activities, and services for, or on behalf of, Covered Entity under the underlying Acts 2 agreement (transcription, translation, voice cloning, dubbing, and live broadcast of clinical audio);
- As Required by Law (45 CFR section 164.103);
- For Business Associate's proper management and administration, provided that disclosures to third parties are made only as Required by Law, or with reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and that the recipient will notify Business Associate of any breach;
- To provide Data Aggregation services relating to the health care operations of Covered Entity if requested in writing.
Business Associate will not use or disclose PHI for any other purpose, including training, fine-tuning, or improving any foundation voice or language model, without separate written authorization signed by the Covered Entity (or, where required by 45 CFR section 164.508, by the individual whose PHI is involved).
Business Associate will not sell PHI (45 CFR section 164.502(a)(5)(ii)) and will not use or disclose PHI for marketing purposes.
4. Safeguards
Business Associate will implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with 45 CFR section 164.504(e) and Subpart C of 45 CFR Part 164 (the Security Rule). These include:
- Administrative safeguards (45 CFR section 164.308): documented security management process, designated security officer, workforce security and training, access management, incident response, contingency plan, periodic evaluation.
- Physical safeguards (45 CFR section 164.310): facility access controls at the underlying cloud regions, device and media controls.
- Technical safeguards (45 CFR section 164.312): unique user IDs, MFA, automatic logoff, AES-256 encryption at rest, TLS 1.2+ encryption in transit, audit logs, integrity controls.
- Voice-AI-specific safeguards: tenant isolation for clinical workloads, US-only data residency, model-training opt-out enforced at the API layer, watermarked Outputs for evidentiary provenance.
5. Reporting
Business Associate will report to Covered Entity:
- Any use or disclosure of PHI not provided for by this BAA, including any Breach of Unsecured PHI (45 CFR section 164.410), without unreasonable delay and in no case later than 30 calendar days after discovery (tighter than the 60-day HIPAA outer limit at 45 CFR section 164.410(b));
- Any Security Incident of which it becomes aware (45 CFR section 164.314(a)(2)(i)(C)). Unsuccessful security incidents (e.g., pings, port scans, log-in attempts) need not be reported individually but will be reflected in periodic security reports.
A breach notification will include, to the extent then known: a brief description of what happened, the date of the breach and discovery, the types of PHI involved, the identification of each individual affected (or a description of the categories and approximate number), and the steps Business Associate has taken to mitigate harm.
6. Subcontractor BAA flow-down
Business Associate will, in accordance with 45 CFR sections 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on Business Associate's behalf agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI.
Acts 2 maintains BAA flow-down with the subset of subprocessors that process PHI in clinical workflows. Covered Entity will be informed of the relevant subprocessors before clinical onboarding.
7. Compliance with individual rights (45 CFR Part 164 Subpart E)
Business Associate will, within 30 days of Covered Entity's written request:
- Provide access to PHI in a Designated Record Set as needed to meet Covered Entity's obligation under 45 CFR section 164.524;
- Make amendments to PHI to meet Covered Entity's obligation under 45 CFR section 164.526;
- Document and account for disclosures of PHI as needed to meet Covered Entity's obligation under 45 CFR section 164.528;
- Make Business Associate's internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules.
8. Term and termination
This BAA is effective on the latest signature date and remains in effect until the underlying Acts 2 agreement terminates or expires and Business Associate has returned or destroyed all PHI in accordance with Section 9, whichever is later.
Either party may terminate this BAA on written notice if the other party has materially breached this BAA and failed to cure within 30 days, or, if cure is not possible, immediately.
9. Return or destruction of PHI
Within 30 days of termination of the underlying Acts 2 agreement, Business Associate will return to Covered Entity or, at Covered Entity's direction, destroy all PHI in its possession or in the possession of any Subcontractor, and retain no copies, except as Required by Law. Business Associate will provide a written certification of destruction, including cryptographic attestation where feasible.
If return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI for so long as it is retained, and limit further uses and disclosures to those purposes that make return or destruction infeasible (45 CFR section 164.504(e)(2)(ii)(J)).
10. Indemnification
Each party will indemnify the other for damages, fines, and reasonable attorneys' fees arising from its own breach of this BAA, subject to the limitation-of-liability provisions of the underlying Acts 2 agreement. [verify with counsel — HIPAA-specific indemnity carve-outs are common.]
11. General
- Regulatory references. A reference to a section of the HIPAA Rules means the section as in effect or as amended.
- Amendment for compliance. The parties will amend this BAA from time to time as necessary for Business Associate or Covered Entity to comply with the requirements of the HIPAA Rules.
- Survival. Sections 5 (Reporting), 9 (Return or destruction of PHI), and 10 (Indemnification) survive termination.
- Interpretation. Any ambiguity in this BAA will be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
- Order of precedence. In the event of conflict between this BAA and the underlying Acts 2 agreement with respect to PHI, this BAA controls.
12. Execution
Covered Entities may request an executable PDF copy of this BAA by emailing contact@acts2.io with subject “BAA Execution” and including the legal entity name, address, signatory name and title, and the Acts 2 account or order-form number.
Acts 2 / iKingdom LLC — Delaware, United States
Email: contact@acts2.io
Questions about this document?
Email us at contact@acts2.io. For data-subject requests (GDPR, CCPA, LGPD, DPDPA) please put “Data Request” in the subject line and include the email address associated with your account.