01 / Overview & Scope
This Business Associate Agreement (“BAA”) supplements the Master Subscription Agreement between Syntax Voice LLC (“Business Associate”) and the Customer (“Covered Entity”). It establishes the obligations governing the handling of Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act (collectively, “HIPAA”).
This BAA applies to all workspaces where PHI may transit the Syntax Voice infrastructure, including but not limited to patient intake calls, consultation bookings, Non-Emergency Medical Transportation (NEMT) dispatch, and Specialist escalations involving protected health data.
02 / HIPAA Definitions
Capitalized terms used but not otherwise defined herein shall have the meaning given to them under 45 C.F.R. §§ 160.103 and 164.501, including:
- Protected Health Information (PHI). Individually identifiable health information transmitted or maintained in any form that is received, created, or transmitted by Business Associate on behalf of the Covered Entity.
- Electronic PHI (ePHI). PHI that is transmitted by or maintained in electronic media.
- Breach. The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.
- Security Incident. The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
03 / Permitted Uses & Disclosures of PHI
Business Associate may use and disclose PHI only as necessary to perform the services set forth in the Master Subscription Agreement, or as otherwise required by law. Specifically, Business Associate:
- Shall not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.
- Shall not use PHI for any secondary commercial purpose, including training foundation models, advertising, analytics unrelated to the routing service, or profiling.
- Shall apply the Minimum Necessary standard (45 C.F.R. § 164.502(b)) to all internal uses, including Specialist access, support troubleshooting, and audit review.
- May disclose PHI to Subcontractors only when those Subcontractors have signed downstream agreements providing at least the same restrictions and conditions that apply to Business Associate under this BAA.
04 / Technical & Administrative Safeguards
Business Associate maintains a documented HIPAA Security Program that implements the administrative, physical, and technical safeguards required under 45 C.F.R. §§ 164.308, 164.310, and 164.312, including:
- Encryption. AES-256 for ePHI at rest; TLS 1.3 for ePHI in transit.
- Access Controls. Role-based access control (RBAC) with unique user identification, automatic logoff, and emergency access procedures for Syntax Specialist terminals.
- Audit Logging. Immutable, timestamped audit trails for every PHI read/write event, retained for a minimum of six (6) years pursuant to 45 C.F.R. § 164.316.
- Medical Term Scrubbing. Automated redaction of PHI from error reports, observability pipelines, and system logs prior to durable storage.
- Workforce Training. All Business Associate personnel with potential PHI access receive annual HIPAA training and sign a written confidentiality attestation.
05 / Breach Notification
Business Associate shall report any Breach of Unsecured PHI to the Covered Entity without unreasonable delay, and in no case later than seventy-two (72) hours after discovery — substantially faster than the sixty (60) day statutory ceiling under 45 C.F.R. § 164.410, and aligned with the breach-notification timeline in our Data Processing Agreement. Each notification shall include, to the extent known at the time of the report, (a) the identification of individuals whose PHI was involved, (b) a description of the nature of the Breach, (c) the steps Business Associate has taken or will take to investigate and mitigate harm, and (d) guidance sufficient to assist the Covered Entity in fulfilling its own notification obligations under 45 C.F.R. §§ 164.404 and 164.406.
For lower-severity Security Incidents that do not rise to the level of a Breach (e.g., unsuccessful attempts at unauthorized access), Business Associate will aggregate and summarize such events in a quarterly security report available through the workspace dashboard.
06 / Termination & Return of PHI
Upon termination of the Master Subscription Agreement for any reason, Business Associate shall, if feasible, return or destroy all PHI received from, created by, or received on behalf of the Covered Entity. Where return or destruction is not feasible (e.g., retention required by law), Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible, for so long as Business Associate maintains the PHI.
Covered Entities may also initiate a PHI Destruction Request at any time via the workspace dashboard. Destruction is completed within 72 hours on active systems, and within 30 days on encrypted backups.
Request an executed copy.
Healthcare and NEMT workspaces on the Pro or Agency tier receive an executed BAA before the first call. Submit this form and a PDF will be sent to your work email within one business day.