
Business Associate Addendum

Last revised: May 26, 2026

This BAA is available by request only.

Vistaly executes Business Associate Agreements with healthcare Customers who require HIPAA compliance commitments. This document is published for transparency and counsel review. It is not automatically applied to any Vistaly account. To request a BAA, contact legal@vistaly.com.

This Business Associate Addendum ("BAA") is entered into by and between the Customer identified in the Agreement ("Covered Entity") and Vistaly, Inc., a Delaware corporation ("Business Associate"). This BAA supplements and, once counter-executed by Business Associate, is incorporated into the Agreement (defined below).

Covered Entity and Business Associate may be referred to herein individually as a "Party" and collectively as the "Parties."

Recitals

WHEREAS, the Parties have entered into the Agreement pursuant to which Business Associate provides certain Services to Covered Entity, which may involve the creation, receipt, maintenance, or transmission of Protected Health Information from or on behalf of Covered Entity, subject to protection under the Federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"), and related regulations promulgated by the Secretary ("HIPAA Regulations"); and

WHEREAS, Business Associate qualifies as a "business associate" (as defined by the HIPAA Regulations) and, as such, has certain responsibilities with respect to Protected Health Information; and

WHEREAS, this BAA supplements the Vistaly Data Processing Addendum with respect to Protected Health Information; in the event of conflict between this BAA and the DPA on HIPAA-specific obligations, this BAA controls; and

WHEREAS, in light of the foregoing and the requirements of HIPAA, the HITECH Act, and the HIPAA Regulations, Business Associate and Covered Entity agree to be bound by the following terms and conditions.

NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Definitions

The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

In addition, the following terms shall have the meanings set forth below:

(a) "Agreement" means any present or future agreements, written or oral, between Covered Entity and Business Associate under which Business Associate provides Services to Covered Entity that involve the use or disclosure of Protected Health Information, including the applicable Terms of Service or Master Subscription Agreement.

(b) "Breach" shall have the same meaning as the term "breach" in 45 CFR § 164.402.

(c) "Electronic Protected Health Information" or "ePHI" shall have the same meaning as the term "electronic protected health information" in 45 CFR § 160.103, limited to information that Business Associate creates, receives, maintains, or transmits from or on behalf of Covered Entity.

(d) "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

(e) "Individual" shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

(f) "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164.

(g) "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.

(h) "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103.

(i) "Secretary" shall mean the Secretary of the Department of Health and Human Services or their designee.

(j) "Security Rule" shall mean the Security Standards at 45 CFR Part 160 and Part 164.

(k) "Services" shall have the meaning set forth in the Agreement.

(l) "Subcontractor" shall have the same meaning as the term "subcontractor" in 45 CFR § 160.103.

(m) "Unsecured Protected Health Information" shall have the same meaning as the term "unsecured protected health information" in 45 CFR § 164.402.

Any capitalized term used but not otherwise defined in this BAA shall have the meaning given to that term by HIPAA, the HITECH Act, or the HIPAA Regulations, as in effect and as may be amended from time to time.

2. Obligations and Activities of Business Associate

(a) Use and Disclosure. Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Agreement, this BAA, or as Required By Law. Business Associate shall comply with all present and future provisions of HIPAA, the HITECH Act, and the HIPAA Regulations applicable to Business Associate. To the extent Business Associate carries out one or more of Covered Entity's obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.

(b) Appropriate Safeguards. Business Associate agrees to use appropriate safeguards and comply with the Security Rule to prevent use or disclosure of Protected Health Information other than as provided for by this BAA. Business Associate's safeguards are described in the Vistaly Security Policy. Without limiting the foregoing, Business Associate will:

  • implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information as required by the Security Rule; and
  • ensure that any Subcontractor to whom Business Associate provides Electronic Protected Health Information agrees in writing to implement reasonable and appropriate safeguards to protect such Electronic Protected Health Information.

(c) Reporting. Business Associate agrees to promptly report to Covered Entity: (i) any use or disclosure of Protected Health Information not permitted by this BAA of which Business Associate becomes aware; and (ii) any Security Incident of which Business Associate becomes aware. Covered Entity is hereby notified that unsuccessful security attempts (such as pings, port scans, unsuccessful login attempts, and similar routine intrusion attempts) occur routinely and Business Associate shall have no obligation to report such unsuccessful attempts individually.

Business Associate agrees to notify Covered Entity without unreasonable delay, and in no event more than seventy-two (72) hours following discovery, of a Breach of Unsecured Protected Health Information. This timing is consistent with Vistaly's general data breach notification commitments under the Agreement and Vistaly's Privacy Policy. Any notice shall include, to the extent known: (i) identification of each Individual whose PHI was or is reasonably believed to have been accessed, acquired, used, or disclosed; (ii) a description of the nature of the Breach; (iii) the date of the Breach and the date of discovery; and (iv) a description of Business Associate's response steps. Notices shall be directed to Covered Entity as set forth in the Agreement.

(d) Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of Protected Health Information by Business Associate or its Subcontractors in violation of this BAA.

(e) Subcontractors. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of Business Associate enters into a written agreement meeting the requirements of 45 CFR §§ 164.504(e) and 164.314(a)(2). A current list of Business Associate's material Subcontractors that may have access to Protected Health Information is set forth in Exhibit A (Sub-Processors), which may be updated by Business Associate from time to time as described in the Vistaly Sub-Processors page.

(f) Access to Designated Record Sets. To the extent Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate agrees to provide access to such PHI to Covered Entity upon request, to enable Covered Entity to fulfill its obligations under HIPAA Regulations. If an Individual makes a request directly to Business Associate, Business Associate shall notify Covered Entity within five (5) business days of receipt.

(g) Amendments to Designated Record Sets. To the extent Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make amendments to PHI as directed by Covered Entity pursuant to HIPAA Regulations. If an Individual makes a request for amendment directly to Business Associate, Business Associate shall notify Covered Entity within five (5) business days of receipt.

(h) Access to Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary, at a time and in a manner designated by the Secretary, for purposes of determining Covered Entity's compliance with the Privacy Rule.

(i) Accountings of Disclosures. Business Associate agrees to document disclosures of Protected Health Information and related information as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures under HIPAA. Business Associate agrees to provide such information to Covered Entity within thirty (30) days of request. If an Individual makes such a request directly to Business Associate, Business Associate shall notify Covered Entity within five (5) business days of receipt.

3. Permitted Uses and Disclosures by Business Associate

(a) Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information to perform functions, activities, or Services for or on behalf of Covered Entity as specified in the Agreement, provided that such use or disclosure would not violate HIPAA Regulations if done by Covered Entity.

(b) Except as otherwise limited in this BAA, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities.

(c) Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that: (i) such disclosures are Required by Law; or (ii) Business Associate obtains reasonable assurances from the recipient that the information will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any breach of confidentiality.

(d) Business Associate is authorized to de-identify Protected Health Information in accordance with 45 CFR § 164.514(a)-(c) and to use and disclose such de-identified information to the extent permitted by applicable law, including for product improvement, analytics, and development of Business Associate's services.

(e) Business Associate may provide data aggregation services relating to the health care operations of Covered Entity.

4. Obligations of Covered Entity

(a) Privacy Notice. Covered Entity shall notify Business Associate of any limitation in its notice of privacy practices under 45 CFR § 164.520 to the extent such limitation may affect Business Associate's use or disclosure of Protected Health Information. Vistaly's general privacy practices are described in the Vistaly Privacy Policy.

(b) Changes in Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent such changes may affect Business Associate's use or disclosure of Protected Health Information.

(c) Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to under 45 CFR § 164.522, to the extent such restriction may affect Business Associate's use or disclosure of Protected Health Information.

(d) Permissible Requests. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

(e) Accuracy and Legality. Covered Entity is solely responsible for the accuracy, quality, and legality of (i) the Protected Health Information provided to Business Associate; (ii) the means by which Covered Entity acquired such PHI; and (iii) the instructions it provides to Business Associate under this BAA.

5. Term and Termination

(a) Term. This BAA shall be effective as of the date of Business Associate's counter-execution under Section 8 and shall remain in effect until all Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or until protections are extended to such information as provided in this Section.

(b) Termination for Cause. Either Party may terminate this BAA upon thirty (30) days' written notice to the other Party in the event of a material breach of this BAA, provided that the breaching Party has not cured such breach to the reasonable satisfaction of the non-breaching Party within such thirty (30)-day period.

(c) Effect of Termination. Upon termination of this BAA for any reason, Business Associate shall, at Covered Entity's election, return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, including copies held by Subcontractors. Business Associate shall retain no copies of such PHI. If return or destruction is infeasible, Business Associate shall provide written notice to Covered Entity of the conditions making return or destruction infeasible and shall extend the protections of this BAA to such PHI for so long as Business Associate maintains it, limiting further uses to those purposes that make return or destruction infeasible.

6. Coordination of the Parties

The Parties shall reasonably cooperate and coordinate with each other in: (a) the investigation of any violation of this BAA or any Security Incident or Breach; and (b) the preparation of any reports or notices to Individuals, regulatory bodies, or third parties required under HIPAA, the HIPAA Regulations, the HITECH Act, or any applicable Federal or State law.

7. Miscellaneous

(a) Regulatory References. A reference in this BAA to a section of HIPAA, the HIPAA Regulations, or the HITECH Act means such section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.

(b) Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as required for compliance with HIPAA, the HIPAA Regulations, and the HITECH Act.

(c) Survival. The rights and obligations of Business Associate under Section 5(c) and the Parties under Sections 6 and 7 of this BAA shall survive termination of the Agreement and this BAA.

(d) Interpretation. Any ambiguity in this BAA shall be resolved to permit both Parties to comply with HIPAA, the HIPAA Regulations, and the HITECH Act.

(e) Limitation of Liability. The liability of Business Associate under this BAA is subject to, and not in addition to, the limitations set forth in the Agreement. Where the Agreement provides for an Enhanced Cap applicable to data protection obligations, such Enhanced Cap shall apply to this BAA.

(f) Exclusion of Consequential Damages. In no event shall Business Associate have any liability to Covered Entity or any third party for any lost profits, loss of data, loss of use, or for any indirect, special, incidental, punitive, or consequential damages, however caused and under any theory of liability, whether or not Business Associate has been advised of the possibility of such damage. Where state law does not permit exclusion or limitation of certain damages, Business Associate's liability shall be limited to the maximum extent permitted by applicable law.

(g) Entire Agreement. This BAA, together with the Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes any prior business associate agreement between the Parties. In the event of a conflict between the terms of this BAA and the terms of the Agreement, the terms of this BAA shall prevail with respect to HIPAA compliance obligations. Terms of the Agreement not modified by this BAA remain in full force and effect.

(h) Governing Law. This BAA shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, without regard to its conflict of law rules, consistent with the governing law provisions of the Agreement and the Data Processing Addendum.

(i) Counterparts. This BAA may be executed in counterparts, each of which shall constitute an original. Electronic and PDF signatures shall be deemed original signatures for all purposes.

8. Execution and Effectiveness

This BAA does not take effect automatically. To request a BAA, Customer must contact Vistaly at legal@vistaly.com. This BAA becomes effective only when Business Associate counter-executes (electronically or in writing) and provides Covered Entity with a copy reflecting that counter-execution. Until such counter-execution occurs, no provision of this BAA modifies the Agreement, and Covered Entity's account is not treated by Business Associate as a Covered Entity relationship under HIPAA.


Exhibit A — Sub-Processors

The current authoritative list of all Vistaly sub-processors is maintained at vistaly.com/sub-processors and is incorporated herein by reference. For AI-specific data flows, retention, and safeguards, see vistaly.com/ai-subprocessors.

The Sub-Processors set forth below are those that may have access to Protected Health Information in connection with Business Associate's provision of Services to Covered Entity, and with each of whom Business Associate maintains a Business Associate Agreement. AI inference is performed by Claude models hosted within Amazon Bedrock under Amazon Web Services' Business Associate Agreement; PHI is not transmitted to Anthropic's systems. Business Associate will provide reasonable advance notice to Covered Entity of material changes to this list, in accordance with the notice mechanism described on the Sub-Processors page.

Sub-Processor: Amazon Web Services, Inc.
Purpose: We use AWS to host our entire application infrastructure, including servers, databases, and backups. AWS also provides AI inference via Amazon Bedrock, running Claude models within AWS's infrastructure. AWS enables us to provide secure, scalable, and reliable services, including data storage, processing, AI inference, and disaster recovery solutions to ensure high availability and durability for our application.
Location: 410 Terry Ave N, Seattle, WA, 98109-5210, United States
Data Type: ePHI — storage, encryption, and AI inference via Amazon Bedrock (encrypted at rest and in transit)

Sub-Processor: AssemblyAI, Inc.
Purpose: We use AssemblyAI for speech-to-text transcription in our beta Vistaly product. AssemblyAI is not used by app.vistaly.com (Vistaly V1).
Location: 2261 Market Street #4577, San Francisco, CA 94114, United States
Data Type: ePHI within interview audio/video recordings submitted for transcription; encrypted in transit