
Business Associate Agreement

Last updated: April 10, 2026

This BAA template governs the relationship between raipii and covered entities or business associates subject to HIPAA. To execute a signed BAA, contact hello@raipii.com. A countersigned copy will be returned within 2 business days.

1. Definitions

The following terms have the meanings ascribed to them under HIPAA and the HITECH Act, as amended, and their implementing regulations at 45 C.F.R. Parts 160 and 164:

  • "Covered Entity" means the customer that is a covered entity as defined under HIPAA.
  • "Business Associate" means raipii, acting as a business associate by performing functions or activities involving the use or disclosure of Protected Health Information on behalf of the Covered Entity.
  • "Protected Health Information" or "PHI" has the meaning given in 45 C.F.R. § 160.103, limited to PHI that raipii creates, receives, maintains, or transmits on behalf of the Covered Entity.
  • "Electronic PHI" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form.
  • "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164.
  • "Services" means the raipii PII detection and sanitization API and related platform.

2. Permitted uses and disclosures by Business Associate

raipii may use or disclose PHI only as necessary to perform the Services on behalf of the Covered Entity, and as permitted or required by this BAA or applicable law. Specifically, raipii may:

  • Use PHI to detect and identify PHI entities within text submitted by the Covered Entity
  • Process PHI to produce sanitized text with PHI replaced by tokens or synthetic substitutes
  • Temporarily store session token maps to enable restoration of original PHI values
  • Use PHI as necessary for the proper management and administration of raipii
  • Use PHI to carry out the legal responsibilities of raipii

raipii will not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by the Covered Entity, except as permitted under this BAA.

raipii will not use PHI for marketing purposes, sell PHI, or use PHI to train machine learning models.

3. Safeguards

raipii will implement and maintain appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as permitted by this BAA, in accordance with 45 C.F.R. § 164.308, § 164.310, and § 164.312.

Technical safeguards include: encryption of ePHI at rest and in transit; access controls limiting PHI access to authorised personnel; automatic deletion of session data on expiry; and audit logging of all API access (metadata only; no PHI values stored in logs).

When HIPAA mode is enabled, all PHI detection runs entirely within the Covered Entity's designated region. No PHI is transmitted to external services for detection.

4. Sub-contractors

raipii will ensure that any sub-contractor or agent to whom it provides PHI on behalf of the Covered Entity agrees to the same restrictions, conditions, and requirements that apply to raipii under this BAA, by entering into a written agreement with such sub-contractor.

5. Reporting obligations

raipii will report to the Covered Entity, without unreasonable delay and in no case later than 5 business days after discovery:

  • Any use or disclosure of PHI not provided for by this BAA
  • Any Security Incident (as defined in 45 C.F.R. § 164.304)
  • Any Breach of Unsecured PHI (as defined in 45 C.F.R. § 164.402)

Breach notification will include, to the extent known at the time: the identity of individuals whose PHI was involved; a description of the PHI involved; the date of the breach; steps individuals should take to protect themselves; and steps raipii is taking to investigate, mitigate, and prevent recurrence.

6. Access and amendment

To the extent that raipii maintains PHI in a Designated Record Set, raipii will make such PHI available to the Covered Entity within 15 days of a written request to enable the Covered Entity to fulfil access and amendment rights under 45 C.F.R. §§ 164.524 and 164.526.

Given the nature of the Service (PHI is held transiently in session token maps and deleted on session expiry), raipii does not typically maintain PHI in a Designated Record Set beyond the session TTL.

7. Accounting of disclosures

raipii will make available to the Covered Entity the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528 within 15 days of a written request.

8. Minimum necessary

raipii will request, use, and disclose only the minimum necessary PHI to accomplish the intended purpose of the request, use, or disclosure, in accordance with 45 C.F.R. § 164.502(b).

9. Term and termination

This BAA is effective upon execution and remains in effect for the duration of the Services agreement between the parties.

Either party may terminate this BAA if the other party materially breaches a provision and fails to cure the breach within 30 days of written notice.

Upon termination, raipii will, at the Covered Entity's election, return or destroy all PHI received from or created on behalf of the Covered Entity that raipii maintains in any form. If return or destruction is infeasible, raipii will extend the protections of this BAA to the PHI and limit further use or disclosure.

10. Individual rights under HITECH

To the extent raipii carries out a Covered Entity's obligations under the HIPAA Privacy Rule, raipii will comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligations.

raipii will comply with 45 C.F.R. § 164.522 regarding requests for restrictions on disclosure to the extent applicable to the Services.

11. Miscellaneous

Amendment. The parties agree to amend this BAA as necessary to comply with changes in applicable law, including changes to the HIPAA Rules.

Interpretation. Any ambiguity in this BAA will be resolved to permit the parties to comply with the HIPAA Rules.

Survival. The obligations of raipii under sections 3, 5, 6, 7, and 9 survive termination of this BAA.

Governing law. This BAA is governed by the laws of the State of Delaware, consistent with the Terms of Service.

12. Execute this BAA

To request a countersigned BAA for your organisation, email hello@raipii.com with the subject line BAA Request and the following information:

  • Organisation legal name
  • Signatory name and title
  • Signatory email address

A countersigned copy will be returned within 2 business days. The BAA is available at no additional charge on the Business tier.