1. Definitions
Terms used but not otherwise defined in this BAA shall have the meanings given to them in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and their implementing regulations (collectively, "HIPAA Rules").
- "Covered Entity" means the subscribing healthcare provider, practice, or organization.
- "Business Associate" means Pluto Biz Solutions, operator of PT Documentation AI.
- "Protected Health Information" (PHI) has the meaning given in 45 CFR § 160.103.
- "Services" means the PT Documentation AI platform and related services.
2. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this BAA or as required by law.
- Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR § 164.410, and any Security Incident of which it becomes aware.
- In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
- Make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524.
- Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with HIPAA Rules.
- Upon termination of this BAA, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity.
3. Permitted Uses and Disclosures by Business Associate
Business Associate may use or disclose PHI only as follows:
- As necessary to perform the Services described in the Terms of Service, including transcribing audio recordings and generating clinical documentation.
- As required by law.
- For the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed.
- To de-identify PHI in accordance with 45 CFR § 164.514(b) and to use the resulting de-identified data to improve the Services.
4. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any limitation(s) in the Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI.
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA Rules if done by Covered Entity.
- Obtain any consent or authorization necessary to permit Business Associate to perform the Services.
5. Security Safeguards
Business Associate implements the following safeguards to protect electronic PHI:
- Encryption in transit: All data transmitted between users and the Service is encrypted using TLS 1.2 or higher.
- Encryption at rest: PHI stored in our database and file storage is encrypted at rest.
- Access controls: PHI is accessible only to authenticated and authorized users. Each user's data is logically isolated.
- Audit logging: Access to PHI is logged for audit purposes.
- Subcontractor agreements: We maintain data processing agreements with all subcontractors who may access PHI (including cloud hosting and AI transcription providers).
6. Term and Termination
This BAA is effective upon your acceptance of the Terms of Service and shall remain in effect for the duration of your subscription. Either party may terminate this BAA upon 30 days' written notice if the other party has materially breached a provision of this BAA and has not cured such breach within the notice period. Upon termination, Business Associate shall return or destroy all PHI as described in Section 2.
7. Miscellaneous
This BAA is incorporated into and made part of the Terms of Service. In the event of a conflict between this BAA and the Terms of Service with respect to PHI, this BAA shall control. This BAA shall be governed by the laws of the State of Texas. Any ambiguity in this BAA shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA Rules.
8. Contact for HIPAA Matters
HIPAA Privacy Officer
Pluto Biz Solutions
Email: [email protected]
To report a potential breach or request a copy of this BAA as a signed document, please contact us at the email above.