Pursuant to 45 CFR §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316 (HIPAA Security Rule); as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
This BAA applies exclusively to US-licensed Covered Entities (as defined under 45 CFR §160.103) who subscribe to AITACS CRM and who create, receive, maintain, or transmit Protected Health Information (PHI) in connection with the Service.
By continuing to use AITACS CRM after receiving this Agreement, the Covered Entity acknowledges and agrees to its terms. If you are not a US Covered Entity subject to HIPAA, this document does not apply to you; your applicable data agreement is the Data Processing Agreement (DPA).
Non-US users: This BAA is provided as a supplementary compliance instrument. GDPR obligations are separately addressed in the DPA.
Unless otherwise specified, all capitalized terms in this Agreement shall have the meanings ascribed to them under HIPAA, the HIPAA Privacy Rule (45 CFR Part 164, Subparts A and E), the HIPAA Security Rule (45 CFR Part 164, Subpart C), the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), and the HITECH Act.
The User / Subscriber
A licensed mental health professional subscribing to AITACS CRM who is subject to HIPAA as a Covered Healthcare Provider (45 CFR §160.103).
The CE is responsible for all PHI entered into or processed through the Service on behalf of their patients and End Clients.
Artem Chukov / AITACS CRM
Sole proprietor, registered in the State of Israel as an exempt dealer (עוסק פטור, no. 345086623).
The BA performs functions and activities on behalf of the CE that involve the use or disclosure of PHI, as described herein, and agrees to comply with the applicable requirements of the HIPAA Rules.
2.1. This Agreement is entered into between the Covered Entity (each individual subscriber) and the Business Associate (Artem Chukov / AITACS CRM). By activating or continuing to use the Service after the effective date of this Agreement, the Covered Entity represents that it has read, understood, and agrees to this Agreement.
2.2. This Agreement supplements and is incorporated into the Terms of Service and the Data Processing Agreement (DPA). In the event of any conflict between this Agreement and those documents with respect to HIPAA-regulated PHI, this Agreement shall control.
3.1.1. The Business Associate may use or disclose PHI only as permitted or required by this Agreement, or as Required By Law. The Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by the Covered Entity.
3.1.2. The Business Associate is authorized to use and disclose PHI for the following purposes only:
3.2.1. The Business Associate shall not:
3.3.1. The Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). See Section 9 (Security Requirements) and User Security Requirements for full details.
3.3.2. The Business Associate shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule in accordance with 45 CFR §164.316.
3.4.1. Breach Notification. The Business Associate shall notify the Covered Entity without unreasonable delay and no later than sixty (60) calendar days after discovery of a Breach of Unsecured PHI, in accordance with 45 CFR §164.410. Full notification procedures, required content, timing details, and the four-factor breach risk assessment framework are set forth in Section 6 of this Agreement, which governs breach notification in its entirety.
3.4.2. Security Incidents. The Business Associate shall, in accordance with 45 CFR §164.314(a)(2)(i)(C), report to the Covered Entity any Security Incident of which it becomes aware, including patterns of unsuccessful unauthorized access attempts. Such reports shall be provided in the Business Associate's periodic security summary communications or, in the case of a material incident, within thirty (30) days of discovery.
3.4.3. Unpermitted Uses or Disclosures. The Business Associate shall report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, as required by 45 CFR §164.504(e)(2)(ii)(C), within ten (10) business days of discovery.
3.5.1. The Business Associate shall make reasonable efforts to use, disclose, and request only the Minimum Necessary PHI to accomplish the purpose of any given use, disclosure, or request, in accordance with 45 CFR §164.502(b). The Business Associate shall maintain and apply a minimum necessary policy across all technical systems, workforce members, and subcontractors.
3.6.1. Access. The Business Associate shall provide the Covered Entity with access to PHI maintained in a Designated Record Set within fifteen (15) days of a written request by the CE, to enable the CE to fulfill its obligations to provide individuals with access to their PHI under 45 CFR §164.524.
3.6.2. Amendment. The Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR §164.526, within fifteen (15) days of a written request.
3.6.3. Accounting of Disclosures. The Business Associate shall document disclosures of PHI and information related to such disclosures as required by 45 CFR §164.528, and provide the CE with information collected in accordance with this section within thirty (30) days of a written request, to permit the CE to respond to an individual's request for an accounting of disclosures.
3.6.4. Data Portability. Upon termination of this Agreement or upon a CE's written request, the Business Associate shall provide an export of all PHI held on behalf of the CE in a machine-readable format (JSON/CSV) within thirty (30) days. The BA shall retain no copies of PHI following completion of a verified deletion request, except as Required By Law.
3.7.1. The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity available to the Secretary of HHS for purposes of determining the Covered Entity's compliance with the HIPAA Rules, as required by 45 CFR §164.504(e)(2)(ii)(H).
In order for the Business Associate to perform its obligations under this Agreement, the Covered Entity agrees to:
5.1. In accordance with 45 CFR §164.504(e)(1)(ii) and the HITECH Act, the Business Associate shall ensure that any Subcontractor who creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply through this Agreement with respect to such PHI.
5.2. The following table identifies all current Subcontractors involved in processing PHI or potentially receiving PHI, their HIPAA status, and applicable safeguards. For the complete list of all subprocessors (including those who do not process PHI), see the Subprocessor List.
The following infrastructure components operate without a HIPAA Business Associate Agreement with their respective vendors. This is a known gap that US Covered Entities must evaluate in the context of their own HIPAA compliance program before using the affected features for PHI-bearing activities. Specific mitigations are described in the table below.
| Subcontractor | Function | PHI Risk | HIPAA BAA | Safeguards / Mitigation |
|---|---|---|---|---|
| Hetzner Online GmbH (Nuremberg, Germany 🇩🇪) | Primary data center (server hosting, database, file storage) | HIGH — ePHI at rest | EU DPA (GDPR Art. 28); no US HIPAA BAA | IMPORTANT WARNING: Hetzner Online GmbH is the primary storage location for all ePHI (the MySQL database containing session notes, client records, and clinical data). Hetzner operates under a GDPR-compliant DPA (Art. 28) but does not provide a HIPAA Business Associate Agreement. Data is encrypted at rest (AES-256) and in transit (TLS 1.3); the datacenter is ISO 27001 certified; data remains in the EU (Germany). US Covered Entities must assess, under their own HIPAA risk management program (45 CFR §164.308(a)(1)), whether storage of ePHI on a non-BAA EU host constitutes an acceptable residual risk. The HIPAA Security Rule does not prohibit storing ePHI internationally if appropriate technical safeguards are in place, but the absence of a BAA with the infrastructure host is a known compliance gap that should be documented in the CE's risk analysis. |
| OpenAI LLC — GPT-4 API (San Francisco, USA 🇺🇸) | AI-assisted session analysis (structured session notes → AI insights) | MEDIUM — de-identified session data | OpenAI Enterprise API BAA available; standard API: no BAA | Session data is de-identified before transmission (client pseudonym, coded categories). No direct identifiers transmitted. Zero-retention API configuration. CE should verify de-identification meets HIPAA safe harbor (45 CFR §164.514(b)). |
| OpenAI LLC — Whisper API (San Francisco, USA 🇺🇸) | Real-time audio transcription (voice recording → text) | HIGH — raw audio may contain PHI (voice biometric + clinical content) | NO HIPAA BAA for standard Whisper API | MANDATORY WARNING: Raw audio (voice) is transmitted to OpenAI for transcription. Voice is a biometric identifier; if the recording contains patient-identifying speech or clinical content, it constitutes PHI. OpenAI's standard API operates under a zero-retention policy (audio is not stored after processing) but does not provide a HIPAA BAA. US CEs should disable audio transcription features or use ELIA's local/browser-based transcription mode if available. This feature is not recommended for PHI without independent legal review. |
| Daily.co, Inc. (San Francisco, USA 🇺🇸) | WebRTC video session infrastructure (live therapist–client video calls) | HIGH — real-time audio/video streams; session content is inherently PHI | NO HIPAA BAA | MANDATORY WARNING: Daily.co does not offer a HIPAA BAA on standard plans. Live video sessions between a therapist and patient transmit real-time audio/video that constitutes PHI under HIPAA (45 CFR §164.501 — "health information" relating to the provision of healthcare). US Covered Entities must NOT conduct HIPAA-regulated therapy sessions over the AITACS CRM integrated video feature unless they have independently verified HIPAA BAA availability directly with Daily.co. For HIPAA-compliant video, CE should use a separately contracted HIPAA BAA video provider (e.g., Zoom for Healthcare, Doxy.me, VSee). |
| Google LLC — Firebase (Mountain View, USA 🇺🇸) | Authentication, user session management | LOW — authentication tokens only; no clinical PHI | Google Cloud HIPAA BAA available (Google Workspace); Firebase covered under Google Cloud BAA for qualifying configurations | Firebase stores only authentication state (UID, email, session tokens). Clinical PHI is not stored in Firebase. Risk is low; BA monitors Google Cloud BAA coverage. |
| Google LLC — Calendar API (Mountain View, USA 🇺🇸) | OAuth-based calendar sync — session scheduling metadata exported to CE's own Google Calendar | MEDIUM — appointment times, client names in calendar events (if CE chooses to include them) | Google Cloud HIPAA BAA available; however, PHI risk depends entirely on what the CE includes in calendar event fields | The BA exports scheduling metadata via the CE's own authorized Google account. The CE is the Google account holder and controls what data is written to calendar events. CEs should not include clinical details or full client names in Google Calendar event descriptions. Covered under Google Cloud HIPAA BAA for CEs who subscribe to Google Workspace for Healthcare. |
| PayPal Holdings, Inc. (San Jose, USA 🇺🇸) | Subscription payments (AITACS CRM); one-time purchases (ELIA); referral affiliate payouts | NONE — billing data only; no clinical PHI | No HIPAA BAA required (payment processor; no PHI involved) | PayPal processes payment card and billing information only. No clinical, diagnostic, or patient-identifying information is transmitted to PayPal. |
| Paddle.com Market Limited (Dublin, Ireland 🇮🇪) | Merchant of Record for NEVY Navigator subscription payments | NONE — billing data only; no clinical PHI | No HIPAA BAA required (Merchant of Record; no PHI involved) | Paddle acts as Merchant of Record and processes payment data on behalf of the BA. No clinical or patient-identifying information is transmitted to Paddle. |
5.3. The Business Associate shall notify the Covered Entity of any material changes to the subcontractor landscape that affect PHI handling, consistent with the notice requirements in the Subprocessor List. The BA shall provide at least thirty (30) days' prior notice of new Subcontractors who will process PHI.
5.4. Where a Subcontractor does not offer a HIPAA BAA (as disclosed above), the BA shall: (a) ensure Minimum Necessary data transmission; (b) apply de-identification or pseudonymization where technically feasible; (c) document the risk and implement compensating controls; and (d) provide this disclosure to the Covered Entity for independent risk assessment.
6.1. Discovery. A Breach shall be treated as discovered by the Business Associate as of the first day on which such Breach is known, or by exercising reasonable diligence would have been known, to any workforce member, agent, or officer of the Business Associate, as provided in 45 CFR §164.410(a)(2).
6.2. Timing. Notice shall be provided to the Covered Entity no later than sixty (60) calendar days after discovery of the Breach, as required by 45 CFR §164.410(b). Where possible, the BA shall provide preliminary notification within ten (10) business days of discovery, with a full report following within the 60-day window.
6.3. Content of Notification. Each notification shall include, to the extent possible at the time of notification:
6.4. CE Notification to Individuals and HHS. The Covered Entity bears responsibility for notifying affected individuals and (where applicable) HHS and the media, pursuant to 45 CFR §§164.404, 164.406, and 164.408, based on the information provided by the Business Associate. The BA shall cooperate fully with the CE in preparing such notifications.
6.5. Breach Risk Assessment. Not every Security Incident constitutes a reportable Breach. The Business Associate shall apply the four-factor risk assessment prescribed by 45 CFR §164.402 (nature and extent of PHI, who accessed or could access it, degree of re-identification risk, extent to which risk has been mitigated) and document the assessment for each incident.
6.6. Subcontractor Breaches. The BA shall ensure that Subcontractors report any Breach of Unsecured PHI to the BA in a timely manner so that the BA can meet its 60-day notification obligation to the CE under 45 CFR §164.410.
The following table maps each data flow that may involve PHI within the AITACS CRM platform:
| Flow | Data Type | Source → Destination | PHI? | Safeguard |
|---|---|---|---|---|
| 1. Session note entry | Text (clinical notes, pseudonym) | CE's browser → Hetzner DB | Yes (if identifiable) | TLS in transit; AES-256 at rest; CE to use pseudonyms |
| 2. AI session analysis | De-identified session categories | Hetzner → OpenAI GPT-4 API | Low (de-identified) | Identifiers removed before API call; zero-retention config |
| 3. Audio transcription | Raw audio recording | CE's device → OpenAI Whisper API | Potentially YES (voice biometric + speech) | ⚠ No HIPAA BAA with Whisper; zero-retention claim only; CE advised to disable or use local transcription |
| 4. Video session | Live audio/video stream | CE's device ↔ Daily.co ↔ Client device | YES (clinical communication) | ⚠ No HIPAA BAA with Daily.co; US CEs must not use for PHI-bearing sessions without independent legal review |
| 5. Calendar sync | Appointment metadata (date, time, CE-defined event title) | Hetzner → Google Calendar API (CE's own account) | Depends on CE's event naming | CE controls what data is in event fields; advised not to include clinical content |
| 6. Authentication | UID, email, session token | Browser → Firebase | No clinical PHI | Firebase auth tokens only; covered under Google Cloud BAA if applicable |
| 7. Payment | Billing data (name, card, address) | Browser → PayPal / Paddle | No | PCI DSS Level 1 processors; no PHI involved |
| 8. File storage | Attached documents, uploaded files | CE's browser → Hetzner file storage | Potentially YES (if CE uploads PHI-bearing documents) | TLS in transit; AES-256 at rest; CE responsible for content |
8.1. Required By Law. The Business Associate may use or disclose PHI to the extent such use or disclosure is Required By Law, provided that the BA complies with the requirements of the law mandating the use or disclosure, and notifies the CE of such disclosure as soon as reasonably practicable.
8.2. Public Health. If authorized to do so by a Covered Entity, the Business Associate may use or disclose PHI for public health activities, in accordance with 45 CFR §164.512(b).
8.3. Judicial and Administrative Proceedings. The Business Associate may disclose PHI in the course of any judicial or administrative proceeding, in accordance with and as limited by 45 CFR §164.512(e), in response to a court order, subpoena, or other lawful process.
8.4. Law Enforcement. The Business Associate may disclose PHI for law enforcement purposes to the extent, and in the circumstances, permitted by 45 CFR §164.512(f).
8.5. Serious Threat to Health or Safety. The Business Associate may use or disclose PHI consistent with 45 CFR §164.512(j) if the Business Associate, in good faith, believes that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
9.1. The Business Associate shall implement reasonable and appropriate administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR §§164.308, 164.310, 164.312, 164.316), including the following minimum controls:
For CE-side security obligations, see the User Security Requirements.
10.1. Term. This Agreement shall be effective as of the date the Covered Entity first uses the Service and shall remain in effect for the duration of the Service relationship between the Parties, and for so long as the Business Associate retains any PHI from or on behalf of the Covered Entity.
10.2. Termination for Cause. If either Party learns of a material breach by the other Party of its obligations under this Agreement, it shall: (a) notify the breaching Party in writing; (b) provide a reasonable opportunity, not to exceed thirty (30) days, to cure the breach; (c) if the breach is not cured, terminate the Agreement and the underlying Service agreement immediately upon written notice. Where a cure is not possible, the non-breaching Party may terminate immediately. (45 CFR §164.504(e)(2)(iii))
10.3. Effect of Termination. Upon termination of this Agreement or the underlying Service agreement, the Business Associate shall (a) where feasible, return or destroy all PHI received from or created or received on behalf of the Covered Entity, and retain no copies; or (b) if return or destruction is not feasible, continue to extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI, as required by 45 CFR §164.504(e)(2)(ii)(J).
10.4. Survival. Sections 3 (Obligations of the Business Associate), 6 (Breach Notification), 9 (Security Requirements), and this Section 10 shall survive termination of this Agreement with respect to any PHI retained by the Business Associate after termination.
10.5. Automatic Termination. This Agreement shall automatically terminate upon the permanent termination of the Service, subject to the survival provisions above.
11.1. Amendment. This Agreement may be amended by the Business Associate upon thirty (30) days' prior written notice to the Covered Entity. Continued use of the Service after such notice period constitutes acceptance of the amended Agreement. Material amendments that reduce privacy protections shall require affirmative consent.
11.2. No Third-Party Beneficiaries. Nothing in this Agreement shall confer any rights, remedies, or claims upon any third party, including any patient, End Client, or individual whose PHI is processed under this Agreement. Individuals may only exercise their HIPAA rights through the Covered Entity, not directly against the Business Associate.
11.3. Entire Agreement. This Agreement, together with the Terms of Service and the Data Processing Agreement, constitutes the entire agreement between the Parties with respect to HIPAA compliance and supersedes any prior oral or written agreements on the same subject. In the event of any conflict, this Agreement shall control with respect to HIPAA-regulated PHI.
11.4. Severability. If any provision of this Agreement is found to be unenforceable or invalid under applicable law, such provision shall be modified to the minimum extent necessary to make it enforceable, and all remaining provisions shall remain in full force and effect.
11.5. Governing Law. This Agreement shall be governed by the laws of the United States as they pertain to HIPAA, HITECH, and applicable federal regulations. To the extent state law is implicated, the CE's state law of licensure shall apply to the CE's HIPAA obligations. The BA's general contractual obligations are governed by the laws of the State of Israel, consistent with the Terms of Service.
11.6. Non-Waiver. Failure by either Party to enforce any provision of this Agreement shall not constitute a waiver of that Party's right to enforce such provision in the future.
11.7. Force Majeure. Neither Party shall be liable for delays or failures in performance caused by events beyond its reasonable control, provided that the Business Associate shall not be excused from its breach notification obligations under Section 6.
11.8. Electronic Acceptance. This Agreement may be executed or accepted electronically. Electronic acceptance by a Covered Entity (including by continued use of the Service after notice of this Agreement) shall be deemed legally equivalent to a handwritten signature for all purposes under applicable law, including the Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA).
11.9. HITECH Compliance. The Parties acknowledge that the HITECH Act (enacted February 17, 2009) extended HIPAA obligations directly to Business Associates and their Subcontractors. This Agreement incorporates HITECH requirements, including enhanced enforcement, breach notification obligations, and restrictions on sale and marketing uses of PHI.
11.10. State Mental Health Laws. The Parties acknowledge that many U.S. states impose additional or more restrictive confidentiality requirements on mental health records beyond HIPAA (e.g., California Mental Health Services Act; New York Mental Hygiene Law §33.13; Texas Health and Safety Code Ch. 611). It is the Covered Entity's sole responsibility to identify and comply with applicable state law. This Agreement does not alter or substitute for state-law obligations.
Artem Chukov — Business Associate / Privacy Contact
Email: aitacs@skillbuilder.club
Web: skillbuilder.club
For breach notifications, suspected security incidents, privacy inquiries, PHI access or amendment requests, or requests for an accounting of disclosures, please contact the Privacy Contact in writing via the email address above. The Business Associate shall respond within ten (10) business days of receipt.
| Version | Date | Changes |
|---|---|---|
| 1.0 | Feb 20, 2026 | Initial publication. Core BAA pursuant to 45 CFR §164.504(e)(2). Covers AITACS CRM primary service. Subcontractors: Hetzner, Firebase, OpenAI GPT-4, PayPal. |
| 1.1 | May 25, 2026 | Major update. Added §5 subcontractor table with honest HIPAA gap disclosures for Daily.co (no BAA — ⚠ video sessions) and OpenAI Whisper (no BAA — ⚠ audio transcription). Added PHI Data Flow Map (Annex A, §7). Added Google Calendar API and Google Firebase BAA coverage note. Added Paddle.com (no PHI). Updated HITECH §11.9 and state mental health law §11.10 provisions. Updated PayPal scope to include ELIA and referral payouts. Clarified Daily.co contradiction from prior Privacy Policy — no HIPAA BAA exists with Daily.co; ToS §6.5 was correct; Privacy Policy statement has been corrected in v2.1 of that document. |