
Business Associate Agreement

Effective date: January 1, 2026  ·  Version 1.0

Signed automatically. When you execute a Praxis AI subscription agreement, this BAA is incorporated by reference and takes effect immediately. No separate signature is required. Contact legal@itspraxis.ai if you require a countersigned copy.

Recitals

This Business Associate Agreement ("BAA") is entered into by and between the dental practice or other HIPAA-covered entity identified in the Praxis AI subscription agreement ("Covered Entity") and Praxis AI, Inc., a Florida corporation ("Business Associate"), collectively the "Parties."

Covered Entity is a Covered Entity as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA"). Business Associate performs certain functions and activities on behalf of Covered Entity that require Business Associate to create, receive, maintain, or transmit Protected Health Information ("PHI"). The Parties enter into this BAA to satisfy the requirements of HIPAA.

Definitions

Unless otherwise defined in this BAA, capitalised terms have the meanings assigned in HIPAA (45 C.F.R. Parts 160 and 164), including:

  • Breach — as defined in 45 C.F.R. § 164.402.
  • Business Associate — as defined in 45 C.F.R. § 160.103.
  • Covered Entity — as defined in 45 C.F.R. § 160.103.
  • Electronic Protected Health Information (ePHI) — PHI that is transmitted by or maintained in electronic media.
  • Protected Health Information (PHI) — as defined in 45 C.F.R. § 160.103, limited to PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • Security Incident — as defined in 45 C.F.R. § 164.304.
  • Subcontractor — as defined in 45 C.F.R. § 160.103.
  • Unsecured PHI — as defined in 45 C.F.R. § 164.402.

Permitted Uses & Disclosures of PHI

Services

Business Associate may use and disclose PHI as necessary to perform the following functions for Covered Entity:

  • Operating and improving the Voice Agent, including processing call recordings and transcripts to schedule appointments and respond to patient inquiries.
  • Operating the SEO Agent, to the limited extent that practice data relevant to services offered may incidentally include PHI.
  • Operating the Smile Simulator to process patient images and generate smile preview outputs.
  • Providing technical support, data management, and analytics services related to the above.

Management & legal obligations

Business Associate may use PHI for its proper management and administration, and to carry out its legal responsibilities, provided any disclosure for such purposes is either required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential.

Minimum necessary

Business Associate will make reasonable efforts to use or disclose only the minimum amount of PHI necessary to accomplish the intended purpose.

Prohibited Uses & Disclosures

Business Associate will not:

  • Use or disclose PHI other than as permitted or required by this BAA or as required by law.
  • Use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity.
  • Sell PHI or use PHI for marketing purposes without authorisation.

Safeguards

Business Associate will implement and maintain appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of PHI, including ePHI, in accordance with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C). These safeguards include, but are not limited to:

  • AES-256 encryption for PHI at rest and TLS 1.2+ for PHI in transit.
  • Role-based access controls and multi-factor authentication for systems processing ePHI.
  • Comprehensive audit logging of access to ePHI.
  • Annual risk analyses and risk management programmes.
  • Workforce training on HIPAA policies and procedures.
  • Documented incident response and breach notification procedures.

Subcontractors

Business Associate will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees to the same restrictions and conditions as those imposed on Business Associate under this BAA, by entering into a written agreement with such Subcontractor that complies with HIPAA.

Breach Notification

Business Associate will notify Covered Entity without unreasonable delay, and in no case later than 60 calendar days after discovery of a Breach of Unsecured PHI, as required by 45 C.F.R. § 164.410. The notification will include, to the extent reasonably available:

  • A description of the Breach, including the date of the Breach and the date of discovery.
  • A description of the types of Unsecured PHI involved.
  • The identity of each individual whose PHI was involved, if known.
  • A brief description of steps taken to investigate and mitigate the Breach.
  • Steps individuals should take to protect themselves, if applicable.

Business Associate will report to Covered Entity, on a quarterly basis, any Security Incidents of which it becomes aware that did not constitute a Breach.

Individual Rights

Business Associate agrees to:

  • Provide access to PHI in a Designated Record Set to Covered Entity (or, at Covered Entity's direction, the individual) within 30 days of a request, as required by 45 C.F.R. § 164.524.
  • Amend PHI in a Designated Record Set upon direction from Covered Entity, as required by 45 C.F.R. § 164.526.
  • Make available the information required to provide an accounting of disclosures to Covered Entity within 60 days of a request, as required by 45 C.F.R. § 164.528.
  • Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with HIPAA.

Obligations of Covered Entity

Covered Entity agrees to:

  • Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.
  • Not request Business Associate to use or disclose PHI in a manner that would not be permissible under HIPAA if done by Covered Entity.
  • Obtain any necessary authorisations from patients prior to directing Business Associate to use or disclose PHI beyond what is otherwise permitted under this BAA.

Term & Termination

This BAA is effective as of the commencement of Business Associate's Services to Covered Entity and will terminate upon termination of the underlying subscription agreement, unless terminated earlier as provided herein.

Either Party may terminate this BAA if the other Party materially breaches a provision of this BAA and fails to cure such breach within 30 days of written notice.

Upon termination, Business Associate will, at the direction of Covered Entity, either return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.

Miscellaneous

Regulatory references. Any reference in this BAA to a regulatory provision means that provision as currently in effect or as amended, and includes the most current guidance issued by HHS.

Amendment. The Parties agree to amend this BAA as necessary to comply with any changes to HIPAA.

No third-party beneficiaries. Nothing in this BAA confers any rights or remedies upon any third party, including patients.

Entire agreement. This BAA, together with the Praxis AI subscription agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements and understandings.

Governing law. This BAA is governed by the laws of the State of Florida and applicable federal law.

Questions

For questions about this BAA or to request a countersigned copy, contact legal@itspraxis.ai.

© 2026 Praxis AI, Inc.
Miami, FL