Business Associate Agreement
The agreement governing how Coya AI handles protected health information on behalf of your practice.
Effective date: January 1, 2026
Purpose
This Business Associate Agreement governs Coya AI’s handling of protected health information on behalf of your practice. It establishes the permitted uses, safeguards, and responsibilities that apply whenever Coya processes, stores, or transmits PHI as part of delivering the AI receptionist service.
Definitions
Covered Entity refers to the healthcare practice that subscribes to Coya AI. Business Associate refers to Coya AI, Inc. Protected Health Information (PHI) means any individually identifiable health information transmitted or maintained by Coya in the course of providing the service. Electronic PHI refers to PHI in electronic form.
Permitted Uses and Disclosures
Coya may use or disclose PHI only as necessary to perform the AI receptionist service as described in the Service Agreement. This includes processing inbound calls, conducting structured intake, generating provisional treatment plans, booking appointments, and sending appointment reminders. Coya will not use or disclose PHI for any other purpose without written authorization from the Covered Entity.
Safeguards
Coya maintains administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. These include AES-256 encryption at rest and TLS 1.2 or higher in transit, role-based access controls, complete audit logging, a dedicated PHI vault isolated from operational data, and regular security assessments.
Subcontractors
Coya ensures that all subprocessors and third-party service providers that create, receive, maintain, or transmit PHI on behalf of the Covered Entity are bound by written agreements that impose obligations equivalent to those in this BAA. Current subprocessors include cloud infrastructure, telephony, and SMS delivery providers.
Breach Notification
Coya will notify the Covered Entity within 72 hours of discovering a breach of unsecured PHI. The notification will include the nature of the breach, the types of information involved, steps taken to mitigate harm, and recommended actions for the Covered Entity. Coya will cooperate fully with the Covered Entity’s breach response and reporting obligations.
Individual Rights
Coya will cooperate with the Covered Entity to fulfill individual rights requests under HIPAA, including access to PHI, amendment of PHI, accounting of disclosures, and restrictions on uses or disclosures. Coya will respond to Covered Entity requests related to individual rights within 10 business days.
Return or Destruction of PHI
Upon termination of the Service Agreement, Coya will return all PHI to the Covered Entity in a standard, machine-readable format within 14 business days. Following successful export confirmation, Coya will permanently destroy all copies of PHI within 30 days. If return or destruction is not feasible for specific data, Coya will extend the protections of this BAA to that data indefinitely.
Term and Termination
This agreement is effective for the duration of the Service Agreement between the Covered Entity and Coya AI. The obligations of Coya with respect to PHI will survive termination of this agreement for as long as Coya retains any PHI. Either party may terminate this agreement for cause if the other party materially breaches and fails to cure within 30 days of notice.
How to Execute
Every Coya practice receives a Business Associate Agreement as part of the onboarding process. The BAA is executed before any PHI is transmitted to or processed by Coya. If you have questions about the BAA or need a copy for your records, contact hello@getcoya.ai.