Business Associate Agreement

Our HIPAA agreement covering how we handle Protected Health Information as a Business Associate of your practice.

Last Updated: May 14, 2026
Effective Date: May 14, 2026

Business Associate: Kaila AI (support@hellokaila.com)

Covered Entity: Customer (the subscribing dental practice)

This Business Associate Agreement ("BAA") is entered into between Kaila ("Business Associate") and the Customer ("Covered Entity") in accordance with HIPAA and HITECH. This BAA governs the handling of Protected Health Information by Kaila on behalf of the Customer.

1. Definitions

"Protected Health Information" (PHI) has the meaning set forth in 45 C.F.R. § 160.103, limited to information Kaila creates, receives, maintains, or transmits on behalf of the Covered Entity.

"Business Associate Services" means the AI-powered dental documentation, transcription, note generation, and related services provided by Kaila under the Master Subscription Agreement.

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system containing PHI.

2. Permitted Uses and Disclosures

Kaila may use and disclose PHI only as permitted or required by this BAA or as required by law. Specifically, Kaila may:

  • Use and disclose PHI as necessary to perform the Business Associate Services
  • Use PHI for the proper management and administration of Kaila's business
  • Use PHI to report violations of law to appropriate authorities
  • De-identify PHI in accordance with 45 C.F.R. § 164.514(b) for service improvement purposes

3. Prohibited Uses and Disclosures

Kaila will not:

  • Use or disclose PHI for any purpose not permitted by this BAA or applicable law
  • Use PHI for marketing or commercial purposes without authorization
  • Sell PHI without written authorization from the Covered Entity
  • Use PHI to train AI models without complete de-identification

4. Safeguards

Kaila will implement and maintain appropriate administrative, physical, and technical safeguards to protect PHI, including:

  • AES-256 encryption at rest via AWS KMS with automatic key rotation every 365 days
  • SSL/TLS encryption in transit on all connections
  • Hardware Security Modules (HSMs) for master key protection
  • Multi-factor authentication and role-based access controls
  • MITE NLP de-identification processing before any secondary use
  • Dedicated GPU transcription servers that do not persist session data
  • Full audit logging of all PHI access, modification, and deletion events

5. Subcontractors

Kaila will ensure that any subcontractors who create, receive, maintain, or transmit PHI on Kaila's behalf agree to restrictions and conditions at least as stringent as those in this BAA. Kaila maintains Business Associate Agreements with all covered subcontractors, including AWS and Google Cloud for infrastructure services.

6. Breach Notification

Kaila will notify the Covered Entity of a Breach of Unsecured PHI:

  • Initial notification within one (1) business day of confirming a breach, with the nature, scope, and containment steps
  • Full breach assessment completed within 10 calendar days
  • Formal HIPAA breach notification within 60 calendar days if the breach qualifies
  • Post-incident report archived for six (6) years

7. Individual Rights

To the extent Kaila maintains PHI in a Designated Record Set, Kaila will cooperate with the Covered Entity to:

  • Provide individuals with access to their PHI upon request
  • Amend PHI upon direction of the Covered Entity
  • Provide an accounting of disclosures as required by HIPAA
  • Restrict uses and disclosures as directed by the Covered Entity

8. Data Retention and Destruction

Active PHI records are retained for a minimum of 90 days. Upon termination of the Agreement, all PHI will be securely destroyed within 30 days using the following methods:

  • DynamoDB records removed via confirmed delete operations with deletion logs
  • Local and client-side caches wiped with multi-pass overwrite
  • Encryption keys for anonymized data revoked to render residual ciphertext undecryptable
  • All destruction actions timestamped in an append-only audit log

Written certification of destruction is available upon request.

9. Audit Rights

Kaila will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA, as required by 45 C.F.R. § 164.504(e)(2)(ii)(I).

10. Term and Termination

This BAA is effective upon Customer's execution of the Master Subscription Agreement and remains in effect until the Agreement terminates or expires. Either party may terminate this BAA if the other materially breaches its obligations and fails to cure within 30 days of written notice.

In the event of a breach by Kaila that cannot be cured, Covered Entity may immediately terminate the Agreement and this BAA.

11. Survival

The obligations of confidentiality and data protection in this BAA survive termination of the Agreement for as long as Kaila retains PHI and until all PHI is destroyed or returned in accordance with Section 8.

12. Contact

For HIPAA and BAA-related inquiries, contact support@hellokaila.com with subject line: BAA Inquiry.

Official Documentation Notice

The signed version of this agreement executed upon joining Kaila Voice is your official, legally binding document. The online version above is provided for reference and convenience only. In the event of any conflict or discrepancy between the online version and your signed agreement, the signed agreement controls.

Any updates, amendments, or modifications to your agreement will be provided in writing and must be signed or acknowledged by both parties to be effective. Unilateral changes published to this page do not modify your signed agreement.

Questions about your specific agreement? support@hellokaila.com