This Business Associate Agreement (“BAA”) is entered into by and between the law firm or legal organization using the Services (“Covered Entity” or “Firm”) and Verdica LLC (“Business Associate” or “Verdica”), and is incorporated into and made part of the Verdica Terms of Service (“Agreement”).
This BAA governs the use and disclosure of Protected Health Information (“PHI”) by Verdica in connection with the Services it provides to the Firm. By accepting the Terms of Service or using the Services, the Firm agrees to the terms of this BAA without the need for a separate signature.
1. Definitions
Capitalized terms used but not defined in this BAA have the meanings set forth in the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and their implementing regulations (collectively, “HIPAA”), or in the Verdica Terms of Service.
1.1 “Breach” has the meaning set forth in 45 C.F.R. § 164.402.
1.2 “Designated Record Set” has the meaning set forth in 45 C.F.R. § 164.501.
1.3 “Electronic Protected Health Information” or “ePHI” has the meaning set forth in 45 C.F.R. § 160.103.
1.4 “Individual” means the person who is the subject of PHI, as defined in 45 C.F.R. § 160.103.
1.5 “Protected Health Information” or “PHI” has the meaning set forth in 45 C.F.R. § 160.103, limited to information created, received, maintained, or transmitted by Verdica on behalf of the Firm.
1.6 “Required by Law” has the meaning set forth in 45 C.F.R. § 164.103.
1.7 “Security Incident” has the meaning set forth in 45 C.F.R. § 164.304.
1.8 “Services” means the Verdica web-based platform, APIs, AI-powered tools, integrations, and any related support or professional services made available by Verdica, as described in the Terms of Service.
1.9 “Subcontractor” means a person or entity to whom Verdica delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.
1.10 “Unsecured PHI” has the meaning set forth in 45 C.F.R. § 164.402.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Verdica shall use and disclose PHI only as necessary to perform its obligations under the Agreement, as permitted or required by this BAA, or as Required by Law. Verdica shall not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Firm.
2.2 Prohibited Uses
Verdica shall not:
- Use or disclose PHI for marketing purposes without the Firm’s prior written authorization;
- Sell PHI as defined by 45 C.F.R. § 164.502(a)(5)(ii);
- Use PHI to train, fine-tune, or otherwise improve artificial intelligence or machine learning models without the Firm’s explicit written consent; or
- Use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
2.3 Minimum Necessary Standard
Verdica shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.502(b) and the minimum necessary policies and procedures of the HIPAA Privacy Rule.
2.4 Safeguards
Verdica shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, as required by Subpart C of 45 C.F.R. Part 164 (the “Security Rule”). Such safeguards include, without limitation:
- Encryption — All ePHI is encrypted in transit using TLS and at rest using AES-256-GCM authenticated encryption managed by the cloud infrastructure provider.
- Access Controls — Role-based access controls and multi-tenant firm-scoped data isolation ensure that Authorized Users may access only the PHI associated with their Firm. All platform queries are scoped to the authenticated Firm’s identifier at the data access layer.
- Audit Controls — Immutable audit logs record all access to, creation of, modification of, and deletion of PHI within the platform, including the identity of the user performing the action and timestamp.
- Authentication — Session-based authentication with JSON Web Tokens and token-based authentication for external-facing portal links.
- Transmission Security — Transactional communications (email notifications) are designed to exclude PHI from message payloads; notifications contain only generic content with authenticated links directing users to access information within the platform.
2.5 Subcontractors
Verdica shall enter into written agreements with any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Verdica, ensuring that each Subcontractor agrees to the same restrictions and conditions that apply to Verdica under this BAA. Verdica’s current Subcontractors that may process PHI include:
| Subcontractor | Purpose | PHI Involvement |
|---|---|---|
| Microsoft Azure | Cloud hosting, storage, and AI processing | Yes — all platform data including PHI |
| Stripe | Payment processing | N/A — payment processing exemption; no PHI in payment payloads |
| YoCierge | Medical record retrieval services | Yes — retrieves and transmits medical records containing PHI on behalf of client firms |
Verdica will provide the Firm with notice of material changes to its list of Subcontractors that process PHI.
2.6 Reporting
Verdica shall promptly report to the Firm any use or disclosure of PHI not permitted by this BAA of which Verdica becomes aware, including any Security Incident or Breach of Unsecured PHI.
2.7 Access to PHI
Verdica shall make PHI maintained in a Designated Record Set available to the Firm within a reasonable time following a written request, to enable the Firm to fulfill its obligations under 45 C.F.R. § 164.524. The Firm may access and export its data through the platform’s available export functionality at any time during the active service plan.
2.8 Amendment of PHI
Verdica shall make PHI maintained in a Designated Record Set available for amendment and shall incorporate amendments directed by the Firm, as necessary for the Firm to meet its obligations under 45 C.F.R. § 164.526.
2.9 Accounting of Disclosures
Verdica shall make available to the Firm the information required for the Firm to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528. The platform’s immutable audit logs support this obligation by recording all PHI access events with sufficient detail for disclosure accounting.
2.10 Government Access
Verdica shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining the Firm’s and Verdica’s compliance with HIPAA.
2.11 Mitigation
Verdica shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Verdica of a use or disclosure of PHI by Verdica or its Subcontractors in violation of this BAA.
3. Breach Notification
3.1 Discovery and Notification
Following the discovery of a Breach of Unsecured PHI, Verdica shall notify the Firm without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach.
3.2 Content of Notification
The notification shall include, to the extent reasonably available:
- A description of the Breach, including the date of the Breach and the date of discovery;
- A description of the types of Unsecured PHI involved in the Breach (e.g., names, dates of birth, medical record numbers, diagnoses);
- The identity of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
- A description of what Verdica is doing to investigate the Breach, mitigate harm, and protect against further Breaches; and
- Contact information for the Verdica representative coordinating the response.
3.3 Firm Responsibility for Individual Notice
The Firm is responsible for providing notification to affected Individuals and to the Secretary of HHS in accordance with 45 C.F.R. §§ 164.404 and 164.408, unless the parties agree otherwise in writing.
3.4 Cooperation
Verdica shall cooperate with the Firm in investigating any Breach and shall provide reasonable assistance in the Firm’s efforts to comply with its notification obligations.
4. Permitted Uses and Disclosures by Business Associate
4.1 Service Performance
Verdica may use and disclose PHI as necessary to perform its obligations under the Agreement, including but not limited to:
- Processing and storing case data, medical records, and related documents;
- Generating AI-powered analyses, summaries, entity extraction, and suggestions; and
- Maintaining audit trails and compliance logs.
4.2 Management and Administration
Verdica may use PHI for its proper management and administration and to fulfill any legal responsibilities of Verdica, provided that any disclosure for such purposes is Required by Law or Verdica obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or disclosed only as Required by Law or for the purposes for which it was disclosed.
4.3 De-Identification
Verdica may use PHI to create de-identified information in accordance with 45 C.F.R. § 164.514(a)–(c), provided that the de-identification meets the requirements of the Safe Harbor or Expert Determination method.
4.4 Aggregate Data
Verdica may use PHI to create aggregated data from which all direct and indirect identifiers have been removed, provided that the aggregated data cannot be used to identify any Individual.
4.5 No AI Model Training
Consistent with Section 5.4 of the Terms of Service, Verdica will not use PHI to train, fine-tune, or otherwise improve AI models without the Firm’s explicit written consent.
5. Obligations of Covered Entity
5.1 Permissible Requests
The Firm shall not request that Verdica use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Firm.
5.2 Authorizations and Consents
The Firm is responsible for obtaining any necessary authorizations, consents, or permissions from Individuals required under HIPAA or applicable state law prior to submitting PHI to the Services.
5.3 Minimum Necessary
The Firm shall limit the PHI provided to Verdica to the minimum necessary to accomplish the purposes of the Services.
5.4 Notice of Privacy Practices
The Firm shall notify Verdica of any limitations in its Notice of Privacy Practices that may affect Verdica’s use or disclosure of PHI, and of any changes in or revocation of authorization by an Individual regarding the use or disclosure of PHI.
5.5 Compliance
The Firm is responsible for its own compliance with HIPAA, including the Privacy Rule, Security Rule, and Breach Notification Rule, in connection with its use of the Services.
6. Data Retention and Return or Destruction of PHI
6.1 During Service Plan Term
Verdica retains PHI in accordance with its data retention policies for as long as necessary to provide the Services to the Firm. Medical records are subject to a default retention period of seven (7) years after the date the case was created on the platform, consistent with HIPAA record-retention requirements, unless a different retention period is configured by the Firm.
6.2 Upon Termination
Upon termination of the Agreement, Verdica shall retain PHI for a transition period not to exceed ninety (90) days to allow for data export. Following the transition period, Verdica shall destroy or return all PHI in its possession or control, including PHI held by Subcontractors, and shall retain no copies except as required by applicable law.
6.3 Retention Required by Law
If return or destruction is not feasible due to legal obligations, Verdica shall extend the protections of this BAA to any PHI retained and shall limit further use or disclosure to the purposes that make return or destruction infeasible.
6.4 Deletion Process
When PHI is deleted pursuant to retention policies or Firm request, Verdica shall:
- Permanently delete the encrypted PHI data from storage;
- Record the deletion event in the immutable audit trail, including the reason for deletion; and
- Retain audit metadata sufficient for compliance reporting without retaining the underlying PHI.
6.5 Firm Data Export
The Firm may export its data from the Services at any time during the active service plan using available export functionality. Verdica will cooperate with reasonable data export requests.
7. Term and Termination
7.1 Term
This BAA is effective as of the date the Firm accepts the Terms of Service or begins using the Services and remains in effect for the duration of the Agreement, and for so long as Verdica retains any PHI on behalf of the Firm.
7.2 Termination for Cause
Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure such breach within thirty (30) days of written notice. If cure is not possible, the non-breaching party may terminate this BAA immediately upon written notice.
7.3 Effect on Agreement
Termination of this BAA for Verdica’s material breach shall constitute a material breach of the Agreement, entitling the Firm to terminate the Agreement.
7.4 Survival
The obligations of Verdica under Sections 2.4 (Safeguards), 3 (Breach Notification), 6 (Data Retention and Return or Destruction of PHI), and 8 (General Provisions) shall survive termination of this BAA.
8. General Provisions
8.1 Regulatory References
Any reference in this BAA to a section of HIPAA means the section as in effect or as amended from time to time, and any regulations promulgated thereunder.
8.2 Amendment
The parties agree to negotiate in good faith to amend this BAA to the extent necessary to comply with any changes to HIPAA or other applicable law that affect the obligations of the parties under this BAA. Verdica may update this BAA upon at least thirty (30) days’ prior written notice. The Firm’s continued use of the Services after the effective date of any modification constitutes acceptance of the updated terms.
8.3 Interpretation
This BAA shall be interpreted consistently with HIPAA and its implementing regulations. Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA.
8.4 No Third-Party Beneficiaries
Nothing in this BAA confers any rights on any Individual whose PHI is processed by Verdica or on any other third party. Individuals may not enforce the terms of this BAA.
8.5 Governing Law
This BAA is governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws provisions, except to the extent preempted by HIPAA.
8.6 Entire BAA
This BAA, which is part of the Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior agreements and understandings relating to the protection of PHI.
8.7 Notices
Notices under this BAA must be in writing and sent to Verdica at legal@verdicatech.com or to the Firm at the email address on file in the Firm’s account.
Questions about this Business Associate Agreement may be directed to legal@verdicatech.com. This BAA is incorporated by reference into Verdica’s Terms of Service.