This Business Associate Agreement ("BAA" or "Agreement") is entered into between the entity executing this Agreement ("Covered Entity") and New XP Technologies Limited, doing business as VoiceAIWrapper ("Business Associate"), effective as of the date last signed below ("Effective Date").
WHEREAS, Covered Entity is a "covered entity" as defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and is subject to the Administrative Simplification provisions of HIPAA;
WHEREAS, Business Associate provides voice AI platform services ("Services") to Covered Entity that may involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI");
WHEREAS, the parties wish to ensure that Business Associate will appropriately safeguard PHI in accordance with HIPAA requirements;
NOW, THEREFORE, in consideration of the mutual covenants contained herein, the parties agree as follows:
1. Definitions
1.1 Business Associate. "Business Associate" means New XP Technologies Limited, doing business as VoiceAIWrapper, providing voice AI platform services to Covered Entity.
1.2 Covered Entity. "Covered Entity" means the healthcare organization that has engaged Business Associate's services and is subject to HIPAA requirements.
1.3 HIPAA. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and the regulations promulgated thereunder.
1.4 PHI. "PHI" or "Protected Health Information" shall have the same meaning as the term "protected health information" as defined in 45 CFR § 160.103.
1.5 Services. "Services" means the VoiceAIWrapper platform services provided by Business Associate, including dashboard access, API integrations, user authentication, and platform functionality.
1.6 Subcontractor. "Subcontractor" means a person or entity to whom Business Associate delegates a function, activity, or service involving PHI.
2. Permitted Uses and Disclosures
2.1 General Use and Disclosure Provisions. Business Associate may use or disclose PHI only as permitted or required by this Agreement, as required by law, or as otherwise authorized in writing by Covered Entity.
2.2 Specific Permitted Uses and Disclosures. Business Associate may use and disclose PHI for the following purposes:
To provide the Services as specified in the underlying service agreement;
For Business Associate's proper management and administration;
To carry out Business Associate's legal responsibilities;
As required by law;
For data aggregation services relating to the healthcare operations of Covered Entity.
2.3 Platform-Specific Processing. Business Associate may process PHI through the VoiceAIWrapper platform for:
User authentication and access control;
API data transmission and routing;
Dashboard display and reporting;
Platform monitoring and logging;
Technical support and troubleshooting of platform services.
3. Prohibited Uses and Disclosures
3.1 General Prohibition. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
3.2 No Sale of PHI. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except as permitted by 45 CFR § 164.502(a)(5)(ii).
3.3 Minimum Necessary. Business Associate shall limit its use and disclosure of PHI to the minimum necessary to accomplish the purpose of the use or disclosure.
4. Safeguards and Security
4.1 Safeguards. Business Associate shall implement appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including administrative, physical, and technical safeguards in accordance with 45 CFR § 164.308, § 164.310, and § 164.312.
4.2 Platform Security Measures. Business Associate maintains the following security measures specific to the VoiceAIWrapper platform:
Encryption of PHI in transit using TLS 1.3 or higher;
Encryption of PHI at rest using AES-256 encryption;
Multi-factor authentication for platform access;
Role-based access controls and user authorization;
Comprehensive audit logging and monitoring;
Regular security assessments and vulnerability testing;
SOC 2 Type II certified infrastructure and controls.
4.3 Workforce Training. Business Associate shall ensure that its workforce members who have access to PHI receive appropriate training regarding the requirements of this Agreement and HIPAA.
5. Reporting and Notification
5.1 Incident Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement within 60 days of discovery. Such report shall include:
A description of what happened;
The date of the incident and the date of discovery;
A description of the types of PHI involved;
The identification of individuals whose PHI was involved;
A description of what Business Associate has done to mitigate harm;
A description of what corrective action Business Associate has taken or will take.
5.2 Platform-Specific Incidents. Business Associate shall immediately report any security incidents specifically related to the VoiceAIWrapper platform, including but not limited to:
Unauthorized access to the platform;
API security breaches;
Data transmission failures or exposure;
Platform authentication or authorization failures.
6. Access to PHI
6.1 Individual Access. If Business Associate maintains PHI in a designated record set, Business Associate shall provide access to such PHI to Covered Entity or, as directed by Covered Entity, to an individual to meet the requirements of 45 CFR § 164.524.
6.2 Amendment of PHI. Business Associate shall make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 CFR § 164.526.
6.3 Accounting of Disclosures. Business Associate shall maintain and make available to Covered Entity information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528.
7. Subcontractors
7.1 Subcontractor Agreements. Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to restrictions and conditions that support Business Associate's obligations under this Agreement.
7.2 Current Subcontractors. Business Associate's current subcontractors include those listed in the VoiceAIWrapper Subprocessors document, available at [Subprocessors Document Link].
7.3 Subcontractor Changes. Business Associate shall provide Covered Entity with 30 days' written notice of any material changes to subcontractors that may affect PHI processing.
8. Covered Entity Obligations
8.1 Permitted Uses and Disclosures. Covered Entity shall inform Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.
8.2 Voice AI Provider Compliance. Covered Entity acknowledges and agrees that it is responsible for ensuring that any voice AI providers (including but not limited to Vapi, Retell AI, and ElevenLabs) used in connection with the Services are HIPAA compliant and have executed appropriate Business Associate Agreements.
8.3 Configuration Responsibility. Covered Entity is responsible for configuring its voice AI provider accounts to comply with HIPAA requirements and for ensuring that all voice AI processing occurs in a HIPAA-compliant manner.
9. Term and Termination
9.1 Term. This Agreement shall commence on the Effective Date and shall continue until terminated in accordance with this section.
9.2 Termination for Cause. Either party may terminate this Agreement immediately upon written notice if the other party materially breaches this Agreement and fails to cure such breach within 30 days of written notice.
9.3 Effect of Termination. Upon termination of this Agreement, Business Associate shall:
Return or destroy all PHI received from Covered Entity;
Return or destroy all PHI created or received by Business Associate on behalf of Covered Entity;
Retain no copies of PHI;
Ensure that subcontractors return or destroy all PHI.
9.4 Survival. The obligations of Business Associate under this section shall survive the termination of this Agreement.
10. Miscellaneous
10.1 Regulatory References. A reference in this Agreement to a section in the Code of Federal Regulations means the section as in effect or as amended.
10.2 Amendment. This Agreement may be amended only by written agreement signed by both parties. The parties agree to take such action as is necessary to amend this Agreement to comply with changes in federal law.
10.3 Survival. The respective rights and obligations of Business Associate under this Agreement shall survive the termination of any underlying service agreement.
10.4 Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and its regulations. Any ambiguity in this Agreement shall be resolved in favor of a meaning that complies with HIPAA.
10.5 Governing Law. This Agreement shall be governed by the laws of the jurisdiction in which the Covered Entity is located.
Signature Page
IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the date last written below.
COVERED ENTITY: ______________________ ______________________ | BUSINESS ASSOCIATE: VoiceAIWrapper (New XP Technologies Limited) |
By: | By: |
Name: _________________________ | Name: SP Parasar |
Title: ________________________ | Title: Authorized Representative |
Date: ____________________ | Date: _______________________ |
Contact Information
For Business Associate:
New XP Technologies Limited
Email: team@newxp.co
Compliance Officer: SP Parasar
If you need a signed version of our Business Associate Agreement, you can request it here.