Business Associate Agreement
Last Updated: August 2, 2025
This Business Associate Agreement (“Agreement”) is entered into by and between you, the Covered Entity, and SOAPsync, Inc. (“Business Associate”, “SOAPsync”, “we”, “us”, or “our”), and governs the permitted use and limited handling of Protected Health Information (“PHI”) in connection with your use of the SOAPsync platform (“Service”).
By accessing or using the Service, you confirm your authority to enter into this Agreement on behalf of a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and agree to the terms set forth herein.
1. Definitions
- Business Associate: SOAPsync, Inc., solely to the extent it incidentally or transiently encounters PHI while providing browser-based documentation support tools.
- Covered Entity: A licensed healthcare provider, practice, or organization subject to HIPAA.
- PHI: Protected Health Information, as defined in 45 CFR §160.103.
- HIPAA Rules: The Privacy, Security, Breach Notification, and Enforcement Rules set forth in 45 CFR Parts 160 and 164.
2. Description of Service
SOAPsync is a browser-based, AI-powered clinical documentation tool designed for use by mental health professionals. Features may include:
- Drafting assistance for clinical notes (e.g., SOAP, DAP);
- Editable and customizable form templates;
- Export of locally created documentation.
SOAPsync does not provide clinical advice, diagnosis, or treatment. All use of the Service is strictly for clinical documentation support.
3. Scope of PHI Handling & Data Architecture
SOAPsync’s architecture is built on a “no-retention-by-default” model:
- No PHI is stored, transmitted, or processed on SOAPsync servers.
- All content is processed locally in the user’s browser and is lost unless manually exported or saved by the user.
- SOAPsync has no access to clinical records or content unless granted incidentally during authorized support sessions (e.g., via screen share or limited support request).
4. User & Covered Entity Responsibilities
As the Covered Entity, you agree to:
- Ensure that all PHI entered into the platform is managed only with valid patient authorization or consent;
- Treat SOAPsync solely as a documentation assistant and not as a diagnostic tool or treatment directive source;
- Maintain secure backup copies of all PHI generated through the Service, recognizing that data not immediately exported may be lost;
- Not require SOAPsync to store, manage, or archive PHI in any persistent way.
5. SOAPsync’s Responsibilities as Business Associate
If and only to the extent that SOAPsync qualifies as a Business Associate under HIPAA, SOAPsync agrees to:
- Use or disclose PHI solely as required by law or as explicitly permitted by this Agreement;
- Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure;
- Report to the Covered Entity any known Security Incident or Breach involving PHI without unreasonable delay;
- Ensure that any subcontractors with incidental access to PHI are contractually bound to comply with equivalent HIPAA safeguards;
- Provide access to or destroy PHI (if any) upon request, subject to feasibility, recognizing that PHI is not stored on our systems;
- Limit any incidental exposure to PHI to the minimum necessary and only during explicitly authorized support interactions.
6. De-Identified Data
SOAPsync may collect and use fully de-identified system usage data (not PHI) for internal purposes such as:
- Platform performance optimization;
- Statistical analysis;
- Service development.
All de-identification shall conform to the safe harbor standards under 45 CFR §164.514.
7. Disclaimers & Clinical Oversight
- The platform is designed to support—not replace—the clinical judgment of qualified professionals.
- All AI-generated content must be independently reviewed and verified by a licensed clinician.
- Users remain solely responsible for patient care decisions.
- No content is retained unless manually saved or exported. Users are solely responsible for data preservation.
8. Term and Termination
This Agreement shall remain in effect for as long as the Covered Entity uses SOAPsync.
- Either party may terminate this Agreement with written notice upon a material breach not cured within thirty (30) days.
- Upon termination, SOAPsync will return or destroy any PHI in its possession, if any exists and if feasible, recognizing that no data is normally retained.
9. No PHI Retention
SOAPsync is intentionally designed to avoid the storage or retention of PHI.
- All user-generated content is processed in-browser;
- No documentation, PHI, or clinical notes are saved to SOAPsync servers;
- Users must manually export or save records—unsaved data may be lost permanently.
SOAPsync assumes no responsibility for data loss due to unsaved content.
10. Limitations of Liability
To the maximum extent permitted by applicable law:
- No Liability for Specific Losses: The Company shall not be liable for any loss of data, loss of revenue, loss of profits, loss of goodwill, or any indirect, incidental, special, exemplary, or consequential damages, whether foreseeable or unforeseeable, arising out of or relating to your access to or use of the platform, even if we have been advised of the possibility of such damages.
- No Liability for Decisions or Actions: All outputs generated by the platform are intended solely as clinical support tools. You acknowledge and agree that any clinical decisions, actions taken, or failures to act based on such outputs are made solely at your discretion and under your professional responsibility. The Company expressly disclaims any liability for the consequences of such decisions or actions.
- Cap on Liability: In no event shall the Company’s total aggregate liability to you for all claims arising out of or related to your use of the platform—regardless of the form of action, whether in contract, tort (including negligence), strict liability, or otherwise—exceed the total amount paid by you to the Company for use of the platform in the twelve (12) months immediately preceding the event giving rise to the claim.
- Essential Basis of the Bargain: You acknowledge that the limitations of liability set forth in this Section are an essential element of the agreement between you and the Company and reflect a fair allocation of risk. Absent such limitations, the terms and pricing of the platform would be substantially different.
11. Governing Law
This Agreement shall be governed by the laws of the State of Maryland, without regard to its conflict of law provisions.
12. Acceptance & Authority
By clicking “I Agree & Continue,” you affirm that:
- You are authorized to act on behalf of a HIPAA-Covered Entity;
- You understand the structure and limitations of SOAPsync’s role and data architecture;
- You accept the terms of this Business Associate Agreement in full.
13. Contact Information
SOAPsync Privacy Officer
📧 Email: privacy@soapsync.com
🌐 Website: https://soapsync.com
Appendix A:
BAA Addendum: Use of Validated Psychiatric Scales & Scoring Utilities
Addendum Effective Date: 10-08-2025
Relates to: Business Associate Agreement (the “Agreement”) between SOAPsync, Inc. (“Business Associate”) and the Covered Entity.
1) Purpose and Scope
This Addendum governs the Covered Entity’s use of SOAPsync’s forms and scoring utilities supporting clinician workflows for commonly used psychiatric instruments (collectively, the “Scoring Utilities”), including configuration for risk assessments and symptom severity scoring. The Scoring Utilities may be used to calculate and display scores for instruments selected by the clinician, such as:
- PHQ-9 (Depression Severity)
- GAD-7 (Anxiety Severity)
- C-SSRS / SAFE-T (Suicide Risk)
- PCL-5 (PTSD Impact)
- MDQ (Mood Disorder Screening)
2) No License, No Permission, No Endorsement by SOAPsync
SOAPsync does not provide, assign, or sublicense any rights to the scales listed above or any other instrument. SOAPsync’s Scoring Utilities are generic computational tools and templates.
- SOAPsync does not host, embed, or distribute proprietary instrument content unless supplied by the Covered Entity.
- SOAPsync does not represent that any instrument is free of licensing restrictions or that permission is not required.
- Inclusion of a calculator or template does not constitute endorsement, validation, or permission to use any particular instrument.
3) Covered Entity/Clinician Responsibilities and Representations
The Covered Entity (and its clinicians/end users) is solely responsible for:
a. Licensing & Permissions. Verifying and securing all rights, permissions, and licenses necessary to use any instrument (including item text, instructions, scoring rules, or translations), whether in clinical or commercial contexts.
b. Instrument Selection & Clinical Judgment. Selecting appropriate instruments, administering them in accord with accepted standards, and exercising independent clinical judgment in interpretation and patient care.
c. Accuracy of Inputs. Ensuring accuracy and legality of any instrument content or patient responses entered into the Service.
d. Regulatory Compliance. Complying with all applicable laws, professional rules, payer rules, and instrument-holder terms.
e. Attribution/Notices. Providing any legally required attribution, copyright notices, or disclaimers associated with each instrument’s permitted use.
f. Risk Communication. Communicating results and risk determinations to patients in accordance with professional standards and applicable law.
4) Mode of Operation (Scoring Utilities)
a. Computation-Only Role. The Scoring Utilities perform score calculations and formatting based on clinician-provided inputs and settings. SOAPsync does not interpret results, render diagnoses, or propose treatment.
b. Configurable Content. Where instrument items or scoring rubrics are protected, the Covered Entity must (i) provide its own licensed content, or (ii) use “Computation-Only” mode that relies on item identifiers and numeric responses without reproducing item wording.
c. Clinician Editability. Clinicians retain full control to edit, annotate, override, or remove any generated text or scores; all changes are attributed to the clinician.
d. No Long-Term Storage. Consistent with the Agreement, SOAPsync does not retain PHI; data and generated outputs may be ephemeral and lost unless immediately copied or exported by the clinician.
5) No Clinical Advice; Risk Is Clinician-Managed
All outputs are for consideration only. Any risk assessment labels or score-based risk strata are tools and do not constitute medical advice, diagnosis, or treatment directives. All decisions and actions (including safety planning, escalation, or documentation) rest solely with the clinician/Covered Entity.
6) Intellectual Property
All intellectual property in the instruments (including items, scoring rules, manuals, translations, and marks) remains with their respective owners. The Covered Entity warrants that it will not upload or use protected instrument content through the Service without lawful rights. SOAPsync retains all rights in the platform, the Scoring Utilities, and generic templates.
7) Indemnification (Instrument Use)
To the maximum extent permitted by law, the Covered Entity shall defend, indemnify, and hold harmless SOAPsync and its officers, directors, employees, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to:
a. The Covered Entity’s use of any instrument (including without limitation PHQ-9, GAD-7, C-SSRS, SAFE-T, PCL-5, MDQ, or any other tool);
b. Alleged infringement or misuse of third-party intellectual property or proprietary rights in instrument content;
c. Clinical decisions, risk determinations, or patient outcomes based on use of the Scoring Utilities or instrument outputs;
d. Failure to obtain required permissions, licenses, or attributions.
8) Availability; Suspension; Removal
SOAPsync may, in its sole discretion, suspend or remove access to any calculator, template, or mapping if: (i) a reasonable licensing or intellectual property concern arises; (ii) a safety or compliance risk is identified; or (iii) required to do so by law or by an instrument rights holder.
9) Relationship to the Agreement; Limitation of Liability
This Addendum supplements the Agreement. All warranties, disclaimers, and limitations of liability in the Agreement (including the Company’s limitation of liability and “as-is/as-available” provisions) apply in full to the Scoring Utilities and any instrument usage. In the event of a conflict, the most protective terms for SOAPsync shall control to the extent permitted by law.
10) Notices; Versioning
SOAPsync may update this Addendum from time to time. The Covered Entity agrees that an auto-versioned policy log and posted “Last Updated” date constitute effective notice. Continued use following an update constitutes acceptance of the revised Addendum.
11) Acknowledgment and Acceptance
By enabling or using any Scoring Utility, the Covered Entity acknowledges and agrees that:
- SOAPsync provides computation and formatting tools only, not instrument licenses;
- All licensing, permissions, and compliance obligations remain with the clinician/Covered Entity;
- The Covered Entity will maintain independent clinical oversight and retain/export records as needed; and
- This Addendum is incorporated by reference into, and governed by, the Agreement’s Governing Law and Dispute Resolution provisions.