Business Associate Agreement (BAA)

Effective: 2026-04-17 · Rev 2

This HTML version is a patch-aligned reference. The executed BAA between each Covered Entity and Recovery Network is the binding document. Contact info@recoverynetwork.ai for the executable PDF.

This Business Associate Agreement ("BAA") is entered into between the licensed behavioral-health facility identified in the applicable Master Service Agreement ("Covered Entity") and Recovery Network Inc. ("Business Associate"). This BAA establishes the permitted and required uses and disclosures of Protected Health Information ("PHI") by Business Associate on behalf of Covered Entity under HIPAA (45 CFR Part 160, Part 162, and Part 164) and, where applicable, 42 CFR Part 2.

1. Definitions

Terms used but not otherwise defined have the meanings given in 45 CFR §160.103 and §164.501. "PHI" means Protected Health Information as defined by HIPAA. "Covered Entity" and "Business Associate" have the meanings given in 45 CFR §160.103.

2. Permitted Uses and Disclosures

Business Associate may use and disclose PHI only to provide the services described in the Master Service Agreement to the Covered Entity, and only as permitted by this BAA and applicable law.

Recovery Network processes identifiable PHI solely within each Covered Entity's environment for clinical and operational purposes. Recovery Network does not use identifiable PHI across clients for model training or system optimization. Recovery Network may use de-identified data, in accordance with 45 CFR §164.514, to improve system performance, AI-assisted analysis of patient communications, risk scoring and alert generation, and safety monitoring. Such data is aggregated, non-identifiable, and cannot reasonably be used to re-identify any individual.

3. The Council — AI-Assisted Analysis

Business Associate operates The Council, a multi-doctor AI system that performs AI-assisted analysis of patient communications (including voice and video journal content), wearable biometric signals, and clinical documentation to generate risk scoring and alert generation. Business Associate represents that (a) all Council processing occurs within the Covered Entity's facility_id-scoped environment; (b) Dr. Chen (Compliance Authority) applies an absolute veto gate before any escalation renders clinical output; and (c) all Critical-tier alerts are reviewed by a licensed clinician of Covered Entity before any clinical action is taken.

4. Safeguards

Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI as required by 45 CFR §164.308, §164.310, and §164.312, including encryption in transit and at rest, role-based access controls, audit logging of every clinical action, and facility_id scoping on every data access path.

5. 42 CFR Part 2 — Substance Use Disorder Records

Records that identify an individual as having or having had a substance use disorder ("Part 2 Records") are additionally protected under 42 CFR Part 2. Business Associate acknowledges that:

Part 2 Records will not be disclosed except as permitted by the patient's written consent or by 42 CFR §2.12 through §2.67
Re-disclosure is prohibited except as permitted by Part 2
Business Associate is subject to Part 2 as a "qualified service organization" under 42 CFR §2.11
Any disclosure of Part 2 Records will include the prohibition on re-disclosure required by 42 CFR §2.32

6. Subcontractors

Business Associate will ensure that any agent, including a subcontractor, to whom it provides PHI agrees in writing to the same restrictions and conditions that apply to Business Associate under this BAA (45 CFR §164.502(e)(1)(ii)). Current subcontractors include Google Cloud (HIPAA BAA in place for Firestore, Cloud Functions, Cloud Storage, and Speech-to-Text) and Anthropic (where applicable under an executed BAA).

7. Breach Notification

Business Associate will notify Covered Entity of any Breach of unsecured PHI without unreasonable delay and in no case later than the period required by 45 CFR §164.410.

8. Access, Amendment, Accounting

Business Associate will make PHI available to enable Covered Entity to meet its obligations under 45 CFR §164.524 (access), §164.526 (amendment), and §164.528 (accounting of disclosures).

9. Termination

Upon termination, Business Associate will return or destroy all PHI received from, or created or received on behalf of, Covered Entity. If return or destruction is infeasible, Business Associate will extend the protections of this BAA to that PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, consistent with 45 CFR §164.504(e)(2)(ii)(J).

10. Miscellaneous

In the event of inconsistency between this BAA and the Master Service Agreement, this BAA controls with respect to PHI. This BAA is effective on the date of Covered Entity's acceptance of the Master Service Agreement and remains in effect for as long as Business Associate retains PHI from Covered Entity.

Contact

Recovery Network Inc.
Attn: Privacy Officer
info@recoverynetwork.ai