Business Associate Agreement, for HIPAA-regulated practices.
Governs Protected Health Information processed through Citt.ai for United States practices under HIPAA.
Last updated: June 16, 2026
This Business Associate Agreement (“BAA”) governs the use and disclosure of Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) when a United States therapist, group practice, or clinic uses the Citt.ai platform with clients whose information constitutes PHI.
This BAA supplements the Citt.ai Terms of Service, Privacy Policy, and (where applicable) the Joint Controller Agreement and Residual Data Processing Agreement. Where HIPAA requires stricter protections for PHI, this BAA controls for PHI only.
Electronic acceptance during therapist onboarding or when prompted after a material update records your agreement, version, and document hash.
1. Parties
- Covered Entity: You — the therapist, group practice, or clinic that accepts this BAA in the Citt.ai product (“Covered Entity” or “you”).
- Business Associate: Citt.ai (operated by the entity identified in the Terms of Service), with privacy contact Declan Ahern — declan@citt.ai (“Business Associate” or “we” / “us”).
2. Definitions
Capitalized terms not defined here have the meanings in HIPAA (45 C.F.R. Parts 160 and 164).
- “BAA” means this Business Associate Agreement.
- “PHI” means Protected Health Information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity through the Citt.ai platform.
- “Services” means the Citt.ai software and related support described in the Terms of Service, limited to features you enable for US clients (including patient messaging, assessments, session transcription, clinical notes, scheduling, and related notifications where PHI may be present).
3. Permitted uses and disclosures
Business Associate may use and disclose PHI only:
(a) to perform the Services for Covered Entity, as permitted by this BAA and Covered Entity’s instructions through normal use of the platform;
(b) to maintain, troubleshoot, and secure the Services (including de-identification, aggregation, or limited analytics only as permitted by HIPAA);
(c) as Required by Law; or
(d) for Business Associate’s proper management and administration, provided any disclosure is Required by Law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used only for the stated purpose.
Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except as permitted above.
4. Safeguards
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, consistent with the HIPAA Security Rule and the measures described in the Citt.ai Trust Center.
5. Reporting — security incidents and breaches
Business Associate will notify Covered Entity without unreasonable delay and in any event within ten (10) business days after Business Associate discovers a breach of unsecured PHI affecting PHI processed on behalf of Covered Entity, to the extent Business Associate is acting as a business associate for that PHI. Notification will include, to the extent known: a description of the breach, types of PHI involved, steps individuals should take, mitigation steps taken, and contact information for questions.
Business Associate will also report security incidents involving PHI upon Covered Entity’s reasonable written request or when required to support Covered Entity’s HIPAA obligations.
6. Subcontractors
Business Associate may engage subcontractors that create, receive, maintain, or transmit PHI on Business Associate’s behalf. Business Associate will enter into written agreements with subcontractors requiring substantially the same restrictions and conditions on PHI that apply to Business Associate under this BAA, where required by HIPAA.
Current subprocessors that may handle PHI are listed in the Trust Center. Business Associate will provide reasonable notice of material subprocessor changes (for example via the Trust Center or product notice). Covered Entity may object on reasonable HIPAA-related grounds; if the parties cannot resolve the objection, either party may terminate the affected Services on reasonable notice.
7. Access, amendment, and accounting
To the extent Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate will:
- make PHI available to Covered Entity for access by individuals, within a reasonable time and as required by HIPAA;
- incorporate amendments to PHI when directed by Covered Entity, subject to technical feasibility; and
- provide information necessary for Covered Entity to respond to an individual’s request for an accounting of disclosures, where Business Associate’s systems can reasonably produce such information.
8. HHS access
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, subject to attorney–client and other applicable privileges.
9. Minimum necessary
Business Associate will limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose, consistent with HIPAA and the design of the Services.
10. Term and termination
This BAA is effective when you accept it in the product and continues while Business Associate processes PHI on your behalf.
Either party may terminate this BAA if the other party materially breaches it and fails to cure within thirty (30) days of written notice (email to declan@citt.ai from Covered Entity is sufficient).
Upon termination, Business Associate will, at Covered Entity’s choice where feasible, return or destroy PHI in Business Associate’s possession, except where retention is Required by Law. If return or destruction is infeasible, Business Associate will extend the protections of this BAA to retained PHI and limit further uses and disclosures.
11. Covered Entity obligations
Covered Entity represents that:
- it is a covered entity or business associate under HIPAA, or is using the Services in a HIPAA-regulated capacity for which a BAA is required;
- it will not request Business Associate to use or disclose PHI in violation of HIPAA;
- it is responsible for patient notices, authorizations, workforce training, and professional obligations applicable to its practice; and
- it will use the Services consistent with the Trust Center guidance (including not placing PHI in integrations or channels documented as ineligible for PHI processing).
12. Miscellaneous
- Governing law: This BAA is governed by the laws specified in the Terms of Service, except that HIPAA preempts inconsistent state law with respect to PHI.
- Order of precedence: For PHI, this BAA prevails over conflicting terms in other Citt.ai agreements. For non-PHI personal data, the Joint Controller Agreement, Privacy Policy, and Terms of Service apply as described there.
- Amendments: Business Associate may update this BAA on material changes. We will prompt re-acceptance in the product with version and hash tracking. Continued use of PHI-processing features after the effective date of an update requires acceptance of the updated BAA; otherwise you must stop using PHI features or terminate.
- Survival: Sections that by nature should survive termination (safeguards for retained PHI, confidentiality, breach records) survive.
Annex A — Description of services (summary)
| Element | Description |
|---|---|
| Services | Citt.ai therapist-supervised platform: patient accounts linked to your practice, between-session messaging and AI support, assessments and check-ins, session recording/transcription and AI-assisted notes, scheduling and appointment-related communications, crisis escalation workflows, and related audit logging. |
| PHI involved | Patient identifiers, clinical and demographic information, messages, assessment responses, transcripts, and clinical documentation you or the system generate in the Services. |
| Duration | Term of your active Citt.ai subscription while this BAA is accepted and PHI is processed. |
| Subcontractors | See Trust Center. |
Document hash is verified in product acceptance records. Questions: declan@citt.ai