Version 1.1 — February 27, 2026
This Business Associate Agreement ("BAA") forms part of the agreement between WhisperTyping LLC ("Business Associate", "we", "us") and the healthcare provider or covered entity using WhisperTyping Medical ("Covered Entity", "you"). This BAA is entered into pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and the regulations promulgated thereunder, including the Privacy Rule, the Security Rule, and the Breach Notification Rule (collectively, the "HIPAA Rules").
By subscribing to or using WhisperTyping Medical (whether on a free trial or paid subscription), you agree to the terms of this BAA. See Section 30 of our Terms of Service for details.
In the event of any conflict between this BAA and the Terms of Service, this BAA shall prevail with respect to the protection of Protected Health Information.
Need a signed copy? If your organisation requires a countersigned BAA, contact and we will provide one.
1. Definitions
Capitalised terms used but not defined in this BAA have the meanings given to them in the HIPAA Rules (45 CFR Parts 160 and 164).
- "Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule that compromises the security or privacy of the Protected Health Information, as defined in 45 CFR 164.402.
- "Covered Entity" means a health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a transaction covered by HIPAA.
- "Business Associate" means WhisperTyping LLC, which creates, receives, maintains, or transmits Protected Health Information on behalf of the Covered Entity in connection with the Service.
- "Designated Record Set" means a group of records maintained by or for a Covered Entity that includes medical and billing records, enrollment, payment, claims adjudication, and case or medical management record systems.
- "Electronic Protected Health Information" ("ePHI") means Protected Health Information that is transmitted by or maintained in electronic media.
- "Protected Health Information" ("PHI") means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR 160.103.
- "Required by Law" has the meaning given in 45 CFR 164.103.
- "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304.
- "Service" means the WhisperTyping Medical dictation service, including speech-to-text transcription, AI text processing, and related features.
- "Subcontractor" means a person or entity to whom Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.
2. Permitted Uses and Disclosures
2.1. Business Associate may use or disclose PHI solely as necessary to perform the Service on behalf of Covered Entity, as described in the Terms of Service, and as permitted or required by this BAA or as Required by Law.
2.2. Business Associate may use or disclose PHI as necessary for the proper management and administration of Business Associate, provided that:
- (a) The disclosure is Required by Law; or
- (b) Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and that the recipient will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
2.3. Business Associate may de-identify PHI in accordance with 45 CFR 164.514(a)-(c). De-identified data is no longer PHI and is not subject to this BAA.
2.4. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by the Covered Entity, except as expressly permitted in this Section 2.
3. Restrictions on Use and Disclosure
3.1. Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
3.2. Business Associate shall not use or disclose PHI for marketing purposes or sell PHI, as those terms are defined in the HIPAA Rules.
3.3. Business Associate shall not use PHI to train or improve general-purpose machine learning models. Transcription and AI processing are performed on a per-request basis, and PHI is not retained for model training.
4. Safeguards
4.1. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in compliance with the HIPAA Security Rule (45 CFR Part 164, Subpart C).
4.2. Business Associate shall comply with the applicable requirements of the HIPAA Security Rule with respect to ePHI, including the implementation of administrative safeguards, physical safeguards, technical safeguards, and policies and procedures to protect ePHI.
4.3. The specific security measures implemented by Business Associate are described in Schedule A (Security Measures) of this BAA.
5. Breach Notification
5.1. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Breach of Unsecured PHI as defined in 45 CFR 164.402.
5.2. Business Associate shall report any Breach of Unsecured PHI to Covered Entity without unreasonable delay and in no case later than 30 calendar days after discovery of the Breach.
5.3. The notification shall include, to the extent reasonably available:
- (a) The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
- (b) A brief description of what happened, including the date of the Breach and the date of discovery;
- (c) A description of the types of Unsecured PHI involved (such as full name, date of birth, diagnosis, or other information);
- (d) Any steps individuals should take to protect themselves from potential harm;
- (e) A description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against further Breaches.
5.4. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. For the avoidance of doubt, unsuccessful Security Incidents (such as pings, port scans, unsuccessful log-in attempts, or similar) are acknowledged by the parties by this Section 5.4 and do not require individual notification.
6. Subcontractors
6.1. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to substantially the same restrictions and conditions that apply to Business Associate under this BAA.
6.2. The current list of Subcontractors is set out in Schedule B (Subcontractor List) of this BAA.
6.3. Business Associate shall notify Covered Entity at least 30 days before engaging a new Subcontractor that will have access to PHI, giving Covered Entity the opportunity to object on reasonable grounds.
7. Access to PHI
7.1. To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity within 15 business days of a written request, in a form and format reasonably requested by Covered Entity, to enable Covered Entity to fulfil its obligations under 45 CFR 164.524 (individual right of access).
7.2. If an individual makes a request for access directly to Business Associate, Business Associate shall promptly forward the request to Covered Entity.
8. Amendment of PHI
8.1. To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available for amendment and shall incorporate any amendments directed by Covered Entity within 15 business days, in accordance with 45 CFR 164.526.
9. Accounting of Disclosures
9.1. Business Associate shall maintain and make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528.
9.2. Business Associate shall provide such information within 30 days of a written request from Covered Entity.
9.3. Business Associate shall maintain records of disclosures for a period of 6 years from the date of the disclosure.
10. Access by HHS
10.1. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services ("HHS") for purposes of determining compliance with the HIPAA Rules.
11. Return or Destruction of PHI
11.1. Upon termination of the Service or this BAA, Business Associate shall, if feasible, return or destroy all PHI received from or created or received on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains the PHI.
11.2. Due to the transient nature of audio and transcription processing (as described in Schedule A), most PHI is not retained on Business Associate's systems beyond the duration of each transcription request; any retention by Subcontractors is limited to the periods set out in Schedule B. Account-level information will be handled in accordance with the data retention periods described in our Privacy Policy.
12. Term and Termination
12.1. This BAA shall be effective for as long as the Covered Entity maintains a WhisperTyping Medical subscription (free trial or paid) and shall terminate when the subscription ends, subject to Section 11 (Return or Destruction of PHI) and the survival provisions in Section 15.4.
12.2. Covered Entity may terminate this BAA immediately if Covered Entity determines that Business Associate has materially breached this BAA.
12.3. If Business Associate knows of a pattern of activity or practice by Covered Entity that constitutes a material breach of the Covered Entity's obligations under this BAA, Business Associate shall notify Covered Entity and provide an opportunity to cure. If the breach is not cured within 30 days, Business Associate may terminate this BAA.
13. Obligations of Covered Entity
13.1. Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI.
13.2. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's permitted uses or disclosures.
13.3. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
13.4. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
14. Liability
14.1. Each party's liability under this BAA shall be subject to the limitations of liability set out in the Terms of Service.
14.2. Nothing in this BAA shall limit either party's liability for a Breach caused by that party's wilful misconduct or gross negligence.
15. General
15.1. Regulatory References. Any reference to a section of the HIPAA Rules shall mean the section as in effect or as amended. The parties shall take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
15.2. Governing Law. This BAA shall be governed by and construed in accordance with the laws specified in the Terms of Service, without prejudice to applicable federal law including HIPAA.
15.3. Severability. If any provision of this BAA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
15.4. Survival. The obligations of Business Associate under Sections 4, 5, 9, 10, and 11 shall survive the termination of this BAA.
Schedule A: Security Measures
Business Associate maintains the following safeguards to protect ePHI in accordance with the HIPAA Security Rule:
Data Handling Architecture
- Transient audio processing: Voice audio is processed in memory (RAM) only and is not stored to disk at any point. Audio data exists only for the duration of the transcription request.
- Transient transcription output: Transcribed text is returned directly to the user's device and is not stored on our servers. Transcriptions remain only on the user's local device.
- Zero data retention with transcription providers: Our transcription sub-processors operate under zero data retention agreements and do not store audio or transcription data after processing, except for the limited retention periods for retry and service reliability disclosed in Schedule B.
- No PHI in logs: Usage logs contain only technical metadata (timestamps, feature usage, error codes). Audio content and transcription text are never logged.
Encryption
- TLS 1.2 or higher for all data in transit, including audio transmission and API communications
- AES-256 encryption for data at rest (account and usage data)
Access Controls
- Unique accounts with mandatory two-factor authentication for all staff
- Role-based access control; access limited to personnel who require it for their role
- Regular access reviews
Application Security
- Secure development practices, including code review and controlled deployment procedures
- Secure configuration baselines applied to all systems and services
- Timely patching and vulnerability remediation
Incident Response
- Documented security incident response procedures
- 30-day Breach notification commitment as specified in Section 5 of this BAA
Schedule B: Subcontractors
Business Associate engages Subcontractors in the following categories to deliver the Service:
| Category | Purpose | PHI Involved | Data Retention |
|---|---|---|---|
| Speech-to-text providers | Transcription of voice audio | Voice audio (transient) | Zero data retention; up to 30 days for retry functionality |
| AI text processing provider | AI Modes feature | User text (when AI features used) | Up to 30 days for service reliability |
| Payment processor | Billing and subscriptions | Billing information only (no clinical PHI) | Per processor's retention policy |
| Infrastructure provider | CDN, security, edge computing | Network metadata | Zero data retention |
All Subcontractors are contractually bound to obligations consistent with this BAA. Business Associate maintains agreements with each Subcontractor that include appropriate safeguards for PHI.
A detailed list of Subcontractors (including entity names and processing locations) is available upon request at .