Effective Date: This Business Associate Agreement (“BAA”) is effective upon electronic acceptance during the SpiderLabs onboarding process.
Introduction
This Business Associate Agreement (“Agreement”) is entered into between SpiderLabs AI (“Business Associate”) and the healthcare provider or covered entity (“Covered Entity”) that has subscribed to SpiderLabs AI Receptionist services.
This Agreement supplements and is made part of the SpiderLabs Terms of Service and is intended to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations.
1. Definitions
“Protected Health Information” or “PHI” means any information, whether oral or recorded in any form, that: (i) relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (ii) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Electronic Protected Health Information” or “ePHI” means PHI that is transmitted or maintained in electronic media.
“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
“Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.
2. Obligations of Business Associate
Business Associate agrees to:
- Safeguards: Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, including implementing the Security Rule requirements with respect to ePHI.
- Reporting: Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, any Security Incident, or any Breach of unsecured PHI as required by 45 CFR 164.410.
- Subcontractors: Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate.
- Access: Make available to Covered Entity such information as Covered Entity may require to fulfill its obligations under HIPAA, including the right of individuals to access their PHI.
- Amendment: Make PHI available for amendment and incorporate any amendments to PHI when directed by Covered Entity.
- Accounting: Make available information required to provide an accounting of disclosures as required by 45 CFR 164.528.
- HHS Access: Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.
- Minimum Necessary: Use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose.
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as follows:
- Service Performance: To perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the underlying service agreement, provided such use or disclosure would not violate HIPAA if done by Covered Entity.
- Management and Administration: For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided any disclosures are required by law or Business Associate obtains reasonable assurances from the recipient.
- De-identification: To de-identify PHI in accordance with 45 CFR 164.514(a)-(c).
4. Security Measures
SpiderLabs implements the following security measures to protect PHI:
- Encryption: All PHI is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- Access Controls: Role-based access controls with multi-factor authentication for all systems handling PHI.
- Audit Logging: Comprehensive audit logging of all access to and modifications of PHI.
- Voice Data: Call recordings are encrypted and stored in HIPAA-compliant infrastructure with automatic retention policies.
- Infrastructure: Protected health information is processed on HIPAA-eligible cloud infrastructure subprocessors under signed Business Associate Agreements with the covered subprocessors that handle PHI.
- Incident Response: Documented incident response procedures with 24-hour breach notification capability.
5. Term and Termination
Term: This Agreement shall be effective upon electronic acceptance and shall terminate when all PHI provided by Covered Entity to Business Associate is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information.
Termination for Cause: Either party may terminate this Agreement if it determines that the other party has violated a material term of the Agreement.
Effect of Termination: Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures.
6. Breach Notification
Business Associate shall report to Covered Entity any Breach of unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery of such Breach. The notification shall include:
- Identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
- A description of what happened, including the date of the Breach and the date of discovery
- A description of the types of unsecured PHI involved
- Any steps individuals should take to protect themselves
- A description of what Business Associate is doing to investigate, mitigate, and prevent future Breaches
7. Miscellaneous
Amendment: This Agreement may be amended by SpiderLabs with notice to Covered Entity to comply with changes in HIPAA or other applicable law. Continued use of the Services after such amendment constitutes acceptance.
Survival: The obligations of Business Associate under Sections 2 and 5 shall survive termination of this Agreement.
Interpretation: Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.
No Third Party Beneficiaries: Nothing in this Agreement shall confer upon any person other than the parties any rights, remedies, obligations, or liabilities.
8. Contact Information
For questions about this BAA or to report a security incident:
SpiderLabs AI
Privacy and Security Team
BAA questions: hipaa@spiderlabs.ai
Report a security incident: security@spiderlabs.ai
Last Updated: January 2026