CharterMD Business Associate Agreement

Last updated: 2026-06-02 · **Draft pending final review by licensed counsel.** Operative for current users; CharterMD will execute an updated BAA if required by law or counsel.

This Business Associate Agreement ("BAA") supplements the CharterMD Terms of Service and governs Protected Health Information ("PHI") that CharterMD LLC ("Business Associate") creates, receives, maintains, or transmits on behalf of the licensed provider or practice using the platform ("Covered Entity", "you"). It is required by the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164). Capitalized terms not defined here have the meanings in 45 CFR §§ 160.103 and 164.501.

By accepting this BAA at sign-up (recorded with its version, the date, and your IP address) you and CharterMD agree as follows.

1. Relationship of the parties

You are the Covered Entity; CharterMD is your Business Associate, handling PHI to provide the platform's scheduling, messaging, records, telehealth, billing-support, and related services. CharterMD's subcontractors — notably Microsoft Azure, which hosts the application, database, email, video, AI, and storage — act as CharterMD's subcontractor Business Associates under a separate Microsoft BAA.

2. Permitted uses and disclosures

CharterMD may use and disclose PHI only: (a) to perform the services in the Terms of Service, consistent with your instructions and law; (b) for CharterMD's proper management and administration or to carry out its legal responsibilities, provided any disclosure is Required by Law or the recipient is bound to protect the PHI and to notify CharterMD of breaches; (c) to provide data-aggregation services relating to your health-care operations as permitted by 45 CFR §164.504(e)(2)(i)(B); and (d) as Required by Law. CharterMD will not use or disclose PHI in a manner that would violate the Privacy Rule if done by you.

3. CharterMD's safeguards and obligations

CharterMD will:

4. Your obligations

You will obtain any consents/authorizations required for the PHI you place in the platform, not request uses/disclosures that would violate HIPAA, and notify CharterMD of any limitation in your Notice of Privacy Practices, individual restriction, or revocation that affects CharterMD's permitted uses.

5. Term and termination

Effective when you accept it and continuing while CharterMD maintains PHI for you. On a known material breach, the non-breaching party will allow an opportunity to cure and, failing cure, may terminate.

6. Effect of termination

On termination CharterMD will, if feasible, return or destroy all PHI it maintains for you and retain no copies. Where infeasible (e.g., legally required retention or backups), CharterMD will extend this BAA's protections to that PHI and limit further use/disclosure to the purposes making return/destruction infeasible. Records you and your patients rely on remain available per the Terms of Service and retention law.

7. Miscellaneous

Regulatory references are to sections as amended. The parties will amend this BAA as needed to comply with changes in law; CharterMD may publish an updated version with a new effective date. Ambiguities are resolved to permit HIPAA compliance. No third-party beneficiaries. Section 6 survives termination.

8. Contact

HIPAA / privacy matters: privacy@chartermd.ai.

Questions? privacy@chartermd.ai