
Product-Specific Business Associate Addendum (“BAA”)

Welcome to Text’s Business Associate Addendum (BAA) for LiveChat. This BAA is specific to LiveChat and governs the Use and Disclosure of ePHI within the Services, provided it is explicitly included and duly executed in the Client’s Order Form with Text, Inc. (the “Provider”). The Client and the Provider are collectively referred to as the “Parties” or individually as a “Party.” This BAA does not extend to any other Text products unless specifically designated. Please read it carefully.

WHEREAS, the Provider acts as a Business Associate when a Client is a Covered Entity. Whenever a Client is a Business Associate, the Provider acts as a Subcontractor; and

WHEREAS, the Client acknowledges that if additional products or services are included under this BAA, the BAA will be updated accordingly and shall remain valid without requiring a separate signature. The Provider is not liable for any Use and Disclosure of ePHI outside of LiveChat unless explicitly stated in an amended version of this BAA; and 

WHEREAS, by executing this BAA, the Client agrees, for the entire term specified in the Order Form, to properly configure the Services in accordance with the Provider’s Instructions; acknowledges that any Use or Disclosure of ePHI through the Services must comply with the Instructions and applicable regulations; and confirms receipt, review, and understanding of the Instructions, has no objections to them, and deems them sufficient to support its HIPAA compliance.

1. Definitions for use in this BAA

Unless otherwise specified, capitalized terms used but not defined elsewhere in this BAA shall have the same meaning assigned under HIPAA. 

  1. Agreement. This BAA, along with the then-current Terms of Use, Privacy Policy, DPA, as published on the Services’ websites, forms the governing “Agreement” for the designated Services, provided that the DPA applies to ePHI only to the extent it does not conflict with the BAA. Where applicable, the DPA supplements the BAA by addressing areas not explicitly covered therein. The Provider, at its discretion, may update these documents to reflect legal, regulatory, business, or technical changes, which take effect automatically, and the most recent version at the time of use shall govern the Parties’ relationship. The Client is responsible for reviewing and complying with the updated BAA, and continued use of the Services after any update constitutes acceptance of the amendments.

  2. Business Associate. “Business Associate” has the meaning defined under HIPAA and refers to the Provider when performing functions on behalf of the Client involving ePHI. 

  3. Covered Entity. “Covered Entity” has the same meaning defined under HIPAA and refers to the Client entering into this BAA with the Provider.

  4. Disclosure. For the purposes of ePHI under this BAA, “Disclosure” means any release, transfer, divulging in any manner of information, sharing, or access to ePHI outside the entity holding the information.

  5. HIPAA. “HIPAA” refers to the “Privacy Rule” (45 C.F.R. Parts 160 and 164, Subparts A and E); the “Security Rule” (45 C.F.R. Parts 160 and 164, Subpart C); and the “Breach Notification Rule” (45 C.F.R. Parts 160 and 164, Subpart D), as modified by the HITECH Act.

  6. Minimum Necessary Standard. The Parties acknowledge that “minimum necessary” shall be interpreted in accordance with the HITECH Act. Accordingly, both the Provider and Client will make reasonable efforts to limit the Use and Disclosure of ePHI to the minimum necessary for the Services, except where such limitation is not required by law. The Parties also agree that the Use and Disclosure of ePHI shall be deemed the minimum necessary for the Provider to fulfill its obligations and exercise its rights under the Agreement.

  7. Individuals. “Individuals,” also called “End-Users” (as described in the Terms of Use), shall have the same meaning as the term “individual” in 45 CFR §160.103 and shall include a person who qualifies as a personal representative per 45 CFR §164.502(g).

  8. Instructions. For the purposes of this BAA, “Instructions” refer to the Provider’s guidelines, security settings, and configuration requirements which the Client must self-configure and follow to establish a HIPAA-eligible setup within the designated Services. The most up-to-date version is available at LiveChat Guidelines for BAA Clients and is hereby incorporated by reference. The Provider makes no representations or warranties beyond the guidelines outlined in this BAA.

  9. ePHI. Due to the nature of the Services, ePHI refers to any electronic Protected Health Information (ePHI) processed within the designated Services. The Provider acknowledges that all data and information within the Services, including ePHI, remain the sole property of the Client. Therefore, the Client is solely responsible for ensuring compliance with applicable laws, including HIPAA, and its obligations toward Individuals and third parties. The Provider does not control, limit, or oversee the type, content, form, or volume of information, including ePHI, within the Services.

  10. Required By Law. “Required By Law” shall have the same meaning as “required by law” in 45 CFR § 164.103. 

  11. Secretary. “Secretary” means “the U.S. Department of Health and Human Services” or any other officer or employee of “the U.S. Department of Health and Human Services” to whom the authority has been delegated.

  12. Services. This BAA applies exclusively to the Use and Disclosure of ePHI within LiveChat at the time of execution. Any Use and Disclosure of ePHI through unauthorized means or services not covered by this BAA is the Client’s sole responsibility.

  13. Subcontractor. For the purposes of this BAA, a “Subcontractor” means a company or individual engaged by the Provider to provide services related to the operation of the Services and who is required to implement appropriate security measures to protect ePHI. The Provider is not responsible for unauthorized Use, Disclosure, or Breach of ePHI by Subcontractors, as long as they have signed a Business Associate Subcontractor Agreement (BASA) with the Subcontractor and taken reasonable steps to select and oversee them.

  14. Unsuccessful Security Incidents. This refers to attempted but unsuccessful security incidents that do not result in unauthorized Use and Disclosure of ePHI (e.g., routine firewall pings, automated port scans, failed login attempts, denial of Services attempts, and other failed attacks). No additional notice to the Client is required for such incidents.

  15. Use. For the purposes of this BAA, the term “Use” for ePHI means any internal handling of ePHI, including but not limited to the collection, sharing, processing, employment, application, utilization, temporary storage, examination, or analysis of ePHI within an entity that maintains such information.

2. Obligations and activities of the provider

  1. Permitted Use and Disclosure of ePHI. The Provider may Use and Disclose ePHI: (i) as necessary to provide the Services under the Agreement, retaining it for the minimum time required, after which ePHI shall be automatically deleted from the Provider’s systems unless otherwise permitted by this BAA; (ii) as required to fulfill contractual obligations or to exercise rights under the Agreement. The Provider’s obligation to delete ePHI applies only to its own systems and does not extend to Subcontractors or third-party integrations used by the Client.

  2. Prohibition on Unauthorized Use or Disclosure. The Provider shall not Use or Disclose ePHI, except as permitted or required under this BAA or the Agreement; as Required by Law; as authorized in writing by the Individuals to whom the ePHI relates in compliance with 45 C.F.R. § 164.508; or as otherwise allowed under applicable laws and regulations. The Provider acknowledges that this BAA does not authorize any Use or Disclosure of ePHI in any manner that would violate HIPAA if done by the Client.

  3. Limitations on Data Use and Control. The Provider is not responsible for monitoring, validating, or verifying how the Client Uses or Discloses ePHI within the Services or for ensuring the accuracy, legality, or compliance of any ePHI, including AI-generated outputs, arising from such Use or Disclosure.

  4. Audit Rights. Upon the Provider’s request, the Client agrees to provide all information necessary to demonstrate compliance with this BAA and the Agreement.

  5. Safeguards. The Provider shall apply and maintain appropriate administrative, technical, and physical safeguards based on the nature of the Services, the size and complexity of the Provider’s operations, the risks involved, and the costs of security measures to protect the privacy and confidentiality of ePHI during the provision of the Services.  

  6. De-identification. The Provider may de-identify ePHI or create information that is not individually identifiable in accordance with 45 C.F.R. § 164.514, after which it is no longer subject to HIPAA restrictions. 

  7. ePHI Processing and Storage. The Client acknowledges and agrees that ePHI is temporarily processed in memory and automatically removed after the limited time required to facilitate the Services. This processing and storage are intended to be transient in nature and solely to enable the Services. The Client further acknowledges that residual ePHI may temporarily exist in the Provider’s system backups as part of routine backup procedures, provided such data will not be actively processed, used, or disclosed and will be automatically overwritten or deleted according to the Provider’s backup policy. Upon completing the Services, retrieving or downloading any ePHI-related records will no longer be possible. As a result, the Client accepts its full responsibility for the secure storage and retention of all ePHI-related records on its own servers or systems, in accordance with HIPAA and the Instructions, to solely meet its obligations to any permissible Use or Disclosure to Individuals, Covered Entity, the Secretary, or any other entity authorized or required by HIPAA. 

  8. Liability. The Provider’s liability arising from or related to this BAA will be subject to the exclusions and limitations of liability outlined in the Terms of Use.

3. Obligations and activities of the client

Unless otherwise limited in this BAA, in addition to any other obligations outlined in the Agreement, the Client agrees to: 

  1. Data Responsibility. The Client assumes full responsibility for all content, phrases, data entries, and AI-generated outputs involving the Use or Disclosure of ePHI within the Services. Specifically, the Client must: (1) ensure all Use or Disclosure of ePHI, including any AI-related activities, comply with applicable laws and regulations (e.g. HIPAA, industry standards, and data privacy regulations) and (2) prevent unauthorized Use and Disclosure of ePHI, including misuse of AI functionalities. The Provider assumes no responsibility for the Client’s failure to adhere to these obligations. Any response to requests from Individuals and/or Covered Entities (including the Secretary and/or any other entity permitted by applicable law) regarding ePHI shall be the Client’s sole responsibility.

  2. Limitations on Use for Healthcare Activities. The Client acknowledges that AI-generated outputs are probabilistic and should not be solely relied upon for decision-making without human oversight. The Client remains fully responsible for: (i) verifying the accuracy, completeness, suitability, and compliance of all AI-generated content, particularly when involving ePHI; (ii) ensuring AI functionalities used for healthcare activities (especially such as providing health advice, treatment, diagnosis, or other services to Individuals) comply with HIPAA, and any resulting Use or Disclosure of ePHI is legally permissible; (iii) informing Individuals about limitations, risks, and uncertainties associated with AI-generated outputs. Additionally, the Client shall restrict the Use and Disclosure of ePHI through AI only to authorized personnel (licensed, trained, or certified users). Failure by the Client to comply with these obligations, or any other restrictions outlined in the BAA, may result in suspension or termination of the Client’s access to the Services and may expose the Client to liability for any resulting damages, penalties, or losses under the Agreement.

  3. Compliance with Instructions. The Provider does not monitor or verify how the Client configures or implements the provided Instructions. The adequacy of Instructions does not transfer any responsibility for HIPAA compliance from the Client to the Provider. The Client remains fully responsible for properly configuring and regularly updating the Services in accordance with the Instructions; ensuring any Use or Disclosure of ePHI remains within the scope of the designated Services. Failure to do so does not relieve the Client of its obligations under this BAA and the Agreement, nor does it impose any liability on the Provider. 

  4. Security and Privacy Standards. The Client shall implement and maintain appropriate administrative, physical, and technical safeguards to comply with HIPAA and protect its data’s confidentiality, privacy, and security, including ePHI until such information is available in the Services. 

  5. Permissions and Authorizations. The Client must maintain all required authorizations (including those under 45 C.F.R. § 164.508) for the Use or Disclosure of ePHI under this BAA and provide documentation of such authorizations upon request to ensure compliance with HIPAA, applicable laws, and the Client’s obligations under the Agreement. Additionally, the Client is solely responsible for informing Individuals about their Use or Disclosure of ePHI as required by applicable laws.

  6. Notice of Privacy Practices. The Client shall provide the Provider with written notice of any limitations in its HIPAA notice of privacy practices under the Privacy Rules that affect the Use and Disclosure of ePHI within the Services. The Client must ensure that no such limitations in its notice of privacy practices interfere with the Provider’s ability to fulfill its obligations or exercise its rights under this BAA and the Agreement. Additionally, the Client shall promptly notify the Provider in writing of any changes or revocations in the Provider’s permitted Use or Disclosure of ePHI if they affect or may affect the Provider’s ability to meet its obligations under the Agreement, including this BAA. 

  7. Permissible Requests for Use or Disclosure. The Client shall not request the Provider for the Use or Disclosure of ePHI in any manner that would not be impermissible under the Privacy Rule if done by the Client.

  8. Liability. The Client bears sole responsibility and liability for any Use or Disclosure of ePHI within the Services as specified in this BAA, including, but not limited to, data breaches, regulatory fines, penalties, and third-party claims (including fines or penalties, enforcement actions imposed on the Provider), arising from the Client’s failure to properly configure the Services in accordance with the Instructions; any misuse of the Services by the Client, its affiliates, Authorized Representatives, or End-Users; non-compliance with HIPAA or any other applicable data protection laws and regulations, including unauthorized Use or Disclosure of ePHI caused by the Client.

4. Reports and responses to requests

  1. Breach Notification. The Provider shall, without undue delay, notify the Client upon discovering any confirmed unauthorized Use or Disclosure of ePHI within the Services that results in a material breach of security or privacy (“Breach”). The Provider will reasonably cooperate with the Client upon request by providing details regarding the nature and extent of the ePHI involved, the scope of the Breach (e.g., the number of affected Individuals), the date of occurrence, and, if known, the circumstances surrounding it. If required by law enforcement under 45 CFR § 164.412, the Provider may delay notification for the applicable time period.

  2. Mitigation. The Provider shall take reasonable steps to mitigate, to the extent practicable, any harmful effects known to the Provider of a Breach and must document Security Incidents (defined in 45 C.F.R. § 164.304) for compliance.

  3. Requests for Access and Amendments. The Parties acknowledge and agree that the Provider does not maintain a Designated Record Set for or on behalf of the Client or its End-Users and is not responsible for responding to requests for access or amendment of ePHI. If the Provider receives such a request pursuant to 45 C.F.R. § 164.524, it will promptly forward it to the Client, which remains solely responsible for responding.

5. Termination

  1. Termination for violation. The Client may terminate this BAA if the Provider has materially breached this BAA and fails to cure it within an agreed timeframe or if cure is not possible. Additionally, any corrective action taken to mitigate or address such breach shall not be grounds for termination if it ensures the operation of the Services. Termination for violation will be effective immediately or on a later date specified in the Client’s written notice of termination. 

  2. Termination for cause. The Provider, in its sole discretion, and without any liability to the Client and/or third party, may terminate this BAA if regulatory changes or operational constraints prevent continued provision of the Services or the Client proposes amendments to the Agreement and/or the Services, that affect HIPAA compliance. Termination will be effective immediately or on a later date specified in the Provider’s written notice of termination. 

  3. Effect of termination. Upon termination of this BAA, both Parties’ rights and obligations hereunder cease immediately. Additionally, the Client must immediately stop any Use or Disclosure of ePHI through the Services by any means and ensure its End-Users do the same.

6. Miscellaneous

  1. Severability. If any part of this BAA is found invalid or unenforceable, the remaining provisions shall remain in full force. A Party’s failure or neglect to enforce any of its obligations under this BAA will not be deemed a waiver of that or any other of its rights. 

  2. Relationship of the Parties. The Provider performs all its Services under this BAA as an independent contractor. Nothing in this BAA establishes a partnership, joint venture, or employer-employee relationship between the Parties for purposes of HIPAA.

  3. Governing Law. This BAA shall be governed by the laws of the State of Massachusetts.