Sigmund's HIPAA BAA — accepted when you activate your Sigmund account.
What this means in plain English
Sigmund handles patient health information on your behalf. Federal law (HIPAA) requires a written agreement before we can do that — this is that agreement. By accepting these terms when you activate your Sigmund account, you're confirming you have authority to sign contracts for your practice, and that your practice agrees to these terms.
The short version: we will only use your patients' information to run the Sigmund service. We will never sell it, share it beyond what's necessary, or use it to train AI models. We will tell you promptly if something goes wrong. We will delete or return all patient data when you stop using Sigmund.
This Business Associate Agreement ("Agreement") is entered into between Daystrom Labs, LLC, a Montana limited liability company ("Sigmund" or "Business Associate"), and the Covered Entity identified by the individual who accepts this Agreement upon activation of the Sigmund account ("Covered Entity"), pursuant to the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), and the regulations promulgated thereunder at 45 CFR Parts 160 and 164 (collectively, "HIPAA Rules").
All terms used but not otherwise defined in this Agreement shall have the same meaning as in the HIPAA Rules, including but not limited to: Protected Health Information ("PHI"), Electronic Protected Health Information ("ePHI"), Business Associate, Covered Entity, Breach, Security Incident, Subcontractor, Treatment, Payment, and Health Care Operations.
"Services" means the Sigmund platform, including AI-assisted clinical note generation, initial patient analysis, and symptom tracking, as described in the applicable terms of service.
This Agreement is executed by electronic acceptance. When the individual authorized to bind the Covered Entity accepts this Agreement during account activation, that individual: (a) represents and warrants that they have authority to bind the Covered Entity to this Agreement; and (b) agrees, on behalf of the Covered Entity, to the terms of this Agreement as of the date of account activation.
This Agreement becomes effective upon activation of the Covered Entity's Sigmund account and shall remain in effect until terminated pursuant to Section 12.
This Agreement is incorporated into and forms part of the Sigmund Terms of Service. In the event of a conflict between this Agreement and the Terms of Service with respect to PHI, this Agreement controls.
Sigmund may use or disclose PHI only:
Sigmund shall use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, consistent with 45 CFR 164.502(b) and 164.514(d).
Sigmund shall not directly or indirectly receive remuneration in exchange for PHI without express authorization from the individual patient, unless an exception under 45 CFR 164.502(a)(5)(ii) applies.
Sigmund shall not use PHI, including de-identified derivatives of PHI, to train, fine-tune, or improve any machine learning model. PHI shall not leave Sigmund's controlled infrastructure environment for any model training or inference purpose. All AI model inference is performed on infrastructure owned and controlled by Daystrom Labs, LLC; PHI is not disclosed to any external large language model service, third-party AI API, or cloud AI provider for any purpose.
Sigmund shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
Sigmund shall not use or disclose PHI for fundraising or marketing purposes without prior written authorization from Covered Entity and, where required, from the applicable patient.
Sigmund shall not use PHI to create a de-identified dataset under 45 CFR 164.514(b) without prior written authorization from Covered Entity.
Sigmund shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, including ePHI, in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C).
Sigmund represents that its security program currently includes the following measures:
All AI model inference performed in connection with the Services runs exclusively on infrastructure owned and controlled by Daystrom Labs, LLC. PHI is not transmitted to any external AI service, large language model API, or third-party cloud AI provider for any inference or processing purpose. This architecture is an affirmative security control: the external-API attack surface for PHI exfiltration is eliminated by design.
Sigmund shall update its security measures as necessary to comply with changes in the HIPAA Security Rule.
Sigmund shall report to Covered Entity any Security Incident of which Sigmund becomes aware within thirty (30) calendar days of discovery. Sigmund shall summarize and report Unsuccessful Security Incidents at least quarterly upon written request from Covered Entity.
Sigmund shall notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay and in no case later than sixty (60) calendar days after discovery, in accordance with 45 CFR 164.410. Such notice shall include, to the extent reasonably available:
Sigmund shall report to Covered Entity any use or disclosure of PHI not permitted or required by this Agreement of which Sigmund becomes aware without unreasonable delay and in no event later than thirty (30) calendar days of discovery.
In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), Sigmund shall ensure that any Subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Sigmund agrees to the same restrictions, conditions, and requirements that apply to Sigmund under this Agreement, by executing a written Business Associate Agreement with such Subcontractor prior to the exchange of PHI.
As of the effective date of this Agreement, Sigmund does not disclose PHI to any third-party large language model service, external AI API, or cloud AI provider. All AI model inference is performed locally on infrastructure owned and controlled by Daystrom Labs, LLC. Sigmund shall not engage any such third-party AI subprocessor without first: (a) notifying Covered Entity in writing no less than thirty (30) calendar days in advance; and (b) executing a Business Associate Agreement with such subprocessor that imposes the same restrictions and conditions as this Agreement.
Covered Entity acknowledges that Sigmund may engage cloud infrastructure providers, database vendors, and security vendors as Subcontractors in connection with the Services. No such Subcontractor shall receive PHI without a written Business Associate Agreement in place. Sigmund shall maintain an updated list of Subprocessors with PHI access and shall make such list available to Covered Entity upon written request.
Sigmund shall make PHI in a Designated Record Set available to Covered Entity within thirty (30) calendar days of a written request, to enable Covered Entity to fulfill its obligations to provide individuals with access to their PHI.
Sigmund shall make PHI in a Designated Record Set available for amendment and shall incorporate any amendments within thirty (30) calendar days of a written request from Covered Entity.
Sigmund shall document and make available to Covered Entity, within thirty (30) calendar days of a written request, information required for an accounting of disclosures.
If an individual patient contacts Sigmund directly to exercise a right under 45 CFR 164.524, 164.526, or 164.528, Sigmund shall promptly forward that request to Covered Entity and shall not respond directly unless authorized in writing by Covered Entity or required by law.
Sigmund shall comply with any restriction on use or disclosure of PHI that Covered Entity notifies Sigmund of in writing, where such restriction has been agreed to by Covered Entity pursuant to 45 CFR 164.522.
To the extent Sigmund carries out one or more of Covered Entity's obligations under HIPAA Subpart E of 45 CFR Part 164, Sigmund shall comply with the requirements of that Subpart that apply to Covered Entity in the performance of such obligations.
Sigmund shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services ("HHS") for purposes of determining compliance with the HIPAA Rules, in accordance with 45 CFR 164.504(e)(2)(ii)(H).
Upon termination of this Agreement for any reason, Sigmund shall, at the direction of Covered Entity, either return or destroy all PHI received from, or created, maintained, or received by Sigmund on behalf of, Covered Entity. Sigmund shall retain no copies of such PHI.
If return or destruction is not feasible, Sigmund shall: (a) notify Covered Entity in writing of the reasons destruction or return is infeasible; (b) extend the protections of this Agreement to such PHI for as long as Sigmund maintains it; and (c) limit further use or disclosure of such PHI to those purposes that make return or destruction infeasible.
Upon destruction of PHI, Sigmund shall provide Covered Entity with written certification of destruction within thirty (30) calendar days.
This Agreement is effective upon account activation and shall remain in effect until the Covered Entity's Sigmund account is terminated or this Agreement is otherwise terminated as provided herein.
Either party may terminate this Agreement, and Covered Entity may terminate the Services, if the other party has materially breached a material provision of this Agreement and the breaching party has not cured the breach within thirty (30) calendar days after receiving written notice of such breach.
Notwithstanding Section 12.2, Covered Entity may terminate this Agreement and the Services immediately upon written notice if Sigmund has materially breached this Agreement and cure is not possible.
Termination of this Agreement shall trigger Sigmund's obligations under Section 11. Sections 4, 5, 6, 8, 10, 11, 13, and 14 shall survive termination.
Covered Entity represents and warrants that: (a) the individual accepting this Agreement has authority to bind the Covered Entity; (b) Covered Entity is a "covered entity" as defined under 45 CFR 160.103 or is otherwise legally required to comply with the HIPAA Rules; and (c) Covered Entity shall not request that Sigmund use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity directly.
This Agreement is for the sole benefit of the parties and their permitted successors and assigns. Nothing in this Agreement is intended to confer on any other person, including any patient whose PHI is subject to this Agreement, any legal or equitable right, benefit, or remedy.
This Agreement shall be governed by and construed in accordance with the laws of the State of Montana, without regard to its conflict of law principles, except to the extent preempted by federal law, including the HIPAA Rules.
Sigmund may amend this Agreement by providing at least thirty (30) calendar days' prior written notice to Covered Entity (by email or in-app notification). Continued use of the Services after the effective date of an amendment constitutes acceptance of the amended Agreement. Sigmund shall maintain a version history of all BAA versions at https://sigmunds.ai/baa/.
Neither party may assign this Agreement without prior written consent of the other party, except that Sigmund may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee assumes all obligations in writing.
If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.
This Agreement, together with the Sigmund Terms of Service, constitutes the entire agreement between the parties with respect to PHI and supersedes all prior agreements, representations, and understandings relating to PHI.
Written notices under this Agreement shall be sent to:
Standard form · Version 1.0 · Effective June 28, 2026.