Help CenterDevelopersSecurity
Contact Support | 1(888) 369-0701Login
About Rev
Pricing
Request a DemoTry Rev Free
Product
Back To Menu
Human-Verified & Professional Services
Human Transcription
Expert Human Transcription with 99% Accuracy
Human Captions
Accessible & Compliant Captions for Video Content in English or Spanish
Court Reporting Self-Service
From Instant Drafts To Ready To Certify Transcripts
Global Subtitles
Expand Globally with Accurate Subtitles in 17 Languages
API
The World's Most Accurate Speech-To-Text API
View All Pay-Per-Minute Services
Transcription, captions, & subtitles tailored to your budget & timeline
AI Platform Features
Multi-File Analysis
AI Transcription
AI Notetaker
AI Captions
Rev Mobile App
View All AI Features
Industries
Back To Menu
Legal
Criminal Prosecution
Eliminate Evidence Backlogs, Uncover Critical Details, & Deliver Justice
Criminal Defense
Cut Hours of Review, Catch Inconsistencies, & Build a Stronger Case
Law Enforcement
Get Back In The Field & Increase Close Rates
Civil Law
Build Stronger Cases With AI-powered Legal Transcripts
Court Reporting Agencies
A Trusted Partner from Transcription to Certification
SmartDepo
AI Summaries & Depo Memos With 100% Page-Line Accuracy
Industries
Research & Consulting
Newsrooms & Journalists
Video Distribution & Accessibility
Education
Healthcare
View All Industries
Resources
Back To Menu
Blog
Expert Insights On Legal Tech, AI Workflows, And More
Press
Latest News About Rev's Speech-To-Text Technology
Reports & Guides
Whitepapers, Reports, And Guides To Inform Your Business Decisions
Learning Center
Guides And Tutorials To Help You Get The Most From Rev
Transcript Library
Free Transcripts From Influential Moments In Politics And Media
Case Studies
Discover How Rev Industry Leaders Put Rev To Work
Reviews
Trusted Feedback And Ratings From G2, Mobile App Stores, And More
Apps & Tools
Get Pricing Estimates, Record Your Voice, & More With Our Online Tools & Apps
Partners
Discover Our Bar Association Partners & Learn How To Partner With Rev
Careers
We're Hiring For Ambitious Team Members Across Rev
About Rev
Pricing
Help CenterDevelopersSecurityContact Support | 1(888) 369-0701
Login
Try Rev FreeRequest a Demo

Business associate agreement

Last Updated May 15, 2026

This Business Associate Agreement (“BAA”) forms part of the Rev.com Terms of Service and the Rev.com Master Services Agreement (as applicable to the type of Services Customer has purchased) (the “Agreement”) by and between the entity registering an account on Rev to obtain transcription, video caption, translation, and other related services (“Customer”) and Rev.com, Inc. (“Rev”). Except to the extent otherwise expressly set forth in this BAA, this BAA is governed by the terms and conditions of the Agreement. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. In the event of any inconsistency or conflict between this BAA and the Agreement, the BAA applies.

RECITALS:

  1. Customer is a covered entity or business associate as such terms are defined under HIPAA and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of Protected Health Information.
  2. Business Associate provides to Customer certain services (“Services”) pursuant to the Agreement. In connection with the Services, the parties anticipate that Business Associate may from time to time create and/or receive Protected Health Information for or on behalf of Customer.
  3. By providing services pursuant to the Agreement and creating and/or receiving Protected Health Information for or on behalf of Customer, Business Associate shall become a business associate (or subcontractor business associate, as applicable) of Customer, as such term is defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of Protected Health Information that Business Associate creates for, or receives from or on behalf of, Customer.
  4. This BAA applies only to the extent the customer identified above is a “covered entity” or “business associate” as those terms are defined by HIPAA.

  1. Definitions
    1. For the purposes of this BAA, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA.

      “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder;

      “Health Information Technology for Economic and Clinical Health Act” or “HITECH Act” means the security provisions of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act;

      “Protected Health Information”       or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care.

      “Secretary”       shall refer to the Secretary of the U.S. Department of Health and Human Services.

      “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). This definition applies to both hard copy PHI and electronic PHI. 
  2. Business Associate obligations
    1. Use and Disclosure of PHI.
      1. Business Associate warrants that it, its agents and its subcontractors: (i) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this BAA and the Agreement; (ii) shall not use or disclose PHI other than as permitted or required by this Agreement or required by law; (iii) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Customer; and (iv) shall only use and disclose the minimum necessary PHI for its specific purposes. Customer agrees that Business Associate may rely on Customer’s instructions to determine if uses and disclosures meet this minimum necessary requirement.
      2. Subject to the restrictions set forth in this BAA, Business Associate may use the information received from Customer if necessary for (i) the proper management and administration of Business Associate; or (ii) to carry out the legal responsibilities of Business Associate.
      3. Subject to the restrictions set forth in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that:
        1. Disclosures are required by law, or

        2. Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
      4. Business Associate is permitted, for Data Aggregation purposes to the extent permitted under HIPAA, to use, disclose, and combine PHI created or received on behalf of Customer by Business Associate pursuant to this BAA with PHI, as defined by 45 C.F.R. 160.103, received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Customer;
      5. Business Associate may de-identify any and all PHI created or received by Business Associate under this BAA. Once PHI has been de-identified pursuant to 45 CFR 164.514(b), such information is no longer Protected Health Information and no longer subject to this BAA.

    1. Safeguards. Business Associate shall employ appropriate administrative, technical and physical safeguards to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this BAA or the Agreement. Business Associate shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this BAA or the Agreement.
    2. Audits and Records. Business Associate shall, in accordance with HIPAA, make available to the Secretary Business Associate’s internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer for purposes of determining Customer’s compliance with its obligations under HIPAA.
    3. Individuals’ Rights to Their PHI:
      1. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Customer to respond to a request by an Individual for access to PHI pursuant to 45 CFR Section 164.524, Business Associate, within ten (10) business days upon receipt of written request by Customer, shall make available to Customer such PHI.
        1. In the event that any Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days.
        2. Customer (or the applicable covered entity) will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Except as required by law, only Customer (or the applicable covered entity) will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by Customer or the applicable covered entity pursuant to 45 CFR Section 164.524, and conveyed to Business Associate by Customer, shall be the responsibility of Customer or the applicable covered entity, including resolution or reporting of all appeals and/or complaints arising from denials.
      2. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Customer (or the applicable covered entity) to respond to a request by an Individual for an amendment to PHI, Business Associate shall, within ten (10) business days upon receipt of a written request by Customer, make available to Customer such PHI:
        1. In the event that any Individual requests amendment of PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days.
        2. Customer (or the applicable covered entity) will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and Business Associate will make no such determinations. Any denial of amendment to PHI determined by Customer or the applicable covered entity pursuant to 45 CFR Section 164.526, and conveyed to Business Associate by Customer, shall be the responsibility of Customer or the applicable covered entity, including resolution or reporting of all appeals and/or complaints arising from denials.
        3. Within ten (10) business days of receipt of a request from Customer to amend an individual’s PHI in the Designated Record Set, Business Associate shall incorporate, or make available PHI for Customer to incorporate, any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 CFR Section 164.526.

      3. In order to allow Customer (or the applicable covered entity) to respond to a request by an Individual for an accounting pursuant to 45 CFR Section 164.528, Business Associate shall, within ten (10) business days of a written request by Customer for an accounting of disclosures of PHI about an Individual, make available to Customer such PHI.
      4. At a minimum, Business Associate shall provide Customer with the following information: (1) the date of the disclosure; (2) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (3) a brief description of the PHI disclosed; and (4) a brief statement of the purpose of such disclosure.
        1. In the event that any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days.
        2. Customer or the applicable covered entity will be responsible for preparing and delivering an accounting to Individual.
        3. Business Associate shall implement an appropriate record keeping process to enable it to comply with the requirements of this BAA.
      5. Disclosure to Third Parties. Business Associate shall obtain and maintain a written agreement with each subcontractor or agent that has or will have access to PHI, which is received from, or created or received by, Business Associate for or on behalf of Customer, pursuant to which agreement such subcontractor and agent agrees to be bound by the same restrictions, terms, and conditions that apply to Business Associate pursuant to this BAA with respect to such PHI.
      6. Reporting Obligations.
        1. In the event of any actual, alleged or suspected incident of unauthorized or accidental disclosure of or access to any Unsecured PHI that Business Associate accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of Customer (“Security Breach”), Business Associate shall promptly report such Security Breach to Customer, but in no event later than ten (10) business days after the date the Security Breach is discovered. Notice of a Security Breach shall include, to the extent such information is available: (1) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Security Breach; (2) the date of the Security Breach, if known, and the date of discovery of the Security Breach; (3) the scope of the Security Breach; and (4) the Business Associate’s response to the Security Breach:
        2. The parties acknowledge that unsuccessful Security Breaches (e.g., pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts) occur within the normal course of business and the parties stipulate and agree that this paragraph constitutes notice by Business Associate to Customer for such unsuccessful Security Breaches.
  4. Customer Obligations
    1. Permissible Requests.
      1. Customer shall not request Business Associate to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by Customer.
      2. Customer shall be compliant with all applicable laws and regulations pertaining to PHI Customer sends, or directs to be sent, to Business Associate.
    2. Notifications.
      1. Customer shall notify Business Associate of any limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
      2. Customer shall notify Business Associate of any changes in, or revocation of, permission by individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
      3. Customer shall notify Business Associate of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
  5. Term and Termination.
    1. Material Breach. Where either party has knowledge of a material breach by the other party, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Agreement affected by the breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Agreement affected by the breach.
    2. Return or Destruction of PHI. Upon termination of this BAA for any reason, Business Associate shall:
      1. If feasible as determined by Business Associate, return or destroy all PHI received from, or created or received by Business Associate for or on behalf of Customer that Business Associate or any of its subcontractors and agents still maintain in any form, and Business Associate shall retain no copies of such information; or
      2. If Business Associate determines that such return or destruction is not feasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Business Associate’s obligations under this Section 4.2 shall survive the termination of this BAA.
  6. General.
    1. Amendment. If any of the regulations promulgated under HIPAA or the HITECH Act are amended or interpreted in a manner that renders this BAA inconsistent therewith, the parties shall cooperate in good faith to amend this BAA to the extent necessary to comply with such amendments or interpretations.
    2. Interpretation. Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA and the HITECH Act.
    3. Conflicting Terms. In the event that any terms of this BAA conflict with any terms of the Agreement, the terms of this BAA shall govern and control over the conflicting term in the Agreement. All other nonconflicting terms of the Agreement shall remain valid and enforceable.