Wren
FeaturesPricingHIPAA & PrivacyAboutResourcesSign InStart Free Trial
Start Free Trial|
Back to home

Wren Clinical — Business Associate Agreement

Last Updated: June 3, 2026

This Business Associate Agreement ("BAA") is between Wren Clinical LLC, a Washington limited liability company ("Business Associate" or "Wren Clinical"), and you, the mental health professional or practice entity creating a Wren Clinical account ("Covered Entity").

By creating a Wren Clinical account, Covered Entity agrees to this BAA. This BAA is entered into pursuant to the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, and the regulations promulgated thereunder (collectively, "HIPAA"), and is incorporated into and governed by the Wren Clinical Terms of Service.

A1. Definitions

Terms used but not otherwise defined in this BAA have the same meaning as in the HIPAA Rules (45 CFR Parts 160 and 164).

"HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended by the HITECH Act.

"PHI" means Protected Health Information as defined at 45 CFR § 160.103, limited to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the Platform.

"ePHI" means PHI that is created, received, maintained, or transmitted in electronic form.

"Breach" has the same meaning as in 45 CFR § 164.402.

"Security Incident" has the same meaning as in 45 CFR § 164.304.

"Subcontractor" means any third party engaged by Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate.

"Client" means an individual who receives mental health services from Covered Entity. "Client" corresponds to the term "individual" as used in the HIPAA Rules (45 CFR Part 164). Where a provision of this BAA references a HIPAA regulation that uses the statutory term "individual," that regulation's language controls for purposes of that provision.

"Platform" means the Wren Clinical web application at app.wrenclinical.com (including its in-app session recorder), the optional Wren Recorder browser extension, and related services. The in-app recorder and Wren Recorder share the same back-end transcription and storage pipeline, and the obligations of this BAA apply identically to recordings made through either surface.

"Session Audio" means audio captured by the Platform — whether through the in-app recorder in the Wren Clinical web application or through the Wren Recorder browser extension — and processed for transcription. The BAA obligations applicable to Session Audio are identical regardless of which surface captured it.

A2. Permitted Uses and Disclosures of PHI

A2.1 Permitted Uses

Business Associate may use PHI only as necessary to provide the Platform services, including: (a) generating AI-assisted clinical documentation drafts via AWS Bedrock; (b) producing transcripts from Session Audio using third-party transcription services (AssemblyAI); (c) storing documents, transcripts, guides, and automatically generated notes saved by or on behalf of Covered Entity; (d) performing administrative functions such as tenant isolation, billing reconciliation, and audit logging; (e) providing customer support directly related to Covered Entity's use of the Platform; (f) accepting voice input from authorized users, transcribing it to text via approved Subcontractors, and holding the resulting text in temporary twenty-four (24) hour storage so that the user can review, edit, and insert it into AI requests; and (g) storing in-progress drafts of AI-assisted guide-editing sessions — which may include working guide text, edit-instruction chat history, and any session transcript the user has attached to the editor for context — for up to eight (8) sliding days from the user's last save.

A2.2 Permitted Disclosures

Business Associate may disclose PHI: (a) as necessary to Subcontractors in accordance with Section A5; (b) as required by law; (c) for the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable written assurances of confidentiality from the recipient; or (d) as directed in writing by Covered Entity.

A2.3 Prohibited Uses

Business Associate shall not: (a) use or disclose PHI for any purpose not expressly permitted by this BAA or required by law; (b) use PHI, including session audio, transcripts, or generated documentation, to train, fine-tune, benchmark, or otherwise improve any AI model; (c) sell PHI or use PHI for marketing or advertising purposes; or (d) use PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity.

A2.4 Minimum Necessary

Business Associate will use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose, consistent with 45 CFR § 164.502(b) and the HITECH Act.

A3. Obligations of Business Associate

A3.1 Safeguards

Business Associate will implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, in compliance with the HIPAA Security Rule (45 CFR Part 164, Subpart C). Specific safeguards include: encryption at rest (AES-256) for all stored ePHI, encryption in transit (TLS) for all ePHI transmissions, logical tenant isolation, least-privilege access controls, and audit logging of administrative actions and data lifecycle events.

A3.2 No Unauthorized Use or Disclosure

Business Associate will not use or disclose PHI other than as permitted or required by this BAA or as required by applicable law.

A3.3 Workforce

Business Associate will ensure that its workforce members who access PHI are trained on and comply with the requirements of this BAA and the HIPAA Rules.

A3.4 Reporting — Security Incidents

Business Associate will report to Covered Entity any Security Incident of which it becomes aware, without unreasonable delay. The parties acknowledge that attempted but unsuccessful Security Incidents occur routinely (e.g., port scans, failed login attempts) and that ongoing notice of such incidents is hereby deemed provided unless Covered Entity requests a specific report.

A3.5 Reporting — Breach

Business Associate will notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) days after discovery. For purposes of this Section, a Breach is treated as discovered as of the first day on which the Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate, consistent with 45 CFR § 164.410(a)(2). Notification will include, to the extent reasonably available: (a) identification of individuals whose PHI was or is believed to have been affected; (b) a description of the Breach; (c) the types of PHI involved; (d) steps Covered Entity should take to protect affected individuals; (e) steps Business Associate has taken to investigate and mitigate the Breach; and (f) contact information for Business Associate. Notice to Covered Entity satisfies Business Associate's breach notification obligation; Covered Entity is responsible for notifying affected individuals and HHS as required by HIPAA.

A3.6 Access and Amendment

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will make PHI available and will accommodate requests for amendment as necessary for Covered Entity to fulfill its obligations under 45 CFR §§ 164.524 and 164.526.

A3.7 Accounting of Disclosures

Business Associate will maintain and provide to Covered Entity information necessary to fulfill Covered Entity's obligations to provide an accounting of disclosures under 45 CFR § 164.528.

A3.8 HHS Access

Business Associate will make its internal practices, books, and records relating to PHI available to the Secretary of HHS upon request for purposes of determining compliance with HIPAA.

A3.9 Tenant Isolation

Business Associate processes PHI on behalf of multiple covered entities. Business Associate maintains logical separation of PHI between tenants and will not commingle PHI across covered entities.

A3.10 Audit Controls

Consistent with 45 CFR § 164.312(b), Business Associate maintains system-level logs of administrative actions and key data lifecycle events, including transcript saves and deletions, administrative account closures, hard deletions (recorded in a structured audit file with actor identity and reason), and billing reconciliation activities. Logs are retained for compliance review and protected by access controls and, where stored in versioned object storage, by object-version retention.

A4. Obligations of Covered Entity

A4.1 Lawful Instructions

Covered Entity will not request Business Associate to use or disclose PHI in a manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

A4.2 Notice of Privacy Practices

Covered Entity is responsible for maintaining and providing its own Notice of Privacy Practices to Clients as required by 45 CFR § 164.520 (which uses the statutory term "individuals").

A4.3 Client Authorizations and Recording Consents

Covered Entity is responsible for obtaining any required Client authorizations before submitting PHI to the Platform, and for obtaining any consents required by applicable federal, state, and local recording, wiretapping, two-party consent, and telehealth recording laws before capturing Session Audio.

A4.4 Notification of Changes

Covered Entity will notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to under 45 CFR § 164.522, to the extent that such restriction affects Business Associate's obligations.

A4.5 Professional Responsibility

Covered Entity acknowledges that AI-generated documentation and third-party-generated transcripts produced by the Platform are drafts only. Covered Entity is solely responsible for the accuracy, completeness, and clinical appropriateness of all documentation before clinical use or submission to any payer, regulator, or other party.

A5. Subcontractors

Business Associate will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate is bound by written obligations that are at least as restrictive as those in this BAA, consistent with 45 CFR § 164.308(b).

Business Associate's current Subcontractors that process PHI are Amazon Web Services (for compute, storage, and AI model access via Bedrock) and AssemblyAI (for transcription of session audio). Business Associate has executed a HIPAA-compliant Business Associate Agreement with each.

The complete list of Subcontractors, including those that do not process PHI, is maintained at wrenclinical.com/legal/subprocessors. Business Associate will update this list as Subcontractors change and will provide notice to Covered Entity of material changes involving Subcontractors that process PHI.

A6. Data Retention, Return, and Destruction

A6.1 Retention During Term

Business Associate will retain PHI only as long as necessary to provide the Platform services, subject to the retention schedules in the Privacy Policy. In particular, session transcripts are automatically deleted on a per-transcript rolling schedule configured by Covered Entity (2–30 days, default 8 days), and Session Audio is deleted from Subcontractors and Business Associate immediately upon successful transcription; abandoned or failed audio chunks are automatically destroyed within three (3) days by a storage lifecycle rule.

Versioned storage and permanent destruction. Where Business Associate stores PHI in versioned object storage, deleted or superseded versions of PHI are retained for no more than seven (7) days following deletion or supersession, after which they are permanently and irreversibly purged by an automated storage-lifecycle policy. This applies whether PHI is deleted automatically at the end of a retention window, deleted by an authorized user, or destroyed upon account closure or hard-deletion request.

Voice dictations. Dictation audio submitted through the in-app dictate feature is transmitted over TLS to AssemblyAI for transcription, deleted from AssemblyAI immediately upon completion, and is never stored on Business Associate's infrastructure. The resulting transcribed text is stored in DynamoDB and automatically deleted twenty-four (24) hours after creation by a TTL-based purge. Authorized users may also delete individual dictation entries earlier through the Platform interface.

Guide editor drafts. In-progress drafts of AI-assisted guide-editing sessions — which may include working guide text, edit-instruction chat history, and any session transcript the user has attached to the editor for context — are stored in S3 with a sliding eight (8) day retention window. Each save renews the window; if no save occurs within the window, the draft is automatically destroyed by a daily server-side sweep. Authorized users may also discard a draft at any time, in which case it is destroyed immediately. Draft retention runs independently of the per-transcript retention schedule described above — a transcript attached to a draft persists in the draft for up to eight sliding days separately from the lifetime of the underlying transcript record.

A6.2 Return and Destruction Upon Account Closure

Business Associate supports three distinct account closure pathways, each of which satisfies the return or destruction requirement in 45 CFR § 164.504(e)(2)(ii)(J):

  1. Return (Self-Cancel). When Covered Entity closes its account through Platform settings, Business Associate prepares a ZIP export of saved documents, guides, and non-expired transcripts, and provides a secure download link that expires fifteen (15) minutes after generation. After the link expires or is used, all PHI in Business Associate's possession is permanently destroyed.
  2. Return (Administrative Cancel). When Business Associate closes an account for operational or business reasons, Business Associate prepares a ZIP export and sends Covered Entity a secure download link via email that expires seven (7) days after generation. After the link expires or is used, all PHI is permanently destroyed.
  3. Hard Destruction (on Request). Upon Covered Entity's written request emailed from the account's registered address, Business Associate performs complete destruction of all PHI and account identifiers associated with the account, without preparing a return export and without retaining a tombstone record.

If return or destruction of a specific category of PHI is not feasible, Business Associate will extend the protections of this BAA to that PHI for as long as it is retained and will not use or disclose it except as required by law.

A6.3 Data Flows Not Stored by Business Associate

Session Audio is transmitted to Business Associate's infrastructure and to AssemblyAI for transcription; upon successful transcription, Session Audio is deleted immediately from AssemblyAI and from Business Associate's temporary storage. Chat content submitted to AWS Bedrock is not retained by AWS, Anthropic, or Business Associate beyond the processing of the response. Where Covered Entity enables automatic note generation, the notes produced by AWS Bedrock are retained as attachments to the parent transcript in Covered Entity's account storage and inherit that transcript's retention schedule — they are permanently deleted when the transcript is deleted. Dictation audio is similarly transient: it is uploaded over TLS to AssemblyAI for transcription, deleted from AssemblyAI immediately upon completion, and never stored on Business Associate's infrastructure (only the resulting text is stored, subject to the twenty-four (24) hour retention described in Section A6.1).

A7. Term and Termination of BAA

A7.1 Term

This BAA is effective as of the date Covered Entity creates a Wren Clinical account and remains in effect until all PHI in Business Associate's possession has been returned or destroyed, or until terminated as set forth herein.

A7.2 Termination for Cause

Either party may terminate this BAA if the other party has materially violated a term of this BAA and has not cured the violation within thirty (30) days of receiving written notice identifying the violation. Covered Entity may terminate immediately if it determines that cure is not possible.

A7.3 Termination on Platform Discontinuation

If Business Associate discontinues the Platform, this BAA terminates on the date the Platform ceases operation, subject to the data destruction obligations in Section A6.2.

A7.4 Effect of Termination

Sections A1 (Definitions), A2.3 (Prohibited Uses), A3 (Obligations of Business Associate), A5 (Subcontractors), A6 (Data Retention, Return, and Destruction), A7.4 (this Section), and A9 (Miscellaneous) of this BAA survive termination.

A8. Updates to This BAA

Wren Clinical may update this BAA at any time by posting a revised version at wrenclinical.com/legal/baa. For material changes, Wren Clinical will provide at least 30 days' notice by email to the address associated with your account. Non-material changes such as clarifications or corrections take effect upon posting. Continued use of the Platform after the effective date of any update constitutes acceptance. If you do not agree to a material update, your sole remedy is to terminate your account before the effective date of the change. Wren Clinical will update this BAA as necessary to comply with future changes to applicable law, including any regulations adopted pursuant to HIPAA.

A9. Miscellaneous

A9.1 Interpretation. This BAA will be interpreted to permit compliance with the HIPAA Rules. Any ambiguity will be resolved in favor of a meaning that permits HIPAA compliance. In the event of a conflict between this BAA and the Terms of Service with respect to PHI, this BAA controls.

A9.2 Regulatory References. A reference to a section of the HIPAA Rules means the section as in effect or as amended.

A9.3 No Third-Party Beneficiaries. This BAA is for the sole benefit of the parties. Nothing in this BAA creates any rights in any Client or other third party.

A9.4 Governing Law. This BAA is governed by the laws of the State of Washington and applicable federal law, including HIPAA.

A9.5 Entire Agreement as to PHI. This BAA, together with the Terms of Service, constitutes the entire agreement between the parties with respect to PHI and supersedes any prior agreements on the same subject.

Terms of ServicePrivacy PolicyBusiness Associate AgreementSubprocessorsWashington Consumer Health Data

hello@wrenclinical.com

© 2026 Wren Clinical LLC