California CMIA Addendum
Who this applies to. This addendum applies to Customer practices that are located in California or that provide services to patients in California, where the Customer is subject to the California Confidentiality of Medical Information Act (Civil Code §§ 56–56.37, "CMIA"). California practices may contact us to execute a signed copy of this addendum alongside their Business Associate Agreement.
Purpose and scope
This Addendum supplements the Business Associate Agreement ("BAA") and/or Services Agreement between Bespoke Therapist Software Utah LLC ("Bespoke") and the Customer practice ("Customer"). It applies where Customer is subject to the California Confidentiality of Medical Information Act, Civil Code §§ 56–56.37 ("CMIA") — for example, because Customer is located in California or provides services to patients in California.
In the event of a conflict between this Addendum and the BAA with respect to medical information governed by CMIA, the provision that is more protective of the patient's medical information controls. CMIA obligations are in addition to, and do not replace, obligations under HIPAA and the BAA.
Acknowledgment of CMIA status
Bespoke acknowledges that, in providing the Services to a CMIA-covered Customer, Bespoke receives medical information (as defined in Civil Code § 56.05) from Customer in order to assist Customer in the handling of that information. Bespoke acknowledges that it may therefore be treated as a contractor within the meaning of Civil Code § 56.05, and agrees to be bound by the obligations CMIA imposes on a contractor with respect to that medical information.
Use and disclosure of medical information
Bespoke will not use or disclose medical information received from Customer except as permitted by CMIA and the BAA. In particular:
- No disclosure without authorization. Consistent with Civil Code § 56.10, Bespoke will not disclose medical information except as expressly authorized by Customer or the patient, or as otherwise required or permitted by law.
- Limited to providing the Services. Bespoke uses medical information solely to generate the draft requested by the Customer's clinician during a single request, and for no other purpose.
- No sale; no marketing. Bespoke does not sell medical information and does not use it for marketing.
- No further use. Bespoke does not use medical information to train, fine-tune, or improve any artificial intelligence model, and does not create de-identified or aggregated data from it.
Transient processing; no persistent storage
Bespoke's architecture processes medical information transiently and in memory only for the duration of a single generation request, after which it is deleted. Bespoke does not persistently store the images, audio, free text, or generated drafts that contain medical information.
Safeguards
Bespoke will implement and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality of medical information consistent with CMIA and the safeguards required under the BAA and the HIPAA Security Rule.
Breach and notification
In the event of unauthorized access to, or disclosure of, medical information, Bespoke will notify Customer in accordance with the BAA and applicable law so that Customer can meet its own obligations. The parties acknowledge that CMIA establishes its own liability framework, including statutory damages and a private right of action available to individuals, and that CMIA obligations are independent of HIPAA's breach-notification regime.
Subcontractors / subprocessors
Bespoke uses the subprocessors identified in the BAA and Privacy Policy (Google Cloud — Vertex AI/Gemini, Cloud Run, and Firestore — under a Business Associate Agreement with Google; and Stripe for payment processing, which does not receive medical information). Bespoke will require its subprocessors that handle medical information to adhere to confidentiality protections consistent with CMIA.
Term
This Addendum is effective for so long as the BAA or Services Agreement is in effect and Bespoke provides the Services to a CMIA-covered Customer. Provisions that by their nature should survive termination survive.
Relationship to other agreements
This Addendum is a contractual allocation of CMIA-related obligations between Bespoke and Customer. It supplements and does not supersede the BAA, the Terms of Service, or the Privacy Policy except as expressly stated.
California practices may contact us to execute a signed copy of this addendum alongside their Business Associate Agreement.
Email: Justin@bespoke-therapist-software.com