P Privity
Home Privacy Policy Request access
Legal

California CMIA Addendum

Addendum to the Business Associate Agreement / Services Agreement
Bespoke Therapist Software Utah LLC — Privity
Last Updated: June 8, 2026

Who this applies to. This addendum applies to Customer practices that are located in California or that provide services to patients in California, where the Customer is subject to the California Confidentiality of Medical Information Act (Civil Code §§ 56–56.37, "CMIA"). California practices may contact us to execute a signed copy of this addendum alongside their Business Associate Agreement.

Section 1

Purpose and scope

This Addendum supplements the Business Associate Agreement ("BAA") and/or Services Agreement between Bespoke Therapist Software Utah LLC ("Bespoke") and the Customer practice ("Customer"). It applies where Customer is subject to the California Confidentiality of Medical Information Act, Civil Code §§ 56–56.37 ("CMIA") — for example, because Customer is located in California or provides services to patients in California.

In the event of a conflict between this Addendum and the BAA with respect to medical information governed by CMIA, the provision that is more protective of the patient's medical information controls. CMIA obligations are in addition to, and do not replace, obligations under HIPAA and the BAA.

Section 2

Acknowledgment of CMIA status

Bespoke acknowledges that, in providing the Services to a CMIA-covered Customer, Bespoke receives medical information (as defined in Civil Code § 56.05) from Customer in order to assist Customer in the handling of that information. Bespoke acknowledges that it may therefore be treated as a contractor within the meaning of Civil Code § 56.05, and agrees to be bound by the obligations CMIA imposes on a contractor with respect to that medical information.

Section 3

Use and disclosure of medical information

Bespoke will not use or disclose medical information received from Customer except as permitted by CMIA and the BAA. In particular:

  • No disclosure without authorization. Consistent with Civil Code § 56.10, Bespoke will not disclose medical information except as expressly authorized by Customer or the patient, or as otherwise required or permitted by law.
  • Limited to providing the Services. Bespoke uses medical information solely to generate the draft requested by the Customer's clinician during a single request, and for no other purpose.
  • No sale; no marketing. Bespoke does not sell medical information and does not use it for marketing.
  • No further use. Bespoke does not use medical information to train, fine-tune, or improve any artificial intelligence model, and does not create de-identified or aggregated data from it.
Section 4

Transient processing; no persistent storage

Bespoke's architecture processes medical information transiently and in memory only for the duration of a single generation request, after which it is deleted. Bespoke does not persistently store the images, audio, free text, or generated drafts that contain medical information.

Section 5

Safeguards

Bespoke will implement and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality of medical information consistent with CMIA and the safeguards required under the BAA and the HIPAA Security Rule.

Section 6

Breach and notification

In the event of unauthorized access to, or disclosure of, medical information, Bespoke will notify Customer in accordance with the BAA and applicable law so that Customer can meet its own obligations. The parties acknowledge that CMIA establishes its own liability framework, including statutory damages and a private right of action available to individuals, and that CMIA obligations are independent of HIPAA's breach-notification regime.

Section 7

Subcontractors / subprocessors

Bespoke uses the subprocessors identified in the BAA and Privacy Policy (Google Cloud — Vertex AI/Gemini, Cloud Run, and Firestore — under a Business Associate Agreement with Google; and Stripe for payment processing, which does not receive medical information). Bespoke will require its subprocessors that handle medical information to adhere to confidentiality protections consistent with CMIA.

Section 8

Term

This Addendum is effective for so long as the BAA or Services Agreement is in effect and Bespoke provides the Services to a CMIA-covered Customer. Provisions that by their nature should survive termination survive.

Section 9

Relationship to other agreements

This Addendum is a contractual allocation of CMIA-related obligations between Bespoke and Customer. It supplements and does not supersede the BAA, the Terms of Service, or the Privacy Policy except as expressly stated.

California practices may contact us to execute a signed copy of this addendum alongside their Business Associate Agreement.

Bespoke Therapist Software Utah LLC
Email: Justin@bespoke-therapist-software.com
P Privity
Justin@bespoke-therapist-software.com
Bespoke Therapist Software Utah LLC
© 2026 · All rights reserved
Privacy Policy Terms of Service California CMIA