HIPAA & the Business Associate Agreement
Which HIPAA role you occupy, which one we occupy, exactly what our BAA commits us to — and why we apply the same safeguards even to customers HIPAA doesn't directly regulate.
- When we handle PHI on your behalf, we act as your business associate under an executed BAA — presented click-through at Self-Service signup and before every Test-a-File upload.
- Many of our customers (PI firms, P&C carriers, workers' comp programs) aren't HIPAA-regulated at all. You get the same safeguards contractually anyway.
- Every subcontractor that can touch PHI — including every AI vendor — signs a BAA with us, with zero-retention inference and no training.
- Breach notice without unreasonable delay: no later than 72 hours after we confirm a breach of unsecured PHI.
- At termination: your PHI is returned or destroyed, with a deletion certificate.
01Where you fit under HIPAA
HIPAA regulates who holds health information, not the information itself. Our customer base spans all three positions, and the paperwork differs by which one you occupy:
Health plans, healthcare clearinghouses, and providers who bill electronically — including IME/QME physicians and evaluation practices that also treat patients or bill health plans. If this is you, HIPAA requires a BAA with us before we touch your PHI. Ours is built into signup.
Organizations serving covered entities with access to PHI — TPAs administering health plans, legal nurse consulting firms, record-retrieval companies, defense counsel engaged by health systems. When you use Medrecords AI on that PHI, we become your subcontractor business associate (45 CFR 164.502(e)); our BAA is written to sit correctly underneath your upstream BAA.
Personal-injury and defense firms receiving records by patient authorization or subpoena, property-casualty carriers and self-insurers, and workers'-compensation insurers and agencies (disclosures to whom HIPAA expressly permits at 45 CFR 164.512(l)) are generally not HIPAA covered entities or business associates. HIPAA still shaped how those records reached you, state medical-privacy laws still apply to them, and your clients and courts expect HIPAA-grade care. So we don't tier it: the identical safeguards, audit logging, breach-notice clocks, and never-train commitments bind us for your data through the BAA-equivalent protections incorporated in the DPA and the BAA you accept at signup.
02Our role
Where we create, receive, maintain, or transmit PHI on your behalf — all Self-Service processing, Test-a-File evaluations, and any support access you grant — AI Health Studio LLC d/b/a Medrecords AI is your business associate (or subcontractor business associate) under HIPAA and HITECH, and the BAA governs that PHI alongside the DPA.
Under AI Enablement and Enterprise On-Prem, records and inference stay in your tenancy or infrastructure; our business-associate role narrows to the functions we actually perform (application orchestration, support access you grant), exactly as scoped in DPA Annex 3. Your cloud provider's BAA (e.g., AWS or Azure) covers the HIPAA-eligible services running under your keys — we architect to keep you inside that boundary, and our platform documentation identifies which services must be enabled for HIPAA eligibility.
03What the BAA commits us to
04How the BAA is executed
- Self-Service: the BAA is presented click-through during signup, before any upload is possible. Acceptance is recorded (who, when, version) and a copy is emailed to you and available in account settings.
- Test a File: the same BAA is presented before the upload control activates. No BAA acceptance, no upload — the sample flow cannot be used around it.
- AI Enablement & Enterprise On-Prem: a countersigned BAA is executed with the Order Form, scoped to the plan's data path (see DPA Annex 3). We accept reasonable redlines and can work from your paper where your compliance program requires it.
- Version control: BAA updates follow the DPA's change rules — never a silent weakening; material changes on 30 days' notice.
05De-identification & the never-train promise
HIPAA permits business associates to de-identify PHI and use the result. Our BAA deliberately does not take that permission. We do not de-identify your records for our own purposes — not for research, not for benchmarks, not for model training. The de-identification tooling in the platform (de-ID export under the §164.514 safe-harbor method) is a customer feature: you run it, you own the output, you decide where it goes.
The same is true of every AI vendor in the processing path: subcontractor BAAs plus written zero-retention, no-training terms. The full commitment is stated contractually in DPA Section 4.4 and Terms Section 8.2.
06Common questions
Because it's the cleanest way to bind us to HIPAA-grade obligations for your clients' records regardless of regulatory status — and because your malpractice carrier, referral partners, and opposing counsel increasingly ask whether your vendors are under one. It costs you nothing and closes questions before they're asked.
Largely, yes — HIPAA expressly permits providers to disclose PHI to workers'-compensation insurers, agencies, and employers to the extent state law provides (45 CFR 164.512(l)), and comp carriers are not covered entities. But state comp statutes impose their own confidentiality duties on that data, which is why our safeguards don't switch off for comp files.
Part 2 records carry consent and redisclosure rules stricter than HIPAA. Flag them when uploading (or instruct us in writing); the platform's access controls and your instructions under DPA Section 4.1 govern their handling, and required redisclosure notices belong on any output you export from them. You remain responsible for the consents that got the records to you.
Yes. The BAA is accepted before the upload control activates, the file gets production-grade safeguards, it's deleted 30 days after your sample is delivered, and it is never used to train anything. Evaluation terms: Terms, Section 6.
No one is — HHS certifies no product. The honest claim is the one we make: HIPAA-eligible architecture, documented Security Rule safeguards, an executed BAA, PHI audit logging, and SOC 2 audit-ready controls documentation, verifiable through the Trust Center security package.
07Request a countersigned BAA
Email [email protected] for a countersigned BAA or DPA, or request the full security package — controls documentation, subprocessor detail, and SOC 2 evidence summary — under NDA from the Trust Center.