HomeLegal CenterHIPAA & BAA
Legal · Document 04

HIPAA & the Business Associate Agreement

Which HIPAA role you occupy, which one we occupy, exactly what our BAA commits us to — and why we apply the same safeguards even to customers HIPAA doesn't directly regulate.

Effective: July 7, 2026 BAA presented at signup & Test a File
The short version — a summary, not a substitute
  • When we handle PHI on your behalf, we act as your business associate under an executed BAA — presented click-through at Self-Service signup and before every Test-a-File upload.
  • Many of our customers (PI firms, P&C carriers, workers' comp programs) aren't HIPAA-regulated at all. You get the same safeguards contractually anyway.
  • Every subcontractor that can touch PHI — including every AI vendor — signs a BAA with us, with zero-retention inference and no training.
  • Breach notice without unreasonable delay: no later than 72 hours after we confirm a breach of unsecured PHI.
  • At termination: your PHI is returned or destroyed, with a deletion certificate.

01Where you fit under HIPAA

HIPAA regulates who holds health information, not the information itself. Our customer base spans all three positions, and the paperwork differs by which one you occupy:

Covered entities
BAA required

Health plans, healthcare clearinghouses, and providers who bill electronically — including IME/QME physicians and evaluation practices that also treat patients or bill health plans. If this is you, HIPAA requires a BAA with us before we touch your PHI. Ours is built into signup.

Business associates
Subcontractor BAA required

Organizations serving covered entities with access to PHI — TPAs administering health plans, legal nurse consulting firms, record-retrieval companies, defense counsel engaged by health systems. When you use Medrecords AI on that PHI, we become your subcontractor business associate (45 CFR 164.502(e)); our BAA is written to sit correctly underneath your upstream BAA.

Not directly covered — most legal & casualty teams
Same safeguards, contractually

Personal-injury and defense firms receiving records by patient authorization or subpoena, property-casualty carriers and self-insurers, and workers'-compensation insurers and agencies (disclosures to whom HIPAA expressly permits at 45 CFR 164.512(l)) are generally not HIPAA covered entities or business associates. HIPAA still shaped how those records reached you, state medical-privacy laws still apply to them, and your clients and courts expect HIPAA-grade care. So we don't tier it: the identical safeguards, audit logging, breach-notice clocks, and never-train commitments bind us for your data through the BAA-equivalent protections incorporated in the DPA and the BAA you accept at signup.

02Our role

Where we create, receive, maintain, or transmit PHI on your behalf — all Self-Service processing, Test-a-File evaluations, and any support access you grant — AI Health Studio LLC d/b/a Medrecords AI is your business associate (or subcontractor business associate) under HIPAA and HITECH, and the BAA governs that PHI alongside the DPA.

Under AI Enablement and Enterprise On-Prem, records and inference stay in your tenancy or infrastructure; our business-associate role narrows to the functions we actually perform (application orchestration, support access you grant), exactly as scoped in DPA Annex 3. Your cloud provider's BAA (e.g., AWS or Azure) covers the HIPAA-eligible services running under your keys — we architect to keep you inside that boundary, and our platform documentation identifies which services must be enabled for HIPAA eligibility.

03What the BAA commits us to

Obligation
Our commitment
Permitted uses & disclosures
PHI is used and disclosed only to provide the Services to you, as required by law, or as you direct in writing — never for our own products, marketing, analytics on record content, or model training.
Minimum necessary
Case-level access control enforces minimum-necessary structurally — our staff and your users see only cases they are assigned, and support access requires your approval.
Safeguards (Security Rule)
Administrative, physical, and technical safeguards per 45 CFR §§164.308–312, implemented as the measures in DPA Annex 2: TLS 1.2+, AES-256, MFA, PHI audit logging, JWT/PASETO sessions, monitoring, and SOC 2 audit-ready documentation.
Breach notification
Notice of any breach of unsecured PHI without unreasonable delay consistent with 45 CFR §164.410 — and in no event later than 72 hours after confirmation, per the DPA — with the details you need for your own §164.404/408 duties, plus mitigation and cooperation. An incident is a breach of the BAA only where it resulted from failure to maintain the agreed safeguards.
Subcontractors
Every subcontractor that can touch PHI — cloud infrastructure and every AI vendor — signs a subcontractor BAA imposing the same restrictions, plus zero-retention inference and no training. See the Subprocessor List.
Individual rights support
The platform's search, export, and audit-log tooling equips you to answer access (§164.524), amendment (§164.526), and accounting-of-disclosures (§164.528) requests; where tooling isn't enough, we assist directly. Individuals who contact us are routed to you per the Privacy Notice, Section 12.
HHS access
Our internal practices, books, and records relating to PHI use are available to the Secretary of HHS for determining compliance.
Return or destruction
At termination, PHI is returned (30-day export window) then destroyed — including backups — with a deletion certificate; if return or destruction is infeasible (e.g., legal hold), protections continue for as long as we hold it.
Documentation
Policies, procedures, and audit-relevant records retained six (6) years per §164.316(b)(2)(i).

04How the BAA is executed

  • Self-Service: the BAA is presented click-through during signup, before any upload is possible. Acceptance is recorded (who, when, version) and a copy is emailed to you and available in account settings.
  • Test a File: the same BAA is presented before the upload control activates. No BAA acceptance, no upload — the sample flow cannot be used around it.
  • AI Enablement & Enterprise On-Prem: a countersigned BAA is executed with the Order Form, scoped to the plan's data path (see DPA Annex 3). We accept reasonable redlines and can work from your paper where your compliance program requires it.
  • Version control: BAA updates follow the DPA's change rules — never a silent weakening; material changes on 30 days' notice.

05De-identification & the never-train promise

HIPAA permits business associates to de-identify PHI and use the result. Our BAA deliberately does not take that permission. We do not de-identify your records for our own purposes — not for research, not for benchmarks, not for model training. The de-identification tooling in the platform (de-ID export under the §164.514 safe-harbor method) is a customer feature: you run it, you own the output, you decide where it goes.

The same is true of every AI vendor in the processing path: subcontractor BAAs plus written zero-retention, no-training terms. The full commitment is stated contractually in DPA Section 4.4 and Terms Section 8.2.

06Common questions

We're a PI firm, not a covered entity. Why sign a BAA at all?

Because it's the cleanest way to bind us to HIPAA-grade obligations for your clients' records regardless of regulatory status — and because your malpractice carrier, referral partners, and opposing counsel increasingly ask whether your vendors are under one. It costs you nothing and closes questions before they're asked.

Does workers' comp really sit outside HIPAA?

Largely, yes — HIPAA expressly permits providers to disclose PHI to workers'-compensation insurers, agencies, and employers to the extent state law provides (45 CFR 164.512(l)), and comp carriers are not covered entities. But state comp statutes impose their own confidentiality duties on that data, which is why our safeguards don't switch off for comp files.

What about 42 CFR Part 2 (substance-use-disorder) records?

Part 2 records carry consent and redisclosure rules stricter than HIPAA. Flag them when uploading (or instruct us in writing); the platform's access controls and your instructions under DPA Section 4.1 govern their handling, and required redisclosure notices belong on any output you export from them. You remain responsible for the consents that got the records to you.

Is Test a File really under the BAA?

Yes. The BAA is accepted before the upload control activates, the file gets production-grade safeguards, it's deleted 30 days after your sample is delivered, and it is never used to train anything. Evaluation terms: Terms, Section 6.

Are you HIPAA "certified"?

No one is — HHS certifies no product. The honest claim is the one we make: HIPAA-eligible architecture, documented Security Rule safeguards, an executed BAA, PHI audit logging, and SOC 2 audit-ready controls documentation, verifiable through the Trust Center security package.

07Request a countersigned BAA

Procurement needs paper? Easy.

Email [email protected] for a countersigned BAA or DPA, or request the full security package — controls documentation, subprocessor detail, and SOC 2 evidence summary — under NDA from the Trust Center.

Visit the Trust Center →