Compliance
Business Associate Agreement (BAA)
HIPAA contract that allows a covered entity to share PHI with a vendor, with required safeguards and breach reporting.
Definition
A Business Associate Agreement (BAA) is a contract required under HIPAA's Privacy Rule (45 CFR §164.504(e)) between a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and a business associate (a vendor that creates, receives, maintains, or transmits Protected Health Information on the covered entity's behalf).
The BAA contractually binds the business associate to a defined subset of HIPAA's Privacy and Security Rule obligations: the permitted and required uses and disclosures of PHI (subject to the minimum-necessary standard), administrative, physical and technical safeguards, reporting of breaches of unsecured PHI to the covered entity without unreasonable delay and in no case later than 60 days after discovery, flow-down of the same terms to any subcontractor that handles the PHI, and termination if the business associate materially breaches the agreement. Since the 2013 Omnibus Rule, business associates are also directly liable under the Security Rule regardless of what the contract says. Without a BAA in place, transmitting PHI to a vendor can itself be a HIPAA violation, even if the vendor is otherwise secure.
AutoICD signs BAAs with paying customers on Pro and Enterprise tiers and treats every byte of clinical text submitted to /v1/code, /v1/audit, or /v1/anonymize as PHI by default. We do not retain inputs after processing on these tiers; see the security and privacy pages for detail.
When to use
- Any U.S. healthcare workflow that sends real chart text to AutoICD or any third party.
- Procurement reviews for any clinical SaaS vendor.
- Confirming subprocessor flow-down before adding a sub-vendor to your stack.
Try it in AutoICD API
Anonymize PHI before sending to non-BAA infrastructure
```bash
curl -X POST https://autoicdapi.com/v1/anonymize \
  -H "Authorization: Bearer $AUTOICD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "text": "John Smith (DOB 1955-04-12) seen in clinic for chest pain."
  }'
```
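The curl call above is the manual version of the control this page is really describing: raw PHI may only go to a host whose operator has signed a BAA, and anything else must see de-identified text. The following is an added example of how to enforce that routing in a client, not AutoICD's own client library. It assumes a few things the page does not state and labels them in the code: that the /v1/anonymize response is JSON with the de-identified text in a `"text"` field, that `analytics.example.net` is a hypothetical non-BAA vendor, and that the BAA allowlist is maintained from your procurement records rather than discovered at runtime. The HTTP transport is injectable so the routing logic can be exercised offline against a constructed stand-in.

```python
"""Route clinical text only to BAA-covered hosts; anonymize it first otherwise.

Added example, not AutoICD's client code. ASSUMPTIONS (not from the page):
- POST /v1/anonymize returns JSON with the de-identified text in "text".
- analytics.example.net is a hypothetical vendor with no BAA in place.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

ANONYMIZE_URL = "https://autoicdapi.com/v1/anonymize"

# Hosts whose operator has signed a BAA with your organization. autoicdapi.com
# follows the page; any other entry is a procurement fact you must maintain by
# hand, since nothing in code can verify that a contract exists.
BAA_COVERED_HOSTS = {"autoicdapi.com"}

# A transport POSTs a JSON body to a URL with the given headers and returns the
# parsed JSON response. Injecting it lets the routing logic run offline.
Transport = Callable[[str, Dict, Dict[str, str]], Dict]


def http_json(url: str, body: Dict, headers: Dict[str, str]) -> Dict:
    """Default transport using only the standard library."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in headers.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def is_baa_covered(url: str) -> bool:
    """True only for an https URL whose exact hostname is on the BAA allowlist."""
    parts = urlparse(url)
    return parts.scheme == "https" and (parts.hostname or "") in BAA_COVERED_HOSTS


def anonymize(text: str, autoicd_key: str, transport: Transport = http_json) -> str:
    """Call /v1/anonymize and return the de-identified text.

    ASSUMPTION: the response carries the de-identified text in a "text" field.
    The page does not document the response schema; confirm against the API docs.
    """
    resp = transport(ANONYMIZE_URL, {"text": text}, {"Authorization": f"Bearer {autoicd_key}"})
    return resp["text"]


def send_clinical_text(text: str, url: str, dest_headers: Dict[str, str],
                       autoicd_key: str, transport: Transport = http_json) -> Dict:
    """Deliver clinical text to `url` without ever exposing raw PHI to a non-BAA host.

    Refuses non-https destinations outright: PHI must not travel in the clear.
    """
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send clinical text over {scheme!r}: {url}")
    payload = text if is_baa_covered(url) else anonymize(text, autoicd_key, transport)
    return transport(url, {"text": payload}, dest_headers)


def fake_transport() -> Tuple[Transport, List[Tuple[str, Dict]]]:
    """Constructed offline stand-in: records every call and fakes the anonymize reply."""
    calls: List[Tuple[str, Dict]] = []

    def transport(url: str, body: Dict, headers: Dict[str, str]) -> Dict:
        calls.append((url, body))
        if url == ANONYMIZE_URL:
            # Constructed sample output; the real service's output format may differ.
            return {"text": "[PATIENT] (DOB [DATE]) seen in clinic for chest pain."}
        return {"accepted": True}

    return transport, calls


def demo() -> List[Tuple[str, Dict]]:
    """Route the page's sample note to a BAA-covered host, then to a non-BAA host."""
    note = "John Smith (DOB 1955-04-12) seen in clinic for chest pain."
    transport, calls = fake_transport()
    # BAA-covered endpoint: the raw note goes straight through.
    send_clinical_text(note, "https://autoicdapi.com/v1/code",
                       {"Authorization": "Bearer k"}, "k", transport)
    # Hypothetical non-BAA vendor: the note is anonymized first, so the vendor
    # only ever receives the de-identified text.
    send_clinical_text(note, "https://analytics.example.net/ingest",
                       {"X-Api-Key": "v"}, "k", transport)
    return calls
```

The allowlist match is on the exact hostname, so `autoicdapi.com.evil.example` or a plain-http URL for the same host is treated as not covered; both would otherwise be easy ways for raw PHI to leak past the check. Keep the allowlist in one place and review it whenever a vendor or subcontractor changes, since that is exactly the flow-down point a BAA review is meant to catch.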