Business Associate Agreement
If your organization is a HIPAA Covered Entity or works with protected health information, you need a signed BAA before using Authproof Cloud in PHI-adjacent workflows.
What is a BAA?
A Business Associate Agreement (BAA) is a contract required by HIPAA between a Covered Entity — such as a hospital, clinic, health plan, or healthcare clearinghouse — and any vendor that handles Protected Health Information (PHI) on their behalf.
Under 45 CFR § 164.502(e), a Covered Entity may share PHI with a Business Associate only after obtaining satisfactory assurances that the PHI will be appropriately safeguarded, and § 164.504(e) specifies what the contract providing those assurances must contain. A signed BAA is that assurance.
Do I need a BAA?
Yes, if your organization is a HIPAA Covered Entity or Business Associate and you intend to use Authproof Cloud to log, verify, or audit AI agent actions that involve PHI, for example clinical decision agents, patient-facing AI, or healthcare operations automation.
No, if you are using Authproof Cloud exclusively for non-healthcare workflows where no PHI is involved. Authproof Cloud stores cryptographic hashes of authorization data rather than raw content, so many healthcare-adjacent workflows may not constitute PHI processing. Note that hashing by itself does not de-identify data: a hash derived from a patient identifier is still linkable to that individual, and 45 CFR § 164.514(c) does not permit a re-identification code that is derived from information about the individual. When in doubt, consult a healthcare attorney.
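The hashing point deserves a concrete illustration. An unkeyed hash of a low-entropy identifier such as a medical record number is not de-identification: anyone holding the digest can enumerate the whole input space and recover the identifier. The example below is added here and is not Authproof code, and it assumes nothing about how Authproof actually hashes data; the six-digit MRN and the key are constructed values. It runs a dictionary attack against a bare SHA-256 digest, then shows that the same attack fails against an HMAC-SHA256 digest when the key is held by the Covered Entity rather than the vendor.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample values for illustration only.
SAMPLE_MRN = "483920"          # a six-digit medical record number
MRN_DIGITS = 6

# A key that, in a real deployment, the Covered Entity generates and never
# shares with the vendor; here it is generated at import time for the demo.
CE_SECRET_KEY = secrets.token_bytes(32)


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier, as a vendor might store it."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    Without the key, an attacker cannot compute candidate digests, so the
    enumeration attack below has nothing to compare against.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recover_identifier(digest: str, digits: int = MRN_DIGITS) -> Optional[str]:
    """Dictionary attack: hash every possible MRN and compare to the digest.

    Ten million or fewer candidates is trivial work, which is why a plain
    hash of a short identifier is effectively reversible.
    """
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(plain_hash(candidate), digest):
            return candidate
    return None


def demo() -> dict:
    """Run the attack against both storage formats and report the outcome."""
    unkeyed = plain_hash(SAMPLE_MRN)
    keyed = keyed_hash(SAMPLE_MRN, CE_SECRET_KEY)
    return {
        "unkeyed_recovered": recover_identifier(unkeyed),  # "483920"
        "keyed_recovered": recover_identifier(keyed),      # None
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a BAA discussion: a vendor storing unkeyed hashes of patient identifiers should be treated as handling PHI, because the stored value is linkable to the individual by anyone who can guess the identifier space. A keyed construction only helps if the key stays outside the vendor's environment.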
What the BAA covers
- Permitted uses and disclosures of PHI in connection with the Service
- Prohibition on unauthorized use or disclosure of PHI
- Appropriate administrative, physical, and technical safeguards
- Breach notification within required timeframes (no later than 60 days after discovery for Unsecured PHI, per 45 CFR § 164.410)
- Subcontractor obligations (Supabase, Vercel)
- Individual access and amendment rights
- Accounting of disclosures
- Return or destruction of PHI on termination
- Termination rights for material breach
Request a BAA
Send us your organization name and contact information and we will send you a BAA for review and execution within 2 business days.
Request a BAA →