
    Business Associate Agreement

    HIPAA-required · Executed with every client

    1. What Is a BAA?

    A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA between a covered entity (your law firm) and a business associate (VerifyMD) that handles Protected Health Information (PHI) on your behalf. The BAA establishes the permitted uses and disclosures of PHI and requires both parties to implement appropriate safeguards.

    2. VerifyMD as a Business Associate

    When VerifyMD's AI voice agents contact medical providers on your firm's behalf, they handle PHI including patient names, dates of birth, claim numbers, medical record numbers, and billing information. As a business associate, VerifyMD is contractually and legally obligated to protect this information in accordance with HIPAA regulations.

    3. What Our BAA Covers

    Our BAA covers all PHI processed through the VerifyMD platform, including data collected during voice agent calls, verification certificates, call recordings and transcripts, data stored in your dashboard, and any information transmitted between VerifyMD and your case management system via our integrations.

    4. Our Safeguards

    Under our BAA, VerifyMD commits to: encrypting all PHI with 256-bit AES at rest and TLS 1.3 in transit; implementing role-based access controls with full audit logging; maintaining SOC 2 Type II certified infrastructure; conducting regular risk assessments and penetration testing; providing breach notification within the timeframes required by HIPAA; and training all personnel who may access PHI.

    5. Subcontractor Agreements

    VerifyMD maintains BAAs with all subcontractors and infrastructure providers that may process PHI, including our cloud hosting providers, telephony infrastructure, and data storage services. We conduct due diligence on all subcontractors to ensure they meet our security and compliance standards.

    6. Breach Notification

    In the event of a breach of unsecured PHI, VerifyMD will notify your firm without unreasonable delay and no later than 60 days after discovery. Our notification will include the nature of the breach, the types of information involved, recommended steps for affected individuals, and the measures we are taking to investigate and mitigate the breach.

    7. Data Return & Destruction

    Upon termination of services, VerifyMD will return or destroy all PHI in our possession within 30 days, as directed by your firm. Where return or destruction is not feasible, we will extend the protections of the BAA to retained information and limit further uses and disclosures.

    8. Requesting a BAA

    We execute a BAA with every client firm as part of our standard onboarding process — no additional fees, no delays. To request a BAA or discuss our compliance posture, schedule a call with our team or email us at info@verifymd.ai.
