Trust & compliance
Our Business Associate Agreement
BAA before bytes: we sign a HIPAA Business Associate Agreement with your practice before a single piece of identifiable claim data moves. Here's exactly what that agreement contains and where it comes from.
"BAA before bytes": the rule we don't bend
Built on the HHS model, not invented in-house
Our BAA is built on the Sample Business Associate Agreement Provisions published by the U.S. Department of Health & Human Services, Office for Civil Rights (the federal regulator's own model language), and it contains every element a BAA is required to have under 45 CFR 164.504(e)(2). In brief, the agreement:
- defines the permitted and required uses and disclosures of PHI, no broader than what your practice could lawfully do itself;
- commits us to use or disclose PHI only as the agreement permits or as required by law;
- requires appropriate safeguards, including compliance with the HIPAA Security Rule for electronic PHI;
- requires us to report to your practice any use or disclosure not provided for by the agreement, including breaches of unsecured PHI and security incidents;
- flows the same restrictions down to any subcontractor that creates, receives, maintains, or transmits PHI;
- makes PHI available for patient access requests (45 CFR 164.524);
- makes PHI available for amendment (45 CFR 164.526);
- makes information available for an accounting of disclosures (45 CFR 164.528);
- commits us to comply with the Privacy Rule for any covered-entity obligation we carry out on your behalf;
- makes our internal practices, books, and records available to HHS for compliance review;
- requires PHI to be returned or destroyed at termination where feasible and, where return or destruction is not feasible, extends the agreement's protections to the retained PHI and limits its further use and disclosure to the purposes that make return infeasible; and
- authorizes your practice to terminate the agreement if we violate a material term.
Every client signs their own BAA, in minutes
There is no shared boilerplate signed once and stretched across clients. Each practice signs its own BAA with Apex Flow by e-signature; it typically takes minutes, not a legal project. The sequence is always the same:
- Free check & conversation. Benchmarks and specialty denial patterns only. No patient data involved at any point.
- NDA + BAA signed. E-signature, minutes. Nothing identifiable has moved yet.
- Secure intake. Your claim export moves through a private, encrypted channel; never email, and never this website. See how the secure upload works.
- The engine runs. Findings come back evidence-first; you keep them either way.
This website never accepts PHI
The website you are reading is a public, informational site. It has no BAA and is not built to receive patient data, so we never accept PHI through it. Our forms collect business contact details only and explicitly ask you not to include patient information. That isn't a limitation we hide; it's the design. Claim files move only through the secure, agreement-covered channel described on the secure upload page, after your BAA is signed.
This page describes our standard practice in plain language; it is informational and is not itself a contract, and it is not legal advice. The signed BAA and services agreement between Apex Flow and your practice are the governing documents. Source for the model language: HHS OCR, Sample Business Associate Agreement Provisions.