Apex Flow

Trust & compliance

Our Business Associate Agreement

BAA before bytes: we sign a HIPAA Business Associate Agreement with your practice before a single piece of identifiable claim data moves. Here's exactly what that agreement contains and where it comes from.

"BAA before bytes": the rule we don't bend

No identifiable data moves before the BAA is signed. Ever. Under HIPAA, a company that handles protected health information (PHI) on a practice's behalf is a business associate, and the practice may only share PHI with it under a written Business Associate Agreement (BAA). We treat that as the starting line, not paperwork to catch up on later: the free conversation and the free denial-cost check use no patient data at all, and the moment an engagement involves your real claims, the BAA comes first.

Built on the HHS model, not invented in-house

Our BAA is built on the U.S. Department of Health & Human Services, Office for Civil Rights' published Sample Business Associate Agreement Provisions (the federal regulator's own model language), and it contains every element a BAA is required to have under 45 CFR 164.504(e)(2). In brief, the agreement:

  • defines the permitted and required uses and disclosures of PHI, never broader than what your practice could do itself;
  • commits us to use or disclose PHI only as the agreement permits or as required by law;
  • requires appropriate safeguards, including compliance with the HIPAA Security Rule for electronic PHI;
  • requires us to report any use or disclosure not provided for by the agreement, including breaches of unsecured PHI and security incidents;
  • flows the same restrictions down to any subcontractor that creates, receives, maintains, or transmits PHI;
  • makes PHI available for patient access requests (45 CFR 164.524);
  • makes PHI available for amendment (45 CFR 164.526);
  • makes information available for an accounting of disclosures (45 CFR 164.528);
  • commits us to comply with the Privacy Rule for any covered-entity obligation we carry out on your behalf;
  • makes our internal practices, books, and records available to HHS for compliance review;
  • requires PHI to be returned or destroyed at termination, where feasible; and
  • authorizes your practice to terminate the agreement if we violate a material term.

Every client signs their own BAA, in minutes

There is no shared boilerplate signed once and stretched across clients. Each practice signs its own BAA with Apex Flow, by e-signature, and it typically takes minutes, not a legal project. The sequence is always the same:

  1. Free check & conversation. Benchmarks and specialty denial patterns only. No patient data involved at any point.
  2. NDA + BAA signed. E-signature, minutes. Nothing identifiable has moved yet.
  3. Secure intake. Your claim export moves through a private, encrypted channel; never email, and never this website. See how the secure upload works.
  4. The engine runs. Findings come back evidence-first; you keep them either way.

This website never accepts PHI

The website you are reading is a public, informational site. It has no BAA and is not built to receive patient data, so we never accept PHI through it. Our forms collect business contact details only and explicitly ask you not to include patient information. That isn't a limitation we hide; it's the design. Claim files move only through the secure, agreement-covered channel described on the secure upload page, after your BAA is signed.

This page describes our standard practice in plain language; it is informational and is not itself a contract, and it is not legal advice. The signed BAA and services agreement between Apex Flow and your practice are the governing documents. Source for the model language: HHS OCR, Sample Business Associate Agreement Provisions.


© Apex Flow Revenue Cycle Solutions LLC. All rights reserved.
