
Business Associate Agreement (BAA)

Last updated: February 2026

What Is a BAA?

A Business Associate Agreement (BAA) is a legally binding contract required under the Health Insurance Portability and Accountability Act (HIPAA). It establishes the responsibilities of a "Business Associate" — any third-party vendor that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a "Covered Entity" (such as a healthcare practice).

The BAA obligates the business associate to safeguard PHI appropriately, to comply with the applicable HIPAA rules, and to answer for any misuse or unauthorized disclosure of patient data. Since the HITECH Act, business associates are also directly liable under HIPAA for their own compliance; the BAA documents those obligations and the contractual remedies between the parties.

NeuroMatic's BAA Commitment

At NeuroMatic, we believe that HIPAA compliance should never be an afterthought. That is why we sign a Business Associate Agreement with every healthcare client from day one — before our AI voice agent handles its first call.

Unlike vendors that offer a BAA only on request or at premium tiers, we include the BAA as a standard part of every engagement. Whether you are a solo practitioner or a multi-location health system, you receive the same level of compliance commitment.

  • BAA is executed before any PHI is processed
  • Included at no additional cost with every plan, including the free pilot
  • Covers all services provided by NeuroMatic, including call handling and data storage
  • Updated regularly to reflect current regulatory requirements

What Our BAA Covers

Our Business Associate Agreement covers all aspects of how NeuroMatic interacts with patient data on your behalf:

  • Permitted uses and disclosures of PHI: Clearly defines how we may access, use, and share patient data strictly within the scope of providing our services.
  • Safeguards: Outlines the administrative, physical, and technical safeguards we implement to protect PHI from unauthorized access, use, or disclosure.
  • Breach notification obligations: Details our commitment to promptly notify you in the event of any unauthorized access to or disclosure of PHI. HIPAA's Breach Notification Rule sets the outer limit for a business associate's notice to the covered entity: without unreasonable delay and no later than 60 calendar days after the breach is discovered.
  • Subcontractor requirements: Ensures that any subcontractors we engage who may access PHI are also bound by equivalent privacy and security requirements.
  • Return or destruction of PHI: Specifies our obligations upon termination of the agreement to return or securely destroy all PHI in our possession.
  • Audit and compliance rights: Grants you the right to audit our compliance with the terms of the BAA.

HIPAA Compliance Details

NeuroMatic maintains comprehensive HIPAA compliance across all operations. Our compliance program includes:

  • Privacy Rule compliance: We follow strict policies governing how PHI is used, disclosed, and shared, adhering to the minimum necessary standard.
  • Security Rule compliance: We implement the administrative, physical, and technical safeguards required by the Security Rule to protect the confidentiality, integrity, and availability of electronic PHI (ePHI).
  • Breach Notification Rule: We maintain incident response procedures to detect, report, and respond to any potential breaches within the timeframes required by HIPAA.
  • Regular risk assessments: We conduct periodic risk analyses to identify and mitigate potential vulnerabilities in our systems and processes.
  • Workforce training: All NeuroMatic team members complete HIPAA training upon onboarding and annually thereafter.
  • Documentation and policies: We maintain comprehensive written policies and procedures that govern all aspects of PHI handling.

Security Measures

Our security infrastructure is designed to meet and exceed HIPAA requirements:

  • AES-256 encryption for all data at rest
  • TLS 1.2 or later for all data in transit
  • US-based data centers covered by a SOC 2 Type II attestation report
  • Role-based access controls with multi-factor authentication
  • Continuous monitoring with intrusion detection and prevention systems
  • Regular penetration testing and vulnerability assessments
  • Automated backups with encrypted off-site disaster recovery
  • Audit logging of all access to PHI

How to Request a BAA

Requesting a BAA from NeuroMatic is straightforward. Because we include a BAA with every engagement, the process is built into our standard onboarding:

  • During onboarding: Our team will provide the BAA for your review and signature as part of the setup process, before any patient data is processed.
  • Existing clients: If you need a copy of your executed BAA or have questions about its terms, contact our compliance team at any time.
  • Prospective clients: You can request a copy of our BAA template for review before committing to our services.

To request a BAA or discuss compliance requirements, reach out to our team:

Ready to Get Started?

Start your free 30-day pilot with a signed BAA from day one. No credit card required, no compliance gaps.

Start Your Free Pilot