
Business Associate Agreement

We sign a BAA with every practice before any patient data is shared. No exceptions.

What Is a BAA?

A Business Associate Agreement (BAA) is a legally required contract under HIPAA between your practice (the Covered Entity) and any company that handles Protected Health Information on your behalf (the Business Associate).

Because ChiroDesk AI processes patient names, phone numbers, appointment details, and health information from conversations, we are a Business Associate. HIPAA requires a signed BAA before any PHI is shared between us.

Why You Need a BAA With Us

Our AI scheduling system handles PHI in several ways:

  • Patient names and contact information from phone calls and texts
  • Appointment dates, times, providers, and service types
  • Health information mentioned during conversations (symptoms, conditions, injury details)
  • Insurance information provided by patients
  • Patient records accessed through your EHR integration

All of this is Protected Health Information under HIPAA, and a BAA must be in place before any of it is processed.

What Our BAA Covers

Permitted Uses

The BAA specifically defines what we are and are not allowed to do with your patient data. We use PHI only for scheduling, communication, and service delivery as directed by your practice.

Safeguards

We implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI. This includes encryption, access controls, audit logging, and more. See our HIPAA Compliance page for details.

Breach Notification

If any unauthorized access or disclosure of PHI occurs, we notify your practice within 24 hours of discovery, well within the HIPAA maximum of 60 days. We provide all information needed for you to fulfill your notification obligations.

Subcontractor Requirements

Any subcontractor that accesses PHI on our behalf (cloud hosting, telephony, EHR integration partners) is bound by the same restrictions and must have a BAA in place with us.

Patient Rights

We support your obligations to provide patients with access to their records, process amendment requests, and provide an accounting of disclosures.

Data Return & Destruction

When the agreement ends, we return or securely destroy all PHI per your instructions. If complete destruction is not feasible, BAA protections extend to any retained data.

How to Sign Our BAA

Our BAA is signed electronically during the onboarding process, before your account is activated and before any patient data enters our system. Every practice receives and signs a BAA as part of setup. It is not optional.

If you would like to review the BAA before beginning onboarding, contact us at legal@chirodesk.ai and we will send you a copy.

Frequently Asked Questions

Do I need my own lawyer to review the BAA?

We recommend it. While our BAA follows standard HIPAA provisions, your practice should have legal counsel review any agreement that involves patient data.

Is there an additional cost for the BAA?

No. The BAA is included with every account at no additional cost.

What happens if there is a data breach?

We notify your practice within 24 hours of discovering any breach. We identify affected individuals and provide all information needed for you to comply with HIPAA’s breach notification requirements.

Do your subcontractors also have BAAs?

Yes. Every subcontractor that creates, receives, maintains, or transmits PHI on our behalf has a BAA in place with us. We evaluate subcontractors for HIPAA compliance before engagement.

What happens to my data if I cancel?

You will have a 60-day window to export your data. After that, all PHI is securely destroyed, and we provide written certification of destruction.

Contact

To request a copy of our BAA or ask questions:

Email: legal@chirodesk.ai

© 2026 ChiroDesk AI. All rights reserved.