HIPAA

Business Associate Agreement

Summary of the BAA OrganAlert executes with covered entities before processing PHI.

Last updated: June 2026

Draft — pending legal review. This page is a placeholder that reflects our intended practices. It is not yet a binding agreement; final language is subject to counsel review before any production use with protected health information.

OrganAlert acts as a Business Associate under HIPAA (45 C.F.R. §164.502(e)). Before any production use involving protected health information, we execute a written Business Associate Agreement with the covered entity. The summary below describes the BAA’s key terms; the executed agreement controls.

Permitted uses & disclosures

We use and disclose PHI only as necessary to provide the contracted service, as permitted by the BAA, or as required by law — never for our own purposes, and never to sell PHI or to train machine-learning models.

Safeguards

We maintain administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including encryption of PHI at rest and in transit, access controls, tenant isolation, and audit logging. See our security overview.

Subcontractors

We ensure that any subcontractor that creates, receives, maintains, or transmits PHI on our behalf agrees to the same restrictions and conditions via a written agreement. Our current subprocessors are bound by BAAs where PHI is involved.

Breach notification

We report any use or disclosure not permitted by the BAA, and any security incident or breach of unsecured PHI, to the covered entity without unreasonable delay and within the timeframe required by the BAA.

Individual rights

We support the covered entity in providing individuals access to, amendment of, and an accounting of disclosures of their PHI as required by the Privacy Rule.

Return or destruction

On termination, we return or destroy all PHI we maintain on the covered entity’s behalf where feasible; where return or destruction is not feasible, we extend protections to that PHI and limit further use.

Request the executable BAA

To receive our BAA for signature, contact legal@organalert.com.