Business Associate Agreement (BAA) Summary

This document provides a summary of key provisions in Ansur AI's Business Associate Agreement. A full BAA will be executed with your organization before processing any Protected Health Information (PHI).

Overview

Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations (Covered Entities) must enter into Business Associate Agreements (BAAs) with vendors who handle Protected Health Information (PHI). Ansur AI operates as a Business Associate and executes BAAs with all healthcare organizations before processing any PHI.

Key Provisions

1. Permitted Uses and Disclosures

Ansur AI agrees to use and disclose PHI only as permitted or required by the BAA or as required by law. We will:

  • Use PHI solely for the purpose of providing the Service to your organization
  • Not use or disclose PHI in any manner that would violate HIPAA if done by a Covered Entity
  • Limit use and disclosure to the minimum necessary to accomplish the intended purpose

2. Safeguards

Ansur AI implements appropriate safeguards to prevent use or disclosure of PHI other than as provided for in the BAA, including:

  • Administrative safeguards (policies, procedures, workforce training)
  • Physical safeguards (secure facilities, access controls)
  • Technical safeguards (encryption, access controls, audit logs)

3. Subcontractors

If Ansur AI uses subcontractors that will have access to PHI, we will:

  • Ensure subcontractors agree to the same restrictions and conditions that apply to us
  • Execute BAAs with all subcontractors
  • Notify you of any new subcontractors with 30 days' advance notice
  • Maintain a current list of subcontractors available upon request

4. Access to PHI

In accordance with HIPAA, Ansur AI will:

  • Provide access to PHI to you or your designees as necessary to fulfill your obligations
  • Provide access to PHI to individuals as required by HIPAA
  • Make PHI available for amendment and incorporate any amendments as directed

5. Accounting of Disclosures

Ansur AI will maintain records of disclosures of PHI and provide an accounting of disclosures as required by HIPAA, including:

  • Date of disclosure
  • Name of the person or entity who received the PHI
  • Description of the PHI disclosed
  • Purpose of the disclosure

6. Security Incident and Breach Notification

Ansur AI will:

  • Report any security incident involving PHI to you without unreasonable delay
  • Report any breach of unsecured PHI within 72 hours of discovery
  • Provide detailed information about the breach, including the nature of the incident and steps taken to mitigate harm
  • Cooperate with you in investigating and remediating any breach

7. Return or Destruction of PHI

Upon termination of the BAA, Ansur AI will:

  • Return or destroy all PHI, if feasible
  • If return or destruction is not feasible, continue to protect PHI and limit further use and disclosure
  • Retain PHI only as necessary to comply with legal obligations

8. Compliance with HIPAA

Ansur AI agrees to:

  • Comply with applicable provisions of HIPAA and the HITECH Act
  • Make our internal practices, books, and records available to HHS for compliance audits
  • Report any use or disclosure of PHI not provided for in the BAA
  • Ensure that our workforce members comply with the BAA

Our Security Measures

To fulfill our obligations under the BAA, Ansur AI implements comprehensive security measures:

  • Encryption: All PHI is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access controls ensure only authorized personnel can access PHI
  • Audit Logging: Comprehensive logging of all access to and use of PHI
  • Regular Assessments: Ongoing security assessments, penetration testing, and vulnerability scanning
  • Workforce Training: Regular HIPAA and security training for all personnel
  • Incident Response: Documented procedures for detecting, responding to, and reporting security incidents

For more details, please see our Security Brief.

BAA Execution Process

To execute a BAA with Ansur AI:

  1. Contact us to initiate the BAA process
  2. We will provide our standard BAA template for review
  3. If needed, we can customize terms to meet your organization's specific requirements
  4. Both parties execute the BAA (electronic signatures are acceptable)
  5. Once executed, we can begin processing PHI in accordance with the BAA

The BAA must be executed before any PHI is processed through our Service.

Important Notes

This is a summary only. The actual BAA contains complete legal terms and conditions. This summary is provided for informational purposes and does not constitute legal advice.

  • The full BAA will be provided for review and execution
  • We recommend that your organization's legal counsel review the BAA
  • BAAs are specific to each organization and may be customized as needed
  • We maintain executed BAAs on file and can provide copies upon request

Request a BAA

To request a BAA or ask questions about our Business Associate Agreement, please contact us:

  • Email: legal@ansur.ai
  • Subject Line: "BAA Request - [Your Organization Name]"

We typically respond to BAA requests within 2-3 business days.
