Business Associate Agreement

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

This Business Associate Agreement ("Agreement") is entered into pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Covered Entity

Your organization (identified upon signing below)

Business Associate

Cai Systems LLC, operating Kestrel and Talon

Recitals

WHEREAS, Covered Entity is a healthcare provider or organization that creates, receives, maintains, or transmits Protected Health Information ("PHI") as defined under HIPAA;

WHEREAS, Business Associate provides prior authorization documentation analysis services that require access to PHI in the form of clinical notes and related medical documentation;

WHEREAS, the Parties wish to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, "HIPAA Rules");

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and for other good and valuable consideration, the Parties agree as follows:

1. Definitions

Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules. The following definitions apply to this Agreement:

(a) "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR 164.402.

(b) "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR 160.103.

(c) "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304.

(d) "Services" means the prior authorization documentation analysis, gap identification, and related services provided by Business Associate to Covered Entity as described in any applicable service agreement between the Parties.

2. Permitted Uses and Disclosures of PHI

(a) Business Associate may use or disclose PHI solely to perform the Services on behalf of Covered Entity, and as permitted or required by this Agreement or as required by law.

(b) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that any disclosure of PHI for such purpose is required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential.

(c) Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted under this Agreement.

3. PHI Handling and Data Processing

Business Associate's Services process PHI as follows, and Covered Entity acknowledges and consents to this processing methodology:

(a) Clinical note text provided by Covered Entity is transmitted via encrypted HTTPS connection to Business Associate's application servers hosted on HIPAA-compliant infrastructure with executed Business Associate Agreements (currently AWS and Vercel).

(b) Clinical note text is processed in-memory by an artificial intelligence language model hosted on HIPAA-compliant infrastructure (currently AWS Bedrock) for the purpose of identifying documentation gaps against payer-specific requirements.

(c) Clinical note text is NOT stored, logged, persisted, cached, or retained by Business Associate at any point during or after processing. Processing occurs entirely in-memory and the clinical note text is discarded upon completion of the analysis.

(d) The gap analysis output returned to Covered Entity does NOT contain or reproduce the clinical note text. The output contains only structured assessments of documentation completeness.

(e) Business Associate may store de-identified metadata about the analysis (payer name, procedure code, gap analysis result categories, timestamp) for quality improvement and service delivery purposes. This metadata does not constitute PHI.

(f) Business Associate may update its sub-processors (hosting providers, AI model providers) with prior written notice to Covered Entity, provided that any replacement sub-processor maintains equivalent or greater HIPAA compliance protections.

4. Obligations of Business Associate

Business Associate shall:

(a) Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.

(b) Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, consistent with the requirements of the HIPAA Security Rule.

(c) Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured PHI as required by 45 CFR 164.410.

(d) In the event of a Breach of Unsecured PHI, notify Covered Entity without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach.

(e) Ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.

(f) Make available PHI in a Designated Record Set to Covered Entity, or to the individual as directed by Covered Entity, as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524.

(g) Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

(h) Maintain documentation of all disclosures of PHI as would be required for Covered Entity to respond to a request for an accounting of disclosures under 45 CFR 164.528.

5. Obligations of Covered Entity

(a) Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's permitted uses or disclosures.

(c) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

6. Artificial Intelligence Processing Disclosure

Covered Entity acknowledges and agrees that:

(a) The Services utilize artificial intelligence and machine learning technology to analyze clinical documentation against payer requirements. The AI analysis is advisory only and does not constitute medical advice, clinical decision-making, or a guarantee of prior authorization approval or denial.

(b) Clinical note text is processed by a third-party AI model provider (currently Anthropic's Claude model via AWS Bedrock) under a HIPAA-compliant Business Associate Agreement. The AI model provider does not retain, train on, or have access to the clinical note text after processing.

(c) All clinical decisions regarding patient care, documentation sufficiency, and prior authorization submission remain the sole responsibility of Covered Entity's licensed healthcare providers and authorized staff.

7. Term and Termination

(a) This Agreement shall be effective as of the Effective Date and shall remain in effect for the duration of the service relationship between the Parties, unless earlier terminated as provided herein.

(b) Either Party may terminate this Agreement upon thirty (30) days' written notice to the other Party if the other Party materially breaches this Agreement and fails to cure such breach within the notice period.

(c) Upon termination, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Given Business Associate's in-memory-only processing architecture, no PHI is retained that would require return or destruction. Business Associate shall certify in writing that no PHI is retained.

(d) The obligations of Business Associate under this Section shall survive the termination of this Agreement.

8. Miscellaneous

(a) This Agreement shall be governed by and construed in accordance with the laws of the State of Rhode Island, without regard to its conflict of law provisions.

(b) This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, both written and oral.

(c) This Agreement may be amended only by a written instrument signed by both Parties.

(d) If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

(e) Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

For questions about this BAA, contact: support@caisystems.dev

Electronic Signature

Acknowledgments

By clicking "Sign Agreement" below, you are executing this Business Associate Agreement electronically. Electronic signatures are legally binding under the E-SIGN Act (15 U.S.C. §7001 et seq.) and the Uniform Electronic Transactions Act (UETA). A copy of the signed agreement will be available for download and printing.