HIPAA · Business Associate Agreement
Sign the BAA before the first EOB lands.
Denial OS operates as a Business Associate under HIPAA. Most practices we work with are Covered Entities — which means a signed BAA is the prerequisite to processing any patient PHI through our platform. We make this fast and free.
What our BAA covers
- Permitted uses and disclosures of PHI strictly limited to providing the appeals service.
- Required safeguards: encryption at rest, encryption in transit, access controls, audit logging.
- Subcontractor flow-down — every downstream vendor that touches PHI (Anthropic, Supabase, Resend, Phaxio) has executed a BAA with us; Stripe handles payments only and never receives PHI.
- Breach notification within HIPAA Breach Notification Rule timelines.
- Data return / destruction obligations on termination.
- Mutual cooperation on patient access, amendment, and accounting requests.
How to request the template
Email legal@twinflamegroup.com with your practice's legal name, NPI or tax ID, and the name + email of the person authorized to sign. We'll send a countersignable PDF the same business day. If you need a redline against your own template, attach yours and we'll turn it within 48 hours.
Already a customer?
If you started a trial first and now need a BAA, that's fine — we'll get it executed before any production EOB upload. Email the same address and reference your account.
Subcontractor BAAs (downstream)
- Supabase — database, storage, and auth. BAA executed.
- Anthropic — letter generation via the Claude API. BAA via Anthropic's HIPAA program; PHI minimized in prompt envelope.
- Stripe — payments only; no PHI touches Stripe.
- Resend — transactional email. BAA executed; no patient PHI in email bodies.
- Phaxio — fax submission of letters. BAA executed.