SignalEHR by TheraPreneur
HIPAA Compliance

Business Associate Agreement (BAA)

SignalEHR signs a HIPAA Business Associate Agreement with every paid US customer at no additional cost. The standard template is available to review before you subscribe.

No mail app? Email us at security@signalehr.com

Reply target: 1 business day for template requests; 1–2 weeks for redlined templates from your legal team.

Included at no extra cost

Every paid SignalEHR subscription. No per-BAA, per-clinic, or per-amendment fees for the standard template.

E-signed in the dashboard

Dedicated signing portal with typed-name signature + timestamped audit trail. No click-through acceptance.

Negotiable for clinic groups

We accept reasonable redlines from your legal team. Material changes require 1–2 weeks of additional legal review.

What's in it

The 7 sections that matter

High-level summary of the standard SignalEHR BAA. The full template is ~14 pages — request it via the button above for the exact legal language.

  • Permitted uses + disclosures

    SignalEHR uses your PHI only to provide the SignalEHR service to you: AI-assisted documentation, scheduling, billing, telehealth, and the related infrastructure. We don't sell, syndicate, or use PHI for marketing, advertising, or model training that affects other clinics.

  • Sub-processors

    Each sub-processor in the data path (Google Cloud, Deepgram, OpenAI, Anthropic, ElevenLabs, Stripe, Twilio, Telnyx, LiveKit, Stedi, TELUS Health) has its own BAA with us. Current list at signalehr.com/security#sub-processors. We notify customers 30 days before adding a new PHI-touching sub-processor.

  • Safeguards

    Administrative, physical, and technical safeguards mapped to 45 CFR §164.308–§164.312. AES-256 encryption in transit and at rest. Zero raw audio retention — transcripts and embeddings only, with explicit consent. Per-PHI audit logging. Annual risk analysis on file.

  • Breach notification

    We notify Covered Entities of any breach affecting their PHI without unreasonable delay and no later than 30 days of discovery (well ahead of HIPAA's 60-day requirement). Notification includes affected individuals, scope, mitigations, and remediation plan.

  • Right to audit

    Customers may request our SOC 2 report (Type I in progress), security overview deck, sub-processor list, and Privacy Impact Assessment artifacts under NDA. We respond within 5 business days.

  • Termination + return of PHI

    On termination, SignalEHR returns or securely destroys all PHI within 90 days (or sooner if requested). Customers can export PHI at any time via the API or dashboard.

  • Indemnification

    Mutual indemnification capped at 12 months of subscription fees paid, except for willful misconduct, gross negligence, or breach of confidentiality (uncapped). Standard for SaaS BAAs at our stage.

Process

From request to signed BAA

  1. Request the template (pre-sale, no obligation)

    Email security@signalehr.com — we send the current standard template within 1 business day. No NDA required.

  2. Subscribe to SignalEHR

    Start a 14-day free trial or convert to a paid plan. The BAA signing flow auto-launches inside Settings → Compliance → BAA on first practitioner login.

  3. Review + e-sign in the signing portal

    Each signer gets a unique signing link sent to their email. Type your full legal name, mark the agreement checkbox, click sign. The signed PDF is stored in your clinic's compliance vault and emailed to both parties.

  4. Counter-signature from SignalEHR

    Returned within 24 hours by the SignalEHR Privacy Officer. You'll receive the fully-executed PDF by email.

  5. Annual review (optional but recommended)

    The template version is reviewed annually. Material updates are sent to your designated compliance contact 60 days before the new version takes effect, with the option to remain on the legacy template until renewal.

FAQ

What practices ask before signing

Do I need a BAA to use SignalEHR?

If you're a US Covered Entity under HIPAA (almost every licensed therapy practice is), yes — you must have a signed BAA with any vendor that creates, receives, maintains, or transmits PHI on your behalf. SignalEHR is a Business Associate to your practice the moment a session is recorded, a chart is created, or a claim is submitted. We sign with every paid customer.

Does the BAA cost extra?

No. The standard BAA is included with every paid SignalEHR subscription at no additional fee. We do not charge per-BAA, per-clinic, or per-amendment for the standard template.

Can I see the template before subscribing?

Yes. Email security@signalehr.com with subject 'BAA template request' and we'll send the current version (PDF + Markdown source) within one business day. We do not require an NDA to share the template — it's a standard contract.

Will you accept our practice's BAA instead of yours?

For clinics with established legal review, yes — we accept negotiated redlines on our standard template, and we can sign reasonable variants of common BAAs (most law-firm or consortium templates align closely with ours). We don't sign templates that contain unbounded indemnification, audit rights that override our SOC 2 controls, or breach-notification windows shorter than HIPAA's 60-day requirement.

What about Canada — is there a Canadian equivalent?

Canada doesn't use the BAA construct (BAAs are a US/HIPAA artifact), but the equivalent contractual relationship exists under PIPEDA and provincial laws (PHIPA in Ontario, Law 25 in Quebec, HIA in Alberta, PIPA in BC). We sign a Data Processing Agreement (DPA) with every paid Canadian customer that covers the equivalent commitments. Email security@signalehr.com to request the DPA template.

Who signs the BAA on SignalEHR's side?

2808845 Alberta Inc., the legal entity behind SignalEHR. The Privacy Officer (currently the founder, Sudipta Sarkar) is the named signatory. Counter-signature is returned to your provided email within 24 hours of your signature.

How is the BAA signed — paper, e-sign, click-through?

E-signature via a dedicated signing portal at signalehr.com/baa/{token}. Each signer gets a unique link sent to the email on file. The signed PDF is returned to both parties and stored in your clinic's compliance vault (Settings → Compliance → Documents). We do not use click-through 'acceptance' for BAAs — every BAA is a typed-name + drawn-or-typed-signature flow with a timestamped audit trail.

What if our compliance team needs to negotiate terms?

Send your redlines to security@signalehr.com. Reasonable scope is: indemnification caps, breach notification timelines (faster than 60 days OK), audit rights, sub-processor approval, and termination-for-cause language. Material scope changes require legal review on our side and typically add 1–2 business weeks.

Compliance team has a specific question?

Direct line to our Privacy Officer.