Compliance

Business Associate Agreement

Last updated:

Draft — pending legal review.

This document is a working draft for product development. It has not been reviewed by counsel and is not a binding agreement until replaced with a counsel-reviewed version. Do not rely on it as legal guidance.

Under HIPAA, any vendor that creates, receives, maintains, or transmits protected health information (“PHI”) on behalf of a covered entity is a Business Associate and must operate under a written Business Associate Agreement (“BAA”).

Align.ai is built to operate as a Business Associate of your practice from day one. We require a signed BAA before any real PHI is processed through the service. This page summarizes how that works.

1. What our BAA covers

  • Permitted uses & disclosures — strictly limited to providing the Align.ai service (scheduling, documentation, billing prep, patient engagement, analytics) and as required by law
  • Safeguards — administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C), including encryption in transit and at rest, MFA, audit logging, and access controls
  • Subcontractor flow-down — every subprocessor we use for PHI handling is itself bound by a BAA with terms at least as protective as ours
  • Breach notification — notice to the practice without unreasonable delay, targeting notice within 30 days of discovery of a breach of unsecured PHI (well inside the 60-day outer limit the Breach Notification Rule sets for business associates)
  • Individual rights support — assistance with access, amendment, and accounting of disclosures requests
  • Audit rights — reasonable access to records and attestations for compliance verification
  • Termination & return of PHI — return or secure destruction of PHI on termination, with a certificate of destruction
  • AI-specific protections — explicit prohibition on using your patients’ PHI to train general-purpose AI models; AI inference runs through HIPAA-eligible vendors with zero-data-retention configurations where available

2. Subcontractors that may handle PHI

Each subprocessor below operates under a written BAA with CoreForge. We will provide attestations on request as part of our BAA package.

  • Vercel — application hosting (US data residency)
  • Supabase — Postgres database, file storage
  • Clerk — user authentication
  • Anthropic — large-language-model inference for the AI scribe and operations copilot
  • Deepgram — speech-to-text transcription
  • Twilio — SMS reminders and notifications (HIPAA-eligible plan)
  • Sentry — application error tracking, with PHI scrubbing at the SDK boundary (events are scrubbed inside the application before they are sent to Sentry)

3. What practices are responsible for

A BAA is necessary but not sufficient. Each practice (the Covered Entity) remains responsible for:

  • Conducting its own HIPAA risk analysis and maintaining required policies
  • Workforce training and access provisioning
  • Providing the Notice of Privacy Practices (NPP) and obtaining patient authorizations and communication-preference consents where required
  • Configuring patient SMS opt-in and opt-out settings appropriately (we provide tooling; you set policy)
  • Reviewing and approving every AI-generated artifact before clinical, billing, or patient-communication use
  • Notifying affected individuals in the event of a breach, as required by 45 CFR § 164.404

4. How to request a BAA

We will execute a BAA with any practice using Align.ai for real PHI. To request our current template:

Email: baa@coreforgeconsulting.com
Include: practice legal name, primary contact, approximate go-live date, any required redlines.

Typical turnaround: 2–5 business days for unmodified BAAs; longer when redlines are involved. We do not charge for the BAA itself; it is part of getting you onboarded.

5. Demo & pilot accounts

Sandbox and demo accounts that contain only synthetic data, or data de-identified under the HIPAA standard (45 CFR § 164.514), do not require a BAA, because such data is not PHI. The marketing-site demo at /demo uses synthetic patient records and is not subject to HIPAA. Before a practice migrates real patient data into the platform, a signed BAA must be in place.

6. Status of this document

This page is a summary of our BAA program — not the agreement itself. The current BAA template is undergoing legal review. Once finalized, we will publish the executable PDF here and notify practices in active negotiation.

7. Contact

Questions about our HIPAA program: compliance@coreforgeconsulting.com. BAA requests: baa@coreforgeconsulting.com.

Questions or to request a copy of any document on this page, contact legal@coreforgeconsulting.com.