Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA). Denialbase executes BAAs with covered-entity customers and requires them from our own subprocessors.
Request a BAA with Denialbase
Any healthcare customer (covered entity) that will send PHI through Denialbase can request a BAA before go-live.
1. Request: email legal@denialbase.com with your organization name, primary contact, and anticipated go-live date.
2. Review: we’ll send our standard BAA (based on HHS model language) within 2 business days. We can accept minor redlines; major redlines may route to outside counsel and extend the timeline.
3. Sign: both parties sign electronically via DocuSeal. The fully executed PDF is stored in our compliance vault and provided to you.
Our subprocessor BAA status
| Subprocessor | Service | BAA status | Target |
|---|---|---|---|
| Google Cloud Platform | Cloud SQL, Cloud Run, GCS, Memorystore, Secret Manager | Not yet signed (in progress) | Q3 2026 |
| Anthropic | LLM inference for denial detection and appeal drafting | Not yet signed (in progress) | Q3 2026 |
| Sentry | Error monitoring (PHI-scrubbed) | Not yet signed (in progress) | Q3 2026 |
| Amazon SES | Transactional email (no PHI in bodies) | Not yet signed (in progress) | Q3 2026 |
| DocuSeal | E-signature for appeal submissions | Not required — customer-executed, PHI handled in-browser | — |
| Kaiser Permanente | Direct payer integration | Not required — Kaiser is the destination of the data, not a subprocessor | — |
Technical safeguards while BAAs are in progress
We don’t wait for legal execution to enforce technical PHI minimization. All of the following are live today:
- Column-level encryption for PHI fields on the User, InsuranceMember, InsuranceProfile, and OverturnableDenial models, using Active Record Encryption with customer-managed keys.
- PHI scrubbing before sending to LLM providers: names, DOBs, MRNs, and IDs are replaced with token placeholders that are reversed only server-side.
- PII scrubbing rules in Sentry configured to redact known PHI field names from error payloads.
- No PHI in email bodies — SES sends transactional and notification emails only; PHI stays behind authenticated pages.
- Audit logging of every read/write/export of PHI via the hipaa_audit_logs pipeline.
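As an added illustration of the LLM scrubbing control above (not Denialbase’s own code), a Ruby sketch of reversible placeholder substitution: PHI values are swapped for opaque tokens before text leaves the server, and the token-to-value map is applied to the model’s reply only server-side. The `PhiScrubber` class, the field labels and the sample record are assumptions, and the sketch assumes the PHI values are already known from the structured record, since the page does not say how they are located in free text.

```ruby
# Added example, not Denialbase's code: reversible placeholder substitution
# for PHI before free text goes to an LLM provider. The placeholder -> value
# map stays server-side and is applied to the model's reply.
# Assumption: PHI values are taken from the structured record; the page does
# not say how they are located in free text.
class PhiScrubber
  # phi: Hash of label => raw value, e.g. { "NAME" => "Jane Doe" }.
  def initialize(phi)
    values = phi.reject { |_, v| v.to_s.strip.empty? }
    # Longest values first so "Jane Doe" wins over "Doe" at the same offset.
    @ordered = values.sort_by { |_, v| -v.to_s.length }
    @token_for = {} # raw value => placeholder such as [[MRN]]
    @ordered.each { |label, v| @token_for[v.to_s] = "[[#{label}]]" }
    @pattern = Regexp.union(@ordered.map { |_, v| v.to_s }) # escapes values
  end

  # Single pass over the text: output is never re-scanned, so a short value
  # such as "42" cannot match inside an already-emitted placeholder.
  def scrub(text)
    return text if @ordered.empty?
    text.gsub(@pattern) { |m| @token_for[m] }
  end

  # Restore raw values in the model's reply; only ever runs server-side.
  def unscrub(text)
    return text if @ordered.empty?
    text.gsub(Regexp.union(@token_for.values)) { |m| @token_for.key(m) }
  end
end

# Constructed sample record and text (not real patient data).
SAMPLE_PHI = { "NAME" => "Jane Doe", "DOB" => "1984-03-07",
               "MRN" => "MRN-0042", "ID" => "42" }.freeze
SAMPLE_TEXT = "Appeal for Jane Doe (DOB 1984-03-07, MRN-0042, member ID 42): claim denied.".freeze

# Round trip: scrub outbound text, then unscrub a (stubbed) model reply.
def demo_round_trip
  s = PhiScrubber.new(SAMPLE_PHI)
  outbound = s.scrub(SAMPLE_TEXT)
  reply = "We appeal on behalf of [[NAME]] ([[MRN]])." # stand-in for LLM output
  [outbound, s.unscrub(reply)]
end

puts demo_round_trip if $PROGRAM_NAME == __FILE__
```

The single-pass `gsub` matters when one value is a substring of another (here "42" inside "MRN-0042"): the longer alternative is tried first at each offset, and placeholders already emitted are never rescanned.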
FAQs
Can I send PHI today even though your subprocessor BAAs aren't fully executed?
We strongly recommend reviewing the risk with your own compliance team. Many covered entities proceed based on our technical controls and the “in-progress” status of the subprocessor BAAs; others wait. We can provide a detailed control summary on request.
Will you notify me when a subprocessor BAA is executed, or when a new subprocessor is added?
Yes — our BAA includes a 30-day advance notice clause for new subprocessors. We’ll also post subprocessor changes to this page and to our changelog.
Do you accept my organization's BAA template instead of yours?
We can. Our standard BAA is usually the faster path, but we’re happy to review yours. Send it to legal@denialbase.com.
How long do you retain executed BAAs?
BAAs and the underlying service agreement are retained for the later of (a) the term of the service agreement plus 6 years, or (b) as required by law.