Business Associate Agreement

Effective Date: February 28, 2026 | Last Updated: March 1, 2026

Important Notice: This page provides general information about Solum Health's approach to Business Associate Agreements under HIPAA. This page does NOT constitute a Business Associate Agreement and does not create any contractual obligations. The actual terms governing the handling of Protected Health Information are set forth exclusively in the individually negotiated and executed BAA between Solum Health and each Customer.

1. What Is a Business Associate Agreement?

Under the Health Insurance Portability and Accountability Act (HIPAA), when a healthcare provider or health plan (known as a "Covered Entity") shares Protected Health Information (PHI) with a third-party service provider, that service provider is classified as a "Business Associate." A Business Associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity.

A Business Associate Agreement (BAA) is a legally binding contract between a Covered Entity and a Business Associate. The BAA defines how the Business Associate will handle, protect, and safeguard PHI in accordance with HIPAA requirements. Federal law, specifically 45 CFR 164.502(e) and 45 CFR 164.504(e), requires that a BAA be executed before any PHI can be shared between the parties.

The BAA establishes the following obligations:

  • Permitted and required uses and disclosures of PHI by the Business Associate
  • A requirement that the Business Associate implement appropriate administrative, physical, and technical safeguards to protect PHI
  • Mandatory reporting of any unauthorized uses, disclosures, or security incidents involving PHI
  • Breach notification obligations in compliance with the HIPAA Breach Notification Rule
  • A requirement that the Business Associate ensure any subcontractors who handle PHI agree to the same restrictions and conditions
  • Compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
  • Return or destruction of PHI upon termination of the agreement, where feasible

Without a BAA in place, the sharing of PHI between a Covered Entity and a third-party service provider constitutes a HIPAA violation, which can result in significant civil and criminal penalties.

2. Solum Health as a Business Associate

Solum Health Technologies, Inc. operates as a Business Associate when processing Protected Health Information on behalf of healthcare providers who use our platform. As a healthcare AI SaaS company, we take our HIPAA obligations seriously and have built our infrastructure, processes, and organizational culture around the protection of PHI.

Our commitments as a Business Associate include:

  • SOC 2 Type II examinations: Our systems and controls undergo regular independent SOC 2 Type II examinations covering security, availability, and confidentiality trust service criteria.
  • HIPAA compliance program: We maintain a comprehensive compliance program designed to satisfy the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule in our operations involving PHI.
  • Encryption at rest: PHI stored in our production systems is encrypted at rest using industry-standard encryption methods (currently AES-256 or equivalent).
  • Encryption in transit: Data transmitted between our platform and external systems is protected using Transport Layer Security (TLS), with TLS 1.2 as the minimum supported version and TLS 1.3 preferred where supported by connecting systems.
  • Third-party penetration testing: We engage independent security firms to conduct periodic penetration testing of our infrastructure and application.
  • Role-based access controls (RBAC): Access to PHI within our systems is controlled through role-based policies designed to limit access based on job function and business necessity.
  • Multi-factor authentication (MFA): User access to systems containing PHI requires multi-factor authentication. Service-to-service communications are secured through additional authentication controls.
  • Audit logging and monitoring: Access to systems containing PHI is logged, and logs are monitored through automated and manual review processes to detect unauthorized access or anomalous activity.
  • Incident response plan: We maintain a formal incident response plan that outlines procedures for identifying, containing, investigating, and remediating security incidents.
  • Workforce HIPAA training: Solum Health provides HIPAA training to its workforce members, including employees and contractors who access PHI, as part of onboarding and on a recurring basis.
  • Periodic risk assessments: We conduct regular risk assessments as required by the HIPAA Security Rule to identify threats and vulnerabilities to the confidentiality, integrity, and availability of PHI.

3. Scope of Our BAA

What PHI We Process

In the course of providing our services, Solum Health may create, receive, maintain, or transmit the following categories of Protected Health Information on behalf of our customers, including but not limited to:

  • Patient demographics: Names, dates of birth, addresses, phone numbers, email addresses, and other identifying information
  • Insurance information: Payor names, plan details, member IDs, group numbers, and coverage parameters
  • Prior authorization data: Authorization requests, approval and denial statuses, clinical justifications, CPT/HCPCS codes, and related correspondence
  • Eligibility and benefits data: Coverage verification results, benefit breakdowns, copay and coinsurance amounts, deductible status, and out-of-pocket maximums
  • Referral information: Referring provider details, referral reasons, and associated clinical documentation
  • Scheduling data: Appointment dates, times, provider assignments, and visit types
  • Communication records: Patient communications related to intake, scheduling, and insurance matters processed through our platform

How PHI Is Used

Solum Health uses PHI solely for the purpose of providing services as described in the applicable Service Agreement between Solum Health and the Covered Entity. These services include, but are not limited to:

  • Insurance verification and eligibility checking
  • Prior authorization processing, submission, and tracking
  • Patient intake management and form collection
  • Waitlist management and appointment optimization
  • CRM operations and patient pipeline management
  • Insurance monitoring and payor status tracking

PHI is never used for purposes outside the scope of the Service Agreement without explicit written authorization from the Covered Entity, except as required by law.

How PHI Is Protected

Solum Health implements comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. For additional information about our security practices, visit our Security Overview page.

Sub-Processors

Solum Health engages third-party sub-processors to support service delivery. All sub-processors that access PHI are contractually required to maintain appropriate safeguards and execute Business Associate Agreements. A list of sub-processor categories is maintained in our Privacy Policy.

4. PHI and Artificial Intelligence

Solum Health uses artificial intelligence, including our AI assistant Annie, to deliver front-office automation services to healthcare providers. We understand that the use of AI in connection with PHI raises important questions, and we want to be transparent about our practices.

PHI is NOT used to train AI models. Solum Health does not use Protected Health Information to train, fine-tune, or improve any artificial intelligence or machine learning models, whether general-purpose or specialized. When our AI features, including Annie, process PHI, it is done solely for the purpose of delivering the contracted services to the specific customer whose data is being processed in that transaction. PHI from one customer is never used to improve models, algorithms, or services that benefit other customers or the general public.

Our approach to AI and PHI includes the following safeguards:

  • Purpose limitation: AI processing of PHI is strictly limited to performing the services described in the applicable Service Agreement.
  • Data isolation: Customer PHI is logically separated within our systems using access controls and tenant-level data boundaries designed to prevent unauthorized access across customer environments.
  • De-identification standards: When data is used for purposes other than direct service delivery, it is first de-identified in accordance with applicable HIPAA standards, including the Safe Harbor method (45 CFR 164.514(b)) or the Expert Determination method (45 CFR 164.514(a)), as appropriate.
  • De-identified data usage: Data that has been de-identified in accordance with HIPAA is no longer considered PHI and may be used for product improvement, aggregate analytics, and benchmarking. Additional details regarding de-identified data practices are set forth in the applicable Service Agreement and Terms of Service.
  • Transparency: We are committed to transparency about how AI is used in connection with our customers' data. Material changes to our AI practices will be reflected in our publicly available documentation.

5. Request a BAA

Ready to Get Started?

Solum Health requires that a BAA be executed with each customer prior to the exchange of any Protected Health Information. To request a BAA or discuss HIPAA compliance requirements, contact our legal team.

Request a BAA

BAAs are typically executed as part of the standard customer onboarding process. Our legal team will work with you to review, negotiate (if necessary), and execute the BAA before any PHI is transmitted to or processed by our platform.

If you have questions about your BAA status, please contact us at legal@getsolum.com. A BAA must be in place before any PHI can be shared with Solum Health.

When requesting a BAA, please be prepared to provide:

  • Your organization's legal name and address
  • The name and contact information of your HIPAA Privacy Officer or authorized signatory
  • A description of the Solum Health services you intend to use
  • Any specific BAA requirements mandated by your organization's policies or applicable state laws

6. Security Measures

Solum Health maintains a comprehensive security program designed to protect PHI and meet or exceed HIPAA Security Rule requirements. A detailed summary of our security commitments, certifications, and technical safeguards is provided in Section 2 above.

For additional information about our security program, visit our Security Overview page.

7. Breach Notification

In compliance with the HIPAA Breach Notification Rule (45 CFR 164.410), Solum Health maintains a formal breach notification process. In the event of a breach of unsecured Protected Health Information, Solum Health will adhere to the following procedures:

Notification timeline: Solum Health will notify the affected Covered Entity in accordance with the timelines required by the HIPAA Breach Notification Rule (45 CFR 164.410) and the applicable executed BAA.

Notification content: Breach notifications will include the information required under the HIPAA Breach Notification Rule (45 CFR 164.410(c)) and any additional requirements specified in the applicable BAA, including to the extent available:

  • The identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the breach
  • A description of the nature and circumstances of the breach, including the date of the breach and the date of discovery
  • A description of the types of unsecured PHI involved in the breach (such as full name, Social Security number, date of birth, diagnosis, treatment information, or insurance information)
  • A description of the steps Solum Health has taken and will take to investigate the breach, mitigate harm to affected individuals, and prevent future occurrences
  • Recommended actions the Covered Entity and affected individuals should take to protect themselves from potential harm resulting from the breach

Covered Entity responsibilities: The Covered Entity retains responsibility for notifying affected individuals and the U.S. Department of Health and Human Services (HHS) as required by the HIPAA Breach Notification Rule (45 CFR 164.404 and 164.408). Solum Health will cooperate fully with the Covered Entity in fulfilling these notification obligations.

Investigation and mitigation: Upon discovery of a potential breach, Solum Health will promptly initiate its incident response plan, including containment of the breach, a thorough investigation of the scope and cause, remediation of any vulnerabilities, and documentation of the incident and response actions taken.

8. Contact Us

We welcome questions about our BAA, HIPAA compliance practices, and security measures. Please reach out using the appropriate contact method below:

Mailing address:
Solum Health Technologies, Inc.
989 Market Street, 2nd Floor
San Francisco, California 94103

Chat