Pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
This Business Associate Agreement ("Agreement") is entered into pursuant to HIPAA / HITECH between the Covered Entity and Business Associate identified below.
Covered Entity
Your organization (identified upon signing below)
Business Associate
Cai Systems LLC, operating Kestrel (kestrel.to) and Talon (talonapi.dev)
This BAA applies to individual practices and small group practices using Kestrel directly. RCM companies managing multiple practices must execute the RCM Data Processing Addendum. Contact legal@caisystems.dev.
WHEREAS, Covered Entity is a HIPAA Covered Entity that creates, receives, maintains, or transmits Protected Health Information in the course of providing healthcare services or conducting healthcare operations;
WHEREAS, Business Associate provides prior authorization documentation analysis services requiring access to PHI submitted by Covered Entity;
WHEREAS, the Parties intend to comply with HIPAA, HITECH, and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, "HIPAA Rules");
NOW, THEREFORE, the Parties agree as follows:
Terms not defined herein have the meanings given in the HIPAA Rules (45 CFR Parts 160 and 164).
"Breach" — acquisition, access, use, or disclosure of PHI not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI (45 CFR 164.402). Discovery occurs on the first day the Breach is known, or reasonably should have been known, to Business Associate, including the first day that Business Associate’s automated monitoring systems flag potential unauthorized access or anomalous PHI-related activity.
"Designated Record Set" — as defined in 45 CFR 164.501.
"PHI" — individually identifiable health information transmitted or maintained in any form or medium (45 CFR 160.103).
"Security Incident" — attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system (45 CFR 164.304).
"Services" — the prior authorization documentation analysis, gap identification, appeal support, and related services provided by Business Associate under the Terms of Service.
"Unsecured PHI" — PHI not rendered unusable, unreadable, or indecipherable through methods specified by HHS (45 CFR 164.402).
2a. Business Associate may use or disclose PHI only: (i) to perform the Services on behalf of Covered Entity; or (ii) as otherwise permitted or required by this Agreement or applicable law.
2b. Business Associate may use PHI for its own proper management and administration, or to carry out legal responsibilities, provided any disclosure is required by law or made with written confidentiality assurances from the recipient.
2c. Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly authorized under this Agreement.
2d. Business Associate shall not use PHI for fundraising or marketing without explicit Covered Entity authorization.
2e. Business Associate shall not sell PHI.
2f. De-identified aggregated data that no longer meets the HIPAA definition of PHI under 45 CFR 164.514 is not subject to this Agreement. Its collection and use are governed by the Terms of Service and Privacy Policy.
Covered Entity acknowledges and consents to the following processing methodology:
3a. Encrypted PHI Storage. Clinical note text and patient identifiers submitted as part of a prior authorization request are stored encrypted using AES-256-GCM encryption. Encrypted records are accessible only to authenticated, authorized users of the submitting Covered Entity’s account, enforced through database-level row-level security. Encryption keys are stored as environment variables inaccessible through the application interface or API. No Business Associate employee has routine access to unencrypted PHI. Access to encryption infrastructure is restricted to authorized system administrators on a documented need-to-know basis.
3b. De-Identification Before AI Transmission. Before clinical note text is transmitted to the AI analysis service, Business Associate applies programmatic de-identification processes designed to remove known PHI identifiers, including the 18 categories specified in 45 CFR 164.514(b)(2): patient names, geographic subdivisions smaller than state, dates directly related to an individual (other than year), telephone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number, code, or characteristic.
Business Associate maintains a written De-Identification Methodology Document describing its technical processes and updating it when the de-identification implementation changes materially. This document is available to Covered Entity upon written request and to HHS upon demand.
Business Associate does not warrant that de-identification will be complete in every instance, as clinical documentation may contain PHI in non-standard formats, free-text locations, or implicit references that automated processes may not identify. Where the de-identification system encounters clinical note text that cannot be reliably processed — for example, notes that are primarily a listing of personal identifiers with minimal clinical content — the system flags the note for human review before AI transmission rather than processing it automatically. Additional safeguards that reduce residual risk: all transmissions use HTTPS TLS 1.2 or higher; de-identified text is processed in-memory only; AI processors do not retain text after processing; and AI Output does not reproduce submitted note content.
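The following is an added illustration of the kind of programmatic de-identification pass and human-review gate described in Section 3b. It is example code written for this page, not Cai Systems' or Kestrel's implementation; the regular-expression set (which covers only the pattern-detectable identifier categories), the `known_identifiers` fields assumed to come from the structured prior authorization request, and the review thresholds (`max_identifier_ratio`, `min_clinical_words`) are assumptions. The two sample notes are constructed.

```python
"""De-identification with a human-review gate (added example, not the
Business Associate's code). Pattern set and thresholds are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Pattern-detectable subset of the 45 CFR 164.514(b)(2) categories.
# Names, geographic references and implicit identifiers in free text are
# NOT reliably caught by regexes; that residual risk is why the review
# gate below exists. Order matters: more specific patterns run first.
PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN":   re.compile(r"\bMRN[:# ]?\s*\d{5,10}\b", re.IGNORECASE),
    "PHONE": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "URL":   re.compile(r"\bhttps?://\S+\b"),
    "IP":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE":  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ZIP":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


@dataclass
class DeidResult:
    text: Optional[str]          # text cleared for transmission, or None if held
    counts: dict = field(default_factory=dict)  # category -> redactions made
    needs_review: bool = False   # True: route to a human instead of the AI path
    reason: str = ""


def deidentify(note: str, known_identifiers: Optional[dict] = None,
               max_identifier_ratio: float = 0.4,
               min_clinical_words: int = 15) -> DeidResult:
    """Redact identifiers; hold the note for human review when it is mostly
    identifiers or too little clinical content survives redaction."""
    counts: dict = {}
    redacted_chars = 0
    text = note

    # 1. Identifiers already known from structured request fields (assumed
    #    fields such as PATIENT_NAME) are redacted verbatim, case-insensitively.
    for category, value in (known_identifiers or {}).items():
        if not value:
            continue
        text, n = re.subn(re.escape(value), f"[{category}]", text, flags=re.IGNORECASE)
        if n:
            counts[category] = counts.get(category, 0) + n
            redacted_chars += n * len(value)

    # 2. Pattern-based categories.
    for category, pattern in PATTERNS.items():
        matches = list(pattern.finditer(text))
        if matches:
            counts[category] = counts.get(category, 0) + len(matches)
            redacted_chars += sum(len(m.group(0)) for m in matches)
            text = pattern.sub(f"[{category}]", text)

    # 3. Review gate: notes that are primarily identifiers with minimal
    #    clinical content are flagged rather than transmitted automatically.
    ratio = redacted_chars / max(len(note), 1)
    without_tags = re.sub(r"\[[A-Z_]+\]", " ", text)
    clinical_words = re.findall(r"\b[A-Za-z][A-Za-z'-]*\b", without_tags)
    if ratio > max_identifier_ratio or len(clinical_words) < min_clinical_words:
        reason = (f"identifier ratio {ratio:.2f}, "
                  f"{len(clinical_words)} clinical words after redaction")
        return DeidResult(None, counts, True, reason)
    return DeidResult(text, counts, False)


# Constructed sample notes (no real patient data).
SAMPLE_NOTE = (
    "Patient Jane Q. Example (MRN 00123456, DOB 03/14/1971) seen 2026-02-02 for "
    "chronic low back pain with radicular symptoms persisting more than 12 weeks. "
    "Failed 8 weeks of physical therapy and NSAIDs. Neurologic exam shows decreased "
    "L5 sensation on the left. Requesting lumbar MRI. Contact: 401-555-0142, "
    "jane.example@example.com."
)
IDENTIFIER_DUMP = (
    "Jane Q. Example, SSN 123-45-6789, MRN 00123456, 401-555-0142, "
    "jane.example@example.com, DOB 03/14/1971"
)

if __name__ == "__main__":
    for note in (SAMPLE_NOTE, IDENTIFIER_DUMP):
        r = deidentify(note, {"PATIENT_NAME": "Jane Q. Example"})
        print("HELD FOR REVIEW:" if r.needs_review else "CLEARED:", r.reason or r.text)
        print("  redactions:", r.counts)
```

The design point is that the gate decides on what the redaction pass itself observed: when most of the input was consumed by redactions, or almost no clinical vocabulary remains, the note is held and `text` is `None`, so nothing reaches the AI transmission step without a person looking at it first.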
3c. In-Memory AI Processing — No Retention. De-identified clinical text transmitted to AWS Bedrock is processed entirely in-memory. This text is NOT stored, logged, persisted, cached, or retained by AWS or Anthropic at any point during or after processing. Business Associate has executed a HIPAA-compliant Business Associate Agreement with AWS covering this processing, and AWS contractually confirms that customer inputs and outputs are not used to train or improve AI models.
3d. Non-PHI AI Output. Gap analysis output contains only structured assessments of documentation completeness. It does not reproduce, restate, quote, or reconstruct the original clinical note text submitted.
3e. De-Identified Metadata. Business Associate retains de-identified analysis metadata — payer name, procedure code, gap analysis result categories, completeness scores, timestamps — for quality improvement and network intelligence. This metadata does not constitute PHI, is not subject to this Agreement, and is governed by the Terms of Service and Privacy Policy.
3f. Sub-Processor Updates. Current AI, hosting, and database sub-processors with executed BAAs are listed in the Privacy Policy. Business Associate may update sub-processors with thirty (30) days’ prior written notice. If a change would materially reduce HIPAA protections, Covered Entity may terminate this Agreement within the 30-day window without early termination liability. Continued use after the notice period constitutes acceptance.
4a. Use and Disclosure Limitation. Use or disclose PHI only as permitted or required under this Agreement or applicable law. Report any inconsistent use or disclosure promptly upon discovery.
4b. Safeguards. Implement and maintain appropriate administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C) to protect the confidentiality, integrity, and availability of electronic PHI created, received, maintained, or transmitted on behalf of Covered Entity.
4c. Security Incident and Breach Reporting.
(i) Breach Notification. In the event of a Breach of Unsecured PHI involving Covered Entity’s data, Business Associate shall notify Covered Entity without unreasonable delay and no later than thirty (30) calendar days after discovery. Notification shall be sent to the breach contact designated in Covered Entity’s account settings and shall include, to the extent reasonably available: identification of individuals whose PHI was involved; description of the Breach and dates of occurrence and discovery; types of PHI involved; recommended steps for individual protection; description of Business Associate’s investigative and corrective actions; and a contact for further inquiry. Business Associate will supplement notification as additional information becomes available.
Business Associate maintains automated monitoring designed to detect unauthorized access or anomalous PHI-related activity. The 30-day notification clock begins on the first day that monitoring flags potential unauthorized access or Business Associate has reason to believe a Breach may have occurred, not on the day a Breach is conclusively confirmed. Business Associate shall investigate promptly and shall not artificially delay the notification clock pending final confirmation.
(ii) Reasonable Notification Efforts. Business Associate shall make reasonable efforts to confirm receipt of breach notifications, including: (A) follow-up email within five (5) business days if the initial notification email is undelivered; and (B) attempted telephone contact to the number on file if email follow-up fails. Business Associate’s notification obligation is satisfied upon documented reasonable efforts using contact information on file, regardless of actual receipt.
(iii) Security Incident Reporting (Non-Breach). Business Associate shall report to Covered Entity any Security Incident of which it becomes aware, including unsuccessful attempts at unauthorized access, use, disclosure, modification, or destruction of PHI or Business Associate’s information systems. Reports of routine unsuccessful incidents (blocked login attempts, automated scans) may be provided in written summary form quarterly unless Covered Entity requests individual reporting.
4d. Subcontractor Agreements. Ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on Business Associate’s behalf agrees, by written BAA, to the same restrictions and conditions as apply to Business Associate under this Agreement.
4e. Individual Access Rights. Make PHI available in a Designated Record Set to Covered Entity, or as directed by Covered Entity to the individual, as necessary to satisfy obligations under 45 CFR 164.524, within legally required timeframes.
4f. Individual Amendment Rights. Incorporate amendments to PHI in a Designated Record Set as directed by Covered Entity, per 45 CFR 164.526.
4g. Accounting of Disclosures. Maintain documentation of PHI disclosures sufficient for Covered Entity’s accounting obligations under 45 CFR 164.528. Provide this documentation within thirty (30) days of written request.
4h. HHS Access. Make internal practices, books, and records relating to PHI use and disclosure available to the HHS Secretary for compliance purposes.
4i. Breach Response and Risk Assessment. Maintain a documented breach response plan. Conduct periodic security risk assessments consistent with 45 CFR 164.308(a)(1) and maintain records of such assessments. Business Associate maintains automated monitoring systems designed to detect unauthorized access, exfiltration, or anomalous activity involving PHI, consistent with industry standards for HIPAA-covered SaaS platforms.
5a. Privacy Practice Limitations. Notify Business Associate of any limitation in Covered Entity’s Notice of Privacy Practices that may affect permitted uses or disclosures.
5b. Permission Revocations. Notify Business Associate of changes in or revocations of any individual’s authorization that may affect Business Associate’s permitted activities.
5c. Permissible Requests Only. Not request Business Associate to use or disclose PHI in any manner impermissible under the HIPAA Rules if done by Covered Entity.
5d. Security Obligations. Implement reasonable security measures to protect access to the Service and to PHI outputs, including: (i) maintaining confidentiality of all account credentials; (ii) restricting Service access to authorized workforce members with documented need; (iii) enforcing credential revocation for departing or role-changing workforce members within twenty-four (24) hours; and (iv) notifying Business Associate at legal@caisystems.dev within twenty-four (24) hours of discovering or suspecting unauthorized access.
5e. Breach Contact Currency. Covered Entity shall maintain a current, accurate breach notification contact in account settings: name, title, business email, and direct phone of the authorized individual. Business Associate shall make reasonable notification efforts as described in Section 4c(ii); beyond those efforts, Business Associate is not responsible for notification failures caused by outdated, inaccurate, or absent contact information. Covered Entity accepts this residual risk.
5f. Output Responsibility. AI Output becomes Covered Entity’s responsibility upon receipt. Subsequent use, storage, transmission, and disclosure are governed by Covered Entity’s own HIPAA obligations, including minimum necessary standards. This BAA does not govern Covered Entity’s use of outputs after delivery.
5g. HIPAA Compliance Obligations. Covered Entity is responsible for its own HIPAA compliance, including maintaining a current Notice of Privacy Practices, conducting required workforce training, and implementing a HIPAA security program. These obligations are not transferred to Business Associate.
6a. The Services use AI to analyze clinical documentation against payer requirements. AI analysis is advisory only. It does not constitute medical advice, clinical decision support, diagnosis, treatment recommendations, or any guarantee of PA approval or denial.
6b. Clinical note text is processed by Anthropic’s Claude models via AWS Bedrock under a HIPAA-compliant BAA. The AI processor does not retain, store, or use text to train models.
6c. All clinical decisions remain the sole responsibility of Covered Entity’s licensed healthcare providers and authorized administrative staff.
7a. This Agreement is effective as of the date of electronic execution and remains in effect for the duration of the service relationship, unless earlier terminated under this Section.
7b. Either Party may terminate upon thirty (30) days’ written notice if the other Party materially breaches any provision and fails to cure within that period.
7c. Business Associate may terminate immediately with written notice if continued performance would violate applicable law or HIPAA Rules.
7d. Post-Termination PHI Obligations.
(i) Business Associate shall initiate secure deletion of Covered Entity’s encrypted PHI records within thirty (30) days of account termination.
(ii) Business Associate shall provide Covered Entity with written certification within sixty (60) days of termination confirming: (A) that deletion has been completed; or (B) a description of any PHI retained and the legal basis for retention. Certification shall be sent to legal@caisystems.dev for Business Associate and to the breach contact on file for Covered Entity.
(iii) If PHI cannot be destroyed, Business Associate shall extend the protections of this Agreement for as long as PHI is retained, limiting further use to the purposes that make destruction infeasible.
(iv) Given Business Associate’s in-memory AI processing architecture, no PHI from the AI analysis path is retained after session completion. Encrypted PHI in the prior authorization request database is subject to deletion per this Section.
7e. Survival. Sections 4, 5f, 5g, and 7d survive termination.
8a. Governing Law. This Agreement is governed by federal law, including HIPAA, HITECH, and their implementing regulations, and where not preempted by federal law, by the laws of Rhode Island, without regard to conflict of law provisions. Any ambiguity shall be resolved consistently with the HIPAA Rules.
8b. Entire BAA. This Agreement constitutes the entire business associate agreement between the Parties on PHI handling and supersedes all prior BAA-related writings. This Agreement is a separate legal instrument from the Terms of Service and Privacy Policy. In the event of conflict between this Agreement and the Terms of Service on PHI handling, this Agreement controls. De-identified aggregated data that no longer meets the HIPAA definition of PHI (45 CFR 164.514) is governed by the Terms of Service and Privacy Policy, not this Agreement.
8c. Amendments. Amendments require a written instrument signed by both Parties. Either Party may request amendments necessary for HIPAA Rules compliance; the other Party shall cooperate in good faith.
8d. Severability. If any provision is held invalid, remaining provisions remain in force. Parties shall replace invalid provisions with valid provisions most nearly achieving the original intent.
8e. No Third-Party Beneficiaries. This Agreement does not create rights for any third party. Individual patient rights under HIPAA must be exercised through Covered Entity.
8f. Relationship of Parties. Business Associate is an independent contractor. This Agreement does not create employment, partnership, joint venture, or agency.
8g. Counterparts. This Agreement may be executed in counterparts and by electronic signature, each constituting an original.
For questions about this BAA, contact: legal@caisystems.dev
Version 2.0 — effective March 21, 2026