Business Associate Agreement
Our commitment to protecting health information under HIPAA.
Last updated: March 1, 2026
This document was last updated on the date above. We recommend consulting a healthcare attorney for your specific compliance needs.
Note: This page provides an overview of our Business Associate Agreement in plain language. The actual BAA is a separate legal document executed between ReasonWorks AI Inc. and each Customer.
1. What is a BAA?
A Business Associate Agreement (BAA) is a legally required contract under HIPAA between a Covered Entity (your healthcare organization) and a Business Associate (a vendor like ReasonTele that handles Protected Health Information on your behalf).
The BAA ensures that your vendor is legally obligated to protect patient health information with the same rigor that HIPAA requires of healthcare providers. It defines what the vendor can and cannot do with PHI, what security measures must be in place, and what happens in the event of a data breach.
2. Our Commitment
- We sign a BAA with every healthcare customer at no additional cost.
- A signed BAA is required before any Protected Health Information is processed through our platform.
- We proactively maintain compliance with HIPAA's Security Rule, Privacy Rule, and Breach Notification Rule.
- Our BAA meets or exceeds the requirements of 45 CFR §164.502(e) and §164.504(e).
3. Key Terms Summary
While the full BAA contains detailed legal provisions, here is a plain-language summary of the key commitments:
Permitted Use of PHI
PHI is used solely to provide the contracted telehealth services. We will not use or disclose PHI for any other purpose without written authorization.
Encryption
All PHI is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Video and audio streams are protected with WebRTC SRTP encryption.
Access Controls
Access to PHI is governed by role-based access controls (RBAC), multi-factor authentication (MFA) for administrative access, audit logging of all PHI access, and automatic session timeouts.
Subcontractor Obligations
All subcontractors who handle PHI are bound by equivalent HIPAA obligations through their own BAAs with ReasonWorks AI Inc.
Breach Notification
We will notify you within 24 hours of discovering a breach or suspected breach of unsecured PHI. This exceeds the HIPAA requirement of 60 days and ensures you can respond quickly.
Data Return & Destruction
Upon termination of the agreement, all PHI is returned or securely destroyed using cryptographic erasure within 30 days, except where retention is required by law.
HIPAA Security Rule Compliance
Our platform is designed to meet the requirements of the HIPAA Security Rule (45 CFR §164.308–318), including administrative, physical, and technical safeguards. See our Security page for details.
4. How to Execute a BAA
For paid plan customers, the BAA is automatically included as part of the onboarding process. You will be presented with the BAA for review and electronic signature before your account is activated for PHI processing.
If you need a BAA outside of the standard onboarding flow, or if your organization requires a custom BAA, please contact us at legal@reasontelehealth.com.
5. Subprocessor List
The following infrastructure providers may process PHI on our behalf. Each is bound by a BAA or equivalent data processing agreement.
| Provider | Role | Data Processed |
|---|---|---|
| Cloud Infrastructure Provider | Hosting & compute | Encrypted PHI at rest |
| Database Provider | Data persistence | Encrypted PHI at rest |
| AI/ML Provider | Translation & scribe processing | Session audio/video (real-time only) |
| Email Service Provider | Transactional email | Account information only (no PHI) |
Specific provider names are disclosed in the executed BAA. We will notify Customers at least 30 days before adding a new subprocessor that handles PHI.
Questions?
If you have questions about our BAA or HIPAA compliance practices, please contact us at:
ReasonWorks AI Inc.
Email: legal@reasontelehealth.com