What is a BAA?
A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA between a Covered Entity (such as a healthcare provider) and a vendor (the “Business Associate”) that creates, receives, maintains, or transmits Protected Health Information (PHI) on the Covered Entity's behalf (45 CFR § 164.504(e)).
While Salva AI is designed to avoid collecting PHI, we understand that some practices require a BAA as part of their compliance framework. We are happy to execute one for eligible plans.
How Salva AI Handles Patient Data
No PHI collection by design
Our AI agents are specifically instructed to never ask for or record clinical information, diagnoses, treatment histories, or health conditions.
Conversation data is limited
AI conversations capture general inquiries only — scheduling preferences, insurance plan names, office hours questions, and callback requests.
Clinical redirects
When patients bring up clinical concerns, the AI redirects them to contact the practice directly. It does not attempt to provide medical advice.
Encryption everywhere
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Data is stored on US-based servers.
Access controls
Only you and authorized team members can access your practice's conversation data. Salva AI employees access data only for support purposes with appropriate controls.
Minimum Necessary Standard
In accordance with the HIPAA Minimum Necessary Standard (45 CFR § 164.502(b)), Salva AI limits the information it accesses, uses, and discloses to the minimum amount necessary to accomplish the intended purpose. Our AI agents are programmed to collect only scheduling, contact, and general inquiry information — never clinical data, diagnoses, or treatment details.
In the event that a patient inadvertently discloses PHI during a conversation, the AI is configured to redirect the conversation and advise the patient to contact the practice directly. Any inadvertently received PHI is treated with the same protections outlined in the BAA and is not used for any purpose beyond the immediate conversation context.
Security Incident & Breach Response
In the event of a security incident involving potential unauthorized access to, or disclosure of, data covered under a BAA, Salva AI will:
Notify within 60 days
Notify the Covered Entity of a breach without unreasonable delay and in no event later than 60 calendar days after discovery, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Under 45 CFR § 164.410, a breach is treated as discovered on the first day it is known to us (or, by exercising reasonable diligence, would have been known), so the 60-day clock runs from that date rather than from the end of our investigation.
Provide detailed disclosure
Include the nature of the breach, types of information involved, steps taken to investigate and mitigate, and recommendations for the Covered Entity to protect affected individuals.
Cooperate fully
Cooperate with the Covered Entity's investigation and any required notifications to the Department of Health and Human Services (HHS) and affected individuals.
Subcontractors & Third-Party Processors
Salva AI uses third-party infrastructure providers to deliver the Service. HIPAA requires a Business Associate to bind any subcontractor that creates, receives, maintains, or transmits PHI on its behalf to the same restrictions and conditions through a written agreement (45 CFR §§ 164.308(b) and 164.502(e)(1)(ii)); accordingly, any subcontractor that may access data covered under a BAA is bound by equivalent confidentiality and security obligations. Our current infrastructure partners include:
- Supabase — Database hosting (US-based servers)
- OpenAI — AI model processing (data processing agreement in place)
- Vercel — Application hosting (US-based edge network)
We will notify BAA-covered practices of any material changes to subcontractors that process data covered under the agreement.
BAA Availability
Pro Plan — $219/mo
- BAA available upon request
- Standard BAA template provided
- Typically executed within 2 business days
Multi-Practice — $749/mo
- BAA available upon request
- Custom BAA review supported
- Dedicated compliance onboarding
BAAs are not available on the Free or Basic plans. If your compliance requirements mandate a BAA, please consider upgrading to Pro or Multi-Practice.
How to Request a BAA
Request your BAA
If you're on a Pro or Multi-Practice plan and need a BAA, simply email us. We'll send you our standard agreement for review and countersignature.
1. Email support@getgetsalvaai.com with your practice name and plan type.
2. We'll send you the BAA document for review (typically within 1 business day).
3. Sign and return the BAA. We'll countersign and send you the executed copy.
What Our BAA Covers
Our standard Business Associate Agreement is based on the HHS sample business associate agreement provisions, adapted to reflect the specific nature of our Service. It is drafted to satisfy the BAA content requirements of 45 CFR Part 164, Subparts C and E (45 CFR §§ 164.314(a) and 164.504(e)).
Data Return & Destruction
Upon termination of a BAA or closure of your Salva AI account:
- All conversation data and practice configuration data will be securely deleted within 30 days of termination.
- If return of data is feasible, we will provide an export upon request before deletion.
- If immediate deletion is not feasible (e.g., data embedded in backups), we will extend protections under the BAA until deletion is complete and limit further use of the data.
- Upon completion of deletion, we will provide written certification of destruction upon request.
Frequently Asked Questions
Do I need a BAA to use Salva AI?
Not necessarily. Salva AI is designed to avoid collecting or storing PHI, so many practices may not require a BAA. Whether a vendor is a Business Associate turns on whether it actually handles PHI on your behalf, not on intent, and HIPAA's definition of PHI (45 CFR § 160.103) can reach identifiable patient information about scheduling, payment, or insurance, so we recommend confirming the determination with your compliance officer or legal counsel. If they recommend a BAA, we're happy to provide one on eligible plans.
Is Salva AI HIPAA certified?
There is no official “HIPAA certification.” Instead, HIPAA compliance is an ongoing process. Salva AI is designed with HIPAA principles in mind — including data minimization, encryption, access controls, and breach notification procedures.
What if a patient discloses health information to the AI?
If a patient voluntarily shares health information, the AI is configured to redirect the conversation and advise the patient to contact the practice directly for clinical matters. We do not use any voluntarily disclosed information for any purpose other than handling that specific conversation.
Can I use my own BAA template?
Custom BAA review is available on the Multi-Practice plan. For Pro plans, we provide our standard BAA template. Contact us to discuss specific requirements.
How will I be notified of a data breach?
If a breach involving data covered under your BAA is confirmed, we will notify you in writing (via email to your account address) without unreasonable delay and in no event later than 60 calendar days after discovery. The notification will include the nature of the breach, the types of data involved, steps we're taking to investigate and mitigate, and any recommended actions for your practice.