Business Associate Agreement

Last Updated: March 2026

NexaClaim AI, Inc. ("Business Associate") enters into Business Associate Agreements (BAAs) with healthcare organizations ("Covered Entities") that use our platform to process Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Overview

A BAA is a legally binding agreement required by HIPAA whenever a Covered Entity shares PHI with a Business Associate. As a healthcare AI platform that processes claim data, denial information, clinical documentation, and patient identifiers, NexaClaim functions as a Business Associate to its customers.

Our standard BAA is available for execution by all customers on Professional and Enterprise subscription tiers. Pilot tier customers may request a BAA during the evaluation period.

Key Provisions of Our BAA

NexaClaim's standard Business Associate Agreement includes the following provisions:

Permitted Uses and Disclosures: NexaClaim will use and disclose PHI only as permitted or required by the BAA, the underlying services agreement, and applicable law. We will not use PHI for marketing, fundraising, or any purpose unrelated to the services we provide.

Safeguards: NexaClaim will implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI. These safeguards include AES-256 encryption at rest, TLS 1.3 encryption in transit, row-level security for tenant isolation, and comprehensive audit logging.

Subcontractor Obligations: NexaClaim will ensure that any subcontractors that create, receive, maintain, or transmit PHI on our behalf agree to the same restrictions and conditions that apply to us under the BAA. We maintain signed BAAs with all subprocessors that handle PHI, including our cloud infrastructure providers and AI service providers.

Breach Notification: NexaClaim will report any breach of unsecured PHI to the Covered Entity without unreasonable delay and no later than 60 days after discovery of the breach, in accordance with 45 CFR 164.410. Our breach notification will include identification of the individuals affected, a description of the breach, and the steps we are taking to mitigate harm.

Individual Rights: NexaClaim will make PHI available to the Covered Entity to fulfill individual rights requests, including access, amendment, and accounting of disclosures, in accordance with 45 CFR 164.524, 164.526, and 164.528.

Return or Destruction of PHI: Upon termination of the BAA, NexaClaim will return or destroy all PHI in our possession, except where retention is required by law. Where destruction is not feasible, we will extend the protections of the BAA to retained PHI.

Term and Termination: The BAA remains in effect for the duration of the services agreement. Either party may terminate the BAA if the other party materially breaches its terms and fails to cure within 30 days of notice.

Subprocessors

NexaClaim maintains Business Associate Agreements with the following subprocessors that may handle PHI in the course of providing our Services:

  • Supabase, Inc. — Database hosting, authentication, and file storage (SOC 2 Type II certified, HIPAA BAA available on Pro plan)
  • Vercel, Inc. — Application hosting and edge functions (HIPAA BAA available on Enterprise plan)
  • OpenAI, Inc. — AI model inference for clinical NLP and coding assistance (zero-retention API, HIPAA BAA available)
  • Anthropic, PBC — AI model inference for appeal letter generation (zero-retention API, HIPAA BAA available)

We will notify customers of any changes to our subprocessor list at least 30 days in advance.

Request a BAA

To execute a Business Associate Agreement with NexaClaim AI, please contact our compliance team. We will provide our standard BAA for your legal review and can accommodate reasonable modifications.

Ready to get started? Contact our compliance team to receive and execute a Business Associate Agreement.

Average BAA execution time: 3-5 business days. Enterprise customers may request custom BAA modifications.

Frequently Asked Questions

Is a BAA required to use NexaClaim?

A BAA is required before any PHI is transmitted through our platform. You can explore the platform using de-identified test data without a BAA in place.

Does NexaClaim support custom BAA terms?

Our standard BAA meets the requirements of most healthcare organizations. Enterprise customers may request modifications to specific provisions. Our legal team will work with your counsel to finalize mutually agreeable terms.

How does NexaClaim handle PHI in AI processing?

PHI submitted to our AI models for real-time analysis is processed using zero-retention API agreements with our AI providers. This means PHI is not stored by the AI provider after the response is returned and is never used for model training.

What certifications does NexaClaim hold?

NexaClaim is currently pursuing SOC 2 Type II certification, with completion targeted for Q4 2026. All of our infrastructure providers maintain SOC 2 Type II or equivalent certifications.