
Business Associate Agreement

Inxcess LLC, DBA Radarrr

For HIPAA-Covered Entities

⚠️ ATTORNEY REVIEW REQUIRED: This BAA template is based on standard HIPAA Business Associate Agreement provisions (45 CFR §164.504(e)). Healthcare law is highly specialized. Before signing this with any HIPAA-covered customer, have a healthcare-experienced attorney review and customize this document. Misconfigured BAAs expose both parties to significant regulatory penalties under HIPAA (up to $1.5M per violation category per year).

⚠️ INFRASTRUCTURE REQUIREMENT: Before executing this BAA with any customer, ensure that all sub-processors who will touch PHI also have BAAs in place with Radarrr. Specifically: VAPI HIPAA tier ($1,000/mo platform fee), Anthropic HIPAA tier (zero data retention, BAA required), Twilio HIPAA tier. Without these in place upstream, you cannot legally execute downstream BAAs with customers.


Parties

This Business Associate Agreement ("BAA") is entered into between:

Covered Entity: [CUSTOMER LEGAL NAME]

Address: [CUSTOMER ADDRESS]

("Covered Entity")

Business Associate: Inxcess LLC, doing business as Radarrr

Address: 2418 Fats Domino Ave, New Orleans, LA

("Business Associate" or "Radarrr")

Effective Date: [DATE]

This BAA is incorporated by reference into the Master Service Agreement and Terms of Service between the parties (the "Underlying Agreement").

1. Definitions

Capitalized terms used but not defined in this BAA have the meanings ascribed to them in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), and their implementing regulations at 45 CFR Parts 160, 162, and 164 (collectively, "HIPAA Rules").

  • "PHI" means Protected Health Information as defined in 45 CFR §160.103, limited to PHI received from, or created or received on behalf of, Covered Entity.
  • "ePHI" means PHI transmitted by or maintained in electronic media.
  • "Security Rule" means the Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 164, Subpart C.
  • "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 164, Subparts A and E.
  • "Breach" has the meaning given the term in 45 CFR §164.402.

2. Permitted Uses and Disclosures of PHI by Business Associate

2.1 Service Performance

Business Associate may use and disclose PHI as necessary to perform the Services described in the Underlying Agreement. This includes:

  • Operating the AI agent (Candace) to handle voice calls, SMS, and DMs with patients
  • Storing conversation transcripts for the duration permitted by the Underlying Agreement
  • Generating weekly summary reports for Covered Entity
  • Processing appointment bookings and deposit collection

2.2 Management and Administration

Business Associate may use PHI for:

  • Proper management and administration of Business Associate
  • Carrying out the legal responsibilities of Business Associate

Provided that any disclosure to third parties is required by law, or Business Associate obtains reasonable assurances that the third party will hold the PHI confidentially and use it only as required by law or for the purposes for which it was disclosed.

2.3 Data Aggregation Services

Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 CFR §164.504(e)(2)(i)(B).

2.4 De-identification

Business Associate may de-identify PHI in accordance with 45 CFR §164.514(a)–(c). De-identified data is no longer PHI and may be used without restriction for service improvement, AI model training, and benchmarking.

3. Obligations of Business Associate

3.1 General Obligations

Business Associate shall:

  • a. Not use or disclose PHI other than as permitted by this BAA, the Underlying Agreement, or as required by law
  • b. Use appropriate safeguards, and comply with the Security Rule with respect to ePHI, to prevent unauthorized use or disclosure of PHI
  • c. Report to Covered Entity any use or disclosure of PHI not permitted by this BAA, including any Breach of unsecured PHI, within fifteen (15) business days of discovery
  • d. In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate
  • e. Make available PHI in accordance with 45 CFR §164.524 (right to access)
  • f. Make available PHI for amendment in accordance with 45 CFR §164.526
  • g. Maintain and make available the information required to provide an accounting of disclosures in accordance with 45 CFR §164.528
  • h. To the extent Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, comply with the requirements that apply to Covered Entity in performance of such obligation
  • i. Make Business Associate's internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA

3.2 Sub-processors

Business Associate shall maintain BAAs (or equivalent written agreements) with all sub-processors that handle PHI, including but not limited to:

  • Anthropic, PBC (AI model — Claude, on HIPAA-compliant tier with zero data retention)
  • VAPI (voice infrastructure — HIPAA-compliant tier)
  • Twilio, Inc. (SMS infrastructure — HIPAA-compliant tier)
  • Any other sub-processor that processes PHI

Business Associate shall provide a current list of HIPAA sub-processors upon request.

3.3 Security Rule Compliance

Business Associate shall comply with the applicable provisions of the Security Rule (45 CFR §164.308, §164.310, §164.312, and §164.316), including:

  • Conducting risk analyses of vulnerabilities to ePHI
  • Implementing administrative, physical, and technical safeguards
  • Maintaining documentation of security policies and procedures
  • Workforce training on PHI handling

3.4 Breach Notification

In the event of a Breach of unsecured PHI:

  • a. Business Associate shall notify Covered Entity in writing within fifteen (15) business days of discovery
  • b. Notification shall include, to the extent reasonably available:
      • Identification of each individual whose unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach
      • A brief description of what happened, including the date of the Breach and date of discovery
      • A description of the types of unsecured PHI involved
      • Any steps individuals should take to protect themselves
      • A brief description of what Business Associate is doing to investigate, mitigate, and prevent further Breaches
  • c. Business Associate shall reasonably cooperate with Covered Entity's investigation and notification obligations under 45 CFR §§164.404, 164.406, and 164.408

4. Obligations of Covered Entity

Covered Entity shall:

  • a. Notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI
  • b. Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI
  • c. Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 CFR §164.522
  • d. Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity
  • e. Provide proper consent and authorization from individuals before sending data to Business Associate for processing

5. Term and Termination

5.1 Term

This BAA is effective as of the Effective Date and continues until the Underlying Agreement is terminated, or until terminated earlier as provided in this BAA.

5.2 Termination for Cause

Either party may terminate this BAA upon written notice if the other party materially breaches this BAA and fails to cure the breach within thirty (30) days of written notice. If cure is not feasible, the non-breaching party may terminate immediately.

5.3 Effect of Termination

Upon termination of this BAA for any reason, Business Associate shall:

  • a. Return or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate maintains in any form
  • b. Retain no copies of PHI, except where return or destruction is not feasible. In such cases:
      • Business Associate shall extend the protections of this BAA to the retained PHI
      • Business Associate shall limit further use and disclosure to those purposes that make return or destruction infeasible
  • c. Provide written certification of return or destruction within sixty (60) days of termination, upon Covered Entity's request

6. Miscellaneous

6.1 Amendment

The parties agree to amend this BAA as necessary to comply with any changes in HIPAA Rules.

6.2 Survival

The respective rights and obligations of Business Associate under Sections 3.4 (Breach Notification) and 5.3 (Effect of Termination) survive termination of this BAA.

6.3 Interpretation

Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA Rules. In the event of a conflict between this BAA and the Underlying Agreement, this BAA controls with respect to PHI.

6.4 No Third-Party Beneficiaries

This BAA is intended for the sole benefit of the parties and creates no rights for any third party.

6.5 Governing Law

This BAA is governed by the laws of the State of Louisiana, except to the extent preempted by HIPAA or other federal law.

6.6 Entire Agreement

This BAA, together with the Underlying Agreement, constitutes the entire agreement of the parties regarding the subject matter hereof.


Signatures

COVERED ENTITY:

Signature: _______________________________

Name: ___________________________________

Title: ___________________________________

Date: ___________________________________

BUSINESS ASSOCIATE: Inxcess LLC, DBA Radarrr

Signature: _______________________________

Name: ___________________________________

Title: ___________________________________

Date: ___________________________________

© 2026 Inxcess LLC