← Back to home

Business Associate Agreement

Last updated April 19, 2026

What is a BAA?

Under HIPAA, a covered entity (such as a telehealth clinic) must have a written Business Associate Agreement ("BAA") in place with any service provider that receives, creates, or transmits protected health information ("PHI") on the covered entity's behalf.

RxRouter as a Business Associate

RxRouter, Inc. operates as a Business Associate under HIPAA when processing PHI on behalf of covered-entity tenant clinics. A signed BAA is required before any PHI is transmitted through the Platform.

Scope of our BAA

The RxRouter BAA covers all services provided through the Platform, including:

What our BAA includes

Our standard BAA addresses the required HIPAA provisions including permitted and required uses and disclosures, safeguard obligations, breach-notification procedures, subcontractor flow-down, and termination provisions. Non-standard modifications are handled during enterprise onboarding.

How to execute a BAA

Tenants who require a BAA should contact their RxRouter account representative or email compliance@rxrouter.ai. We send the draft BAA for countersignature and return the executed copy, typically within two business days.

Production activation

BAA execution is a prerequisite for production tenant activation. Sandbox environments use synthetic test data and do not require a BAA.

Subprocessor transparency

A current list of subprocessors used by RxRouter is available on request. We notify tenant compliance contacts of material subprocessor changes at least 30 days before they take effect.

Breach notification

In the event of a discovered breach involving a tenant's PHI, we follow the notification procedures set out in the executed BAA, including prompt written notice to the tenant compliance contact and full cooperation with the tenant's internal investigation.

Contact

To request a BAA, email compliance@rxrouter.ai.