Log inTalk to usSee a demo
HIPAA & BAA

Our Business Associate Agreement

Last updated: June 11, 2026

What a BAA is — and why it comes first

Under HIPAA, a medical practice (the covered entity) may share protected health information (PHI) with a vendor only when that vendor — the business associate — is bound by a Business Associate Agreement. The BAA makes the vendor's privacy and security obligations contractual and enforceable, not aspirational.

Appelo executes a BAA with every covered entity before any PHI flows into the service. No BAA, no PHI — there is no configuration of Appelo that processes patient data without one. We also execute BAAs with business associates (such as billing companies) that use Appelo on behalf of their covered-entity clients.

What our BAA covers

  • Permitted uses and disclosures. We use PHI only to provide the Appelo service to you — preparing appeals, documentation checks, and prior-auth packets for your team's review — and for no other purpose. We never sell PHI and never use it for advertising or to train machine-learning models.
  • Safeguards. Administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including encryption in transit and at rest and role-based, least-privilege access. See our Security page for specifics.
  • Minimum necessary. Our systems and personnel access only the PHI required to do the work.
  • Breach notification. We notify you of any breach of unsecured PHI without unreasonable delay and within the timelines the BAA specifies, with the detail you need to meet your own notification obligations.
  • Subcontractors. Any subcontractor that may touch PHI is bound by a written agreement at least as protective as our BAA with you, as HIPAA requires.
  • Access, amendment, and accounting. We support your obligations to provide patients access to their PHI, make amendments, and account for disclosures.
  • Audit support. Every AI draft and every human approval in Appelo is logged and exportable, supporting your compliance reviews and ours.
  • Termination, return, and destruction. When the relationship ends, PHI is returned or destroyed as you direct, and the BAA's protections survive for any PHI that must be retained by law.

How to request and execute our BAA

  • Request it. Email [email protected] with the subject “BAA request” and your organization's name. We'll send our standard BAA template the same business day.
  • Review it. Your compliance officer or counsel reviews the template. We're glad to walk through it together and to consider reasonable redlines.
  • Sign before onboarding. The BAA is executed before implementation begins — it's a standard, included step of every Appelo rollout, at no extra cost.

Prospects running a formal security review can also request our SOC 2 Type II report (available under NDA) through the same address.

This page summarizes our standard BAA in plain language; the executed agreement is the controlling document. It's provided in good faith and isn't a substitute for advice from your counsel. Questions? Email [email protected].

Request our BAAReview our security