JamEMR

Trust Center

Business Associate Agreements

JamEMR executes a Business Associate Agreement with each covered entity before any PHI is handled — no exceptions. This page explains what a BAA is, what ours covers, and how to request one through [email protected].

What a BAA is

Under HIPAA, a covered entity (such as a medical practice) may share protected health information with a vendor only if that vendor — the “business associate” — is bound by a Business Associate Agreement. The BAA is the contract that makes the vendor legally accountable for safeguarding PHI: it defines permitted uses, required safeguards, breach notification duties, and what happens to the data when the relationship ends.

A vendor that will touch PHI and does not offer a BAA is a vendor you cannot lawfully use. JamEMR treats the BAA as a hard precondition, not paperwork to catch up on later.

When JamEMR signs one

Before any PHI is handled. No exceptions.

This is enforced by how our pilots actually run: pilot deployments operate on synthetic (non-real-patient) data until a practice’s compliance prerequisites are complete — and an executed BAA is one of those prerequisites. There is no interim period in which JamEMR holds real patient data without a BAA in place.

What our BAA covers

  • Permitted uses and disclosures — JamEMR may use PHI only to provide the contracted services to the covered entity.
  • Safeguards — our commitment to administrative, physical, and technical safeguards, consistent with the controls described across this Trust Center (see HIPAA, Encryption, Access Controls).
  • Breach notification — notification to the covered entity of a breach of unsecured PHI without unreasonable delay and within the timelines the BAA specifies (see Incident Response).
  • Subcontractors — any subcontractor handling PHI must be bound by equivalent terms. In practice this obligation is small by design: clinical AI runs locally, and no subprocessor receives PHI for clinical AI processing (see Subprocessors).
  • Access and accounting support — assistance with the covered entity’s obligations around individual access to records and accounting of disclosures, supported by our audit logging.
  • Return or destruction of PHI at termination of the agreement.

How to request one

Contact [email protected]. We provide our standard BAA for your compliance team’s review as part of pilot onboarding, and we are happy to walk through any provision with your privacy officer or counsel. Questions about the agreement’s privacy terms can also go to [email protected].
