Business Associate Agreement
ApprovalHelp signs a Business Associate Agreement (BAA) with every paid practice. Our default BAA is HIPAA §164.504(e) compliant and ships standard with every subscription — no sales call, no upcharge.
How to get our BAA
- Self-serve tiers (Independent, Practice Starter, Practice Growth, Practice Chart): BAA is countersigned during onboarding right after Stripe checkout — you click through the BAA before your first PHI upload. Stored in your account.
- Enterprise: we can sign your BAA on your paper. Email enterprise@approvalhelp.com.
- Before signup: if you need to review the BAA before paying, email hello@approvalhelp.com and we’ll send you a PDF the same business day.
Subprocessors
We use a small, intentional set of HIPAA-covered subprocessors. All have signed BAAs with DenialHelp, LLC (the parent operator of ApprovalHelp):
- Amazon Web Services — Lightsail (TLS terminator), S3 (encrypted backups), SES (transactional email), Textract (OCR). BAA signed 2026-05-08.
- Stedi — 270/271 eligibility clearinghouse. BAA self-serve, signed.
- Paubox — HIPAA transactional email API. BAA signed 2026-05-16.
- Stripe — payment processing (no PHI; only payment metadata).
- Cloudflare — DNS + edge proxy (no PHI in path; encrypted transit only).
Our security posture in one paragraph
PHI is encrypted at rest on a LUKS volume (AES-XTS). Application data lives in an encrypted SQLite database (better-sqlite3-multiple-ciphers). PHI access is audit-logged (HIPAA §164.312(b)) with a 6-year retention window. Any text containing PHI that is sent to an LLM passes through a redact → gate → de-identification pipeline before it leaves our server. Audio for the ambient scribe is transcribed on our own servers (self-hosted Whisper) and the audio file is discarded after transcription. See /security for the full technical detail.
Questions
Privacy Officer: Michael Ryan. Email hello@approvalhelp.com for anything BAA-related.