Notifirm is your HIPAA Business Associate. Here is the agreement, the safeguards behind it, and how to get your signed BAA.
Notifirm was built HIPAA-ready from the first line of code, not bolted on later. Every appointment detail, phone number, and reply that runs through Notifirm is treated as protected health information and handled accordingly.
When your practice uses Notifirm, your practice is the Covered Entity and Notifirm is your Business Associate. We handle protected health information solely to provide the service, on your instructions, under a signed Business Associate Agreement.
A Business Associate Agreement, or BAA, is the contract HIPAA requires between a Covered Entity and the vendors that handle its protected health information. Our BAA sets out how we may use and protect your data, our duty to safeguard it, and what happens if something goes wrong.
A signed BAA is included on every Notifirm plan. You do not have to be on an enterprise tier to get one. We countersign before any real patient data is loaded.
We maintain administrative, technical, and physical safeguards, including:
We rely on a small set of infrastructure providers. Every provider that may touch protected health information has signed a BAA with us:
Stripe processes your practice's subscription billing only. It does not receive patient health information, so a BAA is not required for it. We keep this list current as our infrastructure evolves.
If a breach of unsecured protected health information were ever to occur, we would investigate, contain it, and notify your practice without unreasonable delay and within the timelines our BAA and HIPAA require, with the information you need to meet your own notification duties.
HIPAA is a shared responsibility. Notifirm secures the platform, and your practice governs how it is used. As the Covered Entity, your practice is responsible for:
Starting a trial does not require patient data, so you can explore Notifirm right away. When you are ready to go live, request your BAA and we will get it signed before any real patient information is loaded. Email security@notifirm.com or ask your contact during onboarding.
For security, compliance, or BAA questions, reach our security team at security@notifirm.com. We respond to security inquiries within two business days.
Reach our team at privacy@notifirm.com and we will get back to you within two business days.