Trust

HIPAA & BAA

Notifirm is your HIPAA Business Associate. Here is the agreement, the safeguards behind it, and how to get your signed BAA.

Last updated June 20, 2026

HIPAA from day one

Notifirm was built HIPAA-ready from the first line of code, not bolted on later. Every appointment detail, phone number, and reply that runs through Notifirm is treated as protected health information and handled accordingly.

When your practice uses Notifirm, your practice is the Covered Entity and Notifirm is your Business Associate. We handle protected health information solely to provide the service, on your instructions, under a signed Business Associate Agreement.

The Business Associate Agreement

A Business Associate Agreement, or BAA, is the contract HIPAA requires between a Covered Entity and the vendors that handle its protected health information. Our BAA sets out how we may use and protect your data, our duty to safeguard it, and what happens if something goes wrong.

A signed BAA is included on every Notifirm plan. You do not have to be on an enterprise tier to get one. We countersign before any real patient data is loaded.

Safeguards we maintain

We maintain administrative, technical, and physical safeguards, including:

  • Encryption of protected health information in transit and at rest.
  • Access to patient data only through authenticated application servers, with direct client access denied by default.
  • Role-based access and the principle of least privilege for our own team, with access reviewed regularly.
  • Audit logging of access to sensitive data so activity can be traced.
  • Always-on infrastructure with no public database exposure.
  • Workforce training and confidentiality obligations for everyone who can reach production systems.

Subprocessors under a BAA

We rely on a small set of infrastructure providers. Every provider that may touch protected health information has signed a BAA with us:

  • Google Cloud: hosting, authentication, database, and file storage. Covered by a BAA.
  • Amazon Web Services (SES): transactional email delivery. Covered by a BAA.
  • Telnyx: two-way SMS delivery. Covered by a BAA.

Stripe processes your practice's subscription billing only. It does not receive patient health information, so a BAA is not required for it. We keep this list current as our infrastructure evolves.

Breach notification

If a breach of unsecured protected health information were ever to occur, we would investigate, contain it, and notify your practice without unreasonable delay and within the timelines our BAA and HIPAA require, with the information you need to meet your own notification duties.

What your practice handles

HIPAA is a shared responsibility. Notifirm secures the platform, and your practice governs how it is used. As the Covered Entity, your practice is responsible for:

  • Obtaining the patient consent required to send reminders and messages.
  • Managing who on your team has a Notifirm account and what they can see.
  • Using strong, unique passwords and protecting sign-in credentials.
  • Making sure the patient contact details you load are accurate and authorized.

How to get your signed BAA

Starting a trial does not require patient data, so you can explore Notifirm right away. When you are ready to go live, request your BAA and we will get it signed before any real patient information is loaded. Email security@notifirm.com or ask your contact during onboarding.

Security contact

For security, compliance, or BAA questions, reach our security team at security@notifirm.com. We respond to security inquiries within two business days.

Questions about this page?

Reach our team at privacy@notifirm.com and we will get back to you within two business days.