HIPAA Notice & Business Associate Agreement

For healthcare clients and the patients they serve, this page explains how Clear AI Studio handles protected health information (PHI), the safeguards we configure, and how to request a Business Associate Agreement (BAA) before any PHI is processed through our platform.

Effective Date: January 01, 2026
Last Updated: June 02, 2026
Applies To: Covered entities & their patients

Section 01

Who This Applies To

This notice applies to clients who are covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA) — for example, dental practices, medical spas, chiropractors, mental health providers, and similar healthcare businesses — and to the patients whose information those clients handle.

If your business does not handle PHI, HIPAA configuration is not required for your account. If you are unsure whether you are a covered entity, consult your compliance advisor before processing any patient data through our platform.

Section 02

Our Role as a Business Associate

When Clear AI Studio handles PHI on behalf of a covered entity — for example, by answering patient calls, sending appointment reminders, or managing patient records inside the platform — we act as a business associate as defined under HIPAA (45 CFR § 160.103).

In that role, we will only use or disclose PHI as permitted by a signed Business Associate Agreement and applicable law, and we will require our own service providers (subcontractors) that may touch PHI to provide equivalent protections.

Section 03

Safeguards We Provide

For HIPAA-configured accounts, we implement administrative, technical, and physical safeguards consistent with the HIPAA Security Rule, including:

  • Encryption of data in transit and at rest where supported by our platform partners
  • Access controls limiting who can view patient records, on a minimum-necessary basis
  • Audit logging of access to systems that store PHI
  • Configuration that keeps PHI out of SMS message content (see Section 4)
  • Business Associate Agreements with platform partners that process PHI on our behalf

✦ Configured, Not Assumed

HIPAA safeguards are applied to accounts we set up as HIPAA-compliant. A standard account is not HIPAA-configured by default. Do not send patient information through your account until we have confirmed your HIPAA configuration and a BAA is in place.

Section 04

PHI in Messaging & Calls

  • SMS content on HIPAA-configured programs does not include PHI — appointment messages reference dates and times only, never diagnoses, treatments, or procedures
  • Voice AI interactions for healthcare clients are configured to avoid capturing or disclosing unnecessary PHI
  • Call recordings, where used, are handled under the safeguards and retention terms in the BAA
  • Patients should never be asked to send sensitive health details over SMS

Section 05

The Business Associate Agreement (BAA)

Before any PHI is processed through our platform, we enter into a written BAA with the covered entity. The BAA governs permitted uses and disclosures of PHI, required safeguards, breach notification obligations, subcontractor requirements, and the return or destruction of PHI at the end of the engagement, in accordance with 45 CFR §§ 164.502(e) and 164.504(e).

A signed BAA is a prerequisite for healthcare clients — it is not optional.

Section 06

Breach Notification

If we discover a breach of unsecured PHI, we will notify the affected covered entity without unreasonable delay and within the timeframes required by the BAA and the HIPAA Breach Notification Rule, and we will cooperate with the covered entity's investigation and notification obligations.

Section 07

Client Responsibilities

HIPAA compliance is a shared responsibility. As the covered entity, you remain responsible for:

  • Obtaining any patient authorizations required for the communications you send
  • Ensuring your own staff and practices comply with HIPAA
  • Configuring message content and workflows so they do not expose PHI beyond the minimum necessary
  • Notifying us promptly of any suspected incident involving PHI on the platform

We configure the technical safeguards; the covered entity remains responsible for overall regulatory compliance.

Section 08

Subcontractors

We use trusted platform partners — such as our CRM/automation and messaging infrastructure providers — that may process PHI on our behalf. Where they do, we require them to enter into business associate agreements (or equivalent obligations) that protect PHI to the same standard required of us.

Section 09

Request a BAA

✓ Healthcare Client? Start Here

Email [email protected] with the subject "BAA Request" to begin. We will provide our Business Associate Agreement and walk you through the HIPAA configuration before any patient data is processed.

Company: Clear AI Studio, LLC
Address: PO Box 22074, Louisville, KY 40252, United States
Phone: +1 (502) 497-2300
Email: [email protected]

This page is provided for information and does not constitute legal advice. HIPAA obligations depend on your specific circumstances; consult qualified counsel for your practice.