Compliance
Business Associate Agreement
HIPAA requires that any service handling Protected Health Information (PHI) on behalf of a covered entity operate under a Business Associate Agreement. Notive's BAA is included with every paid plan and is accepted as part of the clinician registration process.
Our BAA is modeled on the HHS Model Business Associate Agreement and is integrated into our Notive Clinician Agreement as Appendix A.
How the BAA is executed.
The BAA is part of the Notive Clinician Agreement that every practice accepts during registration. There is no separate document to sign or request — it is built into the onboarding flow.
1. The practice owner creates a Notive account and selects a paid plan.
2. During registration, the Notive Clinician Agreement is presented, which includes the Business Associate Agreement as Appendix A.
3. The practice owner reviews and accepts the agreement, including the BAA, before accessing the platform.
4. The executed agreement is available for download from your organization settings at any time.
What our BAA covers.
Key commitments Notive makes as your Business Associate under HIPAA.
Use and disclosure restrictions
Notive will use and disclose PHI only as permitted by the BAA, the underlying service agreement, or as required by law. PHI is limited to the minimum necessary for each use.
Administrative, physical, and technical safeguards
Notive implements safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI — including encryption at rest and in transit, role-based access control, and multi-factor authentication.
Breach notification
Notive will notify you of any Breach of Unsecured PHI no later than 30 calendar days after discovery, in accordance with 45 CFR §164.410. Notive will reimburse costs imposed on you as a result of a Breach committed by Notive.
Security incident reporting
Notive will report any Security Incident affecting Electronic PHI, and any unauthorized use or disclosure of PHI, within five business days of becoming aware of the event.
Subcontractor obligations
Any subcontractor with access to PHI (e.g., Anthropic, Deepgram, DoseSpot) is bound by equivalent privacy and security restrictions under their own BAAs with Notive.
Individual access rights
Notive will make PHI available to support your obligations under the HIPAA Privacy Rule, including individual access requests, amendment requests, and accounting of disclosures.
Audit and compliance
Notive will make its internal practices, books, and records available to the HHS Secretary for compliance review. Independent compliance reports are available upon request.
Termination and return of PHI
Upon termination, Notive will return or destroy all PHI in its possession, retaining only what is required by law. Data export assistance is provided for 90 days following termination.
Subprocessors with PHI access.
The following third-party services may process PHI as part of Notive's operation. Each operates under a BAA with Notive.
Notive will notify you of any new subcontractors with PHI access within 30 calendar days of execution by posting notice on this page.
Need a copy of our BAA?
The BAA is included with every paid plan and accepted during registration. If you need a copy for your records before signing up, contact us.
For questions about HIPAA compliance, subprocessors, or our security practices, see our Security page or reach out directly.