HIPAA Compliant
Business Associate Agreement
FormRx includes a HIPAA Business Associate Agreement with every subscription — at no extra cost. No enterprise tier required.
Included with Every Plan
Unlike many healthcare SaaS products that charge extra for HIPAA compliance or restrict BAAs to enterprise tiers, FormRx includes a signed BAA with every subscription. This is a core part of our service, not an add-on.
What Our BAA Covers
- Document Processing: All clinical documents uploaded to FormRx (clinic notes, imaging reports, lab results, forms) are covered under the BAA.
- Storage: PHI is encrypted at rest (AES-256) on AWS infrastructure covered by the AWS BAA.
- Transmission: Fax and email transmission of clinical documents is covered, including through our fax provider (Documo), which maintains a separate BAA with FormRx.
- AI Processing: Clinical data processed by AI models runs through AWS Bedrock under zero-data-retention agreements. No clinical data is used for model training.
- Data Retention: PHI is retained while your subscription is active. After cancellation, all data is deleted within 30 days.
Our Infrastructure
- All data processed and stored on AWS (US-West-2 region)
- AWS BAA covers all AWS services used by FormRx
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Full audit logging with 7-year retention
- 15-minute session timeout
- Role-based access control
Download BAA Template
Review our standard Business Associate Agreement. This BAA is electronically signed during account setup.
For questions or to discuss specific compliance requirements, contact us:
Aether Practice Solutions Inc.