Business Associate Agreement

How Front Desk handles Protected Health Information under HIPAA and the HITECH Act.

Last updated: June 21, 2026 · Version 1.0

This Business Associate Agreement ("BAA") is made and entered into as of the date your Front Desk account is created ("Effective Date") and is between you ("Covered Entity") and Front Desk AI, Inc. ("Business Associate"). This BAA supersedes any previous business associate agreement between the parties and amends, supplements, and is made a part of the Terms of Service by and between Covered Entity and Business Associate (the "Agreement"). This BAA applies only when Business Associate meets the definition of a "business associate" under 45 C.F.R. § 160.103 with respect to Covered Entity.

This BAA governs the use and disclosure of Protected Health Information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), and the regulations and other guidance promulgated thereunder by the U.S. Department of Health and Human Services. The purpose of this BAA is to satisfy the standards and requirements of HIPAA, including but not limited to 45 C.F.R. §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e).

1. Definitions

Terms used but not otherwise defined in this BAA shall have the same meanings as in HIPAA, the HITECH Act, and their implementing regulations. Any inconsistency shall be resolved in favor of a meaning that permits compliance with HIPAA.

  • "Breach" has the meaning set forth in 45 C.F.R. § 164.402.
  • "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as applied to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
  • "Electronic Protected Health Information" or "ePHI" means PHI that is maintained or transmitted electronically.
  • "Security Incident" has the meaning set forth at 45 C.F.R. § 164.304.
  • "Reportable Event" means any (i) use or disclosure of PHI not permitted by this BAA; (ii) Security Incident; or (iii) Breach of Unsecured PHI.
  • "Subcontractor" has the meaning set forth at 45 C.F.R. § 160.103.

2. Permitted Uses and Disclosures of PHI

Except as otherwise limited in this BAA or the Agreement, Business Associate may:

  • Use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as described in the Agreement, provided such use or disclosure would not violate HIPAA if done by Covered Entity.
  • Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities.
  • Disclose PHI for the proper management and administration of Business Associate provided that (i) the disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurances that the information will remain confidential and that any breach of confidentiality will be reported to Business Associate.
  • Use PHI to report violations of law to appropriate federal, state, and local authorities consistent with 45 C.F.R. § 164.502(j).
  • Use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
  • De-identify PHI in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)–(c). De-identified information shall not be considered PHI and may be used by Business Associate for any lawful purpose, including service improvement and analytics.

3. Obligations of Business Associate

3.1 Limited by Agreement and Law

Business Associate may not use or disclose PHI other than as permitted or required by this BAA and the Agreement, or as Required by Law.

3.2 Appropriate Safeguards

Business Associate shall use appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA, and shall comply with the Security Rule and HITECH with respect to ePHI. Such safeguards include, without limitation:

  • AES-256 encryption of data at rest
  • TLS 1.2 or higher for data in transit
  • Role-based access controls (RBAC)
  • Audit logging of PHI access
  • Regular risk assessments and security reviews

3.3 Minimum Necessary

Business Associate agrees that it shall comply with HIPAA's minimum necessary requirements with respect to all uses, disclosures, and requests for PHI.

3.4 Reportable Events and Breach Notification

Business Associate shall report to Covered Entity any Reportable Event of which it becomes aware, without unreasonable delay and in no case later than sixty (60) calendar days after discovery. Routine unsuccessful attempts (e.g., pings, port scans, unsuccessful log-on attempts) shall not require individual notice and may be reported in the aggregate. Such notice shall include, to the extent possible:

  • Identification of each Individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed during the Reportable Event;
  • A description of what happened, including the date of the Reportable Event and the date of discovery;
  • The types of PHI involved;
  • Steps taken to investigate, mitigate, and prevent recurrence;
  • Such other information that Covered Entity would reasonably need to fulfill its notification obligations.

Business Associate shall mitigate, to the extent practicable, any harmful effect of a Reportable Event and shall cooperate with Covered Entity in investigating the event and determining whether it constitutes a Breach of Unsecured PHI.

3.5 Subcontractors

If Business Associate discloses PHI to a Subcontractor or allows a Subcontractor to create, receive, maintain, or transmit PHI on its behalf, Business Associate shall require the Subcontractor to agree in writing to substantially the same restrictions and conditions that apply to Business Associate, in a manner consistent with 45 C.F.R. §§ 164.314(a) and 164.504(e).

3.6 Individual Rights Support

Business Associate agrees to support Covered Entity in fulfilling its obligations to Individuals under HIPAA, including providing access via in-app export to PHI in a Designated Record Set in order to meet Covered Entity's requirements under:

  • 45 C.F.R. § 164.524 (Access to PHI)
  • 45 C.F.R. § 164.526 (Amendment of PHI)
  • 45 C.F.R. § 164.528 (Accounting of Disclosures)
  • 45 C.F.R. § 164.522 (Restrictions on use and disclosure)

Business Associate shall respond to Covered Entity's requests within a commercially reasonable timeframe. In no case shall Business Associate be required to provide such documentation in less than ten (10) business days after receipt of the request. Except as this BAA may otherwise provide, in the event Business Associate receives an access, amendment, accounting, or similar request directly from an Individual, Business Associate will redirect the Individual to Covered Entity. These provisions do not apply if Business Associate and its Subcontractors have no PHI in a Designated Record Set of Covered Entity.

3.7 Governmental Access to Records

Business Associate shall make its internal policies, practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with HIPAA. No attorney-client, accountant-client, or other legal privilege shall be deemed to have been waived by Business Associate by virtue of compliance with this provision.

3.8 Communication with Other Business Associates

In connection with the performance of its services, Business Associate may disclose PHI to other business associates of Covered Entity, and may use and disclose PHI received from other business associates of Covered Entity, as if such PHI originated with Covered Entity. It is the responsibility of Covered Entity to maintain business associate agreements with its other business associates.

4. Obligations of Covered Entity

  • Notice of Privacy Practices. Covered Entity shall notify Business Associate in writing of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI.
  • Notification of Revocations. Covered Entity shall notify Business Associate of any changes in, or revocation of, authorization by an Individual to use or disclose PHI.
  • Notification of Restrictions. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.
  • Permissible Requests. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
  • Minimum Necessary. Covered Entity agrees to provide Business Associate the minimum PHI necessary for Business Associate to provide the services.

5. Term and Termination

5.1 Term

The term of this BAA shall commence as of the Effective Date, be coterminous with the Agreement, and continue in full force and effect from year to year. It shall terminate as of the earliest occurrence of any of the following: (i) the Agreement expires or is terminated; (ii) this BAA is terminated for cause; (iii) the parties mutually agree to terminate this BAA; or (iv) this BAA is terminated under applicable federal, state, or local law.

5.2 Termination for Cause

Upon the non-breaching party's determination of a breach of a material term of this BAA, the non-breaching party shall provide written notice in sufficient detail to enable the breaching party to understand the specific nature of the breach and afford an opportunity to cure. If the breaching party fails to cure within thirty (30) days of receipt of such notice, the non-breaching party may terminate this BAA and the Agreement. If termination is not feasible, the non-breaching party shall report the issue to the Secretary of HHS.

5.3 Effect of Termination

Upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI that Business Associate still maintains in any form and retain no copies. If return or destruction is not feasible, Business Associate shall:

  • Retain only that PHI for which return or destruction is not feasible;
  • Return or destroy the remaining PHI it still maintains;
  • Extend the protections of this BAA to retained PHI, continue to use appropriate safeguards, and comply with the Security Rule and HITECH with respect to ePHI, for as long as Business Associate retains the PHI;
  • Not use or disclose the retained PHI other than for the purposes for which it was retained, subject to the same conditions that applied prior to termination; and
  • Return or destroy the retained PHI if and when it becomes feasible to do so.

This Section 5.3 shall survive termination of this BAA.

6. Liability and Indemnification

Business Associate shall be directly responsible for its own violations of this BAA and applicable law. Each party agrees to indemnify and hold harmless the other party from and against any claims, damages, losses, or expenses (including reasonable attorneys' fees) arising from its own breach of this BAA or negligent acts or omissions, subject to any limitations set forth in the Agreement.

To the extent permitted by applicable law, liability under this BAA shall be subject to the limitations set forth in the Agreement, except that such limitations shall not apply in cases of willful misconduct, gross negligence, or violations of HIPAA.

7. Miscellaneous

7.1 Regulatory References and Amendment

A reference in this BAA to a section in HIPAA means the section as in effect or as amended. Upon the effective date of any federal statute amending or expanding HIPAA, or of any regulations promulgated thereunder, this BAA shall be automatically amended such that the obligations imposed on the parties remain in compliance, unless the parties agree otherwise by mutual consent. Except as provided in this paragraph, no waiver, change, or amendment of any provision of this BAA shall be made unless in writing and signed by the parties.

7.2 Interpretation

Any ambiguity in this BAA shall be resolved in favor of a meaning that permits compliance with HIPAA. In the event of an inconsistency between this BAA and the mandatory terms of HIPAA or interpretations thereof by the Secretary or a court of competent jurisdiction, such interpretation shall prevail.

7.3 Entire Agreement; Effect on the Agreement

This BAA, together with the Agreement, sets forth the entire understanding between the parties and supersedes any previous or contemporaneous understandings regarding the subject matter hereof. To the extent that any term in this BAA is directly contradictory to a term in the Agreement, the term in this BAA shall supersede the contradictory term to the extent necessary to permit compliance with HIPAA.

7.4 Independent Contractors

The parties are independent contractors. Nothing in this BAA is intended to create any relationship between the parties other than that of independent contractors.

7.5 No Third-Party Beneficiaries

Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities upon any person other than Covered Entity, Business Associate, and their respective successors and assigns.

7.6 Severability

The provisions of this BAA shall be severable. The invalidity or unenforceability of any provision shall not affect the validity and enforceability of the remaining provisions.

7.7 Data Location

All PHI is processed and stored within the United States using HIPAA-eligible cloud infrastructure (Amazon Web Services).

7.8 Governing Law

This BAA shall be construed, administered, and governed by the governing law set forth in the Agreement, except to the extent preempted by applicable federal law.

7.9 Notices

All notices to Business Associate shall be in writing, delivered by email to compliance@frontdesk.care or by mail to Front Desk AI, Inc., c/o Compliance Manager. All notices to Covered Entity shall be by email to the email address provided upon account creation. Each party reserves the right to change its address for receiving notice during the term of this BAA upon written notice to the other party.

Questions about this BAA? Email compliance@frontdesk.care. For our overall HIPAA program, see our HIPAA Compliance page.