BAA on every engagement
Six principles
Every iDENTIFY engagement begins with a signed Business Associate Agreement before any patient data flows. Every third-party vendor we use is also BAA-covered.
All data in transit uses TLS 1.3. All data at rest is AES-256 encrypted. No PHI is ever transmitted via unencrypted email, SMS, or chat.
We only collect, store, and process the minimum patient information required to deliver each service. Marketing campaigns never receive PHI.
Role-based access for every team member. MFA enforced on every account that touches your systems. Quarterly access reviews on every active engagement.
Every change to your campaigns, integrations, or content is logged. Practice owners can request the audit log at any time.
Our compliance posture is reviewed annually by an independent third-party assessor. Findings drive the following year's roadmap.
Vendor stack
We will not put your practice on a vendor we have not vetted. Every third party in our delivery chain is BAA-covered and reviewed annually. Below is the current core stack.
| Capability | Vendor | Purpose |
|---|---|---|
| Call tracking | CallRail (BAA) | Inbound call attribution + recording |
| AI voice | OneClickAi (BAA) | Patient call answering + booking |
| CRM | HubSpot (BAA, paid) | Lead pipeline management |
| Review automation | Birdeye (BAA) | HIPAA-compliant review requests |
| | Postmark (BAA) | Transactional email |
| Hosting | AWS (BAA) | Application + data hosting |
The vendor stack is reviewed quarterly. Updates are communicated to active clients before any change goes live.
Most healthcare-conscious owners want to see the paperwork before they invest the audit hour. We respect that. Ask on the form and the BAA will be in your inbox within an hour.