Business Associate Agreement (BAA)

For healthcare organizations requiring HIPAA compliance

What is a BAA?

A Business Associate Agreement (BAA) is a contract required by HIPAA between a covered entity — such as a healthcare provider, health plan, or healthcare clearinghouse — and a business associate (like CheapRX.AI) that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of the covered entity. The BAA establishes the permitted uses and disclosures of PHI, requires safeguards to prevent unauthorized use, and ensures regulatory compliance.

Our HIPAA Security Controls

CheapRX.AI implements the following technical, administrative, and physical safeguards:

  • AES-256-GCM encryption of medication data at rest
  • TLS encryption of all data in transit
  • IP anonymization using hashed values with a daily-rotating salt
  • Comprehensive audit logging of all PHI access events
  • Role-based access controls with organizational data isolation
  • Automatic session timeout after 30 minutes of inactivity
  • Regular security assessments and vulnerability scanning
  • Incident response procedures with defined breach notification timelines
  • Data export and deletion capabilities for users and organizations
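
As an added illustration of the "hashed values with a daily-rotating salt" control listed above (this is example code, not CheapRX.AI's implementation; the master secret, the HMAC-based salt derivation and the 128-bit truncation are assumptions), the following shows how an IP address can be pseudonymized so that it stays linkable within one day but not across days:

```python
import hashlib
import hmac
import ipaddress
from datetime import date

# Constructed example secret. In a real deployment this comes from a
# secret manager and is never checked into source code.
MASTER_SECRET = b"constructed-example-master-secret"


def daily_salt(day: date, master_secret: bytes = MASTER_SECRET) -> bytes:
    """Derive the salt for one calendar day from a long-lived secret.

    Deriving the salt (rather than generating and storing a random one each
    day) means no per-day values need to be persisted, and knowing today's
    salt does not reveal yesterday's.
    """
    label = b"ip-salt:" + day.isoformat().encode()
    return hmac.new(master_secret, label, hashlib.sha256).digest()


def pseudonymize_ip(ip: str, day: date, master_secret: bytes = MASTER_SECRET) -> str:
    """Return a hex pseudonym for `ip` that is stable only within `day`.

    Raises ValueError for input that is not an IP address, so malformed
    values are rejected instead of being silently hashed.
    """
    # Canonicalise first so that textual variants of the same address
    # (e.g. "2001:db8::1" vs "2001:DB8:0:0:0:0:0:1") hash identically.
    canonical = str(ipaddress.ip_address(ip.strip())).encode()
    digest = hmac.new(daily_salt(day, master_secret), canonical, hashlib.sha256).hexdigest()
    # Keep 128 bits: ample for collision-free correlation in audit logs,
    # shorter to store and index.
    return digest[:32]


if __name__ == "__main__":
    today, tomorrow = date(2024, 1, 1), date(2024, 1, 2)
    print(pseudonymize_ip("203.0.113.7", today))
    print(pseudonymize_ip("203.0.113.7", tomorrow))  # differs from the line above
```

Because the keyed hash uses a secret, an attacker who obtains the logs cannot rebuild the mapping by hashing the whole IPv4 space, which an unkeyed or fixed-salt hash would allow.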

BAA Coverage

What the BAA Covers

  • Storage of encrypted medication data (drug names, dosages, quantities)
  • Email delivery of price alerts and savings reports (via SendGrid)
  • Enneagram personality data (when used within healthcare organizations)
  • Organization member directory data

What the BAA Does NOT Cover

  • Anonymous drug price searches (not linked to user identity)
  • Third-party pharmacy websites (when users click through to pharmacies)
  • Google AdSense advertising
  • Publicly available drug pricing data

Request a BAA

Complete the form below and our team will reach out within 2 business days to discuss your BAA requirements.

Our Subprocessors

The following third-party services may process data as part of the Service:

Google Cloud Platform

Database hosting and compute infrastructure. All data encrypted at rest. SOC 2 Type II, ISO 27001, HIPAA compliant.

Stripe

Payment processing. Processes billing information for paid plans. PCI DSS Level 1 certified. Does not receive health data.

SendGrid

Email delivery. Processes email addresses and delivers price alerts, savings reports, and account notifications. SOC 2 Type II compliant.

PostHog

Anonymized product analytics. Receives only anonymized usage events. No PHI or PII is transmitted to PostHog.

Cloudflare

CDN and DDoS protection. Processes network traffic for performance and security. SOC 2 Type II, ISO 27001 compliant.

Contact