Resources

Business Associate Agreement

Approva executes a HIPAA business associate agreement with each ASC or covered entity before any protected health information is exchanged. The standard BAA is included with every engagement; custom terms are available on request.

What the BAA covers

The agreement governs Approva's handling of PHI on behalf of covered entities — ambulatory surgery centers and their affiliated providers — and tracks the required elements of 45 CFR 164.504(e).

  • Permitted uses and disclosures of PHI.
  • Appropriate administrative, physical, and technical safeguards consistent with the HIPAA Security Rule.
  • Reporting of unauthorized use or disclosure, including security incidents and breaches.
  • Subcontractor flow-down: any subcontractor handling PHI on Approva's behalf signs a BAA with terms no less stringent.
  • Individual rights support: access, amendment, and accounting of disclosures.
  • HHS access to internal practices, books, and records for compliance review.
  • Return or destruction of PHI on termination, or extended protections where return or destruction is infeasible.
  • Termination for material breach.

Breach notification

Approva notifies the covered entity of a discovered breach without unreasonable delay and in no case later than 30 calendar days from discovery. The window is built to give the covered entity room to meet the HITECH 60-day individual-notice deadline.

Standard terms

Standard terms apply by default; custom terms are available on request. To review or execute the standard agreement, request the template at hello@approva.health or through the request the standard BAA template path. Standard BAA v1, effective May 2026.

Security posture

For a full overview of the technical and administrative controls that support our BAA commitments, see the security and compliance page.