1. Purpose and Scope
This Business Associate Agreement ("BAA") is entered into between Aide Inc. ("Business Associate") and the dental practice or organization ("Covered Entity") that accepts these terms by creating or maintaining an account on the Aide platform. This BAA supplements and is incorporated into the Aide Terms of Service and governs the handling of Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.
2. Definitions
Protected Health Information (PHI)
Any individually identifiable health information that Aide creates, receives, maintains, or transmits on behalf of the Covered Entity in connection with the provision of services, including but not limited to patient names, phone numbers, appointment details, and call transcripts.
Business Associate Services
Aide acts as a Business Associate when providing AI call answering, SMS appointment reminders, review generation, and related analytics dashboard services that involve the processing of PHI on behalf of the Covered Entity.
Breach
The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA that compromises the security or privacy of such information.
3. Permitted Uses and Disclosures
Aide may use and disclose PHI only as necessary to provide the contracted services to the Covered Entity, as required by law, or as otherwise permitted under this BAA. Aide will not use or disclose PHI in a manner that would violate HIPAA if done by the Covered Entity. Aide will not use PHI for its own independent purposes, marketing, or to train AI models without the explicit written consent of the Covered Entity.
4. Safeguards
- Implement administrative, physical, and technical safeguards to protect PHI from unauthorized use or disclosure
- Encrypt PHI in transit using TLS 1.2 or higher and at rest using AES-256 encryption
- Maintain role-based access controls limiting PHI access to authorized personnel only
- Conduct regular security risk assessments and remediate identified vulnerabilities
- Maintain audit logs of access to PHI and review them regularly
- Ensure all workforce members receive HIPAA privacy and security training
5. Subcontractors
Aide may disclose PHI to subcontractors and agents necessary to perform its services, including Twilio (telephony), Anthropic (AI processing), Retell AI (voice), Supabase (database), and Stripe (billing). Aide will obtain written assurances from each subcontractor that they will safeguard PHI in a manner consistent with HIPAA requirements and this BAA. Aide remains responsible for the actions of its subcontractors with respect to PHI.
6. Individual Rights
- Provide access to PHI maintained in a Designated Record Set to the Covered Entity within 15 business days of request
- Amend PHI in a Designated Record Set upon direction from the Covered Entity
- Document and make available an accounting of disclosures of PHI as required by HIPAA
- Incorporate any amendments to PHI into copies of PHI maintained by Aide
7. Reporting Obligations
Aide will report to the Covered Entity any use or disclosure of PHI not provided for under this BAA, including any Breach of Unsecured PHI, as soon as reasonably practicable and no later than 10 business days after discovery. Aide will provide the Covered Entity with the information required under the HIPAA Breach Notification Rule to notify affected individuals and, where applicable, the Secretary of Health and Human Services and the media.
8. Minimum Necessary Standard
Aide will request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the request, use, or disclosure. Aide will implement policies and procedures to limit access to PHI to those workforce members who need access to perform their job duties.
9. Term and Termination
Term
This BAA is effective upon account creation or acceptance of the Terms of Service and remains in effect for the duration of the service agreement between the parties.
Termination for Cause
Either party may terminate this BAA upon 30 days' written notice if the other party materially breaches any provision of this BAA and fails to cure such breach within the notice period.
Effect of Termination
Upon termination, Aide will, at the Covered Entity's direction, return or destroy all PHI received from or created on behalf of the Covered Entity. If return or destruction is not feasible, Aide will extend the protections of this BAA to the PHI and limit further use or disclosure to those purposes that make return or destruction infeasible.
10. Covered Entity Obligations
- Obtain all necessary patient authorizations and consents required by HIPAA and applicable law before using Aide services
- Notify Aide of any restriction on the use or disclosure of PHI agreed to with a patient that may affect Aide's services
- Notify Aide of any changes in, or revocation of, patient authorization that may affect Aide's use or disclosure of PHI
- Not request Aide to use or disclose PHI in any manner that would not be permissible under HIPAA
- Ensure that the practice staff using the Aide dashboard is trained on HIPAA privacy practices
11. Miscellaneous
This BAA is governed by federal law and, to the extent applicable, the laws of the State of Delaware. In the event of any conflict between this BAA and the Terms of Service, this BAA controls with respect to PHI. Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA. Neither party may assign its rights or obligations under this BAA without the prior written consent of the other party, except in connection with a merger or acquisition.
12. Contact
For questions about this BAA or to submit a privacy request, email privacy@revvai.com. For breach reporting or urgent privacy matters, use the same address with "URGENT — HIPAA" in the subject line.