How we vet, contract with, and monitor business associates that touch PHI — and our standards for workforce training.
Currently in effect: v2.0
Effective 2026-05-13 — Added explicit AI-vendor BAA requirement and 'no PHI for model training' clause.
Current policy (v2.0)
Any subprocessor that touches PHI — EHR, hosting, payments, telehealth, e-prescribing, lab interfaces, secure messaging, and AI assistants — signs a Business Associate Agreement (BAA) before any PHI is shared with it.
We do not allow vendors to use PHI to train general-purpose AI models. Where AI features are used internally, they run through HIPAA-eligible providers under a BAA, with prompts and outputs subject to the same access controls and audit logging as the rest of your record.
Workforce members complete HIPAA privacy and security training at hire and annually thereafter. We maintain written policies for sanctions, contingency planning, data backup, and disaster recovery.
Change history
Each revision is preserved for transparency. Older versions describe the practices in place at the time they were effective.
- v2.0 (current)
Added explicit AI-vendor BAA requirement and 'no PHI for model training' clause.
- Required BAAs for any AI vendor that could process PHI, including LLM providers used for summarization or coding.
- Prohibited use of PHI to train general-purpose AI models by any vendor.
- Made categories of business associates available on request.
- v1.0
Initial published policy.
Questions about this policy? Contact privacy@rootedhealthmember.com or use our security contact page.