Safeguarding protected health information (PHI) is a foundational responsibility for every Covered Entity and Business Associate operating under HIPAA. BastionGPT is built from the ground up to meet that responsibility, which is why a Business Associate Agreement is already baked into our standard terms of service. Any healthcare organization using our platform is automatically covered by the FortaTech Security HIPAA Business Associate Agreement, along with the administrative, physical, and technical safeguards required to keep patient data protected. You can review the full BAA directly on our site here before you ever sign up.
This default inclusion is one of the reasons clinicians, group practices, and health systems consider BastionGPT the leading HIPAA compliant AI assistant. Rather than forcing customers to chase down paperwork or negotiate separate contracts before they can safely use AI for medical documentation, charting, or clinical workflows, we ensure compliance coverage is in place from day one. That means physicians, nurses, therapists, and administrative staff can begin drafting notes, summarizing records, and handling PHI-adjacent tasks with confidence that the legal framework is already established.
For organizations that require additional documentation, BastionGPT can provide a separately signed BAA via DocuSign. This is often useful for compliance officers, procurement teams, and IT administrators who need a countersigned copy on file for internal audits, vendor risk assessments, or accreditation reviews. To request one, simply email [email protected] and our team will coordinate the signing process. The agreement mirrors the terms already included in our standard service, so there are no surprises or gaps in coverage.
How fast will I receive my countersigned BAA?
Request a countersigned DocuSign copy by emailing [email protected] or asking in this chat, and include the name and email address it should be issued to. Signed BAAs are sent within one business day, and most go out within 30 minutes of the request.
The AI told me there is no BAA. Why?
AI language models cannot see the contracts a company signs, so if you ask the AI inside BastionGPT (or any AI tool) about our legal agreements, it may answer incorrectly. The facts: every BastionGPT plan includes our HIPAA Business Associate Agreement, you agreed to it electronically at signup, and a countersigned copy is available on request as described above.
Enterprise customers with more specialized legal requirements have additional flexibility. Larger hospital systems, academic medical centers, behavioral health networks, and multi-site practices occasionally need to align vendor agreements with their own compliance frameworks or existing contract templates. For these organizations, BastionGPT offers custom or redline BAAs that can be tailored to specific institutional language. Organizations that work with student records can also review FERPA compliance for school settings.
Do I need to sign anything before I can use BastionGPT with patient data?
No. When you create your BastionGPT account and accept the terms of use, you electronically agree to our HIPAA Business Associate Agreement at the same time. Your coverage is in place from day one, before you enter any patient information. There is no separate form to request, no waiting period, and no countersignature required for the protection to apply. When you are ready to work with real records, see our guidance on uploading patient records safely.
Every BastionGPT customer is covered this way. If your compliance or legal team wants a traditionally signed copy for its vendor files, the DocuSign option described above provides one, and the terms are identical to the agreement you accepted at signup.
Is the BAA included in every plan?
Yes. Because we serve healthcare exclusively, every plan we offer includes the HIPAA Business Associate Agreement. There is no BastionGPT plan or service without it, no separate HIPAA application, and no additional fee. It is all included in your subscription pricing.
Does the BastionGPT API include the same HIPAA coverage?
Yes. When you register for API access, accepting our terms of use incorporates the same HIPAA agreements that cover the rest of our services. Anything you build on the BastionGPT API carries the same contractual protections as the BastionGPT assistant itself.
What does the BAA actually commit BastionGPT to?
In plain terms, the BAA is a contract between your organization and ours that binds us to protect your data the way HIPAA requires. Under it, we commit to:
Meet or exceed the federal security requirements for protected health information
Notify you in a timely manner if a security incident were ever to occur
Notify the appropriate federal authorities and cooperate with any resulting audit
We apply this standard to all customer data, whether or not a particular record technically falls under HIPAA, so you never have to track which records qualify. Our broader terms of use also commit us to never sell your data and never use it to train AI models. For the safeguards behind these commitments, see how BastionGPT protects PHI technically.
Whether you are a solo practitioner looking for a dependable AI scribe, a private practice adopting AI therapy notes, or an enterprise health system rolling out an AI platform for clinical documentation across thousands of users, BastionGPT provides the contractual and technical assurances HIPAA demands. If you have questions about our BAA, need a signed copy, or want to discuss a custom agreement, reach out to [email protected] and our team will guide you through the next steps.
