
HIPAA Compliance

Last updated: March 6, 2026

HIPAA Compliant — BAA Available

Surgery.AI operates as a Business Associate under HIPAA. A Business Associate Agreement (BAA) is available to all Customers prior to deployment. Contact anup@surgery.ai to request a BAA.

1. Our Role Under HIPAA

Surgery.AI provides technology services to healthcare practices ("Covered Entities") that may involve the creation, receipt, maintenance, or transmission of Protected Health Information (PHI). In this capacity, Surgery.AI functions as a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act.

2. Business Associate Agreement

Prior to any deployment involving PHI, Surgery.AI executes a Business Associate Agreement (BAA) with the Customer. The BAA governs our permitted uses and disclosures of PHI, our safeguarding obligations, and procedures for breach notification.

If you are a Customer or prospective Customer and require a BAA, please contact us at anup@surgery.ai.

3. Administrative Safeguards

  • Designated Security Officer responsible for HIPAA compliance
  • Workforce training on PHI handling and privacy practices
  • Access controls limiting PHI access to authorized personnel only
  • Audit controls and activity logging
  • Documented policies and procedures for PHI handling

4. Physical Safeguards

  • PHI stored on cloud infrastructure with physical security controls
  • Data centers covered by SOC 2 attestation reports and appropriate physical access controls
  • Workstation and device controls for staff accessing PHI

5. Technical Safeguards

  • Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
  • Unique user identification and authentication for system access
  • Automatic logoff for inactive sessions
  • Audit logs for all PHI access and modifications
  • Transmission security for all PHI communications

6. Permitted Uses and Disclosures

As a Business Associate, Surgery.AI may use or disclose PHI only as permitted by the applicable BAA and the HIPAA regulations. Permitted uses and disclosures include:

  • Providing and operating the contracted Services on behalf of the Customer
  • Proper management and administration of Surgery.AI's operations
  • As required by law

Surgery.AI does not use PHI for marketing, sale, or any purpose not authorized by the BAA.

7. Subcontractors

Where Surgery.AI engages subcontractors who may have access to PHI, we require those subcontractors to enter into a BAA and maintain HIPAA-compliant safeguards equivalent to our own.

8. Breach Notification

In the event of a breach of unsecured PHI, Surgery.AI will notify affected Customers in accordance with the timelines and requirements set forth in the BAA and HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).

9. Contact

For HIPAA-related inquiries, BAA requests,