Legal
Business Associate Agreement (BAA)
Last updated: July 14, 2026
Template provided for convenience. Have your attorney review before relying on it.
This page summarizes the Business Associate Agreement between your dental practice (the "Covered Entity") and Revamend (the "Business Associate"). Under HIPAA, a covered entity may disclose protected health information (PHI) to a business associate only with satisfactory assurances, documented in a written agreement, as required by 45 CFR 164.502(e). The BAA you sign electronically during onboarding provides those assurances. This summary is for convenience; the executed agreement is the binding document.
Why a BAA is required
Revamend reviews remittance advice, claim records, and supporting clinical documentation on your behalf to recover denied claims. That work requires access to PHI, which makes Revamend a business associate under HIPAA. The BAA obligates us to protect that PHI to the standards of the HIPAA Privacy, Security, and Breach Notification Rules.
Permitted uses and disclosures
Revamend may use and disclose PHI only:
- To perform the denial recovery services described in the Master Service Agreement: triaging denials, preparing and submitting appeals and corrected claims, communicating with payers, and reporting to your practice.
- For Revamend's proper management and administration, subject to the conditions in the BAA.
- As required by law.
We do not use PHI for marketing, do not sell PHI, and follow the minimum necessary standard in every use and disclosure.
Safeguards
The BAA commits Revamend to administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including encryption of PHI in transit and at rest, role-based access limited to personnel performing the services, access logging, and workforce training.
Breach notification
Revamend will report to your practice any use or disclosure of PHI not permitted by the BAA, any security incident of which it becomes aware, and any breach of unsecured PHI, without unreasonable delay and within the timeframe stated in the executed agreement. Reports include the information your practice needs to meet its own notification obligations under 45 CFR 164.404.
Subcontractors
If Revamend engages a subcontractor that creates, receives, maintains, or transmits PHI on its behalf (for example, our cloud hosting and database providers), the subcontractor must first agree in writing to restrictions and safeguards at least as protective as those in our BAA with your practice, as required by 45 CFR 164.502(e)(1)(ii).
Access, amendment, and accounting
The BAA obligates Revamend to make PHI available to your practice so it can meet patient rights to access and amend records, to document disclosures needed for an accounting of disclosures, and to make its internal practices available to the Secretary of Health and Human Services for compliance review.
Return or destruction at termination
When the engagement ends, Revamend will return or destroy all PHI received from or created for your practice, if feasible, and retain no copies. Where return or destruction is infeasible, the BAA's protections extend to that PHI for as long as it is retained, and further use is limited to the purposes that make return infeasible.
How the BAA is executed
You sign the BAA electronically as part of online onboarding. The full executed BAA, countersigned by Revamend, is delivered to your email after onboarding is complete. Keep it with your practice's HIPAA compliance records.
Questions about this document? Contact hello@revamend.com.