Business Associate Agreement

Some Avalora workflows may involve protected health information when Avalora supports a clinic's patient communication process.

For PHI-bearing deployments, Avalora can support a Business Associate Agreement before those workflows go live.

A BAA-backed Avalora deployment is designed to define:

• permitted uses and disclosures of PHI
• clinic-approved communication boundaries
• call recording, transcription, and summary handling
• staff access and handoff rules
• subprocessors and vendor documentation
• retention and deletion expectations
• incident and breach notification responsibilities
• human escalation for clinical, urgent, or sensitive questions

Avalora does not treat vendor compliance alone as Avalora compliance. The full workflow, client agreement, vendor chain, and data handling process must be reviewed before making final compliance claims.

During onboarding, Avalora reviews what information will be captured, where it will be stored, which vendors are involved, where data is routed, and what agreements are required before launch.