Legal
Business Associate Agreement (BAA)
How NeuroLTC approaches HIPAA and the Business Associate Agreement — when we act as a business associate, why PHI is processed only under a signed BAA, and what our BAA covers. This page is informational; the executed BAA governs.
Last updated: July 14, 2026
These materials are being finalized; contact legal@neuroltc.com with questions.
1. What a Business Associate Agreement is
Under the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate Agreement (BAA) is a contract between a covered entity — such as a skilled nursing or long-term care facility — and a business associate — a vendor that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf. HIPAA requires this agreement to be in place before the vendor handles PHI.
A BAA sets the ground rules for that relationship, including:
- the permitted uses and disclosures of PHI;
- the administrative, physical, and technical safeguards the business associate must maintain;
- breach and security-incident notification obligations; and
- the return or destruction of PHI when the relationship ends.
2. NeuroLTC's role as a business associate
When a facility connects real resident data to the NeuroLTC platform, the facility is the covered entity (or acts on behalf of one) and NeuroLTC, Inc. ("NeuroLTC") acts as its business associate — we handle PHI to provide the documentation-support and compliance-tracking Service, not for our own purposes.
Because of that role, NeuroLTC offers a BAA to facility customers. The BAA is the instrument that governs how PHI is handled between the facility and NeuroLTC, and it takes precedence over our general Privacy Policy for that PHI.
3. PHI only under a signed BAA
NeuroLTC does not process real PHI until a BAA is executed. This is a deliberate posture, not a formality:
- Today the platform operates on demonstration and synthetic data — a first-class mode of the product, designed so facilities can evaluate NeuroLTC fully without exposing any resident information.
- No PHI should be entered into demonstration or pre-BAA environments. We ask customers not to connect or type real resident data until a BAA is in place.
- Once a BAA is executed, PHI is processed only as the agreement permits.
4. What our BAA covers
Our BAA addresses the standard HIPAA business-associate commitments. At a high level, it provides that NeuroLTC will:
- use and disclose PHI only as permitted or required by the agreement and applicable law;
- maintain appropriate administrative, physical, and technical safeguards to protect PHI;
- report security incidents and breaches of unsecured PHI as required;
- ensure that subprocessors who handle PHI are bound by terms at least as protective as those in the BAA; and
- return or destroy PHI on termination, where feasible, consistent with the agreement.
This page describes those commitments in plain language. The executed BAA — not this summary — sets out the binding contractual terms.
5. Subprocessors and PHI
When the relevant features are enabled, a small set of vendors ("subprocessors") may handle customer data on NeuroLTC's behalf. We name only those we actually use, and each is bound by appropriate terms:
- Vercel — Hosting and content delivery for the site and application.
- Convex — Application backend and data storage — database, server functions, and file storage.
- OpenRouter (LLM provider) — Routing to a large-language-model provider for AI drafting — only when AI features are enabled, and with PHI-minimized inputs (internal identifiers, never resident names).
- PointClickCare — Customer-initiated, read-only EHR / FHIR integration — only when a facility connects it.
Where a subprocessor may handle PHI, it is engaged under terms at least as protective as our BAA. For the same list in the privacy context, see our Privacy Policy.
6. Security posture
NeuroLTC is built with a HIPAA-minded architecture: encryption in transit and at rest through our platform providers, facility-scoped and role-based access control, and comprehensive audit logging of access and changes. NeuroLTC does not claim to be "HIPAA certified" — HIPAA has no certification for software — and SOC 2 Type II is in preparation as a roadmap item, not currently held. We describe our security approach honestly and avoid overstated claims; see our security posture for more.
7. How to request a BAA
To request a BAA, email legal@neuroltc.com or reach out through your pilot contact. A BAA is executed before any PHI is connected to the platform, typically as part of pilot onboarding, so that the agreement is in place the moment a facility is ready to move from demonstration data to real resident data.
8. Not legal advice; relationship to other terms
This page is informational and explains NeuroLTC's HIPAA and BAA posture; it is not legal advice and is not the BAA itself. Where a BAA has been executed, that signed agreement governs the handling of PHI and controls to the extent it differs from this page. For related terms, see our Privacy Policy and Terms of Service.