Please note: Complern is an early-stage platform. Our BAA documentation is currently being prepared with legal counsel. We do not process identifiable PHI until a BAA is in place. Contact us to discuss your timeline and what compliance documentation we can provide today.
Complern executes a HIPAA-compliant Business Associate Agreement with every hospital and health system customer. Here's what that means, what it covers, and how to request yours.
A BAA is a required contract under HIPAA between your hospital (the Covered Entity) and any vendor that may create, receive, maintain, or transmit Protected Health Information (PHI) on your behalf. Here's how we are approaching this as an early-stage platform.
As a hospital or health system, you are a HIPAA Covered Entity subject to the full requirements of the Privacy and Security Rules. Any vendor you share PHI with must be bound by a BAA.
When your staff complete compliance training on Complern, their identities and training records may be associated with PHI access roles. This makes Complern a Business Associate requiring a BAA before any PHI flows.
Safeguard PHI with appropriate technical, physical, and administrative safeguards. Report breaches within 60 days. Restrict subcontractor access. Return or destroy PHI upon contract termination.
A signed BAA will give your compliance team documented evidence that your relationship with Complern is HIPAA-accountable. We are committed to having this in place before any PHI is handled.
These are the core provisions we are building into our BAA. Our legal team is preparing the full agreement, which will cover all material HIPAA requirements before any PHI is processed.
Complern may use PHI only to provide compliance training services described in your subscription and as required by law. No marketing, analytics, or secondary use.
Implementation and maintenance of technical, physical, and administrative safeguards meeting or exceeding HIPAA Security Rule standards.
Notification to your designated Privacy Officer of any confirmed or suspected breach of PHI within 60 calendar days of discovery, per 45 CFR §164.410.
All sub-processors with PHI access are bound by BAAs equivalent to or more stringent than Complern's standard BAA terms.
Complern will cooperate in fulfilling patient rights requests (access, amendment, and accounting of disclosures) as they relate to data held by Complern.
Upon contract termination, Complern will return or securely destroy all PHI held within 90 days, with written certification of destruction provided on request.
Complern's BAA process is currently being finalised with legal counsel. Here is how it will work when ready. Reach out now if you are evaluating us for a deployment involving PHI.
Submit a BAA request through our contact page or notify your Complern account representative. Include your organisation name and legal entity name.
Our legal team sends a DocuSign envelope with Complern's standard BAA. Most hospital legal teams find our terms acceptable without modification. Typical review time: 3–5 business days.
If your legal team requires modifications, we work through a single redline cycle. Enterprise customers with custom agreements can attach their own BAA as an exhibit for our CPO to countersign.
Once legal review is complete on both sides, Complern's authorised signatory countersigns. Both parties receive an executed copy. The BAA will be linked to your subscription.
With a fully executed BAA on file, Complern can begin processing identifiable workforce training data. Your Compliance Officer receives a copy for your policy evidence files.
Let's discuss your timeline and compliance requirements. We'll be transparent about where our BAA documentation currently stands.