BAA Details
A Business Associate Agreement (BAA) is a legal contract required by HIPAA whenever a third party handles Protected Health Information on behalf of a healthcare provider. SOAP Note Buddy has BAA coverage in place for its cloud infrastructure.
Google Cloud BAA
All AI processing and cloud data storage run on Google Cloud, which is covered by a HIPAA Business Associate Agreement. Our Google Cloud project is enrolled in Google’s Assured Workloads — Healthcare and Life Sciences Controls compliance regime. This BAA covers:
- Google Vertex AI — the service that powers note generation
- Google Firestore — the database that stores your synced patient data
- Google Cloud Run — the backend service that handles API requests
Google’s BAA ensures that all data processed through these services is handled in accordance with HIPAA requirements for security, privacy, and breach notification.
AI Processing Location
To maintain reliable service during periods of high demand on Google’s AI infrastructure, we use Vertex AI’s global endpoint, which automatically routes requests to whichever Google Cloud region has available capacity. This means an individual AI request may be processed in a Google Cloud data center outside the United States. All such processing remains under Google’s HIPAA BAA: the data is encrypted in transit and at rest, and it is never retained or used to train Google’s models.
If your practice requires US-only processing, please contact us at [email protected] so we can discuss options.
BAA Acceptance in the Extension
Before you can use SOAP Note Buddy, you must accept the BAA within the extension. This acceptance is presented when you add your first patient. You cannot proceed without agreeing to the terms.
If you need to review the BAA terms, they are available at soapnotebuddy.com/hipaa.
What the BAA Covers
The BAA establishes that:
- Data is encrypted in transit and at rest
- Access is restricted to authorized services only
- Google will notify us of any security breaches
- Data handling follows HIPAA’s minimum necessary standard
- Audit controls and logging are maintained
Your Practice’s BAA
SOAP Note Buddy’s BAA with Google covers the technology infrastructure. Depending on your practice’s compliance requirements, you may also need a BAA between your organization and SOAP Note Buddy. Contact [email protected] to discuss your specific needs.