hcmappeals.com
Effective Date: December 30th, 2025
This Business Associate Agreement (“BAA” or “Agreement”) is entered into by and between the entity or individual accepting these terms (“Covered Entity,” “you,” or “your”) and Health Care Claims Management, Inc., d/b/a Healthcare Chaos Management, an Indiana corporation with its principal place of business at 701 Broad Ripple Avenue, Indianapolis, Indiana 46220 (“HCM,” “Business Associate,” “we,” “us,” or “our”).
This Agreement governs the use, disclosure, and protection of Protected Health Information (“PHI”) in connection with your use of the HCMappeals.com platform and related services (collectively, the “Platform”). This Agreement supplements and forms an integral part of the End User License Agreement (“EULA”) available at https://hcmappeals.com/eula, which is incorporated herein by reference.
BY CLICKING “I ACCEPT,” CREATING AN ACCOUNT, OR OTHERWISE ACCESSING OR USING THE PLATFORM TO SUBMIT PROTECTED HEALTH INFORMATION, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT SUBMIT ANY PROTECTED HEALTH INFORMATION TO THE PLATFORM.
RECITALS
WHEREAS, Covered Entity is a “Covered Entity” or “Business Associate” as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations at 45 C.F.R. Parts 160 and 164;
WHEREAS, HCM operates the Platform, which utilizes artificial intelligence technology to assist Covered Entity in generating insurance appeal correspondence, and in connection therewith may create, receive, maintain, or transmit PHI on behalf of Covered Entity;
WHEREAS, the parties desire to comply with the applicable provisions of HIPAA, HITECH, the HIPAA Privacy Rule, the HIPAA Security Rule, and other federal and state privacy and security laws;
WHEREAS, this Agreement is intended to satisfy the requirements for Business Associate agreements under 45 C.F.R. sections 164.314(a) and 164.504(e), and other applicable regulations;
NOW, THEREFORE, in consideration of the mutual covenants and promises herein, the parties agree as follows:
Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in HIPAA, HITECH, the Privacy Rule, and the Security Rule, as amended from time to time. In the event of a conflict between a definition in this Agreement and a definition in the Privacy Rule or Security Rule, the definition in the Privacy Rule or Security Rule shall control.
1.1 “Artificial Intelligence” or “AI” means machine learning models, large language models, neural networks, and other automated systems that generate, analyze, or process content based on statistical patterns and training data.
1.2 “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 C.F.R. section 164.402.
1.3 “Designated Record Set” means a group of records maintained by or for a Covered Entity that includes medical records and billing records about Individuals, or that is used, in whole or in part, by or for the Covered Entity to make decisions about Individuals.
1.4 “Electronic Protected Health Information” or “ePHI” means individually identifiable health information that is transmitted by or maintained in electronic media.
1.5 “Generated Content” means all text, documents, appeal letters, recommendations, analyses, and other outputs produced by the Platform through artificial intelligence or other automated processing.
1.6 “Individual” means the person who is the subject of PHI and includes a person who qualifies as a personal representative in accordance with 45 C.F.R. section 164.502(g).
1.7 “Minimum Necessary” means the least amount of PHI necessary to accomplish the intended purpose of a use, disclosure, or request, in accordance with HIPAA, HITECH, and their implementing regulations.
1.8 “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
1.9 “Protected Health Information” or “PHI” means any information, whether oral or recorded in any form or medium, that: (a) relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present, or future payment for the provision of health care to an Individual; (b) identifies the Individual or creates a reasonable basis to believe the information can be used to identify the Individual; and (c) is created, received, maintained, or transmitted by or on behalf of HCM in connection with the services provided under this Agreement.
1.10 “Required by Law” means a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.
1.11 “Secretary” means the Secretary of the U.S. Department of Health and Human Services (“HHS”) or any officer or employee of HHS to whom the authority involved has been delegated.
1.12 “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.13 “Security Rule” means the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
1.14 “Subcontractor” means a person or entity to whom HCM delegates a function, activity, or service involving PHI, including third-party AI service providers.
1.15 “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.
2.1 Permitted Uses and Disclosures. HCM may Use and Disclose PHI solely as necessary to perform the services described in the EULA, and only to the extent such Use or Disclosure would be permissible if done by Covered Entity. Any such Use or Disclosure shall be limited to the Minimum Necessary to accomplish the intended purpose. HCM may also Use or Disclose PHI as described in Sections 3.1 through 3.4 below.
2.2 Minimum Necessary Standard. HCM shall limit its Uses, Disclosures, and requests for PHI to the Minimum Necessary in accordance with HIPAA, HITECH, and the Privacy Rule. HCM shall not Use or Disclose PHI in a manner that would violate HIPAA if done by a Covered Entity.
2.3 Safeguards. HCM shall implement administrative, physical, and technical safeguards that comply with 45 C.F.R. sections 164.308, 164.310, and 164.312 and protect the confidentiality, integrity, and availability of PHI and ePHI. At a minimum, HCM shall maintain:
(a) Role-based access controls to limit PHI access to authorized personnel only;
(b) Encryption of ePHI in transit and at rest in accordance with current industry standards;
(c) Workforce training on the privacy and security of PHI;
(d) Written policies and procedures that comply with HIPAA’s Privacy and Security Rules.
2.4 Mitigation of Harm. HCM shall mitigate, to the extent practicable, any known harmful effects resulting from its own Use or Disclosure of PHI in violation of this Agreement.
2.5 Reporting of Breach or Security Incident. HCM shall notify Covered Entity in writing without unreasonable delay, but no later than five (5) business days after discovery of any:
(a) Breach of Unsecured PHI as defined by 45 C.F.R. section 164.402;
(b) Use or Disclosure of PHI not permitted by this Agreement; or
(c) Security Incident involving PHI.
Such notice shall include:
(i) Description of the event and the date of discovery;
(ii) Categories of PHI involved;
(iii) Steps taken to mitigate harm and prevent recurrence;
(iv) Known or suspected identities of affected Individuals (or a timeline for identification);
(v) Contact information of a knowledgeable representative.
2.6 Subcontractors and Agents. HCM shall require all Subcontractors and agents who access PHI to agree in writing to the same restrictions and obligations contained herein. HCM shall:
(a) Conduct reasonable due diligence on Subcontractors with PHI access;
(b) Maintain executed downstream Business Associate Agreements; and
(c) Provide information regarding such agreements to Covered Entity upon reasonable request.
2.7 Access to PHI. If PHI is maintained in a Designated Record Set, HCM shall, within ten (10) business days of a written request, provide Covered Entity (or the Individual at Covered Entity’s direction) with access to such PHI in compliance with 45 C.F.R. section 164.524.
2.8 Amendment of PHI. If PHI is maintained in a Designated Record Set, HCM shall amend such PHI as directed by Covered Entity or the Individual, pursuant to 45 C.F.R. section 164.526, within ten (10) business days of a written request.
2.9 Accounting of Disclosures. HCM shall document Disclosures of PHI and provide Covered Entity, within ten (10) business days, the information necessary for Covered Entity to fulfill an Individual’s request under 45 C.F.R. section 164.528.
2.10 Books and Records. HCM shall make its internal practices, books, and records relating to PHI Use and Disclosure available to Covered Entity and to the Secretary of HHS within ten (10) business days of a written request.
2.11 Compliance with Law. HCM shall comply with all applicable federal and state privacy and security laws, including HIPAA, HITECH, and related regulations.
3.1 Performance of Services. Except as otherwise limited in this Agreement, HCM may Use or Disclose PHI solely as necessary to perform the services described in the EULA, including the generation of appeal correspondence using artificial intelligence, provided that such Use or Disclosure complies with the Minimum Necessary standard and would not violate HIPAA if performed by a Covered Entity.
3.2 Management and Administration. HCM may Use or Disclose PHI for its own management and administrative functions or to fulfill legal responsibilities, provided that:
(a) the Disclosure is Required by Law; or
(b) HCM obtains reasonable written assurances from the recipient that PHI will be held in confidence, used only for the intended legal purpose, and that any known breach will be promptly reported.
3.3 De-Identification. HCM may de-identify PHI in accordance with 45 C.F.R. section 164.514(a)-(c), provided that de-identified data shall not be re-identified or used in any manner inconsistent with HIPAA or this Agreement.
3.4 Reporting Legal Violations. HCM may Use PHI to report suspected violations of law to appropriate federal or state authorities, in accordance with 45 C.F.R. section 164.502(j)(1) and applicable legal and ethical requirements.
IMPORTANT: THIS SECTION CONTAINS CRITICAL INFORMATION ABOUT HOW PHI IS PROCESSED USING ARTIFICIAL INTELLIGENCE TECHNOLOGY.
4.1 Disclosure of AI Processing. Covered Entity acknowledges and agrees that the Platform utilizes artificial intelligence, including large language models and machine learning systems, to process PHI submitted by Covered Entity and generate appeal correspondence. By submitting PHI to the Platform, Covered Entity consents to such AI processing.
4.2 Third-Party AI Service Providers. Covered Entity acknowledges that HCM utilizes third-party AI services, including services provided by OpenAI, LLC (“OpenAI”), to process PHI and generate content. HCM has entered into a Business Associate Agreement with OpenAI that requires OpenAI to:
(a) Implement appropriate safeguards to protect PHI;
(b) Use PHI only as permitted by HCM and in accordance with HIPAA;
(c) Report Security Incidents and Breaches to HCM; and
(d) Comply with applicable provisions of the HIPAA Security Rule.
4.3 Prohibition on AI Training. HCM shall not, and shall contractually require its AI Subcontractors not to, use any PHI or derived data to train, validate, fine-tune, or otherwise develop any artificial intelligence, machine learning, or automated decision-making model or system, except as expressly authorized in writing by Covered Entity.
4.4 AI Output Verification Requirement. COVERED ENTITY ACKNOWLEDGES AND AGREES THAT ALL GENERATED CONTENT PRODUCED BY THE PLATFORM IS AI-GENERATED AND MAY CONTAIN ERRORS, INACCURACIES, OR “HALLUCINATIONS.” COVERED ENTITY ASSUMES SOLE RESPONSIBILITY FOR REVIEWING, VERIFYING, AND APPROVING ALL GENERATED CONTENT BEFORE USE, SUBMISSION, OR RELIANCE. HCM SHALL HAVE NO LIABILITY FOR ERRORS OR INACCURACIES IN AI-GENERATED CONTENT.
4.5 AI Transparency Requirement. Covered Entity agrees not to represent to any insurance carrier, healthcare payor, regulatory authority, patient, or other third party that Generated Content was created by a human or constitutes human-authored correspondence. Covered Entity shall disclose the AI-assisted nature of any appeal submission when required by applicable law, payor policy, or regulatory guidance.
4.6 AI Limitations. Covered Entity acknowledges that the Platform and its AI capabilities are not a substitute for the professional judgment of licensed healthcare providers, attorneys, or other qualified professionals. Generated Content is intended to assist, not replace, professional review and decision-making.
5.1 Authorization to Disclose PHI. Covered Entity represents and warrants that it has obtained all necessary authorizations, consents, and permissions required under HIPAA, state law, and any other applicable regulations to disclose PHI to HCM for the purposes described in this Agreement and the EULA.
5.2 Notification of Changes. Covered Entity shall notify HCM, in writing and without unreasonable delay, of:
(a) Any limitation in its Notice of Privacy Practices under 45 C.F.R. section 164.520, to the extent the limitation may affect HCM’s permitted Use or Disclosure of PHI;
(b) Any change in, or revocation of, an Individual’s authorization or permission to Use or Disclose PHI, to the extent such change may affect HCM’s handling of that PHI; and
(c) Any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to under 45 C.F.R. section 164.522, to the extent such restriction is relevant to HCM’s permitted activities.
5.3 Compliance Instructions. Covered Entity shall not instruct or require HCM to Use or Disclose PHI in a manner that would be impermissible under HIPAA if conducted by Covered Entity.
5.4 Minimum Necessary. Covered Entity shall submit only the Minimum Necessary PHI required to accomplish the intended purpose of using the Platform.
6.1 Term. This Agreement shall take effect upon Covered Entity’s acceptance and shall remain in force until terminated pursuant to this Section 6, or until all PHI received by HCM on behalf of Covered Entity is returned or destroyed in accordance with Section 6.3.
6.2 Termination. This Agreement may be terminated:
(a) By either party upon termination of the EULA;
(b) By Covered Entity at any time by discontinuing use of the Platform and providing written notice to HCM;
(c) By HCM if Covered Entity materially breaches this Agreement and fails to cure such breach within thirty (30) days after receiving written notice; or
(d) Immediately by HCM if cure of a breach is not possible or if required by law.
6.3 Effect of Termination.
(a) Return or Destruction of PHI. Upon termination of this Agreement for any reason, HCM shall, at Covered Entity’s election, return to Covered Entity or securely destroy all PHI received or created under this Agreement, including all copies in any medium. HCM shall require its Subcontractors to do the same and shall certify such destruction in writing upon request.
(b) Infeasibility of Return or Destruction. If HCM determines that returning or destroying PHI is infeasible, it shall notify Covered Entity in writing and explain the specific reasons. If return or destruction is infeasible, HCM shall continue to protect such PHI in accordance with this Agreement and shall limit further Use or Disclosure to those purposes that make the return or destruction infeasible, for as long as it retains such PHI.
(c) Survival. The obligations of HCM under this Section 6.3 shall survive termination of this Agreement.
7.1 Safeguards and Compliance Obligations. HCM shall implement and maintain reasonable and appropriate administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits on behalf of Covered Entity. Such safeguards shall meet the requirements of the HIPAA Security Rule and HITECH, including but not limited to 45 C.F.R. sections 164.306, 164.308, 164.310, 164.312, and 164.316.
7.2 Subcontractor Security. HCM shall ensure that any Subcontractor to whom it provides ePHI agrees, in a written agreement, to implement safeguards that are no less stringent than those required by this Agreement and applicable law. All such Subcontractors must:
(a) Encrypt ePHI in transit and at rest using industry-standard methods;
(b) Comply with HHS guidance regarding secure transmission and storage; and
(c) Notify HCM of any Security Incident within their control that affects PHI.
7.3 Geographic Restriction. HCM shall not permit any access to PHI from outside the United States without Covered Entity’s prior written consent, regardless of hosting location or workforce citizenship.
8.1 Regulatory References. All references to HIPAA, the Privacy Rule, the Security Rule, or HITECH include those regulations as amended from time to time and any implementing rules for which compliance is required.
8.2 Amendment. HCM reserves the right to modify this Agreement at any time by posting the revised terms at https://hcmappeals.com/baa or by providing notice to Covered Entity. Covered Entity’s continued use of the Platform after the effective date of any modification constitutes acceptance of the modified terms. The parties agree to negotiate in good faith to make any amendments necessary to comply with applicable privacy and security laws.
8.3 Survival. The rights and obligations under Sections 2.6, 4.3, 4.4, 6.3, 7, and 8 shall survive termination of this Agreement.
8.4 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a construction that ensures compliance with HIPAA, HITECH, and related regulations.
8.5 Precedence. In the event of a conflict between this Agreement and the EULA or any related contract, the terms of this Agreement shall control with respect to the use, disclosure, or safeguarding of PHI.
8.6 Waiver. No waiver of any provision or breach of this Agreement shall be effective unless in writing and signed by the waiving party. A waiver shall not be construed as a continuing waiver or waiver of any other breach.
8.7 Notices. All notices under this Agreement shall be in writing and deemed given:
(a) upon personal delivery;
(b) upon confirmed email transmission without bounce-back or delivery failure;
(c) on the next business day if sent by overnight courier; or
(d) three (3) business days after mailing via certified U.S. Mail, return receipt requested.
Notices to HCM shall be sent to: Health Care Claims Management, Inc., 701 Broad Ripple Avenue, Indianapolis, Indiana 46220, Attention: Legal Department, or by email to legal@hcmar.com. Notices to Covered Entity shall be sent to the email address associated with Covered Entity’s account.
8.8 Governing Law and Venue. This Agreement shall be governed by the laws of the State of Indiana without regard to conflict of laws principles. The parties consent to the exclusive jurisdiction of state and federal courts located in Marion County, Indiana.
8.9 Relationship of the Parties. Nothing in this Agreement shall be construed to create an agency, joint venture, or employment relationship. The parties are independent contractors.
8.10 No Third-Party Beneficiaries. This Agreement is intended solely for the benefit of the parties and their permitted successors and assigns. No third party, including any Individual whose PHI is processed under this Agreement, shall have any rights or remedies hereunder.
8.11 Severability. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced with a valid provision closest in meaning to the original.
8.12 Electronic Execution. Covered Entity acknowledges and agrees that clicking an “I Accept” or similar button, or otherwise manifesting assent electronically, constitutes Covered Entity’s electronic signature and has the same legal effect as a handwritten signature. This Agreement may be accepted electronically and such acceptance shall be legally binding.
8.13 Entire Agreement. This Agreement, together with the EULA, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous communications, proposals, and agreements relating to such subject matter.
11.1 “AS IS” PROVISION. THE PLATFORM AND ALL GENERATED CONTENT ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. YOUR USE OF THE PLATFORM IS AT YOUR SOLE RISK. Without limiting the foregoing, the beta program terms set forth in Section 1.2 apply to all use of the Platform during the beta period.
11.2 DISCLAIMER OF WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HCM EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION: (A) IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT; (B) WARRANTIES ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE; (C) WARRANTIES THAT THE PLATFORM WILL MEET YOUR REQUIREMENTS OR EXPECTATIONS; (D) WARRANTIES THAT THE PLATFORM WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE; (E) WARRANTIES REGARDING THE ACCURACY, COMPLETENESS, RELIABILITY, OR QUALITY OF ANY GENERATED CONTENT; (F) WARRANTIES THAT DEFECTS WILL BE CORRECTED; AND (G) WARRANTIES THAT THE PLATFORM OR SERVERS ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.
11.3 NO GUARANTEE OF AVAILABILITY OR ACCURACY. HCM DOES NOT WARRANT OR GUARANTEE: (A) CONTINUOUS, UNINTERRUPTED, OR SECURE ACCESS TO THE PLATFORM; (B) THE ACCURACY, COMPLETENESS, CURRENTNESS, OR RELIABILITY OF ANY GENERATED CONTENT; (C) THAT THE PLATFORM WILL PRODUCE EFFECTIVE APPEAL LETTERS OR SUCCESSFUL OUTCOMES; (D) THAT GENERATED CONTENT WILL BE SUITABLE FOR ANY PARTICULAR PURPOSE OR COMPLY WITH ANY PARTICULAR REQUIREMENTS; OR (E) THAT THE PLATFORM WILL BE COMPATIBLE WITH ANY PARTICULAR HARDWARE, SOFTWARE, OR NETWORK CONFIGURATION.
11.4 Third-Party Disclaimers. HCM’s third-party licensors and service providers make no warranties to you and shall have no liability to you under this Agreement.
For questions about this Agreement or to report a privacy concern, please contact:
Health Care Claims Management, Inc.
d/b/a Healthcare Chaos Management
701 Broad Ripple Avenue
Indianapolis, Indiana 46220
General and Privacy Inquiries: legal@hcmar.com
BY CLICKING “I ACCEPT,” CREATING AN ACCOUNT, OR OTHERWISE SUBMITTING PROTECTED HEALTH INFORMATION TO THE PLATFORM, YOU ACKNOWLEDGE THAT:
(A) YOU HAVE READ AND UNDERSTOOD THIS BUSINESS ASSOCIATE AGREEMENT IN ITS ENTIRETY;
(B) YOU AGREE TO BE BOUND BY ALL TERMS AND CONDITIONS OF THIS AGREEMENT;
(C) YOU ARE AUTHORIZED TO ENTER INTO THIS AGREEMENT ON BEHALF OF THE COVERED ENTITY;
(D) YOU UNDERSTAND THAT PHI WILL BE PROCESSED USING ARTIFICIAL INTELLIGENCE TECHNOLOGY;
(E) YOU ACCEPT SOLE RESPONSIBILITY FOR VERIFYING ALL AI-GENERATED CONTENT BEFORE USE;
(F) YOU AGREE NOT TO REPRESENT AI-GENERATED CONTENT AS HUMAN-AUTHORED; AND
(G) YOU HAVE OBTAINED ALL NECESSARY AUTHORIZATIONS TO DISCLOSE PHI TO HCM.
End of Agreement
Version 1.0 | December 30th, 2025