1. Our Role and Commitment
Beija, Inc. provides AI agents that automate prior authorization and benefits investigation for healthcare practices. When we create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of a healthcare customer, Beija acts as a business associate under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Privacy, Security, and Breach Notification Rules (collectively, “HIPAA”). We are committed to protecting PHI and to meeting our obligations under HIPAA and our Business Associate Agreement (“BAA”) with each customer.
2. Administrative Safeguards
- Documented security policies and a designated security and privacy official.
- Workforce screening, role-based access, and recurring HIPAA and security training.
- Periodic risk analysis and risk management, with a documented incident-response process.
- Vendor management: subcontractors that may access PHI are bound by written agreements with flow-down obligations.
3. Technical Safeguards
- Encryption of PHI in transit (TLS) and at rest.
- Unique user authentication, least-privilege access controls, and enforced session limits that require re-authentication after timeout.
- Audit logging of access to and activity involving PHI.
- Logical tenant isolation so each customer’s data is segregated.
4. Physical Safeguards
PHI is hosted with cloud providers that maintain HIPAA-eligible environments and have executed business associate agreements with us. Those providers maintain the facility access controls and environmental protections for their data centers.
5. Minimum Necessary and Permitted Uses
We access and use PHI only as necessary to provide the contracted services, for the proper management of our operations, and as otherwise permitted by the BAA and required by law. We apply the minimum-necessary principle to access and disclosure.
6. Breach Notification
We maintain processes to detect, investigate, and respond to security incidents. We will report any use or disclosure of PHI not permitted by the BAA, and any breach of unsecured PHI, to the affected customer without unreasonable delay and within the timeframes required by the Breach Notification Rule and the applicable BAA.
7. Business Associate Agreements
We sign a Business Associate Agreement with each covered-entity or business-associate customer before PHI is exchanged, and we flow down equivalent obligations to any subcontractor that handles PHI.
8. Data Retention and Destruction
We retain PHI only as long as needed to provide the services or as required by law. Upon termination of the BAA we return or securely destroy PHI where feasible, with verified destruction of storage media at end of life. Where return or destruction is not feasible, as HIPAA requires, we extend the protections of the BAA to the retained PHI and limit its further use and disclosure to the purposes that make return or destruction infeasible.
9. Supporting Individual Rights
Because individuals exercise their HIPAA rights through the covered entity, we provide reasonable assistance to enable customers to fulfill requests for access, amendment, and an accounting of disclosures as set out in the BAA.
10. Contact
Security and privacy questions: security@beija.ai · privacy@beija.ai
This statement is provided for transparency and does not by itself create contractual obligations; the BAA governs the parties’ HIPAA obligations.