HIPAA Compliance
Effective Date: 8/4/2024
IntuBlade is aligned with HIPAA, supporting healthcare organizations and partners in protecting patient data during video laryngoscopy and airway management. All accounts operate in a HIPAA-eligible AWS environment, and a Business Associate Agreement (BAA) is made available at account signup.
For HIPAA-related questions, contact: privacy@intublade.com
How to Get Set Up on Our HIPAA-Compliant Cloud
Sign up at admin.intublade.com
Review the Business Associate Agreement (BAA) below
Account is automatically covered upon acceptance
You’re good to go
IntuBlade Business Associate Agreement (BAA)
Effective automatically for eligible accounts
Latest Revision: 5 August 2025
Important Eligibility Notice
This Business Associate Agreement (“BAA”) automatically applies only to IntuBlade customer accounts that:
Are hosted in IntuBlade’s HIPAA-compliant AWS Cloud Environment (currently us-west-2), and
Are registered through admin.intublade.com and accept the BAA upon account creation.
Accounts that do not meet both conditions are not covered by this BAA and may not process Protected Health Information (“PHI”) with IntuBlade.
By creating or continuing to use an eligible account, the entity identified in IntuBlade billing records (“Customer”, “Covered Entity” or its own business associate under HIPAA) is deemed to have reviewed, understood, and agreed to this BAA. No additional click-through or signature is required.
Questions? Email: privacy@intublade.com
1. Parties & Incorporation
This BAA supplements and is incorporated by reference into the IntuBlade Terms of Service and any other agreement governing Customer’s use of the IntuBlade software, app, or connected services (“Services Agreement”). In the event of any conflict between this BAA and the Services Agreement concerning PHI, this BAA will control.
2. Definitions
Capitalized terms follow the meanings in HIPAA (45 C.F.R. Parts 160 & 164), as amended by the HITECH Act. Key terms include:
PHI (Protected Health Information): Any information created, received, maintained, or transmitted by IntuBlade on behalf of Customer that relates to an individual’s health status, care, or payment.
Breach: The unauthorized acquisition, access, use, or disclosure of PHI as defined under 45 C.F.R. §164.402.
Security Incident: As defined under 45 C.F.R. §164.304.
HITECH Act: Title XIII of the American Recovery and Reinvestment Act of 2009.
All other terms not defined here shall have the meanings set forth in HIPAA.
3. Permitted Uses & Disclosures
IntuBlade may use or disclose PHI solely to:
Provide its HIPAA-hosted software and related support services under the Services Agreement
Fulfill legal obligations, provided any disclosures are (i) required by law or (ii) to a recipient under equivalent confidentiality safeguards
Comply with applicable law or valid legal process
IntuBlade will not use or disclose PHI for any other purpose without written authorization from the Customer.
4. Customer Responsibilities
Customer agrees to:
Remain a Covered Entity or Business Associate under HIPAA and use IntuBlade services in compliance with HIPAA
Only upload PHI that is strictly necessary for clinical or training use
Not send PHI via support channels, unsecured email, or non-HIPAA-approved environments
Obtain any necessary consents for IntuBlade to process PHI
Maintain appropriate configurations and access restrictions on their own user accounts
5. Safeguards
IntuBlade will:
Implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule
Use encryption in transit (TLS 1.2+) and at rest (AES-256)
Restrict PHI access to authorized personnel only
Train staff handling PHI on confidentiality obligations and HIPAA basics
Store PHI in encrypted AWS S3 buckets with strict IAM role-based access
6. Subcontractors
IntuBlade will ensure that any subcontractor with access to PHI agrees in writing to comply with obligations no less restrictive than those in this BAA and the HIPAA Security Rule.
7. Incident & Breach Reporting
IntuBlade will:
Notify Customer of any unauthorized use or disclosure of PHI within 72 hours of discovery
Report material security incidents impacting PHI
Assist Customer in complying with 45 C.F.R. §§164.404–410 to the extent information is available
Routine intrusion attempts (e.g., port scans, failed logins) do not require notification.
8. Individual Rights
Where applicable and feasible, IntuBlade will assist Customer in fulfilling obligations related to:
Access requests (45 C.F.R. §164.524)
Amendments (45 C.F.R. §164.526)
Accounting of disclosures (45 C.F.R. §164.528)
Fees may apply for non-standard support or retrieval efforts.
9. Books & Records
IntuBlade will make its relevant security and privacy documentation available to the U.S. Department of Health & Human Services upon lawful request, subject to legal privilege and trade secret protections.
10. Term & Termination
Term: This BAA is effective upon account creation and remains in effect until:
(a) the Services Agreement is terminated or downgraded, or
(b) the Customer ceases using IntuBlade’s HIPAA-compliant services.
Termination for Breach: Either party may terminate this BAA with 30 days’ notice if the other materially breaches and fails to cure within that time.
Return or Destruction of PHI: Upon termination, IntuBlade will delete or return all PHI within 30 days unless retention is required by law or infeasible. In such cases, PHI will remain protected and access will be restricted.
11. Miscellaneous
No Third-Party Rights: This BAA grants no rights to any third party.
Amendment: IntuBlade may update this BAA as required to comply with changes in law, with at least 30 days' notice. Continued use of the services constitutes acceptance.
Liability: Each party is responsible for its own HIPAA violations or penalties.
Governing Law: This BAA is governed by the laws set forth in the Services Agreement.