HIPAA Compliance

Effective Date: 8/4/2024

IntuBlade supports healthcare teams in protecting patient data during video laryngoscopy and airway management.

Eligible accounts run in a HIPAA-ready AWS environment, and a Business Associate Agreement applies to those accounts.

For HIPAA questions, email privacy@intublade.com.

How to use IntuBlade on our HIPAA Cloud

  1. Sign up at admin.intublade.com

  2. Create or upgrade an account on a HIPAA-eligible plan

  3. Review the IntuBlade BAA below

  4. Once you use an eligible account, the BAA applies automatically

IntuBlade Business Associate Agreement

Latest revision 12 November 2025

Applies automatically to eligible accounts

Important eligibility notice

This Business Associate Agreement (BAA) applies only to IntuBlade customer accounts that:

  • run in IntuBlade’s HIPAA Cloud environment on AWS us-west-2, and

  • are created or upgraded through admin.intublade.com on a HIPAA-eligible paid plan.

Accounts that do not meet both conditions are not covered by this BAA and must not process Protected Health Information (PHI) with IntuBlade.

By creating or using an eligible account, the entity listed in IntuBlade billing records (Customer, Covered Entity, or its own business associate under HIPAA) is treated as having read and agreed to this BAA. No separate signature is required.

Questions can be sent to privacy@intublade.com.

1. Relationship to other agreements

This BAA supplements and is part of:

  • the IntuBlade Terms of Service

  • any order forms

  • any other written agreement that governs use of IntuBlade software, apps, or cloud services (together the Services Agreement).

If there is a conflict about PHI, this BAA controls over the Services Agreement.

2. Definitions

Capitalized terms follow HIPAA at 45 C.F.R. Parts 160 and 164, as amended by the HITECH Act.

Key terms:

  • Protected Health Information (PHI)

    • Information created, received, stored, or transmitted by IntuBlade for Customer that relates to an individual’s health, care, or payment.

  • Breach

    • The acquisition, access, use, or disclosure of unsecured PHI that is not permitted under HIPAA.

  • Security Incident

    • Has the meaning in 45 C.F.R. §164.304.

Terms not defined here have the meaning in HIPAA or in the Services Agreement.

3. Permitted uses and disclosures

IntuBlade may use or disclose PHI only to:

  • provide IntuBlade products and support under the Services Agreement

  • manage its operations and meet legal duties where a law requires the use or disclosure or where the recipient is bound by written confidentiality duties

  • meet other legal process that applies to IntuBlade.

IntuBlade will not use or disclose PHI for any other purpose without written instructions from Customer, unless HIPAA allows or requires it.

IntuBlade will not use PHI for marketing or product training unrelated to Customer without Customer’s written approval.

4. Customer responsibilities

Customer agrees that it will:

  • remain a Covered Entity or Business Associate under HIPAA and meet its own HIPAA duties

  • limit PHI sent to IntuBlade to what is needed for clinical care, quality review, or training

  • avoid sending PHI through support tickets, chat, or email that are not marked as HIPAA ready

  • configure accounts, users, and devices in line with IntuBlade guidance for HIPAA use

  • obtain any consents or authorizations needed for IntuBlade to process PHI under this BAA.

IntuBlade may rely on Customer’s instructions when judging whether PHI is the minimum necessary.

5. Safeguards

IntuBlade will:

  • run an information security program that follows the HIPAA Security Rule

  • use administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of electronic PHI

  • encrypt PHI in transit and at rest using industry-standard methods

  • limit access to PHI to workforce members and contractors who need it for their job

  • train workforce members with access to PHI on privacy, security, and confidentiality duties.

PHI is stored in AWS data centers in the United States. Remote access for support is limited to trained personnel under least-privilege access and multi-factor authentication.

6. Subcontractors

If IntuBlade uses any subcontractor that accesses PHI, IntuBlade will:

  • put a written agreement in place that requires protections at least as strong as this BAA and the HIPAA Security Rule

  • stay responsible for the subcontractor’s use and protection of PHI as if IntuBlade had done the work itself.

IntuBlade will maintain a current list of subprocessors used for the HIPAA Cloud and will provide it on request.

7. Incidents and breach reporting

IntuBlade will:

  • report any Breach of unsecured PHI or any unauthorized use or disclosure of PHI to Customer without undue delay and no later than 72 hours after discovery

  • describe the known facts so Customer can meet its own notice duties

  • report Security Incidents that materially affect PHI.

Common background events like port scans or failed logins that do not compromise PHI do not require notice.

After a report, IntuBlade will cooperate in good faith with Customer on investigation, risk analysis, and any required notices or mitigation steps.

8. Individual rights

To the extent IntuBlade holds PHI in a designated record set and where it is feasible, IntuBlade will help Customer:

  • respond to requests for access to PHI

  • respond to requests to amend PHI

  • account for disclosures of PHI where HIPAA requires an accounting.

Customer remains responsible for communicating with individuals and for deciding how to respond. IntuBlade may charge reasonable fees for extensive or unusual support.

9. Access for regulators

IntuBlade will make relevant policies, procedures, and records related to the use and protection of PHI available to the U.S. Department of Health and Human Services if required by law, subject to legal privilege and protection of trade secrets.

10. Term and termination

This BAA starts when Customer first creates or upgrades an eligible HIPAA Cloud account and stays in effect until:

  • all Services Agreements between IntuBlade and Customer that relate to HIPAA Cloud use have ended, and

  • IntuBlade has returned or destroyed PHI in line with this section.

Either party may terminate this BAA on written notice if the other party commits a material breach and does not cure it within thirty days.

When this BAA ends, IntuBlade will return or delete PHI within thirty days, unless a law requires retention or deletion is not feasible. If deletion is not feasible, IntuBlade will keep protecting that PHI and will not use or disclose it for any other reason.

11. Other terms

  • This BAA does not create rights for any third party.

  • IntuBlade may update this BAA to keep up with legal changes. IntuBlade will post the new version and give at least thirty days' notice. If Customer objects to a material change, Customer may stop using the HIPAA Cloud and receive a pro-rated refund of prepaid fees for the remaining term of that HIPAA plan.

  • Each party is responsible for any HIPAA penalties that result from its own acts or omissions.

  • Governing law and dispute rules follow the Services Agreement.