DPA and BAA Readiness
Pilot-stage template. Replace with lawyer-reviewed contract language before using it for production contracts or protected health information workflows.
Data roles
The clinic normally decides why patient or prospect data is collected and how it should be used for intake, follow-up, and booking. ClinicReception AI should process that data only to provide the service and according to the clinic's configured instructions.
Data Processing Addendum
For UK, EU, or Germany-facing customers, a production contract should include a Data Processing Addendum covering processing purpose, data categories, confidentiality, security measures, subprocessors, deletion/return of data, and assistance with data subject requests where applicable.
Healthcare privacy boundary
For US healthcare customers, HIPAA may apply if protected health information (PHI) is created, received, maintained, or transmitted on behalf of a covered entity. Production use with PHI should wait until the required Business Associate Agreement and vendor obligations are in place.
Current pilot posture
- Use intake and scheduling language only.
- Avoid emergency details, diagnosis, clinical advice, final pricing, and insurance guarantees.
- Keep human review enabled by default before automated patient-facing sends.
- Use consent-based forms and opt-out text for patient follow-up.
- Have production hosting, backups, secrets, and vendor contracts in place before paid live operation.