Business Associate Agreement
Last updated: June 2025
About This Agreement
Healthcare practices using CallRope are “Covered Entities” under the Health Insurance Portability and Accountability Act (HIPAA). CallRope acts as a “Business Associate” because we handle Protected Health Information (PHI) on your behalf when processing patient calls.
Federal law requires a signed Business Associate Agreement between you and any vendor who handles PHI for your practice. This page explains what our BAA covers and how to execute it.
To sign a BAA with CallRope, email usman@callrope.com with the subject line “BAA Request — [Practice Name]”. We will send you a countersigned copy within 2 business days.
What Our BAA Covers
How we use PHI
CallRope uses PHI only as necessary to provide the voice agent service to your practice. This includes processing call audio and transcripts to book appointments, route calls, and generate call logs for your review.
What we do not do with PHI
We do not sell PHI. We do not use PHI for our own marketing or research purposes. We do not disclose PHI to third parties except as required to deliver the service or as required by law.
Sub-processors who handle PHI
Our service relies on the following sub-processors who may process PHI as part of delivering calls:
- Retell AI (voice infrastructure) — SOC 2 Type II certified, HIPAA BAA signed (DocuSign, May 2026), end-to-end encryption, customer-managed encryption key option
- Twilio / Telnyx (telephony, via Retell AI) — HIPAA BAA in place
We have signed BAAs with each sub-processor that handles PHI. Copies are available upon request.
Security safeguards we maintain
- All call audio and transcripts encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls on all internal systems handling PHI
- Audit logs of all access to call data, retained for a minimum of 6 years
- Breach detection and incident response procedures
- Data retention limits: raw call audio deleted after 30 days by default (configurable)
- Annual security review of all sub-processors
Breach notification
We will notify you of any confirmed breach involving your patients' PHI without unreasonable delay and no later than 60 calendar days after discovery, as required by HIPAA's Breach Notification Rule. Our upstream provider Retell AI is contractually required to notify us within 21 business days of discovering a breach. Notification to you will include the nature of the breach, PHI involved, steps taken to contain it, and steps you should take.
Disclosure — Retell AI data handling
Our voice infrastructure provider (Retell AI) operates under a signed BAA with CallRope. Under the terms of that BAA, Retell AI is permitted to process call data outside the United States and to de-identify and aggregate call data for its own internal purposes. De-identified data is no longer PHI under 45 CFR 164.514(b). If your practice has restrictions that prohibit offshoring of any call data, please contact us before activating service so we can discuss alternative configurations.
Your responsibilities
By executing our BAA, you agree that:
- You are a Covered Entity under HIPAA
- You will only use CallRope for lawful healthcare purposes
- You will configure the service appropriately for your compliance obligations
- You will promptly notify us of any suspected breach or unauthorized access involving our service
- You will execute a BAA with CallRope before processing any PHI through the service
Termination
Either party may terminate the BAA by terminating the underlying service agreement. Upon termination, CallRope will return or destroy all PHI within 30 days, except where retention is required by law.
Compliance Infrastructure
CallRope's voice AI infrastructure (Retell AI) is:
- SOC 2 Type II certified — independently audited security, availability, and confidentiality controls
- HIPAA compliant with signed BAA
- GDPR ready for any EU patient data
These certifications cover the infrastructure layer where call audio and transcripts are processed and stored. Certificates are available in Retell AI's Trust Center at trust.retellai.com.
Ready to Sign?
Email usman@callrope.com with subject line “BAA Request — [Your Practice Name]”.
We will send you a countersigned BAA within 2 business days at no additional cost. A signed BAA is required before your trial or paid service begins processing patient calls.