SpinoLens
Healthcare

Business Associate Addendum

A review copy of the business associate terms SpinoLens expects to use if a clinic requires a BAA for patient-share or other PHI-handling workflows.

Last updated June 1, 2026

Purpose

This Business Associate Addendum is intended as a review copy for clinics that determine SpinoLens will act as a business associate under HIPAA for their use of the product. It is not effective until separately accepted or executed by SpinoLens and the clinic.

SpinoLens is designed to minimize patient data storage. However, patient viewer links may temporarily process normalized patient-related atlas values and clinic branding through SpinoLens servers. Clinics should consult their own counsel or compliance team to determine whether a BAA is required for their intended use.

Permitted uses and disclosures

  • SpinoLens may use or disclose protected health information only to provide and secure the product, support patient viewer links, comply with the agreement, or as required by law.
  • SpinoLens may use de-identified or aggregated information only if it does not identify the clinic, patient, or individual and is handled in accordance with applicable requirements.
  • SpinoLens will not sell protected health information or use it for advertising.

Safeguards

SpinoLens will use reasonable administrative, technical, and organizational safeguards intended to protect electronic protected health information handled by the product. Current product controls include authenticated clinic access, tokenized patient viewer links, hashed token storage, expiration and revocation controls, no-store API headers, and rate limiting.

Reporting

SpinoLens will report to the clinic any security incident or breach involving unsecured protected health information of which SpinoLens becomes aware, consistent with applicable law and the executed agreement.

Subcontractors

SpinoLens may use subcontractors and service providers to provide the product. Where required, SpinoLens will ensure that subcontractors who create, receive, maintain, or transmit protected health information on behalf of SpinoLens agree to appropriate restrictions and safeguards.

Access, amendment, and accounting

Because SpinoLens is not intended to be the clinic's system of record, requests for patient access, amendment, accounting, or disclosure records should generally be handled by the clinic through its own records system. SpinoLens will reasonably assist the clinic with information in SpinoLens' possession if required by an executed agreement and applicable law.

Return or destruction

Upon termination of services or upon verified request, SpinoLens will return, delete, or destroy protected health information in its possession where feasible and legally permitted. Patient viewer link payloads are designed to expire automatically and may be revoked by clinics.

Contact

To request a BAA review, contact privacy@spinolens.com.
