Business Associate Agreement - Checkbox Acknowledgement

Purpose

This document provides the UI text, legal language, and implementation guidance for the BAA checkbox acknowledgment displayed during user sign-up for Adjudica.AI products that handle Protected Health Information (PHI).

Implementation Requirements

When to Display

Display the BAA checkbox acknowledgment when:

User is signing up for an account that will handle PHI
User is upgrading to a tier that includes PHI processing
User is enabling features that involve medical records or health information
User's organization is a HIPAA Covered Entity (law firm handling WC cases)

Required Components

Checkbox (unchecked by default, must be checked to proceed)
Acknowledgment text with links to full documents
Timestamp of acceptance stored in database
User ID associated with acceptance
IP address of user at time of acceptance (optional but recommended)

Checkbox UI Text

Primary Checkbox (Required)

☐ I acknowledge that I have read and understand the Business Associate Agreement
   (BAA) and AI Processing Addendum, and I agree to be bound by their terms.

   View full documents:
   • Business Associate Agreement [link]
   • AI Processing Addendum [link]

Alternative: Compact Version

☐ I have read and agree to the Business Associate Agreement and AI Processing
   Addendum governing the handling of Protected Health Information (PHI).
   [View BAA] [View AI Addendum]

Key Points Summary (Display Above Checkbox)

Display this summary to help users understand what they're agreeing to:

### Business Associate Agreement Summary

By checking the box below, you acknowledge and agree that:

**Data Protection**
• Glass Box Solutions will handle your clients' Protected Health Information (PHI)
  in compliance with HIPAA regulations
• PHI is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access to PHI is logged and auditable

**AI Processing**
• PHI may be processed by AI systems (Google Gemini) for document analysis,
  case summarization, and legal research
• Our AI provider (Google) is contractually prohibited from using your data for model training
• AI outputs must be verified by a licensed attorney before reliance

**Your Responsibilities**
• You must review all AI-generated content before use
• AI outputs do not constitute legal advice
• You are responsible for maintaining professional supervision over AI-assisted work

**Data Handling**
• PHI is retained only as long as necessary to provide services
• You may request deletion of your data at any time
• Breach notification will be provided within 10 calendar days of discovery

Full Legal Acknowledgment Text

For users who click "View Full Acknowledgment" or for legal records:

BUSINESS ASSOCIATE AGREEMENT ACKNOWLEDGMENT

By checking this box and clicking "Accept" (or proceeding with account creation),
I, on behalf of myself and my organization (the "Covered Entity"), acknowledge
and agree to the following:

1. AGREEMENT TO TERMS
   I have read, understand, and agree to be bound by:
   (a) The Business Associate Agreement between Glass Box Solutions, Inc. and
       Covered Entity; and
   (b) The AI Processing Addendum supplementing the Business Associate Agreement.

2. AUTHORITY TO BIND
   I represent and warrant that I have the legal authority to bind my organization
   to this Business Associate Agreement.

3. HIPAA COMPLIANCE
   I understand that Glass Box Solutions, Inc. is a Business Associate as defined
   under HIPAA and will handle Protected Health Information (PHI) in accordance
   with HIPAA regulations (45 CFR Parts 160 and 164).

4. AI PROCESSING ACKNOWLEDGMENT
   I understand and acknowledge that:
   (a) PHI may be processed using artificial intelligence technologies;
   (b) AI outputs may contain errors and must be verified before reliance;
   (c) AI outputs do not constitute legal advice;
   (d) A licensed attorney must supervise all AI-assisted legal work.

5. NO MODEL TRAINING
   I understand that Glass Box Solutions has obtained contractual commitments
   from our AI provider (Google) that my organization's PHI will not be used
   for AI model training.

6. DATA SECURITY
   I understand that PHI will be:
   (a) Encrypted in transit using TLS 1.3;
   (b) Encrypted at rest using AES-256;
   (c) Subject to access controls and audit logging;
   (d) Retained in accordance with the Data Retention Policy.

7. BREACH NOTIFICATION
   I understand that Glass Box Solutions will notify my organization of any
   breach of unsecured PHI within ten (10) calendar days of discovery.

8. PROFESSIONAL SUPERVISION REQUIREMENT
   I acknowledge the Professional Supervision Requirement set forth in Section
   1A of the End User License Agreement and agree to maintain appropriate
   attorney oversight of all AI-generated content.

9. ELECTRONIC SIGNATURE
   I agree that checking this box and completing account registration constitutes
   my electronic signature and acceptance of the Business Associate Agreement
   and AI Processing Addendum, with the same legal force and effect as a
   handwritten signature.

Acceptance Date: [Auto-populated timestamp]
User Email: [Auto-populated]
Organization: [Auto-populated if available]
IP Address: [Auto-populated]

Database Schema

Store acceptance records with the following fields:

CREATE TABLE baa_acceptances (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id UUID NOT NULL REFERENCES users(id),
  organization_id UUID REFERENCES organizations(id),

  -- Document versions accepted
  baa_version VARCHAR(20) NOT NULL,           -- e.g., "1.0"
  ai_addendum_version VARCHAR(20) NOT NULL,   -- e.g., "1.0"

  -- Acceptance metadata
  accepted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
  ip_address INET,
  user_agent TEXT,

  -- Legal record
  full_acknowledgment_text TEXT NOT NULL,     -- Store the exact text shown
  checkbox_text TEXT NOT NULL,                -- Store the checkbox label text

  -- Audit
  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),

  CONSTRAINT unique_user_baa UNIQUE (user_id, baa_version, ai_addendum_version)
);

CREATE INDEX idx_baa_acceptances_user ON baa_acceptances(user_id);
CREATE INDEX idx_baa_acceptances_org ON baa_acceptances(organization_id);
CREATE INDEX idx_baa_acceptances_date ON baa_acceptances(accepted_at);

API Endpoint

// POST /api/legal/baa-acceptance
interface BAAAcceptanceRequest {
  userId: string;
  organizationId?: string;
  baaVersion: string;
  aiAddendumVersion: string;
  checkboxText: string;
  fullAcknowledgmentText: string;
}

interface BAAAcceptanceResponse {
  id: string;
  acceptedAt: string;
  baaVersion: string;
  aiAddendumVersion: string;
}

Document Links

Configure these URLs in your environment:

# Production URLs for BAA documents
BAA_DOCUMENT_URL=https://adjudica.ai/legal/business-associate-agreement
AI_ADDENDUM_URL=https://adjudica.ai/legal/ai-processing-addendum

# Or hosted document URLs
BAA_DOCUMENT_URL=https://docs.adjudica.ai/legal/baa
AI_ADDENDUM_URL=https://docs.adjudica.ai/legal/ai-addendum

React Component Example

// @Developed & Documented by Glass Box Solutions, Inc.

import { useState } from 'react';
import { Checkbox } from '@/components/ui/checkbox';
import { Button } from '@/components/ui/button';
import { ExternalLink } from 'lucide-react';

interface BAACheckboxProps {
  onAccept: (accepted: boolean) => void;
  baaUrl: string;
  aiAddendumUrl: string;
}

export function BAACheckbox({ onAccept, baaUrl, aiAddendumUrl }: BAACheckboxProps) {
  const [checked, setChecked] = useState(false);
  const [expanded, setExpanded] = useState(false);

  return (
    <div className="space-y-4 rounded-lg border border-gray-200 p-4">
      {/* Key Points Summary */}
      <div className="text-sm text-gray-600">
        <h4 className="font-semibold text-gray-900 mb-2">
          Business Associate Agreement Summary
        </h4>
        <ul className="space-y-1 list-disc list-inside">
          <li>Your clients' PHI will be handled in HIPAA compliance</li>
          <li>AI providers cannot use your data for model training</li>
          <li>AI outputs must be verified by a licensed attorney</li>
          <li>Breach notification within 10 days of discovery</li>
        </ul>
      </div>

      {/* Checkbox */}
      <div className="flex items-start gap-3">
        <Checkbox
          id="baa-acceptance"
          checked={checked}
          onCheckedChange={(value) => {
            setChecked(!!value);
            onAccept(!!value);
          }}
          className="mt-1"
        />
        <label htmlFor="baa-acceptance" className="text-sm cursor-pointer">
          I acknowledge that I have read and understand the{' '}
          <a
            href={baaUrl}
            target="_blank"
            rel="noopener noreferrer"
            className="text-blue-600 hover:underline inline-flex items-center gap-1"
          >
            Business Associate Agreement
            <ExternalLink className="h-3 w-3" />
          </a>{' '}
          and{' '}
          <a
            href={aiAddendumUrl}
            target="_blank"
            rel="noopener noreferrer"
            className="text-blue-600 hover:underline inline-flex items-center gap-1"
          >
            AI Processing Addendum
            <ExternalLink className="h-3 w-3" />
          </a>
          , and I agree to be bound by their terms.
        </label>
      </div>

      {/* Expand full acknowledgment */}
      <button
        type="button"
        onClick={() => setExpanded(!expanded)}
        className="text-xs text-gray-500 hover:text-gray-700 underline"
      >
        {expanded ? 'Hide' : 'View'} full legal acknowledgment
      </button>

      {expanded && (
        <div className="text-xs text-gray-600 bg-gray-50 p-3 rounded max-h-48 overflow-y-auto">
          {/* Full acknowledgment text here */}
          <p className="font-semibold mb-2">BUSINESS ASSOCIATE AGREEMENT ACKNOWLEDGMENT</p>
          <p>By checking this box, I acknowledge and agree to the terms...</p>
          {/* ... rest of full text ... */}
        </div>
      )}
    </div>
  );
}

Validation Requirements

Before allowing form submission:

Checkbox must be checked — Display error: "You must accept the Business Associate Agreement to continue"
Links must be functional — Test that BAA documents are accessible
Timestamp must be recorded — Server-side, not client-side
Version must be stored — Track which version of BAA was accepted

Re-Acceptance Triggers

Require users to re-accept the BAA when:

BAA version changes — Material updates to the agreement
AI Addendum version changes — Changes to AI processing terms
New AI provider added — Per Section 4.3 of AI Addendum (30-day notice)
User changes organization — New Covered Entity requires new acceptance
Annual re-confirmation — Optional, for additional compliance assurance

Audit Trail Requirements

For HIPAA compliance, maintain:

Immutable acceptance records — Never delete or modify
Document version history — Store historical versions of BAA/Addendum
Access logs — Who viewed/downloaded the full documents
Re-acceptance history — Track all acceptance events per user

Document	Path	Purpose
Full BAA	`legal/templates/BUSINESS_ASSOCIATE_AGREEMENT_TEMPLATE.md`	Complete BAA template
AI Addendum	`legal/final-documents/product/BAA_AI_ADDENDUM.md`	AI processing terms
EULA	`legal/final-documents/product/END_USER_LICENSE_AGREEMENT.md`	End user license
Privacy Policy	`legal/final-documents/corporate/PRIVACY_POLICY.md`	Privacy practices
AI Transparency	`legal/final-documents/product/AI_TRANSPARENCY_DISCLOSURE.md`	AI capabilities/limitations

Business Associate Agreement — Checkbox Acknowledgment