HIPAA Legal Document

CriteriaIQ Business
Associate Agreement

This Agreement governs the handling of Protected Health Information between your organization and Cavan Ventures, LLC (operating as CriteriaIQ) in connection with your use of the CriteriaIQ platform.

✓ HIPAA 45 CFR Parts 160 & 164
✓ Effective: Date of Checkout Acceptance
✓ Covers Chrome Extension & RCM Platform
Important Notice Regarding AI Processing

CriteriaIQ uses the Anthropic Claude API for AI-assisted clinical analysis. Cavan Ventures, LLC is actively pursuing a Business Associate Agreement with Anthropic, Inc. Until that agreement is fully executed, users are advised to treat CriteriaIQ outputs as clinical decision support to be reviewed by a licensed clinician prior to submission to any payer, and to minimize unnecessary inclusion of direct patient identifiers in chart data submitted for analysis where clinically feasible.

I.

Definitions

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164):

  • Business Associate — Cavan Ventures, LLC, operating as CriteriaIQ, located in Deerfield Beach, Florida.
  • Covered Entity — The subscribing organization accepting this Agreement at the time of checkout.
  • Protected Health Information (PHI) — Any individually identifiable health information transmitted or maintained in any form or medium.
  • Services — The CriteriaIQ Chrome Extension and CriteriaIQ RCM platform, both operated by Cavan Ventures, LLC.
  • Security Incident — The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
  • Unsecured PHI — PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons.
II.

Obligations of Cavan Ventures, LLC

Cavan Ventures, LLC agrees to:

  1. Permitted Uses. Not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
  2. Appropriate Safeguards. Use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI.
  3. Breach Notification. Notify the Covered Entity of any Breach of Unsecured PHI within thirty (30) days of discovery.
  4. Subcontractors. Ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and requirements.
  5. Access to PHI. Make available PHI in a Designated Record Set within five (5) business days of request per 45 CFR 164.524.
  6. Amendment. Make any amendment(s) to PHI as directed within five (5) business days of written request per 45 CFR 164.526.
  7. No Sale of PHI. Never sell, transfer, or use PHI for marketing, advertising, or any commercial purpose beyond providing the Services.
  8. AI Processing Disclosure. PHI processed through CriteriaIQ is transmitted to the Anthropic Claude API for analysis only and is not stored in any AI training dataset. Cavan Ventures, LLC is actively pursuing a formal BAA with Anthropic, Inc.
  9. Minimum Necessary. Apply the minimum necessary standard to all uses, disclosures, and requests of PHI in accordance with 45 CFR 164.502(b).
III.

Permitted Uses and Disclosures

  1. Services. Use PHI as necessary to provide the CriteriaIQ Services, including AI-assisted clinical documentation analysis, utilization review support, revenue cycle management functions, and related platform features.
  2. Operations. Use PHI for the proper management and administration of Cavan Ventures, LLC or to carry out its legal responsibilities.
  3. Required by Law. Disclose PHI as Required by Law, provided that Cavan Ventures, LLC notifies the Covered Entity in advance where legally permissible.
IV.

Obligations of the Covered Entity

  1. Notify Cavan Ventures, LLC of any limitation in its Notice of Privacy Practices that may affect permitted uses or disclosures of PHI.
  2. Not request that Cavan Ventures, LLC use or disclose PHI in any manner not permissible under the HIPAA Rules.
  3. Ensure all personnel accessing CriteriaIQ are authorized workforce members with legitimate need to access PHI.
V.

Term and Termination

  1. Term. This Agreement is effective as of the date the Covered Entity accepts at checkout and continues until terminated.
  2. Termination for Cause. Upon knowledge of a material breach, the Covered Entity may provide an opportunity to cure or terminate this Agreement.
  3. Effect of Termination. Upon termination, Cavan Ventures, LLC shall return or destroy all PHI within thirty (30) days and provide written confirmation upon request.
VI.

Miscellaneous

  1. Governing Law. This Agreement is governed by the laws of the State of Florida.
  2. Amendment. This Agreement may be amended by Cavan Ventures, LLC upon thirty (30) days written notice. Continued use constitutes acceptance.
  3. Electronic Acceptance. Acceptance at checkout constitutes a legally binding electronic signature pursuant to the E-SIGN Act, 15 U.S.C. 7001 et seq. The acceptance timestamp, email address, and IP address are recorded as evidence of execution.
  4. Notices. All compliance notices: compliance@criteriaiq.com or by mail to Cavan Ventures, LLC, Deerfield Beach, Florida.
This Agreement is accepted electronically at checkout

By checking the BAA acceptance box during checkout, the Covered Entity agrees to all terms on behalf of their organization. The acceptance timestamp, email, and IP address are recorded as evidence of execution.

Start Free Trial — Accept BAA at Checkout

Last updated: April 2026 · Cavan Ventures, LLC · Deerfield Beach, Florida · Subject to change with 30 days notice.

© 2026 CriteriaIQ — Cavan Ventures, LLC · Deerfield Beach, Florida · HIPAA-Ready · support@criteriaiq.com