Three Gates Developer Docs

BAA Management

Configure Business Associate Agreement status to authorize identifiable PHI flow to external integration endpoints (FHIR, patient matching, claims systems).

What a BAA gates in Three Gates

A Business Associate Agreement (BAA) is a HIPAA-required contract between a Covered Entity and a Business Associate that permits the sharing of Protected Health Information (PHI) under specified safeguards.

What the BAA toggle controls in Three Gates

The BAA setting in Three Gates governs whether the platform may transmit identifiable PHI to configured external integration endpoints on the customer's behalf — for example, FHIR endpoints, patient-matching services, claims systems, and EHR write-back targets. These are non-AI integration paths.

The BAA setting does not change what an AI model receives. In both Tier 1 and Tier 2, the three-gate enforcement boundary tokenizes detected PHI before any model invocation. AI providers are not the destination for identifiable PHI in either tier.

Tier 2 (BAA executed)

External integration endpoints authorized to receive identifiable PHI:

  • FHIR data exchange with covered partners
  • Patient-matching services
  • Claims and billing systems
  • EHR write-back integrations

AI model invocations continue to receive only tokenized content for any detected PHI.

Tier 1 (no BAA)

External integration endpoints receive only de-identified content:

  • Detected PHI tokenized before external transmission
  • Read-only integrations that do not require a BAA
  • Workflows operating on de-identified content
  • AI-assisted tasks on de-identified inputs

AI model invocations behave the same as in Tier 2 — tokenized content only.

Customer determination: Whether a particular workflow can run in Tier 1 without a BAA, or requires Tier 2 with a BAA in place, is a determination your organization makes based on its own HIPAA risk assessment and the destination endpoint's terms.

Accessing BAA Management

BAA management is available in the System Admin area (site admin access required).

1. Navigate to System Settings
   Click on your profile menu → System Admin

2. Go to Compliance Section
   In the left sidebar, navigate to Compliance → BAA Status

3. Configure BAA Settings
   Enter the BAA details, upload the signed agreement, and enable Tier 2 routing for external integration endpoints

Admin only: BAA configuration requires site admin permissions. Contact your organization administrator if you don't have access.

Configuring BAA Status

The BAA configuration form requires the following information:

BAA Signed

Toggle to indicate whether your organization has executed a Business Associate Agreement with Three Gates.

Signed Date & Expiration Date

Enter when the BAA was signed and when it expires. The system displays warnings 30 days before expiration and blocks Tier 2 routing to external integration endpoints after expiration.

BAA Provider Name

Name of the counterparty on the executed agreement (typically "Three Gates" or your specific vendor contact).

BAA Document URL

Optional URL to the signed BAA document (link to SharePoint, Google Drive, or document management system).

Enable Tier 2 Routing

Master toggle authorizing Three Gates to transmit identifiable PHI to configured external integration endpoints under the executed BAA. This is administratively separate from the BAA-signed flag so an organization can stage configuration before activating routing.

External Routing Acknowledgment

Before Tier 2 routing can begin, an authorized user must acknowledge the scope of what the BAA toggle authorizes in Three Gates.

Acknowledgment Statement:

“I acknowledge that by enabling Tier 2 routing, our organization authorizes Three Gates to transmit identifiable Protected Health Information (PHI) to the external integration endpoints we have configured (for example, FHIR endpoints, patient-matching services, claims systems, and EHR write-back targets), under the terms of the BAA we have executed. I understand that:
  • The three-gate enforcement boundary continues to govern what reaches AI model providers, and AI providers do not receive identifiable PHI in either Tier 1 or Tier 2.
  • A valid Business Associate Agreement with Three Gates is in place.
  • Each external integration endpoint is either a covered partner under our BAA scope or otherwise authorized to receive PHI under our HIPAA risk assessment.
  • Our organization retains responsibility for HIPAA obligations and will maintain appropriate safeguards for PHI.”
1. Click "Acknowledge External Routing"
   The button appears after Tier 2 routing has been enabled.

2. Review Acknowledgment Statement
   Read the full attestation in the modal dialog.

3. Enter Attestation Text
   Type "I acknowledge" to confirm understanding.

4. Submit Acknowledgment
   Your user ID and a timestamp are recorded in the audit log.

Required: Tier 2 routing to external integration endpoints will not execute until this acknowledgment is completed, even when the BAA is signed and Tier 2 is enabled.

Tier 2 Eligibility Check

The BAA status page shows real-time eligibility for Tier 2 external routing based on all requirements.

Eligibility Requirements:

  • BAA must be signed
  • BAA must not be expired (expiration date in the future)
  • Tier 2 routing must be enabled
  • Customer must have completed the external routing acknowledgment

Eligibility Status Indicators:

Eligible for Tier 2

All requirements met. Workflows that route identifiable PHI to configured external endpoints can execute.

Not Eligible

One or more requirements not met. Tier 1 workflows continue to operate. See status message for details.

Expiration Warnings

The system monitors BAA expiration dates and displays warnings to prevent inadvertent lapse.

30-Day Warning

Alert appears when the BAA expires within 30 days. Begin renewal process.

7-Day Critical Warning

Urgent alert when the BAA expires within 7 days. Contact vendor to expedite renewal.

Expired BAA

Tier 2 external routing is automatically blocked when the BAA expires. Workflows that depend on identifiable PHI flowing to external integration endpoints will fail at the compliance gate. Tier 1 workflows continue to operate.

Best practice: Set a calendar reminder 60 days before expiration to begin BAA renewal with ample time for contract review.

Workflow Compliance Gate

Workflows that route identifiable PHI to external integration endpoints include a "Compliance Gate" step that validates BAA status before that external transmission occurs. This gate is independent of the three-gate enforcement boundary that governs AI model invocations.

// Compliance Gate Configuration
{
  "stepType": "compliance_gate",
  "checks": [
    "baa_signed",
    "baa_not_expired",
    "tier2_enabled",
    "external_routing_acknowledged"
  ],
  "blockOnFailure": true
}

Gate Behavior:

All Checks Pass

Workflow continues, and identifiable PHI may be transmitted to the configured external endpoint.

Any Check Fails

External routing is blocked with an error message specifying the failure reason. Tier 1 paths remain available.

What this gate does and does not do: The compliance gate enforces the BAA precondition for routing identifiable PHI to external integration endpoints. It does not govern AI model invocations — those are governed by the three-gate enforcement boundary regardless of BAA status, and tokenize detected PHI before the model is invoked.
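The eligibility requirements, the expiration warning thresholds and the compliance gate above all describe one decision: may identifiable PHI leave the platform for a configured external endpoint right now? The following is an added example, not Three Gates' own code, that evaluates the four checks named in the compliance_gate configuration against a hypothetical BAA status record, derives the 30-day, 7-day and expired warning level shown on the status page, and returns a record shaped like a gate result for the workflow execution log. The BaaStatus field names, the sample_status helper and the date used as "today" are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The page's Compliance Gate configuration, reproduced as a Python dict.
GATE_CONFIG = {
    "stepType": "compliance_gate",
    "checks": [
        "baa_signed",
        "baa_not_expired",
        "tier2_enabled",
        "external_routing_acknowledged",
    ],
    "blockOnFailure": True,
}

WARNING_DAYS = 30   # 30-Day Warning threshold from the page
CRITICAL_DAYS = 7   # 7-Day Critical Warning threshold from the page

SAMPLE_TODAY = date(2025, 3, 1)  # constructed "today" for the examples below


@dataclass(frozen=True)
class BaaStatus:
    """Hypothetical record of the BAA configuration form (field names assumed)."""
    baa_signed: bool
    expiration_date: Optional[date]
    tier2_enabled: bool
    external_routing_acknowledged: bool


def sample_status(days_until_expiry: int, signed: bool = True, tier2: bool = True,
                  acknowledged: bool = True) -> BaaStatus:
    """Constructed BAA record expiring the given number of days after SAMPLE_TODAY."""
    return BaaStatus(signed, SAMPLE_TODAY + timedelta(days=days_until_expiry),
                     tier2, acknowledged)


def is_expired(status: BaaStatus, today: date) -> bool:
    # "Not expired" means the expiration date lies in the future. A missing
    # date fails closed so an unconfigured BAA can never satisfy the gate.
    return status.expiration_date is None or status.expiration_date <= today


def expiration_warning(status: BaaStatus, today: date) -> Optional[str]:
    """Warning level for the status page: 'expired', 'critical', 'warning' or None."""
    if status.expiration_date is None:
        return None
    if is_expired(status, today):
        return "expired"
    days_left = (status.expiration_date - today).days
    if days_left <= CRITICAL_DAYS:
        return "critical"
    if days_left <= WARNING_DAYS:
        return "warning"
    return None


def run_check(name: str, status: BaaStatus, today: date) -> bool:
    """Evaluate one named check from the gate configuration."""
    if name == "baa_signed":
        return status.baa_signed
    if name == "baa_not_expired":
        return not is_expired(status, today)
    if name == "tier2_enabled":
        return status.tier2_enabled
    if name == "external_routing_acknowledged":
        return status.external_routing_acknowledged
    # An unknown check name is a configuration error; fail closed, never skip it.
    raise ValueError(f"unknown compliance check: {name}")


def compliance_gate(config: dict, status: BaaStatus, today: date, user_id: str) -> dict:
    """Run every configured check; allow external routing only if all pass.

    Implements the page's blockOnFailure: true behaviour. The returned dict is
    shaped as the entry a workflow execution record would keep for the gate.
    """
    if not config.get("blockOnFailure", True):
        raise ValueError("this example only implements blockOnFailure: true")
    results = {name: run_check(name, status, today) for name in config["checks"]}
    failed = [name for name, ok in results.items() if not ok]
    return {
        "stepType": config["stepType"],
        "user_id": user_id,
        "evaluated_on": today.isoformat(),
        "results": results,
        "failed_checks": failed,
        "allowed": not failed,
        "expiration_warning": expiration_warning(status, today),
        "reason": "all checks passed" if not failed else "blocked: " + ", ".join(failed),
    }


if __name__ == "__main__":
    # A BAA expiring in 20 days passes the gate but already carries the 30-day warning.
    print(compliance_gate(GATE_CONFIG, sample_status(20), SAMPLE_TODAY, "admin@example.org"))
```

Two design choices are deliberate: a missing expiration date and an unrecognised check name both fail closed, so a half-configured BAA or a typo in the gate's check list can never open the external routing path by accident, and the per-check results travel with the decision so the audit record explains why a workflow was blocked rather than only that it was.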

Audit & Compliance Logging

BAA configuration changes and Tier 2 routing activities are recorded in the immutable audit log.

BAA Status Changes

Logged with user ID, timestamp, and changed fields

Tier 2 Enable/Disable

Recorded with administrative user who made the change

Acknowledgment Records

Attestation text, user ID, and timestamp permanently stored

Compliance Gate Results

Every gate check logged in the workflow execution record