Business Associate Agreement
Public summary updated: April 21, 2026
This page is a public summary of PHIGuard's current standard Business Associate Agreement. The operative BAA for each customer is the version reviewed and accepted in PHIGuard's onboarding flow for that customer's legal entity.
When PHIGuard acts as a business associate
PHIGuard acts as a business associate when it creates, receives, maintains, or transmits Protected Health Information on behalf of a customer. The current standard BAA supplements the governing PHIGuard Terms of Service and controls if there is a conflict about PHI handling.
How the BAA is accepted
PHIGuard uses a native in-app legal acceptance flow. During onboarding, an authorized organization owner or admin reviews and accepts the current standard Terms and current standard BAA together on behalf of the customer legal entity.
Billing stays locked until the current BAA and current Terms have been accepted. PHIGuard records the acceptance timestamp, signer details, accepted document version, and execution artifacts for the organization.
What the current standard BAA covers
Permitted uses and disclosures
PHIGuard may use and disclose PHI only as needed to provide the contracted services, as otherwise permitted by the BAA, or as required by law. PHIGuard does not claim a right to use PHI for marketing.
Safeguards
The current standard BAA requires PHIGuard to implement appropriate administrative, physical, and technical safeguards for PHI and to comply with applicable HIPAA Security Rule obligations for ePHI.
Security incident and breach reporting
The current standard BAA requires PHIGuard to report impermissible uses or disclosures of PHI and Security Incidents as required by HIPAA and the agreement. It also requires notice of a Breach of Unsecured PHI without unreasonable delay and no later than the outside deadline required by HIPAA.
Subcontractors
If a subcontractor creates, receives, maintains, or transmits PHI on PHIGuard's behalf, the current standard BAA requires PHIGuard to bind that subcontractor to the same restrictions and conditions that apply to PHIGuard. Public vendor disclosure is available on the Subprocessors page.
Support for customer HIPAA obligations
To the extent PHIGuard maintains PHI in a designated record set or otherwise holds information needed for customer HIPAA requests, the current standard BAA requires PHIGuard to support customer access, amendment, and accounting obligations as required by HIPAA.
Termination and post-termination handling
The current standard BAA permits termination for a material breach that remains uncured after notice. At termination, PHIGuard supports its standard product export and deletion handling. If return or destruction of PHI is infeasible, PHIGuard must continue to protect that PHI and limit further use and disclosure as required by HIPAA.
Executed copies and current versioning
PHIGuard stores executed legal evidence per acceptance record. The accepted BAA version is tied to the organization's legal acceptance history, and PHIGuard can require re-acceptance if a newer standard BAA version becomes current.
Public questions about PHIGuard's BAA can be sent to angel.campa@phiguard.app.