Our BAA commitment.

A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA whenever a covered entity — such as a healthcare provider, health plan, or clearinghouse — shares Protected Health Information (PHI) with a business associate that performs services on its behalf.

The BAA defines the permitted uses and disclosures of PHI, establishes safeguards the business associate must implement, and outlines breach notification obligations. Without a BAA in place, sharing PHI with a third party violates HIPAA regulations.

For healthcare commerce, a BAA is essential because transactions often involve patient data, insurance information, and health-related purchase histories — all of which qualify as PHI under HIPAA.

HealthSail treats BAA readiness as a core platform capability, not an afterthought. Our standard BAA is drafted in collaboration with healthcare compliance counsel and reflects the latest HHS guidance on business associate obligations.

Every HealthSail plan that involves PHI processing comes with BAA eligibility. Our standard agreement covers all platform services, including data storage, processing, transmission, and backup. Enterprise customers can negotiate custom BAA terms to align with their specific organizational requirements and risk posture.

We maintain our own compliance program, including annual HIPAA security risk assessments, workforce training, and documented policies and procedures — so your BAA is backed by operational substance, not just contractual language.

Platform Services: The BAA covers all HealthSail platform capabilities — commerce engine, patient portal, secure forms, compliance dashboard, and analytics — when configured to handle PHI.

Data Handling: Coverage extends to all stages of the data lifecycle within HealthSail, including ingestion, processing, storage, transmission, backup, and disposal. Encryption, access control, and audit logging are enforced at every stage.

Integrations: When HealthSail connects to your EHR, practice management system, or other healthcare applications, the BAA covers data that transits through our integration layer. For third-party services accessed through HealthSail, we maintain our own BAA relationships with subcontractors.

Subcontractors: HealthSail extends BAA obligations to all subcontractors who may access PHI in the course of providing our services. We maintain a current list of subprocessors and notify customers of material changes.

Obtaining a BAA from HealthSail is straightforward. You can initiate the process by booking a Compliance Blueprint session, where our team reviews your requirements, walks you through the agreement, and answers any questions about coverage scope.

For Starter and Growth plans, we provide a standard BAA that can typically be executed within a few business days. Enterprise customers receive a dedicated compliance liaison to manage custom BAA negotiations, which generally complete within two to four weeks.

To get started, schedule a Compliance Blueprint session and our team will guide you through the process.

Healthcare commerce platforms rarely operate in isolation. HealthSail connects to EHR systems, practice management platforms, payment processors, and other healthcare applications — each of which may handle PHI.

When data flows through HealthSail to a third-party integration, our BAA covers the data while it is within our platform and integration layer. For downstream services, we maintain our own BAA relationships with integration partners and subprocessors.

We recommend that customers also establish direct BAA relationships with third-party vendors where PHI flows directly between systems outside of the HealthSail integration layer. Our compliance team can advise on the appropriate BAA structure for your integration architecture.