Business Associate Agreement

Last updated: April 2026

What is a BAA?

A Business Associate Agreement (BAA) is a contract required by the Health Insurance Portability and Accountability Act (HIPAA) between a healthcare provider, health plan, or healthcare clearinghouse (a “Covered Entity”) and a service provider (a “Business Associate”) that creates, receives, maintains, or transmits Protected Health Information (PHI) on the Covered Entity's behalf. The BAA establishes the permitted uses and disclosures of PHI, the safeguards the Business Associate must implement, and its breach notification obligations.

Our Commitment

AssistedCare executes a Business Associate Agreement with every customer before any PHI is processed. No exceptions. Our BAA covers:

  • Permitted uses and disclosures of PHI, limited to providing and improving the Service
  • Administrative, physical, and technical safeguards to protect PHI
  • Breach notification obligations, including timelines and required disclosures
  • Requirements for subcontractors who may access PHI
  • Return or destruction of PHI upon termination of the agreement

Security Safeguards

Our BAA is backed by comprehensive security safeguards across all three categories required by the HIPAA Security Rule:

Administrative Safeguards

  • Workforce training on HIPAA and privacy best practices
  • Access management policies enforcing minimum necessary access
  • Designated security and privacy officers
  • Regular risk assessments and remediation

Physical Safeguards

  • Facility access controls for all data processing environments
  • Workstation security policies and device management
  • Media disposal and re-use procedures

Technical Safeguards

  • Encryption at rest (AES-256, SQLCipher) and in transit (TLS 1.3)
  • Role-based access controls with unique user authentication
  • Immutable, append-only audit logs recording every access to PHI
  • Data integrity controls including hash-chain verification
  • Automatic session timeout and re-authentication requirements

Breach Notification

In the event of a breach of unsecured PHI, AssistedCare is committed to rapid and transparent notification:

  • We notify affected Covered Entities within 24 hours of discovering a breach, well inside the HIPAA Breach Notification Rule's outer limit of 60 calendar days after discovery for Business Associate notification
  • We provide all information required for the Covered Entity to fulfill its HIPAA breach notification obligations
  • We cooperate fully with breach investigations and mitigation efforts
  • We maintain documented incident response procedures tested through regular drills

Subcontractors

We take subcontractor compliance seriously:

  • All subcontractors with access to PHI are required to sign downstream Business Associate Agreements
  • We maintain ongoing oversight and compliance monitoring of all subcontractors
  • A current list of subcontractors handling PHI is available upon request

Request a BAA

Ready to get started? Every AssistedCare customer receives a fully executed BAA before onboarding begins. To request a BAA or discuss your compliance needs:

  • Our standard BAA is available for immediate execution; custom terms are negotiable for enterprise customers
  • Reach out to us via our Contact Us page to schedule a compliance consultation