HIPAA Compliance · Beta Preparation

BAA Templates & Vendor Compliance

Business Associate Agreement templates and a vendor checklist for TheraSignal's HIPAA obligations before handling real patient data in beta. Draft these, have counsel review, sign before PHI touches any system.


Attorney Review Required. These templates are professionally drafted starting points — not final legal documents. Have a healthcare attorney review and execute before using with any covered entity, vendor, or patient data. These drafts significantly speed up that review process.

2 BAA Templates · 12+ Vendors to Assess · §164 CFR Reference
01. HIPAA BAA Requirements

45 CFR §164.504(e) — Mandatory elements for every Business Associate Agreement

Permitted Uses & Disclosures

The BAA must specify exactly what the Business Associate may do with PHI. The Business Associate may use or disclose PHI only as permitted by the BAA or as required by law. Any use beyond the listed purposes is a breach.

Prohibition on Unauthorized Use

BA must not use or disclose PHI other than as permitted or required. Must not use PHI in a manner that would violate HIPAA Privacy Rule if done by the Covered Entity.

Appropriate Safeguards

BA must implement appropriate safeguards — administrative, physical, and technical — to prevent unauthorized use or disclosure. Required under Security Rule for ePHI (45 CFR §164.312).

Breach Notification Obligations

BA must report security incidents to the Covered Entity. For breaches: notify within 60 days of discovery (federal). Some states require faster — CA requires "expedient" notice. BAA should require 5–10 business days.

Subcontractor BAAs

If the BA engages subcontractors who handle PHI, the BA must obtain BAAs from them with equivalent protections. Downstream liability flows through the chain.

Access & Amendment Rights

BA must make PHI available for access and amendment requests from the Covered Entity within required timeframes. Must track disclosures for accounting requests (45 CFR §164.528).

Return or Destroy PHI on Termination

On termination: return or destroy all PHI and retain no copies. If infeasible to destroy (e.g., backups), extend protections and limit use to the purpose that makes return infeasible.

Termination for Cause

Covered Entity must be permitted to terminate the BAA if the BA violates a material term. HHS requires this provision. BAA should also permit termination if the BA determines it cannot comply.

TheraSignal's Dual Role

TheraSignal operates in two capacities under HIPAA: (1) as a Covered Entity's Business Associate when serving therapist practices that are covered entities, and (2) as a Covered Entity itself if it stores, processes, or transmits PHI as a healthcare clearinghouse or provider. In practice, for beta: TheraSignal is most likely a Business Associate to covered-entity therapist practices. This means you need BAAs in both directions — outgoing to your infrastructure vendors, and incoming from the practices you serve.

02. Outgoing BAA Template

Send this to hosting providers, database vendors, and AI processing services that will handle PHI on TheraSignal's behalf

When to Use This Template

Use this when TheraSignal is the Covered Entity (or acting as agent for one) and you're contracting with a downstream vendor who will access, process, or store PHI — e.g., your database host (Neon), compute host (Render), or AI API provider (Anthropic). Fill in highlighted fields before sending.

BUSINESS ASSOCIATE AGREEMENT — Outgoing (Vendor / Subcontractor) TheraSignal → Vendor

This Business Associate Agreement ("Agreement") is entered into as of [EFFECTIVE DATE] by and between:

Covered Entity / Contractor: TheraSignal, Inc., a [STATE] corporation ("TheraSignal"), and

Business Associate: [VENDOR LEGAL NAME], a [STATE AND ENTITY TYPE] ("Business Associate").

This Agreement supplements and is incorporated into the underlying services agreement between the parties dated [SERVICES AGREEMENT DATE] ("Services Agreement").

1. Definitions

"PHI," "ePHI," "Covered Entity," "Business Associate," "Protected Health Information," "Breach," "Security Incident," and other capitalized terms used but not defined in this Agreement shall have the meanings set forth in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and implementing regulations at 45 C.F.R. Parts 160 and 164.

2. Obligations and Activities of Business Associate

Business Associate agrees to:

  • Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI it creates, receives, maintains, or transmits, as required by 45 C.F.R. Part 164, Subpart C.
  • Report to TheraSignal any use or disclosure of PHI not permitted by this Agreement of which it becomes aware, including Breaches of Unsecured PHI, within five (5) business days of discovery.
  • Report to TheraSignal any Security Incident of which it becomes aware, including successful and unsuccessful attempts to access, use, disclose, modify, or interfere with ePHI, within five (5) business days of discovery.
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to restrictions and conditions at least as stringent as those in this Agreement by executing a BAA with each such subcontractor.
  • Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with HIPAA.
  • Document all disclosures of PHI and make such documentation available to TheraSignal upon request to enable TheraSignal to respond to patient access or accounting requests.
  • Return to TheraSignal or, if directed by TheraSignal, destroy all PHI upon termination of this Agreement. Business Associate shall certify that no copies of PHI are retained. If return or destruction is not feasible, Business Associate shall extend protections of this Agreement indefinitely and limit further use to the purpose that makes return or destruction infeasible.

3. Permitted Uses and Disclosures by Business Associate

Business Associate may use and disclose PHI solely to perform the following services under the Services Agreement:

  • [Describe specific services, e.g.: "Hosting and storing TheraSignal application data including encrypted PHI on Render's infrastructure services"]
  • [Additional permitted use if any]

Business Associate may use PHI for its own proper management and administration or to carry out its legal responsibilities, provided disclosures are required by law or Business Associate obtains reasonable assurances from the recipient that PHI will be held confidentially and used only for the disclosed purpose.

Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by TheraSignal, except as permitted above.

4. Obligations of TheraSignal

TheraSignal shall:

  • Notify Business Associate of any restrictions on the use or disclosure of PHI that TheraSignal has agreed to with individuals.
  • Not request Business Associate to use or disclose PHI in any manner that would violate HIPAA.
  • Obtain any necessary authorizations and consents from patients prior to providing PHI to Business Associate.

5. Term and Termination

This Agreement shall remain in effect for the duration of the Services Agreement. Either party may terminate this Agreement if the other materially breaches this Agreement and fails to cure within thirty (30) days of written notice, or immediately if cure is not possible. TheraSignal may terminate immediately upon any breach that compromises PHI security. Upon termination, Section 2 obligations regarding return or destruction of PHI survive.

6. Indemnification

Business Associate agrees to indemnify, defend, and hold harmless TheraSignal and its officers, directors, and employees from and against any claims, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from Business Associate's breach of this Agreement or violation of applicable law relating to PHI.

7. Miscellaneous

This Agreement constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior agreements relating to PHI. This Agreement shall be governed by the laws of [GOVERNING STATE]. If any provision is unenforceable, the remainder shall remain in force. Amendments must be in writing signed by both parties.

Signatures:

TheraSignal, Inc.: _________________________ Date: ___________
Name: [AUTHORIZED SIGNATORY NAME]
Title: [TITLE]

[VENDOR LEGAL NAME]: _________________________ Date: ___________
Name: ________________________________
Title: ________________________________

03. Incoming BAA Template

Sign this when therapist practices or clinics (Covered Entities) want TheraSignal to agree to HIPAA obligations as their Business Associate

When to Use This Template

A therapist practice is a HIPAA Covered Entity. When it hires TheraSignal to process its patient data, it must have a BAA signed before sharing any PHI. This template is the one you sign: it positions TheraSignal as the Business Associate and accepts HIPAA obligations toward the practice. Use it for onboarding clinics and group practices in beta.

BUSINESS ASSOCIATE AGREEMENT — Incoming (TheraSignal as Business Associate) Practice → TheraSignal

This Business Associate Agreement ("Agreement") is entered into as of [EFFECTIVE DATE] by and between:

Covered Entity: [PRACTICE / CLINIC LEGAL NAME], a licensed healthcare practice ("Covered Entity"), and

Business Associate: TheraSignal, Inc., a [STATE] corporation ("TheraSignal" or "Business Associate").

This Agreement is entered in connection with certain services TheraSignal provides to Covered Entity pursuant to the TheraSignal Subscription Agreement or other services agreement dated [SERVICES AGREEMENT DATE] ("Services Agreement"), involving the use or disclosure of PHI.

1. Definitions

Capitalized terms used but not defined in this Agreement have the meanings set forth in HIPAA/HITECH and implementing regulations at 45 C.F.R. Parts 160 and 164, as may be amended.

2. Obligations of TheraSignal as Business Associate

TheraSignal agrees to:

  • Not use or disclose PHI other than as permitted or required by this Agreement or as required by applicable law.
  • Use appropriate safeguards and, for ePHI, comply with 45 C.F.R. Part 164 Subpart C (Security Rule), to prevent use or disclosure of PHI other than as provided by this Agreement.
  • Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHI, within ten (10) calendar days of discovery, along with the identity of affected individuals, PHI involved, and remediation steps taken.
  • Report any Security Incident, including attempts to access or modify ePHI, within ten (10) calendar days of discovery.
  • Ensure subcontractors that access PHI on TheraSignal's behalf execute BAAs with restrictions at least as stringent as this Agreement.
  • Make internal practices, books, and records relating to PHI available to HHS upon request for compliance purposes.
  • Provide access to PHI maintained in a Designated Record Set as requested by Covered Entity to allow it to fulfill individual rights requests (45 C.F.R. §164.524).
  • Make PHI available for amendment and incorporate amendments requested by Covered Entity (45 C.F.R. §164.526).
  • Document and make available information regarding disclosures to allow Covered Entity to comply with accounting of disclosures (45 C.F.R. §164.528).
  • On termination, return or destroy all PHI (in all media, including backups) and retain no copies unless return or destruction is infeasible, in which case TheraSignal shall extend protections of this Agreement to the retained PHI and limit further use to the purpose that makes return or destruction infeasible. TheraSignal shall provide Covered Entity written certification of disposition within thirty (30) days of termination.

3. Permitted Uses and Disclosures by TheraSignal

TheraSignal may use and disclose PHI only as necessary to:

  • Provide the services described in the Services Agreement, including: [patient symptom tracking, outcomes measurement, clinical signal analysis, secure therapist communication, session note integration].
  • Perform data aggregation services relating to the healthcare operations of Covered Entity (45 C.F.R. §164.504(e)(2)(i)(B)).
  • For TheraSignal's own proper management and administration, or to carry out its legal responsibilities, provided that disclosures are required by law, or that TheraSignal obtains reasonable assurances from the recipient of confidentiality.

TheraSignal shall not use PHI to train AI models without explicit written consent from Covered Entity and applicable patient authorization. De-identified data (meeting HIPAA Safe Harbor standard under 45 C.F.R. §164.514(b)) is not PHI and may be used for product improvement, research, and benchmarking.

TheraSignal shall not sell PHI or use PHI for marketing purposes without authorization.

4. Obligations of Covered Entity

Covered Entity shall:

  • Notify TheraSignal of any restriction on the use or disclosure of PHI and any revocation of such restrictions.
  • Obtain all consents, authorizations, and permissions required for TheraSignal to perform the services contemplated in the Services Agreement.
  • Not request TheraSignal to use or disclose PHI in any manner that would violate HIPAA.
  • Promptly notify TheraSignal of any changes to its Notice of Privacy Practices that may affect TheraSignal's use or disclosure of PHI.

5. Term and Termination

This Agreement shall remain in effect for the duration of the Services Agreement and shall automatically renew with any renewal thereof. Either party may terminate this Agreement for material breach upon thirty (30) days written notice if the breach is uncured. Covered Entity may terminate immediately upon discovery of a Breach affecting patient PHI. TheraSignal may terminate immediately if compliance becomes infeasible under applicable law. Sections 2 (obligations), 6 (indemnification), and 7 (survival) survive termination.

6. Indemnification

Each party agrees to indemnify, defend, and hold harmless the other party from claims, damages, and costs (including attorneys' fees) arising from that party's breach of this Agreement or violation of HIPAA/HITECH, to the extent caused by the indemnifying party's acts or omissions.

7. Miscellaneous

This Agreement, together with the Services Agreement, constitutes the entire agreement of the parties on this subject and supersedes all prior agreements. This Agreement shall be governed by the laws of [GOVERNING STATE]. Amendments require written agreement signed by both parties. No waiver of any provision shall be effective unless in writing. If any provision is found unenforceable, the balance remains in full force.

Signatures:

[COVERED ENTITY PRACTICE NAME]: _________________________ Date: ___________
Name: ________________________________
Title: ________________________________
NPI (if applicable): ___________________

TheraSignal, Inc.: _________________________ Date: ___________
Name: [AUTHORIZED SIGNATORY NAME]
Title: [TITLE]

04. Vendor Compliance Checklist

For each vendor that touches PHI, verify these items before beta launch

PHI Exposure Determines BAA Requirement

A BAA is required for any vendor that creates, receives, maintains, or transmits PHI on TheraSignal's behalf. This includes vendors that may access PHI even incidentally — e.g., a database host that stores encrypted PHI is a Business Associate because theoretically they could access the decryption key or the plaintext. When in doubt, get the BAA.

Pre-BAA Vendor Vetting

  • Confirm the vendor will have access to PHI (Required). Map all data flows. Will patient names, diagnoses, session content, or any of the 18 HIPAA identifiers flow through this vendor? If yes, a BAA is required.
  • Verify the vendor has a BAA program (Required). Most enterprise cloud providers offer BAAs. If a vendor refuses or has no BAA program, do not use them for PHI workloads. No exceptions.
  • Review the vendor's security certifications (Required). Look for: SOC 2 Type II, ISO 27001, FedRAMP authorization, or equivalent. Request their most recent security audit report or SOC 2 report.
  • Execute a signed BAA before any PHI is transmitted (Required). The BAA must be fully executed (signed by authorized parties on both sides) before a single byte of PHI flows to the vendor. Retroactive BAAs don't cure pre-BAA exposure.
  • Confirm the vendor's breach notification procedures (Required). Understand their incident response timeline. Verify it aligns with your BAA obligation to notify practices within HIPAA's 60-day window (aim for 5–10 days internally).
  • Document BAA execution in a vendor register (Required). Maintain a central log: vendor name, BAA execution date, renewal date, PHI data types covered, and point of contact. Auditors will ask for this.
  • Annual BAA review and renewal (Nice to Have). Review all BAAs annually. Services change, and scope creep can mean a vendor handling more PHI than originally anticipated. Update BAA scope as needed.
  • Obtain the vendor's penetration test reports (Nice to Have). Annual pen test reports (even summaries) show the vendor's security posture. For critical PHI vendors (database host, AI API), request the most recent test results.
05. Cloud Provider BAA Status

TheraSignal's current and planned vendors — BAA availability and activation steps

Infrastructure & AI Vendors — BAA Availability Matrix (for each vendor: role in TheraSignal, BAA availability, how to activate)

Amazon Web Services (AWS)
  Role: Hosting, storage, if using any AWS-based services
  BAA available: Yes — Free
  How to activate: Sign the AWS BAA in the AWS Artifact console. Must enable HIPAA-eligible services only. No cost.

Google Cloud Platform (GCP)
  Role: If using Vertex AI, Cloud SQL, or GCS for PHI
  BAA available: Yes — Free
  How to activate: Accept the BAA in GCP Console → IAM & Admin → Settings → HIPAA BAA. Free.

Microsoft Azure
  Role: Azure OpenAI, blob storage if applicable
  BAA available: Yes — Free
  How to activate: Microsoft includes a BAA in their Online Services Terms (OST) automatically for applicable services. Confirm scope.

Render
  Role: Primary compute host — runs TheraSignal app servers
  BAA available: Request Required
  How to activate: Render offers BAAs on paid plans. Contact support@render.com to request a BAA. Required before PHI workloads.

Neon (PostgreSQL)
  Role: Primary database — stores all patient and session data
  BAA available: Request Required
  How to activate: Neon offers BAAs on Business/Enterprise plans. Contact sales@neon.tech. Critical — upgrade plan if needed before PHI is stored.

Anthropic (Claude API)
  Role: AI processing — processes session notes and clinical signals
  BAA available: Request Required
  How to activate: Anthropic offers BAAs for enterprise customers. Contact privacy@anthropic.com or sales. Do not send raw PHI to the Claude API until the BAA is executed.

OpenAI
  Role: AI processing if used as fallback or for specific models
  BAA available: Request Required
  How to activate: OpenAI offers BAAs on ChatGPT Enterprise and API Enterprise plans. Not available on standard API tiers. Consider Azure OpenAI (BAA included) as an alternative.

Cloudflare
  Role: CDN, WAF, R2 storage (if used for media/attachments)
  BAA available: Request Required
  How to activate: Cloudflare offers BAAs on Enterprise plans. Contact enterprise@cloudflare.com. If using R2 for patient file uploads, a BAA is required.

Twilio / SendGrid
  Role: SMS/email notifications that may include PHI
  BAA available: Request Required
  How to activate: Twilio offers HIPAA-eligible products with a BAA. Only use the HIPAA-eligible product list. Do NOT send PHI via standard SMS (not encrypted).

GitHub
  Role: Source code hosting — should NOT contain PHI
  BAA available: Not Applicable
  How to activate: Ensure no PHI ever exists in code, configs, logs, or test fixtures in the repository. Audit test data. Use synthetic data only.

Stripe
  Role: Payment processing — should NOT handle clinical PHI
  BAA available: Not Applicable
  How to activate: Stripe handles payment data (PCI DSS scope), not clinical PHI. Ensure billing systems don't inadvertently include diagnosis codes or treatment info.

Datadog / LogRocket / Sentry
  Role: Monitoring, error tracking — may inadvertently capture PHI in logs
  BAA available: Check Plan
  How to activate: Datadog offers HIPAA on GovCloud/Enterprise. Scrub PHI from all log lines before sending to monitoring tools. Implement log sanitization middleware.

Critical: Render + Neon + Anthropic Are Blockers

These three vendors are TheraSignal's core infrastructure and all process PHI. BAAs with all three must be executed before beta launch. Start outreach now — Render and Neon typically respond within 1–5 business days. Anthropic enterprise BAAs may take longer; initiate immediately.

06. Pre-Beta Action Plan

Ordered steps to complete before the first real patient record touches TheraSignal

Step 1. Engage Healthcare Attorney

Send both BAA templates to a healthcare attorney for review. Ask specifically about: governing state law, indemnification caps, breach notification timelines, and any state-specific requirements (CA CMIA, TX THIPA, NY SHIELD). Budget 1–2 weeks for review. Cost: $500–$2,000 typical for template review.

Step 2. Contact Render, Neon, and Anthropic for BAAs

Initiate BAA requests simultaneously. Emails to send: support@render.com, sales@neon.tech, privacy@anthropic.com. Subject line: "BAA Request for HIPAA-Covered Healthcare Application." Include: company name, use case, expected PHI types, and timeline need. Follow up weekly.

Step 3. Audit Existing Code for PHI in Logs / Test Data

Search codebase for any hardcoded names, diagnoses, or realistic patient data in test fixtures, mocks, or logs. Replace with synthetic data (e.g., "John Doe", fake SSNs, FHIR test datasets). Implement log-scrubbing middleware to strip potential PHI from all log outputs before they reach monitoring tools.
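Log-scrubbing middleware and the fixture audit in this step are the same pattern-matching problem, so here is one added example covering both (and the "implement log sanitization middleware" note in the Datadog / LogRocket / Sentry row above). It is illustrative code written for this page, not TheraSignal's own code; the log line, the JSON fixture, the logger name "therasignal" and the placeholder format "[REDACTED-…]" are all constructed. It only catches identifiers that have a recognizable shape (SSN, MRN, email, date, phone); names and diagnoses have no shape, so the filter is a backstop behind the real control of logging opaque record IDs rather than clinical text.

```python
import logging
import re

# Patterns for HIPAA identifiers that have a recognizable shape. Order matters:
# SSN and MRN run before PHONE so overlapping digit runs get the right label.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Keeps the "MRN: " label and redacts only the number (fixed-width lookbehind).
    "MRN": re.compile(r"(?<=\bMRN[:#] )\d{6,}\b", re.IGNORECASE),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DATE": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}(?!\d)"),
}


def scrub(text: str) -> str:
    """Replace every PHI-shaped token with a labelled placeholder."""
    for label, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{label}]", text)
    return text


def find_phi_candidates(text: str):
    """Audit helper for test fixtures and mocks: returns (label, value) hits so
    realistic data can be replaced with synthetic data before it is committed."""
    hits = []
    for label, pattern in PHI_PATTERNS.items():
        hits.extend((label, m.group(0)) for m in pattern.finditer(text))
    return hits


class PHIScrubFilter(logging.Filter):
    """Formats the record early and scrubs the result, so neither the template
    nor the arguments reach a handler (file, Sentry, Datadog) unredacted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # already interpolated into msg above
        return True


def install_scrubber(logger=None) -> logging.Logger:
    """Attach the filter to every handler rather than the logger itself:
    logger-level filters are skipped for records propagated from child loggers."""
    logger = logger or logging.getLogger()
    if not logger.handlers:
        logger.addHandler(logging.StreamHandler())
    for handler in logger.handlers:
        handler.addFilter(PHIScrubFilter())
    return logger


def scrubbed_message(msg: str, *args) -> str:
    """Run one message through the filter without a handler (used for checks)."""
    record = logging.LogRecord("therasignal", logging.INFO, "app.py", 0, msg, args, None)
    PHIScrubFilter().filter(record)
    return record.getMessage()


# Constructed sample inputs (not real data).
SAMPLE_LOG_LINE = ("Patient Jane Doe, SSN 123-45-6789, DOB 03/14/1987, "
                   "phone (555) 123-4567, email jane.doe@example.com, MRN: 0042917")
FIXTURE = '{"name": "John Smith", "ssn": "987-65-4320", "dob": "12/01/1990"}'

if __name__ == "__main__":
    log = install_scrubber(logging.getLogger("therasignal"))
    log.setLevel(logging.INFO)
    log.info(SAMPLE_LOG_LINE)  # handler prints the redacted form
    for hit in find_phi_candidates(FIXTURE):
        print("fixture contains a PHI-shaped value:", hit)
```

Install the filter once at process start, on every handler that forwards to a monitoring vendor, and run find_phi_candidates over fixtures and mocks in CI so realistic-looking data fails the build before it reaches the repository.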

Step 4. Complete Security Risk Assessment (Required by HIPAA)

45 C.F.R. §164.308(a)(1)(ii)(A) requires a documented Security Risk Assessment before handling PHI. Use the HHS SRA Tool (free at healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool) or hire a consultant. Document: PHI flows, threats, vulnerabilities, and mitigation controls. This is required, not optional.

Step 5. Draft Internal HIPAA Policies

At minimum: (1) Privacy Policy for workforce, (2) Security Policy, (3) Breach Response Plan, (4) Employee sanctions policy, (5) Workforce training acknowledgment. HIPAA requires documented policies (45 C.F.R. §164.316). Minimum viable set can be drafted in 1–2 weeks using templates from AHIMA or HHS guidance.

Step 6. Execute BAAs with All PHI-Handling Vendors

Once attorney-reviewed templates are ready and vendor BAAs received, execute all agreements. Store signed copies in a secure, version-controlled document repository. Maintain a vendor BAA register with: vendor, date signed, PHI scope, expiration/renewal date.

Step 7. Execute BAAs with First Beta Practices

When onboarding therapist practices for beta, collect the Incoming BAA (Template 2) before sharing any access credentials or allowing PHI upload. Use a document management workflow: e-signature via DocuSign or HelloSign, store countersigned copy securely, add to BAA register. Gate system access on BAA execution — technical enforcement preferred.
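The BAA register from the checklist and Step 6, the "Render + Neon + Anthropic are blockers" check, and the technical gate on BAA execution in this step all fall out of one small data structure. The following is an added example written for this page, not TheraSignal's code: the register entries, the execution and renewal dates, the reference date of April 2, 2026 (taken from the page's "current as of" date) and the practice names are constructed placeholders, and the PHI scopes are paraphrased from the vendor matrix above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BAARecord:
    party: str                   # vendor or practice legal name
    role: str                    # "vendor" (outgoing BAA) or "practice" (incoming BAA)
    phi_scope: Tuple[str, ...]   # PHI data types the BAA covers
    executed_on: Optional[date]  # None until countersigned by both parties
    renewal_on: Optional[date]   # annual review / renewal date
    contact: str


# Constructed register for illustration; every date and practice name is made up.
TODAY = date(2026, 4, 2)
REGISTER: Dict[str, BAARecord] = {r.party: r for r in [
    BAARecord("Render", "vendor", ("app data", "encrypted PHI at rest"),
              date(2026, 3, 10), date(2027, 3, 10), "support@render.com"),
    BAARecord("Neon", "vendor", ("patient records", "session data"),
              None, None, "sales@neon.tech"),          # requested, not yet executed
    BAARecord("Anthropic", "vendor", ("session notes", "clinical signals"),
              date(2026, 3, 28), date(2027, 3, 28), "privacy@anthropic.com"),
    BAARecord("Cloudflare", "vendor", ("patient file uploads",),
              date(2025, 4, 15), date(2026, 4, 15), "enterprise@cloudflare.com"),
    BAARecord("Example Therapy Group", "practice", ("patient records", "session notes"),
              date(2026, 3, 30), date(2027, 3, 30), "[PRACTICE CONTACT]"),
    BAARecord("Pending Practice", "practice", ("patient records",),
              None, None, "[PRACTICE CONTACT]"),       # onboarding, BAA unsigned
]}


def baa_in_force(rec: BAARecord, today: date) -> bool:
    """A BAA covers PHI only from execution until its renewal date passes."""
    if rec.executed_on is None or rec.executed_on > today:
        return False
    if rec.renewal_on is not None and today > rec.renewal_on:
        return False
    return True


def authorize_phi_access(register: Dict[str, BAARecord], party: str,
                         today: date) -> Tuple[bool, str]:
    """Technical gate: call before issuing credentials or accepting a PHI upload.
    Returns (allowed, reason); a party missing from the register is denied."""
    rec = register.get(party)
    if rec is None:
        return False, f"{party}: not in BAA register; deny PHI access"
    if not baa_in_force(rec, today):
        return False, f"{party}: BAA not executed or past renewal; deny PHI access"
    return True, (f"{party}: BAA executed {rec.executed_on.isoformat()}, "
                  f"scope: {', '.join(rec.phi_scope)}")


def launch_blockers(register: Dict[str, BAARecord], today: date) -> List[str]:
    """PHI-handling vendors without a BAA in force; beta cannot launch while non-empty."""
    return sorted(r.party for r in register.values()
                  if r.role == "vendor" and not baa_in_force(r, today))


def renewals_due(register: Dict[str, BAARecord], today: date,
                 within_days: int = 30) -> List[str]:
    """Parties whose renewal date is overdue or falls inside the window (annual review)."""
    cutoff = today + timedelta(days=within_days)
    return sorted(r.party for r in register.values()
                  if r.renewal_on is not None and r.renewal_on <= cutoff)


if __name__ == "__main__":
    print("launch blockers:", launch_blockers(REGISTER, TODAY))
    print("renewals due within 30 days:", renewals_due(REGISTER, TODAY))
    for party in ("Example Therapy Group", "Pending Practice", "Unknown Clinic"):
        allowed, reason = authorize_phi_access(REGISTER, party, TODAY)
        print("ALLOW" if allowed else "DENY ", reason)
```

Wire authorize_phi_access into the onboarding flow (credential issuance, upload endpoint) so an unsigned or expired BAA fails closed, and run launch_blockers and renewals_due from the same register on a schedule so the checklist's "document BAA execution" and "annual review" items are enforced by data rather than memory.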

Beta Launch — HIPAA-Ready

With BAAs executed, the Security Risk Assessment complete, internal policies documented, and code audited for PHI leakage, TheraSignal is in a defensible HIPAA compliance posture for beta. Not perfect, since HIPAA compliance is ongoing, but sufficient for initial covered entity customers.

Questions? Reach the Compliance Team

Email therasignal@polsia.app for questions about BAA execution, vendor compliance, or HIPAA obligations. For urgent compliance questions, reference your attorney first — this page provides operational guidance, not legal advice.

Legal Disclaimer: The BAA templates and compliance guidance on this page are provided for informational and operational purposes only. They are professionally informed starting points designed to facilitate attorney review — they are not final legal documents and do not constitute legal advice. HIPAA requirements are complex and jurisdiction-specific. TheraSignal requires that all Business Associate Agreements be reviewed and executed under the supervision of a licensed healthcare attorney before use. By using these templates, you acknowledge that TheraSignal is not your attorney and no attorney-client relationship is created. Current as of April 2, 2026. HIPAA regulations are subject to HHS rulemaking; verify current requirements with counsel.