HIPAA Compliance

Business Associate Agreement

We sign a BAA with every covered entity customer. It is not an optional add-on or a paid extra. It is a foundational part of every professional subscription because safeguarding protected health information is our obligation under federal law.

What Is a Business Associate Agreement

A Business Associate Agreement, or BAA, is a contract required under the Health Insurance Portability and Accountability Act (HIPAA). It must be executed between a covered entity and any business associate that creates, receives, maintains, or transmits protected health information on behalf of that covered entity.

HaloPT operates as a business associate under HIPAA. When a covered entity such as a physical therapy clinic, hospital system, or health plan uses our platform to manage patient data, we process protected health information on their behalf. The BAA establishes the legal framework that governs how we handle that data.

Why a BAA Matters

Without a valid BAA, a covered entity cannot lawfully share protected health information with a vendor. Signing a BAA means both parties acknowledge their respective responsibilities under HIPAA. It defines permitted uses of PHI, requires appropriate safeguards, establishes breach notification procedures, and ensures that patient privacy protections extend throughout the entire data lifecycle.

The BAA is required by the HIPAA Privacy Rule at 45 CFR Section 164.502(e). Failure to execute a BAA before exchanging PHI can result in significant civil monetary penalties for both the covered entity and the business associate.

What Our BAA Covers

The HaloPT Business Associate Agreement addresses each of the requirements set forth in the HIPAA Privacy Rule and Security Rule. Below is a summary of the key provisions included in every BAA we execute.

Permitted Uses and Disclosures of PHI

Our BAA clearly defines the specific purposes for which HaloPT may use or disclose protected health information. We only process PHI as necessary to perform the services described in our subscription agreement or as required by law. Any use of PHI outside the scope of the agreement is prohibited.

Safeguards for Protected Health Information

We commit to implementing appropriate administrative, physical, and technical safeguards to protect PHI in accordance with the HIPAA Security Rule. This includes encryption in transit and at rest, access controls, audit logging, and workforce security training. Our full security posture is documented on our HIPAA compliance page.

Breach Notification

If HaloPT discovers a breach of unsecured PHI, we will notify the affected covered entity without unreasonable delay and in no case later than 60 days after discovery. The notification will include the nature and extent of the breach, types of information involved, and steps the covered entity should take to mitigate potential harm.

Subcontractor Requirements

Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of HaloPT is bound by a written Business Associate Agreement that imposes the same restrictions, conditions, and requirements that apply to HaloPT under this BAA. We flow down all HIPAA obligations to downstream vendors who handle PHI.

Audit Rights

The Secretary of the Department of Health and Human Services has the right to audit HaloPT to determine compliance with the BAA and applicable HIPAA regulations. Covered entity customers also have the right to request information about our compliance practices and may request a copy of our most recent security audit summary.

Data Return and Destruction on Termination

Upon termination of the BAA, HaloPT will, if feasible, return or destroy all PHI received from or created on behalf of the covered entity. If return or destruction is not feasible, we will extend the protections of the BAA to the remaining PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.

How to Get a BAA

Getting a BAA with HaloPT is straightforward. There is no separate application process and no additional cost.

1. Automatic with Every Paid Subscription

When you subscribe to any HaloPT paid plan, a Business Associate Agreement is included automatically. You do not need to request it separately. The BAA terms are incorporated into your subscription agreement at the time of signup.

2. No Additional Cost

There is no separate fee for a BAA. HIPAA compliance and the associated BAA are part of our standard offering for all covered entity customers. We do not charge extra for compliance because we believe it is a baseline requirement, not a premium feature.

3. Signed at Onboarding

The BAA is presented and executed during the onboarding process for every new covered entity customer. An authorized representative of the covered entity and an authorized representative of HaloPT both sign the agreement before any protected health information is processed on the platform.

Request a BAA

If you are evaluating HaloPT and would like a copy of our BAA before subscribing, or if you need a BAA for an existing account, fill out the form below and our team will follow up within one business day.

Contact

For questions about this Business Associate Agreement, our HIPAA compliance practices, or to request a copy of the full BAA document, contact our legal team.

For security-related inquiries, including suspected vulnerabilities or incidents, please contact security@halopt.com.