01 · Business Associate Agreement

We sign your BAA same day.

No week-long contract loop. No legal back-and-forth. Request it, sign it, return it — and we're live that afternoon.

Request our BAA: baa@perpetuahealth.com

02 · The Basics

What's a Business Associate Agreement?

03 · Why It Matters

Three reasons every practice needs BAAs on file.

01

It's a federal requirement

HIPAA requires a BAA with any vendor that handles PHI on your behalf. Without one, you're out of compliance the moment PHI changes hands.

02

It shifts risk appropriately

A BAA makes the vendor directly liable to HHS for breaches of PHI they handle. Without one, you're holding all of it.

03

Your cyber insurance will ask

Most cyber and medical-liability carriers require BAAs with every vendor touching PHI.

04 · What's In It

What our BAA covers.

Standard HIPAA language, no surprises, no traps. Our counsel is happy to walk you through anything.

01

Permitted Uses & Disclosures

Defines exactly what Perpetua can do with PHI — only what's needed to provide the Service, and only as you direct.

02

Safeguards

Commits us to administrative, physical, and technical safeguards: encryption, access control, audit logging, employee training.

03

Breach Notification

We notify you within 24 hours of discovering a breach — faster than HIPAA's 60-day statutory deadline.

04

Subcontractor Flow-Down

Every subprocessor (Supabase, Twilio, Clerk, etc.) is under a BAA or equivalent. Those obligations flow down.

05

PHI Return & Destruction

On termination, PHI is returned or destroyed per your instruction. Backups are purged on the standard schedule.

06

Audit Rights

You can audit our compliance posture on reasonable notice. Security policies and incident-response docs available under NDA.

05 · Same-Day Timeline

From request to signed in hours, not weeks.

01

You request the BAA

Email baa@perpetuahealth.com or click the button below. Include your practice's legal name and signer info.

1 minute

02

We send via DocuSign

Pre-filled with your entity details. Our side is already signed — you review and countersign.

within 1 hour

03

You countersign

Executed copies go to both parties' records. A clean audit-ready PDF lives in your dashboard.

5 minutes

04

We go live

The moment the BAA is executed, your account is cleared to process PHI.

immediately

Typical total time · under 3 hours

06 · FAQ

Quick answers.

Is there a fee for the BAA?

No. BAAs are standard for every paying customer and included on every plan — Essential, Professional, and Enterprise.

Can we redline your BAA?

Our standard BAA tracks HIPAA cleanly and we don't negotiate it as a rule — but Enterprise customers can work with our counsel on material concerns. Most practices sign as-is.

Can we use our own BAA template?

For Enterprise accounts we review yours. For Essential and Professional we sign ours as-is — it keeps onboarding fast and obligations consistent.

Where can I see proof you're actually compliant?

Ask for our security package. Under NDA we share security policies, subprocessor list, incident-response runbook, and network architecture. Most practices get it back within one business day.

07 · Get Your BAA

Ready to get your BAA?

We'll have it in your inbox within the hour. Executed before your next patient checks in.

Request BAA · See HIPAA details