Skip to main content

Universal Services Agreement · v2.0.0

HIPAA Business Associate Agreement

This is Section 3 of Psy180's Universal Services Agreement — the operative BAA between Psy180 (Business Associate) and your clinic (Covered Entity). Click-wrap signed during signup, captured as an immutable PHI-S3 snapshot. Read the full agreement.

3. HIPAA Business Associate Agreement

Psy180's BAA with covered entities — 45 CFR §§164.308(b), 164.502(e), 164.504(e).

This Section binds (i) clinics ("Covered Entities"), (ii) therapists in their capacity as workforce members of a covered entity or as solo-practitioner covered entities, and (iii) Psy180, Inc. ("Business Associate"). This Section does not bind clients (whose obligations are covered by Section 4 — Notice of Privacy Practices Acknowledgment).

(a) Permitted Uses and Disclosures by Business Associate. Psy180 may use and disclose PHI only as necessary to (i) provide platform services to the Covered Entity (clinical documentation, telehealth session management, consent management, scheduling); (ii) host PHI on HIPAA-compliant infrastructure that meets all AWS BAA standards; (iii) generate aggregate de-identified analytics consistent with 45 CFR §164.514; (iv) carry out its legal obligations, including disclosures to the Secretary of HHS under 45 CFR §164.502(j)(2); (v) carry out the data-aggregation services described in 45 CFR §164.504(e)(2)(i)(B) on behalf of the Covered Entity. Psy180 will not sell PHI or use PHI for marketing without separate written authorisation under 45 CFR §164.508.

(b) Safeguards. Psy180 will implement and maintain administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C), NIST SP 800-53 / SP 800-66, and Massachusetts 201 CMR 17.00 (Written Information Security Program — incorporated regardless of client residence as the floor security standard). Psy180 operates on HIPAA-compliant infrastructure that meets all AWS BAA standards, including: AES-256 encryption at rest with customer-managed keys, TLS 1.2+ in transit, private network isolation, least-privilege access controls, multi-factor authentication for administrative access, and immutable seven-year audit logging.

(c) Subcontractors. Psy180 will ensure that each subcontractor that creates, receives, maintains, or transmits PHI on behalf of Psy180 agrees in writing to restrictions and conditions at least as stringent as those in this Section (45 CFR §164.504(e)(2)(ii)(D)).

(d) Breach Notification — 30-Day Floor. Psy180 will notify the Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than thirty (30) calendar days after discovery. This 30-day floor is stricter than HIPAA's 60-day default and aligns with the strictest applicable state regimes (Florida FIPA §501.171; Colorado §6-1-716; Washington RCW 19.255.010 as amended 2023; Massachusetts Chapter 93H §3). Notification will include the description, date of breach and discovery, types of PHI involved, mitigation steps, and recommended individual protective steps to the extent then known. The Covered Entity remains responsible for individual notifications under 45 CFR §164.404 and HHS Secretary notifications under 45 CFR §164.408.

(e) Access, Amendment, Accounting. Psy180 will make PHI available to the Covered Entity to satisfy individual requests under 45 CFR §§164.524 (access), 164.526 (amendment), and 164.528 (accounting of disclosures). Psy180 will make its internal practices, books, and records relating to PHI handling available to the Secretary of HHS for compliance audits under 45 CFR §164.504(e)(2)(ii)(H).

(f) Minimum Necessary. Psy180 will request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose (45 CFR §164.502(b)).

(g) Termination and Return of PHI. Upon termination of the Covered Entity's platform subscription, Psy180 will, at the Covered Entity's direction, return or securely destroy all PHI in its possession that is feasible to return or destroy. PHI that is not feasible to return or destroy (e.g. as part of immutable audit logs required for HIPAA compliance) will continue to be protected under this Section for as long as Psy180 retains it.

(h) Provider HIPAA Acknowledgment (Workforce-Member Obligations). [Binds therapists.] If you are a therapist signing as a workforce member of a covered entity (or as a solo-practitioner covered entity), you acknowledge: (i) your independent obligations under the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule; (ii) the minimum-necessary standard; (iii) your duty to maintain the confidentiality of your platform credentials and to enable multi-factor authentication; (iv) your duty to report any actual or suspected Breach of PHI to Psy180 and your clinic's Privacy Officer immediately upon discovery; (v) your obligation to complete HIPAA Privacy and Security training appropriate to your role within thirty (30) days and annually thereafter; (vi) the federal civil penalties (45 CFR §160.404 — up to USD 1.9 M per violation category per year) and criminal penalties (42 U.S.C. §1320d-6 — up to USD 250,000 and 10 years imprisonment for wilful misuse) for HIPAA violations; (vii) the additional obligations imposed by the state(s) in which you hold an active licence.