
BAA (Business Associate Agreement)

Definition

A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA between a covered entity (such as a healthcare provider, health plan, or healthcare clearinghouse) and a business associate (any organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of the covered entity). The BAA establishes the permitted and required uses of PHI by the business associate.

The BAA must specify the allowed uses of PHI, require the business associate to implement appropriate safeguards, mandate breach notification procedures, and outline the terms for returning or destroying PHI upon contract termination. Without a BAA in place, sharing PHI with a third-party technology vendor is a HIPAA violation regardless of the security measures in place.

Healthcare organizations deploying contactless vitals technology must ensure a BAA is executed with the technology provider before any patient data is collected or processed. Circadify provides a BAA to all healthcare customers, ensuring that vital signs data captured through rPPG technology is handled in full compliance with HIPAA requirements throughout the entire data workflow.
