Business Associate Agreement (BAA)

When your practice is a HIPAA covered entity (or another business associate acting on behalf of a covered entity), PsycSuit acts as your business associate for PHI processed in the service. The BAA supplements your Terms of Service.

• Process PHI only to provide the subscribed service and as required by law.
• Not use or disclose PHI for marketing unrelated to your instructions.
• Use subprocessors under written agreements with comparable safeguards (see Trust center).

We implement administrative, physical, and technical safeguards appropriate to the service, including access controls, encryption in transit, audit logging, and staff training. Details are on the Trust & security page.

We will notify you without unreasonable delay after discovering a breach of unsecured PHI in our systems, and provide information reasonably required for your notification obligations, consistent with HIPAA and the HITECH Act.

We will make PHI available for access, amendment, and accounting of disclosures as directed by you and required by the BAA, using product tools or support processes where applicable.

Upon termination, we will return or destroy PHI where feasible, except where retention is required by law or permitted by your export and backup settings.

• Provide minimum necessary PHI to the service.
• Maintain policies, workforce training, and patient notices.
• Ensure BAAs with other vendors that handle PHI.
• Report suspected misuse or security incidents promptly.

Complete practice registration. After approval and account setup, PsycSuit provides the countersigned BAA for your records. Contact us if you need a copy resent.

Privacy and compliance inquiries:

EU/UK practices: see the Data Processing Agreement.