Business Associate Agreement

Effective date: July 9, 2026

This Business Associate Agreement ("BAA") is between OmgSamesies LLC ("Practisaurus," "we," "us") and the practice that holds a Practisaurus account ("you," the "practice"). Practices use Practisaurus to maintain records about their clients that can include protected health information (PHI). Under HIPAA, the practice is the covered entity and we are its business associate, and the law requires a written agreement between us before we handle PHI on the practice's behalf. This is that agreement.

How this agreement is entered

This BAA is part of our Terms of Service. It is entered into, and takes effect, when a practice creates a Practisaurus account or first uses the service to maintain PHI, whichever comes first. No signature or separate paperwork is needed; accepting the terms executes this agreement for both of us. If your practice requires a countersigned copy, contact us at help@practisaurus.app.

If anything in the Terms of Service conflicts with this BAA where PHI is concerned, this BAA controls.

Definitions

Capitalized and technical terms used here โ€” such as "protected health information," "breach," "security incident," "designated record set," and "subcontractor" โ€” have the meanings given in HIPAA and its regulations at 45 CFR Parts 160 and 164 (the Privacy, Security, Breach Notification, and Enforcement Rules), as amended, including by the HITECH Act. "PHI" means protected health information we create, receive, maintain, or transmit on your behalf.

What we may do with PHI

We use and disclose PHI only:

  • to provide the service โ€” hosting, processing, transmitting, and displaying your practice's records so that you and the people you authorize can use Practisaurus, and maintaining, supporting, and securing the platform;
  • as required by law; and
  • for our own proper management and administration and to carry out our legal responsibilities. If that ever requires disclosing PHI, we will disclose it only where required by law, or with written assurances that it will be held confidentially, used only as required by law or for the purpose it was disclosed for, and that we will be told of any breach of its confidentiality.

We follow the minimum-necessary standard: we use, disclose, and request only the PHI needed for the purpose at hand. We will not use or disclose PHI in any way that would violate the HIPAA Privacy Rule if you did it yourself (other than the management-and-administration uses above), and โ€” as our Privacy Policy also promises โ€” we never sell PHI and never use it for advertising or marketing.

Our obligations

  • Safeguards. We maintain administrative, physical, and technical safeguards that reasonably and appropriately protect PHI, and we comply with the HIPAA Security Rule with respect to electronic PHI.
  • Reporting. We will report to you any use or disclosure of PHI not permitted by this BAA, and any breach of unsecured PHI, without unreasonable delay and in no case later than ten days after we discover it. Our report will include what we know that you need for your own notification obligations: what happened, whose information was involved, and what we are doing about it. We will likewise report security incidents; for unsuccessful attempts that are routine on any internet-facing service (pings, port scans, blocked login attempts), this paragraph serves as ongoing notice, with no further report unless one succeeds.
  • Mitigation. We will mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI in violation of this BAA.

Subcontractors

If a subcontractor creates, receives, maintains, or transmits PHI on our behalf, we first bind it in writing to restrictions and conditions at least as protective as those that apply to us under this BAA. Our Privacy Policy lists the service providers we use: Amazon Web Services handles hosting and message delivery under a business associate agreement with us, and Stripe processes payments without ever receiving PHI.

Client rights

Your clients' HIPAA rights run through you โ€” the practice controls its records, and we act on your instructions.

  • Access. Your records are available to you in Practisaurus at all times, in a designated record set, so you can meet your obligations to give clients access to their PHI. If you need our help producing records โ€” including an electronic copy โ€” we will provide it promptly, and in any case within fifteen days of your request.
  • Amendment. We will make PHI available for amendment and incorporate any amendment you direct, as the Privacy Rule requires.
  • Accounting. We will document the disclosures of PHI that an accounting must cover and give you the information you need to provide a client an accounting of disclosures.
  • Requests made to us. If a client contacts us directly about their records, we will forward the request to you rather than act on it ourselves.

If we ever carry out one of your obligations under the Privacy Rule on your behalf, we will comply with the requirements that would apply to you in carrying it out.

Government oversight

We will make our internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for the purpose of determining compliance with HIPAA.

Your obligations

  • Tell us about any limitation in your notice of privacy practices, any change to or revocation of a client's permission, and any restriction on the use or disclosure of PHI you have agreed to, to the extent it affects how we may handle PHI.
  • Do not ask us to use or disclose PHI in a way that would be impermissible under the Privacy Rule if you did it yourself.

Term and termination

This BAA lasts as long as we hold PHI on your behalf. If we materially breach it and do not cure the breach within thirty days of your written notice, you may terminate this BAA and your practice's use of the service.

When your account closes, we make your records available for export for a reasonable period, as described in our Terms of Service. After that, we will return or destroy the PHI we hold on your behalf. If return or destruction is not feasible โ€” for example, because of backup retention or legal requirements โ€” the protections of this BAA extend to that PHI for as long as we keep it, and we will use or disclose it only for the purposes that make its return or destruction infeasible. Healthcare records carry their own legal retention requirements, which remain your responsibility as the covered entity.

Interpretation and changes

Any ambiguity in this BAA is resolved in favor of a meaning that lets both of us comply with HIPAA. References to laws and regulations mean those laws and regulations as amended. We may amend this BAA as needed to keep it compliant with the law: we will post changes here and update the effective date, and material changes will be communicated to practices directly. This BAA creates no rights in anyone other than you and us.

Contact

Questions about this agreement:

OmgSamesies LLC ยท help@practisaurus.app