Business Associate Agreement
HIPAA Compliance for Healthcare Organizations
Overview
Certivo offers a Business Associate Agreement (BAA) to customers who handle Protected Health Information (PHI) as part of their electronic signature workflows. Our BAA establishes the obligations of both parties under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act.
The BAA is available to all customers on paid plans and can be executed directly through Certivo using our own compliant e-signature process.
What Is a BAA?
A Business Associate Agreement is a legally binding contract required by HIPAA between a Covered Entity (such as a healthcare provider, health plan, or healthcare clearinghouse) and a Business Associate (a vendor or service provider that handles PHI on their behalf).
The BAA defines the permitted uses and disclosures of PHI, establishes safeguards that must be in place, and outlines each party's responsibilities for breach notification and compliance.
- Required under HIPAA Privacy Rule (45 CFR 164.502(e)) and Security Rule (45 CFR 164.308(b))
- Must be in place before any PHI is shared with the Business Associate
- Covers both electronic PHI (ePHI) and physical PHI
- Mandates breach notification within 30 days of discovery
How to Execute a BAA with Certivo
Certivo dogfoods its own e-signature platform for BAA execution, ensuring the signing process itself meets our compliance standards:
- Navigate to Settings → Compliance in your Certivo dashboard
- Click “Request BAA” to generate a personalized agreement
- You will be redirected to sign the BAA using Certivo's standard signing flow
- Complete signing with Password + TOTP two-factor authentication
- Your signed BAA is stored securely and available for download at any time
Only organization owners and admins can request and sign a BAA. The signed agreement applies to the entire organization.
What the BAA Covers
Our BAA addresses the following key areas as required by HIPAA:
- Permitted Uses and Disclosures — PHI is used only to provide the electronic signature services described in the Service Agreement
- Safeguards — Administrative, physical, and technical safeguards to protect ePHI, including encryption, access controls, and audit logging
- Breach Notification — Certivo will notify the Covered Entity of any breach of unsecured PHI within 30 calendar days of discovery
- Subcontractor Obligations — Any subcontractors handling PHI are bound by equivalent protections. Certivo maintains a HIPAA Business Associate Agreement with Amazon Web Services (AWS), our primary infrastructure provider.
- Individual Rights — Support for access, amendment, and accounting of disclosures as required by the Privacy Rule
- Termination — Return or destruction of PHI upon termination, with protections extending to any retained data
Security Measures
Certivo implements comprehensive security measures to protect PHI processed through our platform:
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for all data in transit
- Two-factor authentication (Password + TOTP) for all signature events
- Role-based access controls following the principle of least privilege
- SHA-256 hash-chain audit trails for document integrity
- 21 CFR Part 11-compliant electronic signatures
- Comprehensive incident response and breach notification procedures
- Regular security assessments and penetration testing
For more details on our security practices, please review our Data Processing Agreement and Privacy Policy.
Contact
For questions about our BAA or HIPAA compliance, please contact us at:
Email: compliance@certivo.io
Mailing Address:
Certivo, Inc.
1519 E Chapman Ave. #278
Fullerton, CA 92831
This page was last updated on February 12, 2026.