Business Associate Agreement (BAA)

Last Updated: August 2, 2025

This Business Associate Agreement (“Agreement”) is entered into by and between you, the Covered Entity, and SOAPsync, Inc. (“Business Associate”, “SOAPsync”, “we”, “us”, or “our”), and governs the permitted use and limited handling of Protected Health Information (“PHI”) in connection with your use of the SOAPsync platform (“Service”).

By accessing or using the Service, you confirm your authority to enter into this Agreement on behalf of a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and agree to the terms set forth herein.


1. Definitions

  • Business Associate: SOAPsync, Inc., solely to the extent it incidentally or transiently encounters PHI while providing browser-based documentation support tools.
  • Covered Entity: A licensed healthcare provider, practice, or organization subject to HIPAA.
  • PHI: Protected Health Information, as defined in 45 CFR §160.103.
  • HIPAA Rules: The Privacy, Security, Breach Notification, and Enforcement Rules set forth in 45 CFR Parts 160 and 164.

2. Description of Service

SOAPsync is a browser-based, AI-powered clinical documentation tool designed for use by mental health professionals. Features may include:

  • Drafting assistance for clinical notes (e.g., SOAP, DAP);
  • Editable and customizable form templates;
  • Export of locally created documentation.

SOAPsync does not provide clinical advice, diagnosis, or treatment. All use of the Service is strictly for clinical documentation support.


3. Scope of PHI Handling & Data Architecture

SOAPsync’s architecture is built on a “no-retention-by-default” model:

  • No PHI is stored, transmitted, or processed on SOAPsync servers.
  • All content is processed locally in the user’s browser and is lost unless manually exported or saved by the user.
  • SOAPsync has no access to clinical records or content unless granted incidentally during authorized support sessions (e.g., via screen share or limited support request).

4. User & Covered Entity Responsibilities

As the Covered Entity, you agree to:

  • Ensure that all PHI entered into the platform is managed only with valid patient authorization or consent;
  • Treat SOAPsync solely as a documentation assistant and not as a diagnostic tool, copy-and-paste decision maker, or treatment directive source;
  • Maintain secure backup copies of all PHI generated through the Service, recognizing that data not immediately exported may be lost;
  • Not require SOAPsync to store, manage, or archive PHI in any persistent way.

5. SOAPsync’s Responsibilities as Business Associate

If and only to the extent that SOAPsync qualifies as a Business Associate under HIPAA, SOAPsync agrees to:

  1. Use or disclose PHI solely as required by law or as explicitly permitted by this Agreement;
  2. Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure;
  3. Report to the Covered Entity any known Security Incident or Breach involving PHI without unreasonable delay;
  4. Ensure that any subcontractors with incidental access to PHI are contractually bound to comply with equivalent HIPAA safeguards;
  5. Provide access to or destroy PHI (if any) upon request, subject to feasibility, recognizing that PHI is not stored on our systems;
  6. Limit any incidental exposure to PHI to the minimum necessary and only during explicitly authorized support interactions.

6. De-Identified Data

SOAPsync may collect and use fully de-identified system usage data (not PHI) for internal purposes such as:

  • Platform performance optimization;
  • Statistical analysis;
  • Service development.

All de-identification shall conform to the safe harbor standards under 45 CFR §164.514.


7. Disclaimers & Clinical Oversight

  • The platform is designed to support—not replace—the clinical judgment of qualified professionals.
  • All AI-generated content must be independently reviewed and verified by a licensed clinician.
  • Users remain solely responsible for patient care decisions.
  • No content is retained unless manually saved or exported. Users are solely responsible for data preservation.

8. Term and Termination

This Agreement shall remain in effect for as long as the Covered Entity uses SOAPsync.

  • Either party may terminate this Agreement with written notice upon a material breach not cured within thirty (30) days.
  • Upon termination, SOAPsync will return or destroy any PHI in its possession, if any exists and if feasible, recognizing that no data is normally retained.

9. No PHI Retention

SOAPsync is intentionally designed to avoid the storage or retention of PHI.

  • All user-generated content is processed in-browser;
  • No documentation, PHI, or clinical notes are saved to SOAPsync servers;
  • Users must manually export or save records—unsaved data may be lost permanently.

SOAPsync assumes no responsibility for data loss due to unsaved content.


10. Limitations of Liability

SOAPsync’s obligations and liabilities under this Agreement are expressly subject to the Limitation of Liability terms provided in the Terms of Use, which are hereby incorporated by reference.


11. Governing Law

This Agreement shall be governed by the laws of the State of Maryland, without regard to its conflict of law provisions.


12. Acceptance & Authority

By clicking “I Agree & Continue,” you affirm that:

  • You are authorized to act on behalf of a HIPAA-Covered Entity;
  • You understand the structure and limitations of SOAPsync’s role and data architecture;
  • You accept the terms of this Business Associate Agreement in full.

13. Contact Information

SOAPsync Privacy Officer
📧 Email: privacy@soapsync.com
🌐 Website: https://soapsync.com

