HIPAA BAA

Business Associate Agreement

Last updated: February 1, 2026

Team plan subscribers can accept this BAA from their Account Settings page, where you can also download a pre-filled PDF copy.

Business Plan Only: This BAA applies exclusively to Team plan subscribers. Users on the free Starter plan are not covered by this agreement. If you require HIPAA compliance, you must upgrade to the Team plan.

Purpose

This Business Associate Agreement ("BAA") is entered into between the entity subscribing to the PrivaiShield Team plan ("Covered Entity") and Appvergence LLC ("Business Associate") to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations (collectively, the "HIPAA Rules").

This BAA supplements the Terms of Service and governs the handling of Protected Health Information ("PHI") in connection with the Service.

Definitions

Protected Health Information (PHI): Individually identifiable health information as defined in 45 CFR 160.103, transmitted or maintained in any form or medium.

Electronic PHI (ePHI): PHI that is transmitted or maintained in electronic media.

De-Identified Data: Data that has been de-identified in accordance with 45 CFR 164.514(b), such that it no longer constitutes PHI.

All capitalized terms not defined herein shall have the meanings assigned to them under the HIPAA Rules.

Obligations of Business Associate

  • Not use or disclose PHI other than as permitted or required by this BAA or as required by law.
  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.
  • Report to Covered Entity any use or disclosure of PHI not provided for in this BAA, including any Security Incident or Breach of Unsecured PHI.
  • Ensure that any agents or subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions.
  • Make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations under HIPAA.
  • Make Business Associate's practices, books, and records available to the Secretary of HHS for compliance determination.

Permitted Uses & Disclosures

Business Associate may use or disclose PHI solely to perform functions, activities, or services for or on behalf of Covered Entity as specified in the Terms of Service, provided that such use or disclosure would not violate the HIPAA Rules.

Business Associate may de-identify PHI in accordance with 45 CFR 164.514(b). De-identified data is no longer PHI and is not subject to the restrictions of this BAA.

Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided disclosures for such purposes are required by law or Business Associate obtains reasonable assurances from the recipient.

Technical Architecture (Privacy-First)

How PrivaiShield Protects PHI: PrivaiShield uses a multi-layered approach to detect and redact PHI before it reaches AI providers. These measures are designed to significantly reduce PHI exposure:

  • The first layer of detection runs in the user's browser, identifying and redacting PHI before data leaves the device.
  • For enhanced detection (such as names and context-dependent information), text may be processed through PrivaiShield's servers. This processing is transient — content is not permanently stored or logged for detection purposes.
  • Detected PHI is replaced with tokens (e.g., a name becomes "[PERSON_1]"). The mapping between tokens and originals is stored only in the user's browser.
  • AI providers receive text after our redaction process, which is designed to significantly reduce PHI exposure. However, no automated detection system is perfect, and some PHI may not be caught in all contexts.
  • Users may choose between local-only (browser) or encrypted server storage for chat history. Local storage (default) keeps all data on the user's device. Server storage encrypts data at rest using AES-256-GCM with AWS KMS customer-managed keys.
  • If server-side chat storage is enabled, chat messages and session metadata are stored encrypted. Users may delete server-stored data at any time by switching to local storage or deleting individual sessions.
  • When the AI response is returned, the original information is restored in the user's browser.

Important Limitation: PrivaiShield's automated detection is designed to reduce PHI exposure, not to guarantee complete removal. Certain types of information — including names, indirect identifiers, and context-specific references — may not be detected in all cases. Covered Entity is responsible for reviewing redacted output before sharing it with AI providers or third parties. The Service is not a substitute for human review of sensitive content.
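The token round trip and the residual-review step described above, as an added illustration that is not PrivaiShield's own code: the detectors are a few constructed regexes (SSN, phone, e-mail, date), the token-to-original map stays with the caller (the browser), and the final helper flags capitalised name-like phrases that the regexes never see, which is the gap the limitation paragraph warns about.

```javascript
// Constructed detectors; real PHI detection is far broader than these patterns.
const DETECTORS = [
  { type: "SSN",   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { type: "PHONE", re: /\b\d{3}-\d{3}-\d{4}\b/g },
  { type: "EMAIL", re: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g },
  { type: "DATE",  re: /\b\d{1,2}\/\d{1,2}\/\d{4}\b/g },
];

// Replace each detected value with a token such as "[SSN_1]"; a repeated value
// reuses its token. The returned mapping is the only way to undo the redaction.
function redact(text) {
  const mapping = new Map(); // token -> original value (kept client-side)
  const seen = new Map();    // original value -> token
  const counters = {};
  let out = text;
  for (const { type, re } of DETECTORS) {
    out = out.replace(re, (match) => {
      if (seen.has(match)) return seen.get(match);
      counters[type] = (counters[type] || 0) + 1;
      const token = `[${type}_${counters[type]}]`;
      mapping.set(token, match);
      seen.set(match, token);
      return token;
    });
  }
  return { redacted: out, mapping };
}

// Put originals back into the provider's response. Longer tokens are replaced
// first so "[SSN_1]" is never matched inside "[SSN_10]".
function restore(text, mapping) {
  const entries = [...mapping].sort((a, b) => b[0].length - a[0].length);
  let out = text;
  for (const [token, original] of entries) out = out.split(token).join(original);
  return out;
}

// Human-review aid: capitalised two-word phrases that survived redaction.
// Tokens like "[SSN_1]" never match because they contain no lowercase run.
function residualNameCandidates(redacted) {
  return [...redacted.matchAll(/\b[A-Z][a-z]+ [A-Z][a-z]+\b/g)].map((m) => m[0]);
}

// Constructed sample chart note (no real person).
const SAMPLE = "Chart note: Jane Doe (SSN 123-45-6789, DOB 03/04/1980) can be " +
  "reached at 555-123-4567 or jane.doe@example.com. Verify SSN 123-45-6789 at discharge.";
const { redacted, mapping } = redact(SAMPLE);
console.log(redacted);                            // tokens sent to the AI provider
console.log(residualNameCandidates(redacted));    // ["Jane Doe"]: missed, needs review
console.log(restore("Follow up with [EMAIL_1] about [SSN_1].", mapping));
```

Running the block shows that the name passes through untouched while the structured identifiers are tokenised, which is why the agreement places review of redacted output on the Covered Entity.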

Safeguards

Business Associate shall implement safeguards as required by the HIPAA Security Rule, including:

  • Administrative safeguards: Workforce training, security management processes, contingency planning.
  • Physical safeguards: Facility access controls, workstation and device security.
  • Technical safeguards: Access controls, audit controls, integrity controls, transmission security (TLS 1.3).
  • Encryption: AES-256-GCM for data at rest with AWS KMS customer-managed keys (including field-level envelope encryption for chat data, organization names, and member emails), TLS 1.3 for data in transit.
  • Access controls: Role-based access with least-privilege principle for all employees.

Breach Notification

In the event of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity without unreasonable delay and in no event later than 60 calendar days after discovery of the Breach.

The notification shall include, to the extent available:

  • Identification of each individual whose PHI has been, or is reasonably believed to have been, affected.
  • A description of the nature of the Breach, including the types of PHI involved.
  • Steps individuals should take to protect themselves from potential harm.
  • A description of what Business Associate is doing to investigate, mitigate, and prevent future occurrences.
  • Contact information for individuals to ask questions or obtain additional information.

Subcontractors

Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.

A current list of subprocessors is maintained at /legal/subprocessors. AI providers receive text after our redaction process, which is designed to significantly reduce PHI exposure.

Term & Termination

This BAA is effective as of the date Covered Entity subscribes to the Team plan and shall remain in effect for the duration of the subscription, unless earlier terminated.

Termination for Cause: Either party may terminate this BAA if the other party materially breaches any provision and fails to cure the breach within 30 days of written notice.

Effect of Termination: The obligations of Business Associate under this BAA shall survive termination with respect to any PHI retained by Business Associate.

Return / Destruction of PHI

Upon termination of this BAA, Business Associate shall, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity.

Data Minimization Note: Text processed for PII detection is handled transiently and discarded after processing. If the Covered Entity has enabled server-side chat storage, encrypted chat data (messages and session titles) constitutes stored PHI. Upon termination, Business Associate shall delete all server-stored chat data within 30 days. Chat data stored locally in the user's browser is under the Covered Entity's control and is not accessible to Business Associate. Account metadata and usage metrics will be deleted in accordance with our standard data retention policy.

Amendment

This BAA may be amended at any time by mutual written agreement of the parties. The parties agree to negotiate in good faith any amendments to this BAA that are necessary to ensure compliance with changes to the HIPAA Rules. Material changes will be communicated with at least 30 days' notice.

Governing Law

This BAA shall be governed by and construed in accordance with federal law, including the HIPAA Rules. To the extent that state law applies, the laws of the State of Delaware shall govern without regard to conflict of law principles.

Acknowledgment

By subscribing to the PrivaiShield Team plan, Covered Entity acknowledges that it has read, understood, and agrees to be bound by this BAA. This BAA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the handling of PHI.

Legal Notice: This BAA is provided as a scaffold document. While it contains standard HIPAA BAA provisions, Covered Entities should have this agreement reviewed by qualified legal counsel before relying on it as a binding agreement.