Business Associate Agreement
Last updated: 2026-05-22 · Version 1.0
This BAA is signed electronically as part of your signup flow. The text below is the current draft. The signed copy specific to your practice is stored in your account and available at any time via Settings → Documents.
You are the Covered Entity ("CE"): a licensed mental-health professional or practice subject to HIPAA. We are the Business Associate ("BA"): Psych Today Screener LLC.
1. Scope
This Agreement governs all Protected Health Information ("PHI," as defined at 45 CFR § 160.103) that CE provides to BA, or that BA creates, receives, maintains, or transmits on behalf of CE, in connection with the Service.
2. Permitted uses and disclosures
- BA may use and disclose PHI only as necessary to perform the Service: inbound-email screening, structured extraction, crisis routing, auto-replies, and daily digests.
- BA may use PHI for its own management and administration as permitted by 45 CFR § 164.504(e)(4).
- BA will not use or disclose PHI in ways that would violate HIPAA if done by CE.
3. Safeguards
BA shall implement administrative, physical, and technical safeguards including:
- Per-tenant envelope encryption of PHI at rest: each tenant's data is encrypted with its own AES-256 data encryption key (DEK) in GCM mode, and the DEK is stored only in wrapped form, encrypted under an AWS KMS key.
- TLS 1.2+ for all transit, both inbound and outbound.
- Role-based access control with TOTP 2FA for any user role that can view PHI.
- Audit logs for every PHI access, retained six years.
- Postgres row-level security enforcing tenant isolation at the database layer.
4. Subcontractors
BA may engage subcontractors that handle PHI only with a signed BAA on file. The current list is at /legal/subprocessors. CE will be notified at least 14 days before any addition.
5. Breach notification
BA shall notify CE within 24 hours of discovering any acquisition, access, use, or disclosure of PHI not permitted by this Agreement or by 45 CFR Part 164 Subpart E, including any breach of unsecured PHI as defined at 45 CFR § 164.402. Notification will include the information required by 45 CFR § 164.410(c).
The 24-hour window is deliberately much shorter than the 60-day outer limit that 45 CFR § 164.410(b) sets for Business Associate notification; it preserves most of CE's own 60-day window for notifying affected individuals, HHS and, where applicable, the media under 45 CFR §§ 164.404 through 164.408.
6. Access and amendment
BA shall make PHI available to CE within 7 business days of a written request, for the purpose of CE's compliance with 45 CFR §§ 164.524 and 164.526. CE can self-serve the export of all PHI via Settings → Export at any time.
7. Accounting of disclosures
BA shall make available the information required to provide an accounting of disclosures under 45 CFR § 164.528, within 14 business days of a written request.
8. Termination
- This Agreement terminates when the underlying Subscription ends. Either party may also terminate it for the other party's material breach on 30 days' written notice.
- On termination, BA shall, at CE's option: (a) return all PHI to CE, (b) crypto-shred the per-tenant DEK, rendering all PHI encrypted under it unrecoverable, or (c) return a copy of the PHI and then crypto-shred the DEK.
- Audit logs are retained for the HIPAA-required six years regardless of termination.
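The envelope-encryption safeguard in section 3 and the crypto-shred option in section 8 are shown below as an added Go example; it is not part of this Agreement and is not the Service's own code. The AWS KMS key is replaced by an in-process master key so the example runs offline (an assumption), the tenant IDs stand in for the KMS encryption context, and the tenant names, field name and PHI string are constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrShredded = errors.New("tenant DEK has been crypto-shredded")

func randBytes(n int) []byte { // a failure of the OS CSPRNG is unrecoverable
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// newAEAD builds an AES-256-GCM AEAD from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag, with aad authenticated alongside the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil { return nil, err }
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the aad, or any byte of the blob is wrong.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil { return nil, err }
	if len(blob) < aead.NonceSize() { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Vault holds a master key standing in for the AWS KMS key (offline assumption) and
// persists one wrapped DEK per tenant; a nil entry marks a shredded tenant.
type Vault struct {
	master  []byte
	wrapped map[string][]byte
}

func NewVault() *Vault { return &Vault{master: randBytes(32), wrapped: map[string][]byte{}} }

// Onboard mints a fresh 256-bit DEK and stores only its wrapped form (the equivalent of
// KMS GenerateDataKeyWithoutPlaintext); the tenant ID plays the KMS encryption context.
func (v *Vault) Onboard(tenant string) error {
	dek := randBytes(32)
	defer zero(dek)
	w, err := seal(v.master, dek, []byte(tenant))
	if err != nil { return err }
	v.wrapped[tenant] = w
	return nil
}

// dek unwraps the tenant's DEK; the plaintext key lives only for one seal or open call.
func (v *Vault) dek(tenant string) ([]byte, error) {
	w, ok := v.wrapped[tenant]
	if !ok { return nil, errors.New("unknown tenant") }
	if w == nil { return nil, ErrShredded }
	return open(v.master, w, []byte(tenant))
}

// Encrypt seals one PHI field; the AAD binds the blob to tenant and field, so a
// ciphertext copied into another tenant's row (or another column) will not open.
func (v *Vault) Encrypt(tenant, field string, phi []byte) ([]byte, error) {
	dek, err := v.dek(tenant)
	if err != nil { return nil, err }
	defer zero(dek)
	return seal(dek, phi, []byte(tenant+"/"+field))
}

func (v *Vault) Decrypt(tenant, field string, blob []byte) ([]byte, error) {
	dek, err := v.dek(tenant)
	if err != nil { return nil, err }
	defer zero(dek)
	return open(dek, blob, []byte(tenant+"/"+field))
}

// CryptoShred is termination option (b): destroying the wrapped DEK leaves every record
// sealed under it, including copies in backups, as ciphertext nobody can open.
func (v *Vault) CryptoShred(tenant string) {
	if w, ok := v.wrapped[tenant]; ok && w != nil {
		zero(w)
		v.wrapped[tenant] = nil
	}
}

func zero(b []byte) { for i := range b { b[i] = 0 } }

func main() {
	v := NewVault()
	_ = v.Onboard("practice-a")
	_ = v.Onboard("practice-b")
	blob, _ := v.Encrypt("practice-a", "intake_note", []byte("constructed sample PHI")) // constructed input
	_, err := v.Decrypt("practice-b", "intake_note", blob)
	fmt.Println("cross-tenant open rejected:", err != nil)
	v.CryptoShred("practice-a")
	_, err = v.Decrypt("practice-a", "intake_note", blob)
	fmt.Println("after shred:", err)
}
```

With a real KMS the master key never exists in application memory at all: the unwrap in dek becomes a kms:Decrypt call with the tenant ID as EncryptionContext, and the shred can additionally schedule deletion of a per-tenant KMS key. Note what the shred does not do: the audit log retained under this section, if it contains PHI, is outside the tenant DEK and must be handled under its own retention rules.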
9. Indemnification
Each party shall indemnify the other against losses arising from the indemnifying party's own willful misconduct or material breach of this Agreement, subject to the liability limits in the Terms of Service.
10. Notices
Notices to BA: legal@psychtoday-screener.com.
Notices to CE: the email on file at signup.
11. Order of precedence
If this Agreement conflicts with the Terms of Service regarding PHI, this Agreement controls.
12. Governing law
New Jersey, with venue in NJ state or federal courts.
Download a draft
A PDF draft you can route through your counsel before signing up is available at /documents/baa-v1.pdf (uploaded when we go live; for now, contact us at legal@psychtoday-screener.com).