Business Associate Agreement — HSAM.net

hsam.net / business-associate-agreement

Business Associate Agreement

HSAM.net is maintained by the Institute for Civil Memory, the nonprofit section of GLC / Gwyn Legacy. This page provides BAA availability information. It is not itself an executed Business Associate Agreement.

Last Updated: May 8, 2026

BAA available for eligible workflows

A Business Associate Agreement may be available for eligible healthcare, research, clinical, and covered-entity workflows. When a service relationship involves Protected Health Information or HIPAA-regulated workflows, a BAA may be executed before PHI is processed, transmitted, stored, or accessed through covered services.

No blanket HIPAA claim

This page does not claim that every website, prototype, dashboard, app, or service is HIPAA compliant. HIPAA-regulated workflows require appropriate scoping, written terms, security review, access controls, retention expectations, and operational controls before PHI is handled.

Before PHI is handled

Before any PHI is intentionally processed, transmitted, stored, or accessed, the workflow should be reviewed for service scope, user roles, access controls, audit/logging expectations, storage locations, subcontractor involvement, retention, deletion, breach-notification obligations, and whether a separate security or compliance exhibit is required.

How to request BAA review

Eligible clients may request BAA review through Contact or Support. Do not send PHI through general website forms or unauthenticated channels. Include only enough non-sensitive context to identify the intended workflow and organization type.

BAA process

BAA requests are reviewed before regulated workflows begin. Any final BAA must be executed through an authorized written agreement before PHI is intentionally processed, transmitted, stored, or accessed.