hsam.net / business-associate-agreement
Business Associate Agreement
HSAM.net is maintained by the Institute for Civil Memory, the nonprofit section of GLC / Gwyn Legacy. This page provides BAA availability information. It is not itself an executed Business Associate Agreement.
01 — Availability
BAA available for eligible workflows
A Business Associate Agreement may be available for eligible healthcare, research, clinical, and covered-entity workflows. When a service relationship involves Protected Health Information or HIPAA-regulated workflows, a BAA may be executed before PHI is processed, transmitted, stored, or accessed through covered services.
02 — Boundary
No blanket HIPAA claim
This page does not claim that every website, prototype, dashboard, app, or service is HIPAA compliant. HIPAA-regulated workflows require appropriate scoping, written terms, security review, access controls, retention expectations, and operational controls before PHI is handled.
03 — Workflow Review
Before PHI is handled
Before any PHI is intentionally processed, transmitted, stored, or accessed, the workflow should be reviewed for service scope, user roles, access controls, audit/logging expectations, storage locations, subcontractor involvement, retention, deletion, breach-notification obligations, and whether a separate security or compliance exhibit is required.
04 — Request
How to request BAA review
Eligible clients may request BAA review through Contact or Support. Do not send PHI through general website forms or unauthenticated channels. Include only enough non-sensitive context to identify the intended workflow and organization type.
BAA requests are reviewed before regulated workflows begin. Any final BAA must be executed through an authorized written agreement before PHI is intentionally processed, transmitted, stored, or accessed.