BAA Included Free: Every MedConnect Pro plan includes a signed Business Associate Agreement. Contact us at compliance@medconnectpro.com to request your BAA.
📋 What Is a BAA?
A Business Associate Agreement (BAA) is a legal contract required by HIPAA between a Covered Entity (your healthcare organization) and a Business Associate (MedConnect Pro) that handles electronic Protected Health Information (ePHI) on the Covered Entity's behalf.
The BAA establishes the permitted and required uses and disclosures of ePHI, the safeguards the Business Associate must implement, and the responsibilities for reporting security incidents and breaches.
🔒 Key BAA Provisions
Permitted Uses of ePHI
- MedConnect Pro may use and disclose ePHI only as necessary to perform services under the service agreement
- Uses are limited to treatment, payment, and healthcare operations as defined by HIPAA
- Any use not expressly permitted requires the Covered Entity's written authorization
Safeguards
- Implementation of administrative, physical, and technical safeguards as required by the HIPAA Security Rule
- Encryption of ePHI at rest (AES-256) and in transit (TLS 1.2+)
- Access controls including two-factor authentication and role-based permissions
- Comprehensive audit logging of all ePHI access
Subcontractors
- Any subcontractor with access to ePHI will be bound by the same HIPAA obligations through a downstream BAA
- Key subcontractors include DoseSpot (e-prescribing) and cloud infrastructure providers (hosting)
Breach Notification
- MedConnect Pro will report any breach of unsecured ePHI to the Covered Entity without unreasonable delay and no later than 60 days after discovery
- The report will include the nature of the breach, types of information involved, and recommended mitigation steps
Termination
- Either party may terminate the BAA if the other party materially breaches its obligations
- Upon termination, MedConnect Pro will return or destroy all ePHI, subject to legal retention requirements
- If return or destruction is not feasible, protections under the BAA continue as long as ePHI is retained
🛒 Storefront & BAA Coverage
When the optional Storefront e-commerce add-on is used in conjunction with MedConnect Pro, the BAA covers the following data flows:
- Patient Data Sync: Customer information from the Storefront that becomes part of a consultation record is covered as ePHI
- API Communication: All data transmitted between the Storefront and Platform via API is encrypted and authenticated
- Webhook Data: Consultation status updates transmitted via webhooks are covered under the BAA
Note: Payment data is handled securely; credit card numbers are never stored on MedConnect Pro servers.
📊 Our Compliance Measures
MedConnect Pro implements the following measures to fulfill our BAA obligations:
Encryption
AES-256 at rest, TLS 1.2+ in transit, HSTS with preload directive.
Access Control
2FA, session timeout, login lockout, role-based access for all user types.
Audit Logging
All ePHI access logged with PHI-safe sanitization. 6-year audit retention.
Tenant Isolation
Multi-tenant data isolation with query scoping and middleware enforcement.
Data Retention
7-year PHI retention from last encounter. Automated purge with audit trail.
Incident Response
Documented response procedures with breach notification within 60 days.
📧 Request a BAA
To request a signed Business Associate Agreement or to discuss your HIPAA compliance needs:
Compliance Team: compliance@medconnectpro.com
BAAs are typically executed as part of the onboarding process for new customers. If you are an existing customer and need an updated BAA, please contact our compliance team.